User's guide

Zebra Mobile Printers • Wireless Configuration Guide • rev. H
Wireless Security - EAP-TTLS and WPA EAP-TTLS
INTRODUCTION
Extensible Authentication Protocol - Tunneled Transport Level
Security (EAP-TTLS) is an IEEE 802.1x EAP security method
that uses an initial TLS handshake to authenticate a server
to a client using PKI (Public Key Infrastructure) cryptography
and X.509 digital certificates. Using the secure tunnel established
by the TLS handshake, a RADIUS (Remote Authentication
Dial-In User Service) server then authenticates the client
using legacy username and password authentication before
allowing wireless access onto the network. The server proves
its identity to the client (our Zebra mobile printer) by passing
a digital certificate to the printer. A root certificate stored on
the printer is used to help prove the identity of the
server. The printer authenticates to the server by sending its
username and password inside the secure TLS tunnel. Encryption
keys are then generated, securing all communications traffic
between the wireless client and the network.
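The root-certificate check described above can be rehearsed with OpenSSL before a root certificate is loaded onto a printer. This is an added example, not part of the original guide: it assumes the openssl command-line tool is installed, and the certificates and names (Example Root CA, radius.example.test) are constructed throwaway test values.

```shell
#!/bin/sh
# Added example: constructed test certificates only, not Zebra or FreeRadius files.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

key_args="-newkey rsa:2048 -nodes -days 1"

make_pki() {
    # Root CA: stands in for the root certificate stored on the printer.
    openssl req -x509 $key_args -subj "/CN=Example Root CA" \
        -keyout "$workdir/ca.key" -out "$workdir/ca.pem" 2>/dev/null
    # RADIUS server certificate issued by that root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$workdir/srv.key" -out "$workdir/srv.csr" 2>/dev/null
    openssl x509 -req -in "$workdir/srv.csr" -days 1 \
        -CA "$workdir/ca.pem" -CAkey "$workdir/ca.key" -CAcreateserial \
        -out "$workdir/srv.pem" 2>/dev/null
    # Same subject name, but self-signed: the root did not issue it.
    openssl req -x509 $key_args -subj "/CN=radius.example.test" \
        -keyout "$workdir/other.key" -out "$workdir/other.pem" 2>/dev/null
}

# Succeeds only if the certificate chains to the trusted root.
chains_to_root() {
    openssl verify -CAfile "$workdir/ca.pem" "$1" >/dev/null 2>&1
}

make_pki
for cert in srv other; do
    if chains_to_root "$workdir/$cert.pem"; then
        echo "$cert.pem: chains to the root; credentials may go into the tunnel"
    else
        echo "$cert.pem: not issued by the root; stop before sending credentials"
    fi
done
```

A server certificate that fails this check against the root loaded on the printer will not be trusted during the TLS handshake, so the username and password are never sent.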
NOTE: It is the responsibility of end users to determine the proper
configuration parameters for their particular network. The
following discussion is intended as an example to follow when
configuring a WLAN network for use with this protocol.
The following discussion assumes the use of a Cisco Aironet
1200 access point (the EAP authenticator), and a Windows
version of the popular FreeRadius authentication server. The
firmware level on the Cisco access point should be 12.3(7)JA
or higher. More information on FreeRadius appears later in this
section.
You must ensure compatibility of your printer with the
EAP-TTLS protocol. At the time of writing, the following mobile
printer models and radio options will support EAP-TTLS:

              Radio Option
Model         802.11b CF   802.11b PCMCIA   Zebra 802.11b
QL 220 Plus   yes          no               yes
QL 320 Plus   yes          no               yes
QL 420 Plus   yes          no               yes
RW 220        yes          no               yes
RW 420        yes          no               yes
You can verify compatibility by performing a 2-key self test (power
on the printer with the Feed button pressed, and release it once
the self test starts printing) to print the unit’s configuration. Verify
that the Software Version in the Program Section begins with
“SH”. If your printer does not show this information, then you do
not have a printer with the capability for EAP-TTLS authentication.
NOTE: EAP-TTLS is not supported on Zebra mobile printers with
the PCMCIA radio option.
CONFIGURING THE NETWORK FOR EAP-TTLS AUTHENTICATION
Configure the Access Point
EAP-FAST is implemented using a RADIUS (Remote Authentication
Dial-In User Service) server to authenticate a user (in
this case a Zebra mobile printer) before allowing wireless
access onto the network.
You must have your server configured in a manner similar to
the following:
NOTE: These settings are based on typical settings for a Cisco
Aironet 1200 access point. This access point also acts as the
EAP authenticator, transferring the data between the printer
and the RADIUS server. The access point should have a firmware
version of 12.3(7) JA or later. Earlier firmware versions may not
support local EAP-FAST authentication.