Configure PEAP with EAP-TLS and printer name authentication

Before you begin

This instruction applies to the [Printer name from domain; PEAP with EAP-TLS]  authentication method. The authentication method refers to the method you selected on PRISMAsync Print Server.

The instructions below refer to Windows Server 2016. Other systems may need other configuration. See the vendor documentation for complete instructions.

These configurations have been done.

1. Configure IEEE 802.1X on the authentication server (phase 1)

2. Configure IEEE 802.1X on the authenticator

3. Configure IEEE 802.1X on PRISMAsync Print Server

Perform the instructions in the order they are listed.

Instruction 1. On Active Directory, create a group on the domain

1. In [Server Manager] click [Tools].

   [Server Manager] options

2. Open the [Active Directory Users and Computers] console.

3. Right-click the domain name, click [New]. Then click [Group].

4. Enter a name for the group.

   New group

5. Select [Global] in the [Group scope] option group.

6. Select [Security] in the [Group type] option group.

7. Click [OK].

Instruction 2. On Active Directory, add printer name as computer name

1. In [Server Manager], click [Tools].

   [Server Manager] options

2. Open the [Active Directory Users and Computers] console.

3. Expand the domain entries.

4. Right-click [Computers].

5. Click [New]. Then, click [Computer].

6. Enter the hostname of the printer.

   DNS uses the hostname and appends the DNS domain hierarchy to that name to create the FQDN name.

   Find the hostname on the Identity certificate of PRISMA Print Server.

   The [Subject alternative name 1], [Subject alternative name 2] or [Subject alternative name 3] field contains the contents of the [Common name] field. This is the Fully Qualified Domain Name (FQDN) printer name, such as: hostname.example.net. Here you enter the hostname part of the FQDN.

   New computer

7. Click [OK].

8. When the printer name is added, right-click the name. Then click [Properties].

9. Click the [Member Of] tab and select the group you created in instruction 1.

   Select group

10. Click the [Dial-in] tab.

11. In the [Network Access Permission] option group, select [Control access through NPS Network Policy].

    [Dial-in] options

12. Click [OK].

13. Open the ADSI Edit editor.

    ADSI Edit editor

14. Browse to the CN=Computers directory.

15. Right-click the printer name and click [Properties].

16. Select [servicePrincipalName] and click [Edit].

17. Enter the printer name according to this format: host/<hostname>.<DNS domain hierarchy> . For example: host/PRISMAprinter.ft5.cppvenlo.cpp.net.

18. Click [OK].

Instruction 3. On the authentication server, configure network policy for PEAP with EAP-TLS and printer name authentication

1. In [Server Manager] click [Tools].

   [Server Manager] options

2. Open the [NPS] console.

3. Expand [Policies].

4. Right-click [Network Policies]. Then click [New]. The [New Network Policy] wizard opens.

5. Enter a policy name.

   [Network Policies] wizard

6. Ensure [Unspecified] is selected in the [Type of network access server] option.

7. Click [Next].

8. On the [Specify Conditions] page, select [Machine Groups]. Then click [Add...].

   [Network Policies] wizard

9. Select the group you created in instruction 1.

   [Network Policies] wizard

10. Click [OK] to close the [Select Group] dialog box.

11. Click [Next].

    [Network Policies] wizard

12. On the [Specify Access Permission] page, select [Access granted].

    [Network Policies] wizard

13. Click [Next].

14. On the [Configure Authentication Methods] page, click [Add...]].

15. From the [Authentication methods] list, select [Microsoft: Protected EAP (PEAP)]. Then, click [OK].

    [Network Policies] wizard

16. Select [Microsoft: Protected EAP (PEAP)] and click [Edit].

    [Network Policies] wizard

17. In the [Edit Protected EAP properties] dialog box, select the Identity certificate of the RADIUS server. This certificate refers to the trusted certificate available on PRISMAsync Print Server.

    [Network Policies] wizard

18. From the [Eap Types] list, select [Smart Card or other certificate].

    When the entry is not in the list, first add it to the list.

19. Click [Edit] to check if the Identity certificate of the RADIUS server is selected.

20. Click [OK] to close the [Edit Protected EAP Properties] dialog box.

21. Clear the [Less secure authentication methods] check boxes that refer to authentication methods you do not want to use.

    [Network Policies] wizard

22. Click [Next].

23. On the [Configure Constraints] page, click [Next].

    [Network Policies] wizard

24. On the [Configure settings] page, click [Next].

    [Network Policies] wizard

25. On the [Completing New Network Policy ] page, click [Finish].

    [Network Policies] wizard

More information

• Learn about IEEE 802.1X authentication protocols

• Learn about IEEE 802.1X port-based authentication

• Overview required IEEE 802.1X configuration procedures

• Configure IEEE 802.1X on the authentication server (phase 1)

• Configure IEEE 802.1X on the authenticator

• Configure IEEE 802.1X port-based authentication on PRISMAsync Print Server