Configuring OCR with Open Mobile for Windows

On-Campus Roaming (OCR) configuration is available in Open Mobile 1.2.1 for Windows and later. It requires an administrator to acquire encryption and authentication information from a test client, and then publish that information to other client profiles as a custom network directory.

The complete OCR configuration procedure has these steps:

  1. Enabling 802.1x export in a test profile.
  2. Publishing the test profile to a test system.
  3. Configuring OCR on the test system and exporting the XML configuration file.
  4. Uploading the configuration file to the Open Mobile Portal.
  5. Including the uploaded configuration file in one or more Open Mobile profiles.

Please see Manage Profiles for more information.

Enabling 802.1x Export

First, select an Open Mobile profile and enable 802.1x export in that profile.

To enable 802.1x export in an Open Mobile profile:

  1. Log in to the Open Mobile Portal.
  2. Click Configuration | Manage Profiles. Then, next to the profile you wish to use, choose Manage.
  3. Under Networks and Policies, click Configure.
  4. Under Wi-Fi, click Configure.
  5. Confirm that Enable Wi-Fi is selected, and then click Save.
  6. Under Wi-Fi | Advanced Settings, pick Configure.
  7. Check Enable 802.1x network configuration, and select View, Edit and Export network configurations.
  8. Click Save to save network settings.
  9. Configure the rest of the test profile as needed.

Publishing the Test Profile

Next, publish the test profile to a test system.

To publish the test profile to a test system:

  1. On a test system, do one of the following:
    • If the test system already has Open Mobile installed with the same profile number as your test profile, update Open Mobile by right-clicking the iPass system tray icon and selecting Update, OR
    • If the test system doesn’t have this client profile, build the profile installer, and then download and install the new client.

Configuring OCR on a Test System

Third, configure OCR on the test system with the test profile. This will set parameters in your OCR configuration file, which you can then export to other profiles.

Before Setting Parameters

Before setting parameters for the OCR configuration file, you should note the following:

Encryption method: Determine the encryption method for your selected OCR network. If you are uncertain which encryption method is being used, check the Windows wireless tray menu. Hold the cursor over the network in question to display the encryption type.

Authentication method: Open Mobile currently supports these methods:

  • PEAP-MS-CHAPv2 on Windows 7, Vista and XP.
  • EAP-TLS on Windows 7, Vista and XP (for Open Mobile 1.4.1).
  • PEAP-TLS on Windows 7 and Vista.

Choose the procedure outlined here based on your version of Open Mobile.

For Open Mobile Versions 1.4.1 and Later

Follow this procedure for Open Mobile version 1.4.1 and later.

To configure an OCR connection method:

  1. Click Options | Wi-Fi.
  2. Click Campus Networks.
  3. Under Connection Methods, click Add.
  4. Do the following:
    1. In Method Name, enter a descriptive name, such as MSCHAPv2.
    2. In the Authentication Protocol drop-down, select the 802.1x method for your network.
    3. If you are employing a user-based authentication mode and wish to use your iPass roaming credentials for authentication, in Credential Source, select Account. Then, from the Account Name drop-down list, select the account configured for Open Mobile to use.
    4. Enter the protocol-specific connection settings as required for your connection method, such as authorization mode, outer and inner tunnel, trusted certificate authorities, and other settings.
  5. Click Save.

Now, try to connect to the 802.1x network. If the connection is unsuccessful, adjust your settings and make sure they are correctly entered. Your settings will be stored in an XML configuration file.

When the settings are correct, and you are able to make a successful 802.1x connection, export the XML file. The XML file must be exported to an unencrypted folder (such as any iPass Open Mobile folder).

To export the XML configuration file:

  1. Select Options | Wi-Fi.
  2. Click Campus Networks.
  3. Configure your network connection settings as required, then click Save.
  4. Click Export. Your settings will be exported as an XML file.
  5. Browse to an unencrypted folder in which to save the XML export file, and then name and save the file.

Key Usage

Open Mobile does not enable the specification of a value for the optional Key Usage flag. If you need to indicate a value for Key Usage, you will need to specify the value in an XML editor manually, before uploading the configuration file. The following table illustrates the range of hexadecimal values for the Key Usage flag.

Flag              Hexadecimal Value  Description
EncipherOnly      1                  The key can be used for encryption only.
CrlSign           2                  The key can be used to sign a certificate revocation list.
KeyCertSign       4                  The key can be used to sign certificates.
KeyAgreement      8                  The key can be used to determine key agreement.
DataEncipherment  10                 The key can be used for data encryption.
KeyEncipherment   20                 The key can be used for key encryption.
NonRepudiation    40                 The key can be used for authentication.
DigitalSignature  80                 The key can be used for digital signature.
DecipherOnly      8000               The key can be used for decryption only.

Key Usage values can be single or composite. The following example shows a single Key Usage value of 80 (for Digital Signature).

<UserCertificate>
  <CriteriaList>
    <Criteria>
      <Key>Issuer</Key>
      <Value>iPassOCRCA</Value>
    </Criteria>
    <Criteria>
      <Key>Key Usage</Key>
      <Value>80</Value>
    </Criteria>
  </CriteriaList>
</UserCertificate>

You can also specify a composite value, which requires all of the combined properties to be present in the certificate selected for authentication. Use the bitwise OR operation to combine the flag values. For example:

  • Digital Signature and Key Encipherment = A0 (result obtained after ORing the two flags).
  • Digital Signature and Non-repudiation = C0.
  • Data Encipherment, Key Encipherment and Non-repudiation = 70.

To edit the Key Usage flag in the XML configuration file:

  1. Open the exported XML file in an XML editor.
  2. Set the values as shown above for Key Usage.
  3. Save and close the XML configuration file.
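
The composite values above can be computed and checked instead of being worked out by hand before the file is uploaded. The following is an added example, not iPass code: it assumes the exported file contains the <UserCertificate> layout shown on this page, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

# Flag values (hexadecimal) copied from the Key Usage table above.
KEY_USAGE = {
    "EncipherOnly": 0x1, "CrlSign": 0x2, "KeyCertSign": 0x4,
    "KeyAgreement": 0x8, "DataEncipherment": 0x10, "KeyEncipherment": 0x20,
    "NonRepudiation": 0x40, "DigitalSignature": 0x80, "DecipherOnly": 0x8000,
}

def compose(*flags):
    """OR the named flags; return the hex string to place in <Value>."""
    value = 0
    for name in flags:
        if name not in KEY_USAGE:
            raise ValueError(f"unknown Key Usage flag: {name}")
        value |= KEY_USAGE[name]
    return format(value, "X")

def decode(hex_value):
    """List the flags set in a hex <Value>; reject bits not in the table."""
    value = int(hex_value, 16)
    undefined = value & ~sum(KEY_USAGE.values())
    if undefined:
        raise ValueError(f"undefined Key Usage bits: {undefined:X}")
    return [name for name, bit in KEY_USAGE.items() if value & bit]

def set_key_usage(xml_text, *flags):
    """Set, or add, the Key Usage criterion in every <UserCertificate>."""
    root = ET.fromstring(xml_text)
    for cert in root.iter("UserCertificate"):
        criteria = cert.find("CriteriaList")  # assumed present, as on this page
        for crit in criteria.findall("Criteria"):
            if crit.findtext("Key") == "Key Usage":
                crit.find("Value").text = compose(*flags)
                break
        else:  # no Key Usage criterion yet: append one
            crit = ET.SubElement(criteria, "Criteria")
            ET.SubElement(crit, "Key").text = "Key Usage"
            ET.SubElement(crit, "Value").text = compose(*flags)
    return ET.tostring(root, encoding="unicode")

# Constructed sample: the page's fragment, without a Key Usage criterion.
SAMPLE = ("<UserCertificate><CriteriaList><Criteria><Key>Issuer</Key>"
          "<Value>iPassOCRCA</Value></Criteria></CriteriaList></UserCertificate>")

if __name__ == "__main__":
    print(set_key_usage(SAMPLE, "DigitalSignature", "KeyEncipherment"))
    print(decode("70"))
```

Running decode on the value already in a file before uploading it catches a mistyped digit that would otherwise silently change which certificates match.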

For Open Mobile Versions 1.3.1 and Earlier

Follow this procedure for Open Mobile client versions 1.3.1 and earlier.

To configure OCR on the test system:

  1. In Open Mobile, click Tools | Networks, and then select Campus Networks.
  2. Click Add Network and enter these settings:
    • Network Name: Enter the SSID of the 802.1x network.
    • Security: Enter the encryption method, such as WPA2-AES.
    • In Connection Method, click Add.
      1. In Method Name, enter a descriptive name, such as MSCHAPv2.
      2. In the Authentication Protocol drop-down, select the 802.1x method for your network.
      3. If you are employing a user-based authentication mode and wish to use your iPass roaming credentials for authentication, in Credential Source, select Account. Then, from the Account Name drop-down list, select the account configured for Open Mobile to use.
      4. Enter the protocol-specific connection settings as required for your connection method, such as authorization mode, outer and inner tunnel, trusted certificate authorities and other settings.
      5. To enable quick reconnections for this protocol after being disconnected, select Fast Reconnect.
  3. Click Save to save the connection method settings, and then click Save again to save the network settings. Name and save the XML file.

If you save the file to a location on your hard drive that uses disk encryption, you will not be able to view the XML file manually.

Now, try to connect to the 802.1x network. You may need to select the network manually from the list of SSIDs.

If the connection is unsuccessful, adjust your settings and make sure they are correctly entered. Return to Campus Network configuration, choose Modify instead of Add, and modify the settings as required.

When the settings are correct, and you’re able to make a successful 802.1x connection, export the XML configuration file.

To export the XML configuration file:

  1. In Open Mobile, pick Tools | Networks, and then select Campus Networks.
  2. Select the method you just created, and click Export.
  3. Browse to a location to save the XML export file.

Uploading the Configuration File to the Open Mobile Portal

You can now upload the configuration file to the Open Mobile Portal as a custom network directory.

To upload a custom OCR configuration file:

  1. Log into the Open Mobile Portal. Click Configuration, and then select Upload Networks.
  2. Under Wi-Fi Network Directories, click Manage.
  3. Click Import New Directory.
  4. Give the custom directory a descriptive name. You will see this name in the client configuration later.
  5. Click Browse and select the XML configuration file you exported earlier, and then click Upload File.

When the upload finishes, you should see the new OCR directory in the list of available directories.

Configuring a Profile

Finally, you can configure one or more profiles with the uploaded configuration file. This will make your local, functioning 802.1x settings a permanent part of an Open Mobile client profile.

To configure a profile with the new configuration file:

  1. In the Open Mobile Portal, on the Configure tab, select Manage Profiles.
  2. Next to the profile you wish to enable for 802.1x, select Manage.
  3. Under Choose Networks, click Configure.
  4. Under Enable Wi-Fi and Unassigned Wi-Fi Hotspot Lists, locate the file you previously uploaded.
  5. Using the arrow keys, move the directory to the Assigned Wi-Fi Hotspot Lists on the right.
  6. Click Show Advanced Options, and then de-select the checkbox for Enable 802.1x network configuration. Note: If you are done configuring 802.1x networks, de-selecting the checkbox will prevent users from capturing and exporting 802.1x information.
  7. Click Save to save your network settings.
  8. Publish the updated profile to Test again.

At this point, users will be able to connect to the 802.1x network when it is in range. The network will be displayed in Open Mobile as a custom network.

©2015 iPass Inc. All rights reserved.