User`s guide
Zebra Mobile Printers • Wireless Configuration Guide • rev. H 52
Wireless Security- PEAP and WPA PEAP
INTRODUCTION
Protected Extensible Authentication Protocol (PEAP) is an IEEE
802.1x EAP security method that uses an initial TLS handshake
to authenticate a server to a client using PKI (Public Key
Infrastructure) cryptography X.509 digital certificates. Using
the secure tunnel established by the TLS handshake, a RADIUS
(Remote Authentication Dial-In User Service) server is used
to authenticate a client using legacy username and password
authentication before allowing wireless access onto the
network. The server proves its identity to the client (our Zebra
mobile printer) by passing a digital certificate to the printer.
An optional root certificate is stored on the printer which will
be used to help prove the identity of the server. The printer
authenticates itself to the server by sending its username and
password inside the secure TLS tunnel. Encryption keys are
then generated securing all communications traffic between
the wireless client and the network
NOTE: It is the responsibility of end users to determine the proper
configuration parameters for their particular network. The
following discussion is intended as an example to follow when
configuring a WLAN network for use with this protocol.
The following discussion assumes the use of a Cisco Aironet
1200 access point (the EAP authenticator), and a Windows
version of the popular FreeRadius authentication server. The
firmware level on the Cisco access point should be 12.3(7)JA
or higher. More information on FreeRadius appears later in this
section. The version of PEAP supported in the TLS tunnel is the
Microsoft implementation of MS-CHAPv2.
You must ensure compatibility of your printer with the PEAP
protocol. At the time of writing the following mobile printer
models and radio options will support PEAP:
Radio Option
Model 802.11b CF
802.11b
PCMCIA
Zebra
802.11b
QL 220 Plus yes no yes
QL 320 Plus yes no yes
QL 420 Plus yes no yes
RW 220 yes no yes
RW 420 yes no yes
You can verify compatibility by performing a 2-key self test (power
on the printer with the Feed button pressed, and release it once
the self test starts printing) to print the unit’s configuration. Verify
that that the Software Version in the Program Section begins with
“SH”. If your printer does not show this information, than you do
not have a printer with the capability for PEAP authentication.
NOTE: PEAP is not supported on Zebra mobile printers with the
PCMCIA radio option.
CONFIGURING THE NETWORK FOR PEAP AUTHENTICATION
Configure the Access Point
PEAP is implemented using a RADIUS (
Remote Authentication
Dial-In User Service) server to authenticate a user (in this case
a Zebra mobile printer) before allowing wireless access onto
the network.
You must have your server configured in a manner similar to
the following: