Honeywell 7900LU0, 7900BU0, 7900LUP, 7900BUP User Guide
Client Configuration Area
Each user account needs to define the protocol and the credentials used to authenticate a user. Because Windows Mobile devices are usually small devices with a single NIC and, usually, a single user, the initial configuration is usually the only time the software needs to be set up. The Client will need to be reconfigured if the device is used on multiple networks, or if different users share the computer.
Note: Fields are be grayed out if not relevant to the selected protocol.
Accessing the Client Configuration Area
On the main screen, tap Client > Configure (see Client Menu on page 9-17). The Client Configuration screen opens displaying the User tab.
On this tab, |
You… |
User Settings Tab Configure authentication credentials and profiles.
System Settings Tab Set the level of detail that the Client will provide in the system log and zero-config options.
Server Identity Tab Control how the Client authenticates the server that handles the 802.1X protocol on the network side. This applies only to the TLS, TTLS, and PEAP authentication methods and is used to tell the Client what server credentials to accept from the authentication server to verify the server.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 21 |
User Tab
The User settings tab defines the protocol and the credentials used to authenticate a user.
Field
Profile
Identity
Password
Authentication type
Description
Multiple user credential profiles can be created for use when the user roams from one network to another. The drop-down list contains existing authentication credential profiles. Select a profile from the list to edit it in the fields that follow.
Tapping Add permits new profiles to be added to the list. A screen appears where you can enter a name for the new profile.
Enter a Profile name and tap OK. The name entered appears in the Profile drop-down list.
Tapping Delete deletes authentication profiles. To be deleted, a profile cannot be assigned to a configured network.
This is the 802.1X identity supplied to the authenticator. The identity value can be up to 63 ASCII characters and is case-sensitive.
For tunneled authentication protocols such as TTLS and PEAP, this identity (called the Phase 1 identity) is sent outside the protection of the encrypted tunnel. Therefore, it is recommended that this field not contain a true identity, but instead the identity “anonymous” and any desired realm (e.g. anonymous@myrealm.com). For TTLS and PEAP, true user credentials (Phase 2 identity) are entered in the Tunneled authentication section.
Note: When used with PEAP and the .NET Enterprise Server Version 5.2, this field must contain the identity used in both Phase I and Phase II. The Phase II identity field is ignored.
This is the password used for MD5-Challenge or LEAP authentication. It may contain up to 63 ASCII characters and is case-sensitive. Asterisks appear instead of characters for enhanced security.
This is the authentication method to be used - MD5-Challenge, LEAP, PEAP, TLS, or TTLS.
Your network administrator should let you know the protocols supported by the RADIUS server. The RADIUS server sits on the network and acts as a central credential repository for Access Servers that receive the radio signals and ultimately block or allow users to attach to the network.
9 - 22 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
Field
Use certificate
Description
This is the certificate to be used during authentication. A certificate is required for TLS, optional for TTLS and PEAP, and unused by MD5 and LEAP. Therefore, this option becomes active only when TLS, TTLS, or PEAP is selected as the Authentication type.
If Use certificate is enabled, the client certificate displayed in the field is the one that is passed to the server for verification.
To select a client certificate, tap Change and select the certificate from the list that appears.
To appear in this list, certificates must be installed in the system, for a description of this process see Installing Certificates with CertAdd on page 9-32.
The Issued to field should match the Identity field and the user ID on the authentication server (i.e., RADIUS server) used by the authenticator.
Your certificate must be valid with respect to the authentication server. This generally means that the authentication server must accept the issuer of your certificate as a Certificate Authority.
Note: When obtaining a client certificate, do not enable strong private key protection. If you enable strong private key protection for a certificate, you will need to enter an access password for the certificate each time this certificate is used.
Tunneled authentication area
Tunneled authentication parameters are used by only by TLS, TTLS and PEAP protocols, in Phase 2 of authentication, and after the secure tunnel has been established. The fields in this section are active only if the TLS, TTLS, or PEAP is selected as the Authentication type.
Identity
Password
Protocol
The user identity used in Phase 2 authentication. The identity specified may contain up to 63 ASCII characters, is case-sensitive and takes the form of a Network Access Identifier, consisting of <name of the user>@<user’s home realm>. The user’s home realm is optional and indicates the domain to which the tunneled transaction is to be routed.
Note: Because Microsoft .NET Enterprise Server Version 5.2 does not use this parameter for PEAP, This field will have no effect for PEAP at this time. Phase 1 identity is used instead.
The password used for the tunneled authentication protocol specified. It may contain up to 63 ASCII characters and is case-sensitive. Asterisks appear instead of characters for enhanced security.
This parameter specifies the authentication protocol operating within the secure tunnel.
The following protocols are currently supported for TTLS: EAP-MD5, CHAP, PAP, MS-CHAP and MS- CHAP-V2.
The following protocols are currently supported for PEAP: EAP-MS-CHAP-V2, TLS/SmartCard, and Generic Token Card (EAP-GTC).
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 23 |
System Tab
The System Settings tab controls logging and the port manger timeout period.
Field
Log Level
Defaults
Disable Wireless
Zero Config
Port Manager
Timeout
Description
These settings control the detail of the log messages generated by the Client. Each level is cumulative. By default, all errors, warnings, and information events are logged. Each entry records a severity code (of one [debug message] to four [error] asterisks), a time stamp, and a message.
Errors - only the most severe conditions are logged.
Warnings - less severe conditions are logged.
Information - all errors, warnings, and information events are logged. This is the default setting.
Debugging - creates a log message each time the Client detects or reacts to an event. Be advised that log entries fill memory quickly if the Debugging level is chosen. Do not use the Debugging option for a significant length of time because most internal operations generate messages.
Tap this button to return log settings to the default settings.
Use this option only as directed by technical support.
Selecting this option disables other wireless utilities whether the Client is running or not. If not selected, other wireless utilities cannot apply their settings to the wireless card while the Client is running (although their status displays are usually unaffected). You will need to perform a soft reset whenever this setting is changed.
The interval at which the client polls the ports. This is used under different circumstances, for instance after physical changes such as card removal or insertion have been detected. This value should not be changed from the 10-second default unless so advised by technical support.
9 - 24 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
Server Tab
The Server identity tab defines the credentials the client uses to authenticate the server during TLS/TTLS/PEAP authentication message exchange. The Client uses this information to verify that the Client is communicating with a trusted server.
Field
Do not validate server certificate chain
Certificate issuer must be
Allow intermediate certificates
Server name must be
Must match exactly
Must contain domain name
Description
If this option is selected, the server certificate received during the TLS/TTLS/PEAP message exchange is not validated.
This is the certificate authority used during TLS/TTLS/PEAP message exchange. Any Trusted CA is the default selection and means that any certificate authority can be used during authentication.
Both trusted intermediate certificate authorities and root authorities whose certificates exist in the system store are available for selection in the drop-down list.
This option is selected by default and enables unspecified certificates to be in the server certificate chain between the server certificate and the certificate authority selected in the
Certificate issuer must be field.
When selected, this option allows the server certificate received during negotiation to be issued directly by the certificate authority or by one of its intermediate certificate authorities.
If disabled, then the selected Certificate issuer must have directly issued the server certificate.
This is either the server name or the domain the server belongs to, depending on which option is selected below the text field.
During authentication, this name will be compared to the server certificate’s Subject: CN field.
When selected, the server name entered must match the server name found on the certificate exactly.
When selected, the server name field identifies a domain and the certificate must have a server name belonging to this domain or to one of its sub-domains (e.g., zeelans.com, where the server is blueberry.zeelans.com).
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 25 |
Port Settings Area
In the Port Settings area, you configure network parameters for each port listed on the main screen; see Main Screen on page 9-17.
1.On the main screen, tap and hold on a port. The Port popup menu appears; see Port Menu on page 9-20.
2.Tap Configure. The Port Settings Configuration screen opens displaying the Wireless Networks tab.
On this tab, |
You… |
Wireless Networks Tab Set the parameters for Network APs and underlying protocol.
Protocol Tab |
Configure common protocols that apply to any network the port connects to. |
9 - 26 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
Wireless Networks Tab
Field Description
Available Networks Section
This section displays the networks the terminal recognizes as available to connect to. When the Client is first installed, there are no entries in the Available Networks list.
Scan
Move to Configured
Tap this button to see a list of networks broadcasting their availability.
Note: You can also attach to networks who are not broadcasting.
This button activates only after Scan has been tapped and available networks have been retrieved.
In the list of networks retrieved, select the network you wish to connect to, and tap Move to Configured. This selects the network, which now appears in the Configured Networks section.
Configured Networks section
This section displays the networks your terminal is connected to. This section enables you to add or remove networks as well as review and edit the properties of existing configured networks.
Default
Up
Down
Add
Remove
When the Client is first installed, there is a Configured Network named "default" in the list. This profile has Associate with any network selected in its Properties selection screen.
If you are going to be in a location with only one AP (or more than one AP that attaches to the same network), the default profile may be sufficient for you needs, without necessitating the selection of a specific network or networks.
If default is last in the list, it can act as a wildcard should you be out of the range of your primary networks (which are listed first). Do not place default at the top or middle of the list because, if it is, connection to the other list entries will never be attempted.
Tapping this button moves a selected network up one place in the list.
Tapping this button moves a selected network down one place in the list.
Note: The order of the networks in this list is the exact order that connections will be attempted. The network listed first will be attempted first and so on. Place your primary networks first.
Tap this button to manually add a network to the Configured Networks list if
•the AP does not broadcast its SSID or
•you are pre-configuring the client for an AP that is not currently in range.
For more information, see Adding a Wireless Network Configuration on page 9-29.
Tap this button to remove a selected network in the list.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 27 |
Field
Properties
Protocol Tab
Description
Tap this button to review the properties of a network selected in the list. This button opens the same network configuration screen as the Add button does; use it to edit network configuration properties.
The Protocol tab enables you to configure parameters that will apply to all the networks the selected port connects to.
Field
Protocol
Settings
Display EAP notifications
Renew IP address
Description
These are the timer intervals and retry settings defined in the 802.1X standard. They determine how long the supplicant state machine will wait in a given state. These parameters shouldn’t be modified without an understanding of the supplicant state machine. For more information about the supplicant state machine, obtain its 802.1X protocol specification.
The parameters are:
•Authentication Timeout - The period of time the Client remains in the authenticating or acquired state without receiving a response from the AP or switch.
•Held Timeout - The period of time the Client remains in the held state after failing authentication.
•Start Timeout - The period of time the Client remains in the connecting state before restarting when there is no response.
•Number of Start Attempts - The number of times the Client restarts before giving up. At that point, the Client then defaults to the authenticated state, but there will be no network connectivity because the protocol exchange was never completed.
This option specifies that the EAPOL notification message will be displayed to the user. An authenticator may use such notification to inform you, for example, about a near password expiration. However, some authenticators send chatty and annoying notifications that may, for the convenience of the user, be suppressed. Note that all notifications are written to the event log even if they are not displayed.
Select this option to initiate a DHCP request to obtain a dynamic IP address after a successful authentication, but only if the client detects that the connected network (the SSID) has changed. The result is that renewal should not occur upon re-authentication, but does occur at boot or when connecting to a different network. If you have a slow authenticator, you may wish to enable this option when configuring the service because a slow authenticator may prevent you from getting a DHCP-assigned IP address upon boot-up. This option is ignored if the given adapter has a static IP address.
9 - 28 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
Adding a Wireless Network Configuration
To add a wireless network configuration, on the main screen, tap and hold on the port, tap Configure on the Port popup menu, then tap Add in the Network Configurations section of the Wireless Networks tab. The Network Profile screen opens displaying the Profile Info tab.
Profile Info Tab
Field
Network Profile
Network Name
Peer-to-Peer Group (ad hoc mode):
Do active scan
Authentication
Profile
Description
Enter the name of this record. This is the name that appears in the Configured Networks list and, by default, is the same as the broadcast SSID. Note that there is nothing special about the name "default". You could configure any other record similarly and it would behave the same way.
This is the SSID of the AP. If the AP broadcasts its SSID, then this value may be derived from the Available Networks list. If the SSID does not broadcast, then you must manually enter the value here.
Select this option to have two or more client workstations communicate with each other without the benefit of an AP. You should also select Do Active Scan and, in the WEP Management page, enable Use key for data encryption while entering a common key for both sides. WPA is not supported in this mode.
Select this option whenever the AP (or client, for ad hoc mode) is not broadcasting its SSID.
Select the Client Configuration (user) profile associated with this network. The drop-down list contains client profile names created in the User tab of the Client Configuration Area; see User Tab on page 9- 22.
To open the selected profile, select it in the drop-down list and tap View. The User tab opens displaying the profile details. If you tap OK (to save changes) or Cancel, you are returned to the Profile Info tab.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 29 |
WEP Mgmt Tab
The WEP Mgmt tab enables you to set WEP parameters for each port.
Note: The settings on this tab window are interrelated. This means that selecting one may disable access to others.
Field
Provide encryption key dynamically
Use key for data encryption
Use key to authenticate with AP
Key
Key Index/Transmit
Key
Description
This option is selected by default. If this option is selected, the other WEP settings on this page are disabled. To enter a custom WEP, de-select this option. The other fields become active.
Select this option to manually enter a WEP key to encrypt your data to the AP. You enter that key in the Key field below.
Select this option if your network does not support 802.1x authentication and you need to connect to the AP without username and password authentication. The key entered below is used to authenticate instead.
In this field, enter the WEP key:
ASCII - 5 or 13 characters
Hexadecimal - 10 or 26 characters.
When the key entered is in the correct format, the screen changes to display the type - ASCII or Hexadecimal.
The Key Index drop-down list contains the available keys. You may enter up to four keys for reception; the Client will try all four to find one that works with the AP.
From the drop-down list, select the key to be used for transmission as well. If the key selected is the transmit key, the Transmit key box is checked.
To change the transmit key, select another key and check the Transmit key box. The check box of the original transmit key will be automatically de-selected.
9 - 30 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
WPA Settings Tab
The WPA Settings tab enables you to configure WPA settings.
Field
WPA Mode
PSK pass-phrase
Description
This drop-down list contains the following options:
•Disabled - Do not enable WPA mode. This is the default selection.
•WPA 802.1x - Enable WPA and obtain key information through the 802.1x protocol.
•WPA PSK - Enable WPA with Pre-Shared Key (PSK) information entered in the field below. This mode is used if the 802.1x protocol is not being used for authentication.
This field activates if you select WPA PSK in the WPA Mode drop-down list.
Enter between 8 and 63 characters for your pass phrase. Asterisks appear as you type for increased security.
Logging
The event log is an ASCII text file named “LOG8021X.TXT” located in the directory defined by the WINDIR environment variable (usually the Windows directory). The information the log records is determined by the log settings on the System tab of the Client Configuration Area; see System Tab on page 9-24.
The format of the entries is
Time Stamp |
Message Text |
The Refresh button at the bottom of the screen is used to update the log file while you are reading it. If the file gets too large, old entries are automatically deleted.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 31 |
If you wish to start with a blank file, exit from the Client (so the icon no longer appears at the lower right of the screen) and delete the log file (log8021x) in File Explorer; see Finding and Organizing Information on page 4-12.
When you restart the Client, a new log file is created.
Installing Certificates with CertAdd
Certificate Requirements
During configuration, you may have specified one or two certificates to use during the authentication process. The specified identity should match the Issued to field in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. In addition, your certificate must be valid on the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a trusted Certificate Authority.
If the selected certificate does require a password or pass phrase to decode the private key, enter this value in the “Certificate Pass Phrase” field. This value will be encrypted when the configuration is saved. However, on some systems, there may not be a certificate. If that is the case, you can use the section below as a primer on OS X certificate management.
About CertAdd
CertAdd is a stand-alone utility included with the Client that allows certificates to be selected and installed on a Windows Mobile device.
Installing Certificates with CertAdd
Client or Certificate Authority (CA) certificates can be imported from *.cer (same as *.der), *.p7b, or *.pfx files.
1.Download the certificate file to the My Documents folder. The location isn’t critical, although you may want to create a standard folder for consistency.
9 - 32 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
2.Go to Start > Programs > Meetinghouse Certificate Installer. The opening screen is displayed. All valid certificate file types located in the My Documents folder appear in the list.
3.Tap and hold on a certificate in the list. A pop-up appears asking if you want to install the certificate.
4.Tap OK. The certificate is loaded into the correct certificate store.
Advice and Workarounds
Issue |
Possible Causes and Solutions |
|
|
|
|
The Client will not start on the device with an |
Perform a soft reset. |
|
error message about missing files. |
||
|
||
|
|
|
The wireless network interface (port) does not |
• The license is not valid (If you have entered a time-limited license, is |
|
appear in the main AEGIS screen. |
your clock on the device correct?). |
|
|
• Restart the client - on the main screen tap Client > Restart. |
|
|
• Perform a soft reset. |
|
|
• If the radio is turned off or the radio card is not present, this will |
|
|
sometimes cause the port name to not appear. |
|
|
• If the radio driver is very old and does not support NDIS 5.1 |
|
|
commands, the Client may not be able to detect it. |
|
|
|
|
The wireless network interface appears, but |
Power up the radio; see Enabling Radios and Radio Combinations on |
|
when I select it and go to the "configure" menu, |
||
page 4-7. |
||
the Scan button is disabled. |
||
|
||
|
|
|
The client is not attaching to the correct AP. |
The default network profile instructs the client to attach to the first |
|
|
available AP. You must select a network, move it to the Configured |
|
|
Networks list, and then move it above default in the list using the up |
|
|
arrow buttons. |
|
|
For more information, see Wireless Networks Tab on page 9-27. |
|
|
|
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 33 |
Advice and Workarounds
Issue |
Possible Causes and Solutions |
|
|
|
|
The Client is failing authentication even though |
1. |
Verify that the network profile for the AP corresponds to the authenti- |
all my information was entered correctly. |
|
cation profile you created for it. |
|
|
• Select the network profile in the Configured Networks list. |
|
|
• Tap Properties. The Profile Info tab opens - see page 9-29. |
|
|
• In the Authentication profiles drop-down list, select the profile |
|
|
you want to review. |
|
|
• Tap View. The User tab appears displaying the profile’s |
|
|
information. |
|
2. |
Verify that you have configured the identity and password into the |
|
|
correct fields on the User tab (page 9-29) in the authentication |
|
|
profile. If you are using PEAP or TTLS, the username and password |
|
|
are entered in the Tunneled authentication section. |
|
|
|
My AP does not broadcast its SSID. Even |
• |
Make sure that the desired SSID is listed as the Network Name, not |
though I have manually configured an AP with |
|
the Network Profile (which is a screen label) |
that name, the Client won't associate with it. |
• |
Verify that Do Active Scan is selected on the Profile Info tab; see Do |
|
|
active scan on page 9-29. Otherwise, the Client will not attempt to find |
|
|
the AP. |
|
|
|
I am authenticated, but I don't get an IP |
On the main screen, tap and hold on your AP, tap Configure on the |
|
address through DHCP. |
popup menu, and select the Protocol tab. Verify that Renew IP Address |
|
|
is selected; see Renew IP address on page 9-28. |
|
|
|
|
I cannot attach to my old network that does not |
• |
Verify that you can see your SSID in the Available Networks list on the |
support 802.1x authentication, but is using |
|
Wireless Networks tab. Move the SSID to the top of the Configured |
WEP encryption. |
|
Networks list so that it is accessed first. If the SSID is not there, you |
|
|
can add it manually and enter the SSID as the network name - page |
|
|
9-27 |
|
• |
Select the SSID and tap Properties. |
|
• |
On the Profile Info tab, select Do active scan if your AP does not |
|
|
broadcast its SSID. |
|
• |
On the WEP Mgmt tab, select Use key for data encryption and Use |
|
|
key to authenticate with AP. |
|
• |
Enter the WEP Key - see Key on page 9-30. |
|
• |
On the Protocol tab, select Renew IP Address (unless you have |
|
|
entered one manually separate from the Client) |
|
• |
Note that the port status indicator in the main screen reads |
|
|
"Associated," not "Authenticated" when the connection is complete; |
|
|
although the log file will indicate "Entered AUTHENTICATED state." |
|
|
|
I made changes, but they do not appear to have |
Always tap OK before exiting a screen you have changed. Then restart |
|
taken effect. |
the Client from the Client menu on the main screen. |
|
|
|
|
How do I enable peer-to-peer (ad-hoc) mode to |
• |
On the Wireless Networks tab, add a new profile to the Configured |
have two clients communicate without an AP? |
|
Network list. |
|
• |
On the Profile Info tab, give each side the same network name (SSID). |
|
• |
Select Peer-to-Peer Group (ad hoc mode) and Do active scan. |
|
• |
On the WEP management section, select Use key for data encryption |
|
|
and enter an identical key for both clients. |
|
• |
Verify that this network profile is the first (or only) one in the |
|
|
Configured Network list and try to restart both clients at roughly the |
|
|
same time. |
|
|
|
9 - 34 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
How 802.1X Works
The network elements in the above graphics are those involved in a typical wireless LAN. When 802.1X is running, a wireless device must authenticate itself with the AP in order to get access to the Existing LAN. With respect to the terms used in the 802.1X standard, APs (APs) function as authenticators and wireless devices function as supplicants. The authenticator keeps a control port status for each Client it is serving. If a Client has been authenticated, its control port status is said to be Authorized, and the Client can send application data to the LAN through the AP. Otherwise, the control port status is said to be Unauthorized, and application data cannot traverse the AP.
Typical Message Exchange Using MD5 or TLS
The above graphic displays the typical message exchange when the device and the AP support 802.1X. When an AP acting as an authenticator detects a wireless station on the LAN, it sends an EAP-Request for the user's identity to the terminal. In turn, the terminal responds with its identity, and the AP relays this identity to an authentication server, which is typically an external RADIUS server.
The RADIUS server can then act as a central repository of user profile information. Such use of a centralized authentication server allows the user to access wireless LANs at many different points, but still be authenticated against the same server. In response to the Access-Request, the RADIUS server sends an Access-Challenge to the AP, which is then relayed in the form of an EAP-Request to the device. The device sends its credentials to the AP, which in turn relays them to the RADIUS server. The RADIUS server determines whether access to the network is accepted or denied based on the Client's credentials.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 35 |
Typical Message Exchange Using TTLS and PEAP
The above graphic shows a typical message flow for a TTLS transaction. TTLS authentication comprises two phases. In Phase 1, TLS is used to authenticate the TTLS server to the client. The TTLS server may optionally request authentication of the client's certificate, but by default the client verifies only the server's certificate. The TLS handshake is negotiated between the client and the TTLS server. Following the TLS handshake, Phase 2 may proceed using a secure channel (tunnel) provided by the TLS record layer. The secure tunnel is then used to exchange information for the negotiation of the following legacy protocols: EAPMD5, PAP, CHAP, MS-CHAP, or MS-CHAPV2 (subject to support by the AAA server). A TTLS server may perform the authentication, or the information may be de-tunneled and passed on to an AAA server. The AAA server is the server in the user's home domain where authentication and authorization are administered.
PEAP works in the same manner as TTLS. However, supports different legacy protocols within the encrypted Phase 2 tunnel. Currently the tunneled protocols are EAP-MSChapV2 and EAP-TLS/SmartCard. Like TTLS, the use of a client certificate is optional, if one is used, the same certificate is used for Phase 1 and Phase 2. The client certificate is optional for both phases.
Benefits of 802.1X
Central User Administration
The Client allows network administrators to continue to use RADIUS or another AAA server as their centralized authentication server. In 802.11b, where authentication took place between the AP and the station, there was no concept of passing credentials from the AP to an authentication server. For LANs this was fine. However, as users began to use their devices in remote locations, the security provided became inadequate. 802.1X solves this problem by allowing APs to pass client credentials to the appropriate authentication server.
9 - 36 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
For example, the following graphic displays the authentication flow for a mobile user who wishes to create a virtual private network with his home office.
By using the Client, the user can associate with a wireless network provided by a third party, in this case the ISP. We assume that the company and the ISP have established a service relationship beforehand. When the ISP receives the user's credentials, the ISP proxies the credentials to the company's AAA server, which returns a message telling the ISP to either accept or deny the user access. This response is then propagated to the remote user.
Dynamic Session Specific Wireless Encryption Keys
There have been many published reports recently about the lack of security provided by the Wired Equivalent Privacy (WEP) protocol. One of the problems with WEP is that the shared key used by the station and the AP is inherently static. That is, this shared key will only change if it is manually reconfigured on both devices. The Client remedies this by supporting the Transport Layer Security (TLS) protocol. TLS ensures that a new shared key is generated each time a station associates itself with an AP. TLS has proven itself an excellent authentication and encryption protocol in commercial environments. The Client also supports the MD5 and TTLS security protocols.
Additional Advantages of TTLS and PEAP
The Client provides the advantage of Tunneled TLS (TTLS) and PEAP support. These protocols provide the security of TLS with greatly reduced administrative load. Security is enhanced by never passing user ID and password in the clear. No "real" user ID or password is required in Phase 1. After the secure tunnel is established, Phase 2, user credentials are passed in safe, encrypted form. To further enhance security, the WEP keys, which encrypt the data between the wireless card and the AP, may be automatically changed on a per-session basis, limiting the time available to an unauthorized sniffer to crack the keys. By limiting the session time (the reauthentication period), the keys can essentially be made uncrackable.
Administration is eased by greatly reduced certificate requirements in comparison to TLS. In TLS, each client must have a client certificate to pass to the server, and a CA certificate with which to verify a server certificate, while the server must have a client certificate from each user and CA certificates for each possible CA chain and its own server certificate. TTLS and PEAP require only that a single server certificate be created for the server to present to the client, and that the client have a CA certificate to verify the server. Because these are the same for each client on the network, they are easily managed, unlike TLS, where every client certificate is unique. TTLS and PEAP thus provide the security of a TLS channel without the need for managers to distribute and manage client certificates. Lastly, TTLS allows for the use of existing legacy authentication protocols. Administrators may continue to use established authentication databases.
Cisco LEAP
The message exchange used by Cisco LEAP is proprietary. This protocol is not a standard EAP type, but is supported by the Client through a licensing arrangement with Cisco.
Relative Merits of Authentication Protocols
MD5 is the least secure of the EAP protocols as it only does a one-way authentication, and does not support automatic distribution and rotation of WEP keys, increasing the administrative burden of manual WEP key maintenance.
TLS, while the most secure EAP protocol, requires client certificates to be installed on each wireless client. Establishing and maintaining this PKI infrastructure is normally a burden most administrators do not feel is worth the extra level of security gained.
TTLS and PEAP bypassed the certificate issue by tunneling TLS, and thus eliminating the need for a certificate on the client side. PEAP supports only EAP-compliant authentication protocols within the tunnel structure, and is rapidly becoming the most widely supported of the EAP methods. TTLS supports pre-EAP authentication protocols within the tunnel structure, and should be used in those circumstances when pre-EAP interior protocols are desirable.
LEAP is a pre-EAP, Cisco-proprietary protocol, with many of the features of EAP protocols. Cisco controls the ability of other vendors to implement this protocol, so it should be selected for use only when limited vendor choice for client, access-point, and server products is not a concern.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
9 - 37 |
Differences Between Protocols
Security Feature |
MD5 |
TLS |
TTLS |
PEAP |
LEAP |
|
|
Challenge |
|
|
|
|
|
Client -side certificate required? |
No |
Yes |
No |
No |
No |
|
Server-side certificate required? |
No |
Yes |
No |
Yes |
No |
|
Dynamic WEP Re-keying |
No |
Yes |
Yes |
Yes |
Yes |
|
Mutual or One-way Authentication? |
One-way |
Mutual |
Mutual |
Mutual |
Mutual |
|
Support of non-EAP protocols within |
N/A |
N/A |
Yes |
No |
N/A |
|
a secure tunnel? |
||||||
|
|
|
|
|
||
Relative Deployment Complexity |
Simple |
Difficult |
Moderate |
Moderate |
Moderate |
|
Relative Security |
Poorest |
Highest |
High |
High |
High |
9 - 38 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
10
Wireless PAN Communications with Bluetooth
Overview
Dolphin 7900 terminals are available with a Bluetooth radio for WPAN (Wireless Personal Area Network) usage. When the mobile computer is first initialized, the *.cab file and module for Bluetooth are installed.
Enabling the Bluetooth Radio Driver
Before using the radio, make sure that the Bluetooth radio is enabled. When the radio driver is enabled, the Bluetooth icon appears in the task tray on the Today screen.
Radios are enabled in the Radio Manager utility; see Enabling Radios and Radio Combinations on page 4-7.
Setting Up Your Bluetooth Card
Note: If you use the Get Connected! Wizard, which is recommended for normal usage, then this step is not necessary. This step would be used to change the friendly name of your mobile computer.
1.Tap the Bluetooth icon that appears in the task tray on the Today screen.
2.In the pop-up menu, select Advanced Features, then My Bluetooth Device. (If you installed OBEX, the menu also lists Transfer via Bluetooth.)
3. In the My Bluetooth Device screen, you can modify the Friendly Name and make any desired configuration changes. When done, tap OK.
•In normal phone connect operation, Discoverable mode is not needed and should be disabled.
•If you do enable Discoverable mode (e.g., for ActiveSync), note that it does not shut off by itself. To save power, remember to disable it when not needed.
•Connectable, Use Authentication, and Use Encryption are also not required for printing or dial-up networking applications.
•Check Use Authentication to enable the Use Encryption option.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
10 - 1 |
Assign COM Ports
Follow these steps to view and/or modify the Bluetooth COM ports. If you are not going to use the IrDA port, you can disable it to free up a port for Bluetooth devices; see Using Infrared on page 8-5.
1. Tap on the Bluetooth icon on the Today screen. Select Advanced Features then My Bluetooth Device.
Note: If you installed OBEX, the menu also lists Transfer via Bluetooth.
2. The My Bluetooth Device screen appears. Tap on the COM Ports tab.
3. As needed, view and/or enable/disable the Bluetooth COM port assignments. Tap OK.
Note: The Bluetooth Phone port cannot be disabled. For more information about COM ports, see Com Port Assignment Table on page 7-20.
Discover Bluetooth Device(s)
Follow these steps to discover other Bluetooth devices nearby, including non-phone devices. The Device Discovery Wizard is a more detailed alternative to using the Bluetooth “Get Connected!” Wizard or Bluetooth ActiveSync or Bluetooth LAN Access options. The Device Discovery Wizard allows you to discover any type of Bluetooth device.
1.If not open, launch the Bluetooth Devices folder. Tap on the Bluetooth icon on the Today screen. Select Advanced Features then Bluetooth Devices.
2.In the Bluetooth Devices Folder, tap on the Device Discovery icon. Or you can tap on Tools. In the pop-up menu, select Device Discovery.
10 - 2 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
3.Follow the Bluetooth Device Discovery Wizard to search for Bluetooth devices nearby. When prompted, select the device type you seek.
4. When the search is complete, a screen reports the discovered Bluetooth devices. Check the box next to any device you wish to save information about, (i.e., any devices you wish to connect to). Tap Next.
5.A service discovery phase begins, 5-10 seconds per chosen device.
6.In the next screen, tap Finish.
Bond With Discovered Device(s)
Follow these steps to bond with an already discovered Bluetooth device. In most cases, bonding is for establishing secure communications with a Bluetooth-enabled phone. This is a more detailed alternative to using the Bluetooth “Get Connected! Wizard.”
Important!
•Do not try to bond with a Motorola Timeport 270C or Nokia 6310!
•Do not use this method to bond with a printer! The third-party printing software included on the installation CD also handles bonding.
1.If not open, launch the Bluetooth Devices folder. Tap on the Bluetooth icon in the Today screen. Select Advanced Features, then Bluetooth Devices.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
10 - 3 |
2. Tap and hold your stylus on the Bluetooth device you want to bond with. In the pop-up menu, select Bond.
3. Alternatively, after selecting a device, tap on the Bond icon. Or tap on Device, then select Bond.
4. The Bluetooth Device Bonding Wizard launches. Follow the wizard to bond with your selected device.
10 - 4 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
5. As prompted, make sure the Bluetooth device that you want to bond with is in Bondable mode.
6.If the remote device is set up to accept bonding, a Bluetooth Passkey screen appears. To continue bonding, enter the correct passkey and tap Reply.
7. When you have successfully bonded with the other device, tap Finish.
View Device Properties
Follow these steps to view the properties of an already discovered device.
1.If not open, launch the Bluetooth Devices folder. Tap on the Bluetooth icon on the Today screen. Select Advanced Features then Bluetooth Devices.
2.Select a device. Tap on the Properties icon, or tap on Device then select Properties. Alternatively, you can tap and hold your stylus on the Bluetooth device you want to view information about. In the pop-up menu, select Properties.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
10 - 5 |
3. Use the General and Services screens to research device properties. If needed, assign a new device type icon by tapping on the arrow buttons in the General screen. You can also use the Device name field to rename the device. When done, tap OK for the setting to take effect.
Set Up Your Favorite Device
Follow these steps to set up default devices in the Bluetooth Devices folder. Please note that the Get Connected! Wizard automatically assigns the favorite phone.
Complete these steps:
1.Tap on Tools and select My Favorites.
2.Tap on the tab for the type of device you would like to set a favorite for. If needed, use the arrow buttons to scroll and find the tab you need.
Note: Tabs appears only for COM ports you have enabled. To enable a port, refer to the “Assign COM Ports” section earlier in this chapter.
3.To select a favorite device, select Use the favorite selected above. In the drop-down list, select your device. Tap OK.
4.After setting a device as your favorite, its icon appears in the Bluetooth Devices folder with a heart next to it.
Change Views
You can switch between the Large Icons or Details views for the Bluetooth Devices folder.
1. In Bluetooth Devices, tap on View.
10 - 6 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
2. In the pop-up menu, choose between Large Icons or Details.
Large Icons Details
Note: In Details view, you can see the Device Class and scroll right to see the current Bonded status.
Delete a Device From the Folder
If you no longer plan to connect with it, you can delete a device from the Bluetooth Devices folder.
1.If not open, launch the Bluetooth Devices folder.
2.Tap and hold your stylus on the device you wish to delete. In the pop-up menu, select Delete.
3.Alternatively, after selecting a device, tap on the Delete icon. Or tap on Device then select Delete.
4.A Confirm screen appears. Tap Yes.
Turn Radio Transmitter ON/OFF
You may want to turn off the radio transmitter to save power or if you are entering an area with radio restrictions (e.g., an airplane). 1. The Bluetooth icon should appear in the task tray on the Today screen. Tap on the icon.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
10 - 7 |
2. In the pop-up menu, select Turn Transmitter OFF.
3.The Bluetooth Card radio transmitter shuts off. The Bluetooth icon in the task tray becomes gray, as well as relevant menu options (e.g., Get Connected!).
4.To turn the radio transmitter back on, tap on the gray Bluetooth icon. In the pop-up-menu, select Turn Transmitter ON.
Bluetooth ActiveSync
This section explains how to use the Bluetooth ActiveSync feature. It helps you quickly and easily ActiveSync to a notebook or desktop computer with ActiveSync v3.x installed.
1. Tap on the Bluetooth icon. In the pop-up menu, select Bluetooth ActiveSync.
2.The next screens varies depending on if your Bluetooth Devices folder contains any computers, and if one is chosen as your favorite. Please refer to the appropriate scenario:
SCENARIO #1: Your Bluetooth Devices folder contains a favorite desktop computer.
(a)When you tap Bluetooth ActiveSync, your mobile computer automatically tries to connect to your favorite computer.
(b)The Connect To screen appears, reporting that it is trying to connect to Wireless ActiveSync.
(c)After a successful connection is made, the status screen reports Connected. Now you are ready to synchronize files, if desired.
SCENARIO #2: Your Bluetooth Devices folder contains no favorite desktop computer.
10 - 8 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
(a)When you tap on Bluetooth ActiveSync, a screen appears that allows you to choose which computer to connect to in your Bluetooth Devices folder. Choose a computer from the list and tap Select, or tap Find to search for another computer.
Note: If the computer you want to connect to is not listed, tap Find to begin a search. Proceed as described in Scenario #3 on page 10-9.
(b) Your mobile computer attempts to connect to your selected computer.
(c)After a successful connection is made, the status screen reports Connected. Now you are ready to synchronize files, if desired.
SCENARIO #3: Your Bluetooth Devices folder contains no computers.
(a) When you tap on Bluetooth ActiveSync, a Bluetooth Device Search automatically begins.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
10 - 9 |
Note: You can also start the device search by tapping Find in the Bluetooth Devices screen.
(b)After the search is complete, select the computer you wish to ActiveSync with and tap Select. If the computer is not listed, make sure the computer is discoverable and tap Refresh to search again.
(c)After you tap Select, a service discovery phase begins.
(d)The Connect To screen appears, reporting that it is trying to connect to Wireless ActiveSync.
(e) After a successful connection is made, the status screen reports Connected. Now you are ready to synchronize, if desired.
Bluetooth LAN Access
This section explains how to use the Bluetooth LAN Access feature to quickly and easily connect to a Bluetooth-enabled LAN AP. 1. Tap on the Bluetooth icon. In the pop-up menu, select Bluetooth LAN Access.
2.The next screens varies depending on if your Bluetooth Devices folder contains any APs, and if one is chosen as your favorite. Please refer to the appropriate scenario:
SCENARIO #1: Your Bluetooth Devices folder contains no favorite AP.
10 - 10 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
(a)When you tap Bluetooth LAN Access, a screen appears that allows you to choose which AP to connect to in your Bluetooth Devices folder. Choose an AP from the list and tap Select.
Note: If your AP is not listed, tap Find and proceed as described in Scenario #3.
(b) Your mobile computer tries to connect to the selected AP.
(c)If your LAN requires a passkey, a screen appears asking for the passkey. Enter the passkey, then tap OK.
(d)After a successful connection is made, the status screen reports Connected.
(e) Now you are ready to access your LAN for Internet access, files, etc.
SCENARIO #2: Your Bluetooth Devices folder contains a favorite AP.
(a) When you tap Bluetooth LAN Access, your mobile computer automatically tries to connect with your favorite AP.
(b)If your LAN requires a passkey, a screen appears, asking for the passkey. Enter the passkey, then tap OK.
(c)After a successful connection is made, the status screen reports Connected.
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. Rev (c) 4/11/05 |
10 - 11 |
(d) Now you are ready to access your LAN for Internet access, files, etc.
SCENARIO #3: Your Bluetooth Devices folder has no APs.
(a) When you tap Bluetooth LAN Access, the mobile computer automatically begins to search for new Bluetooth devices.
Note: You can also start the device search by tapping Find in the Bluetooth Devices screen. See Scenario #2 on page 10-8.
(b)After the search is complete, select the AP you wish to connect to. Tap Select. If the AP is not listed, tap Refresh to search again.
(c) After you tap Select, a service discovery phase begins.
(d)If the LAN requires a Passkey, a screen appears, asking for the Passkey. Enter the passkey, then tap OK.
(e)After a successful connection is made, the screen reports Connected.
(f)Now you are ready to access your LAN for Internet access, files, etc.
OBEX
This section explains how to use the OBEX (object exchange) application to trade business cards, contacts or files with another Bluetooth device that supports OBEX.
Bluetooth OBEX application supports five operations:
•Exchange Business Cards
•Send a Contact
•Send a File
10 - 12 |
Dolphin® 7900 Series Mobile Computer User’s Guide-Prelim. |
Rev (c) 4/11/05
Loading...