Differences

This shows you the differences between two versions of the page.

configuring_ocr_in_open_mobile [2012/11/09 19:28]
emessina
configuring_ocr_in_open_mobile [2014/03/03 22:10] (current)
ybarajas [Configuring a Profile]
Line 1: Line 1:
 +====== Configuring OCR with Open Mobile for Windows ======
 +
 +On-Campus Roaming (OCR) configuration is available in Open Mobile 1.2.1 for Windows and later. It requires an administrator to acquire encryption and authentication information from a test client, and then publish that information to other client profiles as a custom network directory. ​
 +
 +The complete OCR configuration procedure has these steps:
 +  - **Enabling 802.1x export in a test profile.**
 +  - **Publishing the test profile to a test system.**
 +  - **Configuring OCR on the test system and exporting the XML configuration file.**
 +  - **Uploading the configuration file to the Open Mobile Portal.**
 +  - **Including the uploaded configuration file in one or more Open Mobile profiles.**
 +
 +Please see [[Manage Profiles]] for more information.
 +
 +===== Enabling 802.1x Export =====
 +
 +First, select an Open Mobile profile and enable 802.1x export in that profile.
 +
 +**To enable 802.1x export in an Open Mobile profile:**
 +  - Log in to the Open Mobile Portal.
 +  - Click **Configuration | Manage Profiles**. Then, next to the profile you wish to use, choose **Manage**.
 +  - Under **Networks and Policies**, click **Configure**.
 +  - Under **Wi-Fi**, click **Configure**.
 +  - Confirm that **Enable Wi-Fi** is selected, and then click **Save**.
 +  - Under **Wi-Fi | Advanced Settings**, pick **Configure**.
 +  - Check **Enable 802.1x network configuration**,​ and select **View, Edit and Export network configurations**.
 +  - Click **Save** to save network settings.
 +  - Configure the rest of the test profile as needed.
 +
 +===== Publishing the Test Profile =====
 +
 +Next, publish the test profile to a test system.
 +
 +**To publish the test profile to a test system:**
 +  - On a test system, do one of the following:
 +    * If the test system already has Open Mobile installed with the same profile number as your test profile, update Open Mobile by right-clicking the iPass system tray icon and selecting Update, OR
 +    * If the test system doesn’t have this client profile, build the profile installer, and then download and install the new client.
 +
 +===== Configuring OCR on a Test System =====
 +
 +Third, configure OCR on the test system with the test profile. This will set parameters in your OCR configuration file, which you can then export to other profiles.
 +
 +==== Before Setting Parameters ====
 +
 +Before setting parameters for the OCR configuration file, you should note the following:
 +
 +**Encryption method:** Determine the encryption method for your selected OCR network. If the encryption method is being used is uncertain, check the Windows wireless tray menu. Hold the cursor over the network in question to display the encryption type.
 +
 +**Authentication method:** Open Mobile currently supports these methods:
 +  * PEAP-MS-CHAPv2 on Windows 7, Vista and XP.
 +  * EAP-TLS on Windows 7, Vista and XP (for Open Mobile 1.4.1)
 +  * PEAP-TLS on Windows 7 and Vista.
 +
 +Choose the procedure outlined here based on your version of Open Mobile.
 +
 +==== For Open Mobile Versions 1.4.1 and Later ====
 +
 +Follow this procedure for Open Mobile version 1.4.1 and later.
 +
 +**To configure an OCR connection method:**
 +
 +  - Click **Options | Wi-Fi**.
 +  - Click **Campus Networks**.
 +  - Under **Connection Methods**, click **Add**.
 +  - Do the following:
 +    - In **Method Name**, enter a descriptive name, such as MSCHAPv2.
 +    - In the **Authentication Protocol** drop-down, select the 802.1x method for your network.
 +    - If you are employing a user-based authentication mode and wish to use your iPass roaming credentials for authentication,​ in **Credential Source**, select //​Account//​. Then, from the **Account Name** drop-down list, select the account configured for Open Mobile to use.
 +    - Enter the protocol-specific connection settings as required for your connection method, such as authorization mode, outer and inner tunnel, trusted certificate authorities,​ and other settings.
 +  - Click **Save**.
 +
 +Now, try to connect to the 802.1x network. If the connection is unsuccessful,​ adjust your settings and to make sure your settings are correctly entered. Your settings will be stored in an XML configuration file.
 +
 +When the settings are correct, and you are able to make a successful 802.1x connection, export the XML file. The XML file must be exported to an unencrypted folder (such as any iPass Open Mobile folder).
 +
 +**To export the XML configuration file:**
 +  - Select **Options | Wi-Fi**.
 +  - Click **Campus Networks**.
 +  - Configure your network connection settings as required, then click **Save**.
 +  - Click **Export**. Your settings will be exported as an XML file.
 +  - Browse to an unencrypted folder in which to save the XML export file, and then name and save the file.
 +
 +=== Key Usage ===
 +
 +Open Mobile does not enable the specification of a value for the optional Key Usage flag. If you need to indicate a value for Key Usage, you will need to specify the value in an XML editor manually, before uploading the configuration file. The following table illustrates the range of hexadecimal values for the Key Usage flag.
 +
 +^ Flag ^ Hexadecimal Value ^ Description ^ 
 +| EncipherOnly | 1 | The key can be used for encryption only. |
 +| CrlSign | 2 | The key can be used to sign a Certificate revocation list. |
 +| KeyCertSign | 4 | The key can be used to sign certificates. |
 +| KeyAgreement | 8 | The key can be used to determine key agreement. |
 +| DataEncipherment | 10 | The key can be used for data encryption. |
 +| KeyEncipherment | 20 | The key can be used for key encryption. |
 +| NonRepudiation | 40 | The key can be used for authentication. |
 +| DigitalSignature | 80 | The key can be used for digital signature. |
 +| DecipherOnly | 8000 | The key can be used for decryption only. |
 +
 +Key Usage values can be single or composite. The following example shows a single Key Usage value of 80 (for Digital Signature).
 +
 +<​code>​
 +<​UserCertificate>​
 +  <​CriteriaList>​
 +    <​Criteria>​
 +      <​Key>​Issuer</​Key>​
 +      <​Value>​iPassOCRCA</​Value>​
 +    </​Criteria>​
 +    <​Criteria>​
 +      <​Key>​Key Usage</​Key>​
 +      <​Value>​80</​Value>​
 +    </​Criteria>​
 +  </​CriteriaList>​
 +</​UserCertificate>​
 +</​code>​
 +
 +You can also choose to specify a composite value to search for the properties to be present in the certificate being selected for authentication. Use the binary OR operation to combine two key values. ​
 +For example:
 +  * Digital Signature and Key Encipherment = A0 (result obtained after ORing the two flags).
 +  * Digital Signature and Non-repudiation = C0.
 +  * Data Encipherment,​ Key Encipherment and Non-repudiation = 70.
 +
 +**To edit the Key Usage flag in the XML configuration file:**
 +  - Open the exported XML file in an XML editor.
 +  - Set the values as shown above for Key Usage.
 +  - Save and close the XML configuration file.
 +
 +==== For Open Mobile Versions 1.3.1 and Earlier ====
 +
 +Follow this procedure for Open Mobile client versions 1.3.1 and earlier.
 +
 +**To configure OCR on the test system:**
 +  - In Open Mobile, click **Tools | Networks**, and then select **Campus Networks**.
 +  - Click **Add Network** and enter these settings:
 +    * **Network Name:** Enter the SSID of the 802.1x network.
 +    * **Security:​** Enter the encryption method, such as WPA2-AES.
 +    * In **Connection Method**, click **Add**.
 +      - In **Method Name**, enter a descriptive name, such as MSCHAPv2.
 +      - In the **Authentication Protocol** drop-down, select the 802.1x method for your network.
 +      - If you are employing a user-based authentication mode and wish to use your iPass roaming credentials for authentication,​ in **Credential Source**, select //​Account//​. Then, from the **Account Name** drop-down list, select the account configured for Open Mobile to use.
 +      - Enter the protocol-specific connection settings as required for your connection method, such as authorization mode, outer and inner tunnel, trusted certificate authorities and other settings.
 +      - To enable quick reconnections for this protocol after being disconnected,​ select Fast Reconnect.
 +  - Click **Save** to save the connection method settings, and then click **Save** again to save the network settings. Name and save the XML file.
 +
 +<note important>​If you save the file to a location on your hard drive that uses disk encryption, you will not be able to view the XML file manually.</​note>​
 +
 +Now, try to connect to the 802.1x network. You may need to select the network manually from the list of SSIDs.
 +
 +If the connection is unsuccessful,​ adjust your settings and make sure they are correctly entered. Return to Campus Network configuration,​ choose **Modify** instead of **Add**, and modify the settings as required.
 +
 +When the settings are correct, and you’re able to make a successful 802.1x connection, export the XML configuration file.
 +
 +**To export the XML configuration file:**
 +  - In Open Mobile, pick Tools | Networks, and then select Campus Networks.
 +  - Select the method you just created previously, and click Export.
 +  - Browse to a location to save the XML export file.
 +
 +===== Uploading the Configuration File to the Open Mobile Portal =====
 +
 +You can now upload the configuration file to the Open Mobile Portal as a custom network Directory.
 +
 +**To upload a custom OCR configuration file:**
 +  - Log into the Open Mobile Portal. Click **Configuration**,​ and then select** Upload Networks.**
 +  - Under **Wi-Fi Network Directories**,​ click **Manage**.
 +  - Click **Import New Directory.**
 +  - Give the custom directory a descriptive name. You will see this name in the client configuration later.
 +  - Click **Browse** and select the XML configuration file you exported earlier, and then click **Upload File.**
 +
 +When the upload finishes, you should see the new OCR directory in the list of available directories.
 +
 +===== Configuring a Profile =====
 +
 +
 +Finally, you can configure one or more profiles with the uploaded configuration file. This will make your local, functioning 802.1x settings a permanent part of an Open Mobile client profile.
 +
 +
 +**To configure a profile with the new configuration file:​** ​
 +
 +
 +    - In the [[https://​openmobile.ipass.com|Open Mobile Portal]], on the **Configure** ​ tab, select **Manage Profiles**.
 +    - Next to the profile you wish to enable for 802.1x, select **Manage**.
 +    - Under **Choose Networks**, click **Configure**.
 +    - Under **Enable Wi-Fi** ​ and **Unassigned Wi-Fi Hotspot Lists**, locate the file you previously uploaded.
 +    - Using the arrow keys, move the directory to the **Assigned Wi-Fi Hotspot Lists** ​ on the right.
 +    - Click **Show Advanced Options**, and then de-select the checkbox for Enable 802.1x network configuration. **Note:​** ​ If you are done configuring 802.1x networks, de-selecting the checkbox will prevents users from capturing and exporting 802.1x information.
 +    - Click **Save** ​ to save your network settings.
 +    - Publish the updated profile to Test again.
 +
 +
 +At this point, users will be able to connect to the 802.1x network when it is in range. The network will be displayed in Open Mobile as a custom network.
 +
 +Go to: **[[dokuwiki_other|Other Product Documents]] > [[tech_notes|Tech Notes]]**
 +
 +{{tag>​ocr 802.1x tech_notes}}
 +
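Review bot: The export steps under "For Open Mobile Versions 1.4.1 and Later" require saving the XML to an unencrypted folder ("The XML file must be exported to an unencrypted folder"), but nothing later in the procedure says what happens to that file after "Upload File". Since the introduction describes its contents as "encryption and authentication information", add a step to delete the exported copy from the test system once the new directory appears in the portal. The 1.3.1 export steps never state the unencrypted-folder requirement at all (the only hint is the disk-encryption note), and they drop the bold UI labels used everywhere else ("pick Tools | Networks", "click Export"). In "Configuring a Profile", de-selecting Enable 802.1x network configuration is the control that stops users capturing and exporting 802.1x settings, so it should be its own numbered step rather than a trailing **Note:** that begins "If you are done"; "will prevents users" should read "will prevent users". Smaller wording fixes: "If the encryption method is being used is uncertain", "adjust your settings and to make sure your settings are correctly entered", "Publish the updated profile to Test again", and "combine two key values", where the third example combines three flags.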
  
 

©2015 iPass Inc. All rights reserved.