User's guide

Zebra Mobile Printers • Wireless Configuration Guide • rev. H 42
INTRODUCTION
Extensible Authentication Protocol - Transport Level Security (EAP-TLS)
is an IEEE 802.1x EAP security method that uses digital certificates
for mutual server and client authentication. EAP-TLS requires a
RADIUS (Remote Authentication Dial-In User Service) server to
authenticate a user (i.e. a Zebra mobile printer) before allowing
wireless access onto the network. Both the server and the client
prove their identities via PKI (Public Key Infrastructure)
cryptography, passing X.509 digital certificates to each other.
Encryption keys are then generated, securing all communications
traffic between the wireless client and the network.
NOTE: It is the responsibility of end users to determine the proper
configuration parameters for their particular network. The
following discussion is intended as an example to follow when
configuring a WLAN network for use with Zebra Mobile Printers
and this protocol.
The following discussion assumes the use of a Cisco Aironet
1200 access point (the EAP authenticator), and a Windows
version of the popular FreeRadius authentication server. The
firmware level on the Cisco access point should be 12.3(7)JA
or higher. More information on FreeRadius appears later in this
section.
You must ensure compatibility of your printer with the
EAP-TLS protocol. At the time of writing the following mobile
printer models and radio options will support EAP-TLS:
                              Radio Option
Model          802.11b CF    802.11b PCMCIA    Zebra 802.11b
QL 220 Plus    yes           no                yes
QL 320 Plus    yes           no                yes
QL 420 Plus    yes           no                yes
RW 220         yes           no                yes
RW 420         yes           no                yes
You can verify compatibility by performing a 2-key self test (power
on the printer with the Feed button pressed, and release it once
the self test starts printing) to print the unit’s configuration. Verify
that the Software Version in the Program Section begins with
“SH”. If your printer does not show this information, then you do
not have a printer with the capability for EAP-TLS authentication.
NOTE: EAP-TLS is not supported on Zebra mobile printers with the
PCMCIA radio option.
CONFIGURING THE NETWORK FOR EAP-TLS AUTHENTICATION
Configure the Access Point
EAP-TLS is implemented using a RADIUS (Remote Authentication
Dial-In User Service) server to authenticate a user (in this
case a Zebra mobile printer) before allowing wireless access
onto the network.
You must have your server configured in a manner similar to
the following:
NOTE: These settings are based on typical settings for a Cisco
Aironet 1200 access point. This access point also acts as the
EAP authenticator, transferring the data between the printer
and the RADIUS server. The access point should have a firmware
version of 12.3(7) JA or later. Earlier firmware versions may not
support local EAP-TLS authentication.
• Set Open Authentication with EAP and no Key Management
• Set WEP Encryption to Mandatory
• Configure a RADIUS server entry. Select the IP address and enter
its shared secret. By default the FreeRadius server listens on
TCP ports 1812 and 1813. Select the RADIUS server’s IP address
in the Default Server Priorities (EAP Authentication section).
• Ensure the EAP TLS protocol is selected for the Local Radius
Server Authentication Setting. Enter the IP address of the
access point in the Network Access Servers section and the
server’s “shared secret”.
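
The checklist above can be checked against a saved access point configuration. The following Python script is an added example and is not part of the Zebra guide. It assumes the settings appear in Cisco IOS command-line form, as in the constructed sample; the SSID, method-list and group names, the address and the secret are placeholders.

```python
import re

# Constructed sample, not from the guide: the settings above in Cisco IOS
# CLI form. Names, address and secret are placeholders.
SAMPLE_CONFIG = """\
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
dot11 ssid PRINTERS
 authentication open eap eap_methods
interface Dot11Radio0
 encryption mode wep mandatory
 ssid PRINTERS
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET
"""

def parse_stanzas(text):
    """Map each top-level config line to the indented lines beneath it."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue  # blank line or IOS separator/comment
        if line[0].isspace() and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = line.strip()
            stanzas.setdefault(current, [])
    return stanzas

def audit(text):
    """Return findings; an empty list means every checklist item was found."""
    st = parse_stanzas(text)
    ssid = [l for k, v in st.items() if k.startswith("dot11 ssid ") for l in v]
    radio = [l for k, v in st.items() if k.startswith("interface Dot11Radio") for l in v]
    findings = []
    lists = [m.group(1) for l in ssid if (m := re.fullmatch(r"authentication open eap (\S+)", l))]
    if not lists:
        findings.append("no SSID uses open authentication with EAP")
    if any(l.startswith("authentication key-management") for l in ssid):
        findings.append("key management is enabled on an SSID")
    if "encryption mode wep mandatory" not in radio:
        findings.append("WEP encryption is not mandatory on the radio")
    for name in lists:
        # Follow method list -> server group -> server address -> host entry with a key.
        grp = next((k.split()[-1] for k in st if k.startswith(f"aaa authentication login {name} group ")), None)
        hosts = [l.split()[1] for l in st.get(f"aaa group server radius {grp}", []) if l.startswith("server ")]
        if not any(re.match(rf"radius-server host {re.escape(h)} .*\bkey \S+", k) for h in hosts for k in st):
            findings.append(f"EAP method list {name} has no RADIUS server with a shared secret")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns an empty list; each missing or conflicting setting adds one finding that names the checklist item.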
Wireless Security- EAP-TLS and WPA EAP-TLS