This shows you the differences between two versions of the page.

android_ocr [2014/02/28 21:50]
ybarajas [Next Steps]
android_ocr [2014/04/14 22:49] (current)
ybarajas [Next Steps]
Line 1: Line 1:
 +====== On-Campus Roaming ======
 +**Available for:** //Android 2.6.0 and later clients//
 +If On-Campus Roaming (OCR) is enabled, users can log in to a corporate network with an 802.1x connection. Although Wi-Fi is ubiquitous, security and authentication standards may widely vary from location to location. OCR enables users to be more productive on a far-flung corporate campus, and allows easy access for guests and contractors,​ without needing to use multiple connection managers.
 +Campus hotspots are automatically detected and presented as Wi-Fi networks. Users can log in using their regular Open Mobile credentials. Open Mobile sets the proper SSID and security method.
 +In order for a user to connect to an 802.1x network, the network must be included in a custom directory, and the directory included in an Open Mobile profile installed on the user's device. ​
 +Open Mobile for Android supports the PEAP-MSCHAPV2 and TTLS-MSCHAPV2 authentication types (both with and without certificate authentication) for use with OCR.
 +OCR networks will be displayed in Open Mobile with the custom networks icon:​{{::​custom_connection.png?​nolink&​20|}} ​
 +**Forced Auto-Connect:​** If the Forced Auto-Connect option is enabled for the directory, users will automatically be connected to the 802.1x network if it is within range (and their credentials have been saved). ​
 +<note important>​Ordinarily,​ Open Mobile will only display, and permit connections to, local 802.1x networks that are specified in a custom network directory. However, if a user connects to one of these networks using the native Android connection setting, Open Mobile will display the connected network in the list of Available Network. However, it will not facilitate disconnection and will serve as a display-only observer for the network.
 +===== Configuring OCR for an Android Profile =====
 +The process of configuring OCR for an Open Mobile for Android profile is as follows:
 +  - Create (or choose) a profile for which to enable OCR.
 +  - Download the sample directory file, and customize the sample directory to specify the settings for a single 802.1x network.
 +  - Upload the custom directory to the Open Mobile Portal.
 +  - If connectivity will include certificate validation, upload the certificate as a profile attachment. ​
 +  - Publish the profile to test, and then distribute the test profile to your test users.
 +  - After testing is complete, publish the profile to production and distribute it to your user base.
 +==== Creating an OCR 802.1x Directory ====
 +An OCR 802.1x directory must be a validly formatted XML file that describes a single 802.1x network. You will need to determine values for the network parameters in the file, and then specify them in the XML file settings. To specify more than one 802.1x network, use a separate directory file for each one.
 +An annotated sample OCR directory {{:​8021x_customer_directory_template.xml|can be downloaded here}}. Edit and save it to create your own 802.1x directory. The sample directory includes instructions for customizing the file with your own network information.
 +You should use an XML editor to edit the file.
 +**To create an OCR 802.1x directory for a single 802.1x network,**
 +  - {{:​8021x_customer_directory_template.xml|Download the sample file}}.
 +  - Open the file in an XML editor of your choice.
 +  - Following the annotations in the file, edit the file as needed for a single network.
 +  - To enable certificate authentication,​ in the XML file, ensure that the //​ValidateCertificate//​ flag is set to true, and replace the value //​myrootCAcert.cer//​ with the name of your actual certificate file. 
 +  - Save the file with the desired filename.
 +===== Enabling OCR for a Profile =====
 +Enabling OCR for an Android 2.6.0 or later profile involves uploading the directory file to the Open Mobile Portal to make it available for assignment, and then actually assigning it to a profile. In addition, to enable certificate authentication,​ the certificate file must be attached to the selected profile.
 +==== Uploading the Directory File ====
 +**To upload an OCR directory file to the Open Mobile Portal,**
 +  - Log into the Open Mobile Portal.
 +  - Under **Client Configuration**,​ pick **Upload Networks.**
 +  - Under **Wi-Fi Networks Directories**,​ click **Manage**.
 +  - On the **Wi-Fi Directories** page, click **Import Directory**.
 +  - On the **Import Wi-Fi Directory** page, in **Display Name**, enter the name of the directory as it will be displayed in the Portal (for example, //Corporate HQ Directory//​). ​
 +  - Click **Browse**. Select the directory XML file you have previously created. The directory will now be available to add to profiles.
 +{{ :​uploadnetworks.jpg?​450 |}}
 +==== Assigning the Directory to a Profile ====
 + ** To add an uploaded OCR directory file to a profile,​**  ​
 +  - Under **Client Configuration**,​ pick **Manage Profiles.** ​
 +  - Select (or create) an Android 2.6.0 or later profile to which you will add the customer directory.
 +  - Under **Actions**,​ pick //Manage//.
 +  - Under **Networks and Policies**, click **Configure**.
 +  - For **Wi-Fi**, under **Actions**,​ click **Configure**.
 +  - Under **Available Lists**, the OCR directory you have previously uploaded will be displayed. Select it, and then click the right arrow to assign it to the profile.
 +  - To enable Forced Auto-Connect for the directory, click **Authentication Settings.** Select the directory in the list of assigned directories. Under **Forced Auto-Connect**,​ select //Yes//. Then, click **Back**.
 +  - Continue assigning other directories if needed, repeating Steps 6-7.
 +  - Click **Save** to save your directory assignments.
 +{{ :​ocrdirectory.jpg?​450 |}}
 +==== Attaching the Certificate ====
 +If you choose to enable certificate authentication for your selected OCR authentication type, the certificate must be included in the OCR-enabled profile as a profile attachment. (You may attach multiple certificates to a profile if necessary.)
 +  - Under **Client Configuration**,​ pick **Manage Profiles.** ​
 +  - Select the Android 2.6.0 or later profile to which you have previously assigned the OCR directory.
 +  - Under **Actions**,​ pick //Manage//.
 +  - Under **Custom Profile Attachments**,​ click **Configure**.
 +  - On the **Custom Profile Attachments** page, click **Attach File**. ​
 +  - Locate the certificate file you wish to upload, and pick **Open**. The file is now attached to the profile. (Note that the name of the selected certificate file must match the name of the certificate you specified in the custom directory XML file.)
 +  - Continue to upload other certificates as needed.
 +{{ :​customprofileattachments.jpg?​450 |}}
 +==== Next Steps ====
 +You can now continue to edit the selected profile as needed with any other desired settings. When complete, publish the profile to Test and distribute it to your test users. Perform thorough testing on your OCR-enabled profile. After testing, the profile may be published to production and distributed to your user base.
 +=== Enabling the Security Certificate on an Android Device ===
 +If On-Campus Roaming has been enabled for a device, and you have chosen to attach a security certificate to the profile, then when first launching Open Mobile, the user will be required to install the certificate. The user will also be prompted to set a lock screen PIN or password for the device, if one has not been previously set.
 +  * On Android OS 2.2 or 2.3, the user should follow the prompts to enable the lock screen PIN or password for the device. Do not rename any certificate filename; use the default name. The certificate filename is presented, but the user should use the default name and not rename the file. 
 +  * On Android 4.0 and later versions, this procedure is called Enabling Credential Storage. The user can follow the prompts to enable credential storage on the device, as well as to set the lock screen PIN or password. The certificate filename is presented, but the user should use the default name and not rename the file.
 +{{ :​4.0-3.png?​direct&​150 | }}
 +Go to: **[[android_help|Open Mobile for Android]]**
 +{{tag>​ocr 802.1x}}
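Review bot: The `<note important>` block opened on the line starting "Ordinarily, Open Mobile will only display" is never closed before the "Configuring OCR for an Android Profile" heading, so a closing `</note>` is needed at the end of that paragraph. The same paragraph reads "list of Available Network" and starts two consecutive sentences with "However". In the Android OS 2.2 or 2.3 bullet the instruction not to rename the certificate file is given twice in a row; keep one. The Forced Auto-Connect paragraph says users are connected automatically with saved credentials whenever the 802.1x network is in range, while the authentication types are described as usable "both with and without certificate authentication", so the page should say whether //ValidateCertificate// is expected to be true for directories that enable Forced Auto-Connect.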

©2015 iPass Inc. All rights reserved.