Introduction
802.1x Authentication is a port-based authentication protocol that allows or blocks access to a network. WXP supports two 802.1x Authentication-related settings: One for wired network connections (802.1x Authentication (Wired)) and one for wireless network connections (802.1x Authentication (Wireless)).
Target Audience
Printer Administrators who define and manage policies for enforcement.
Configuring 802.1x Authentication (Wired)
To configure 802.1x Authentication for a wired connection in a policy:
Create or modify a printer-specific or a printer group policy.
On the Select Policy Settings page, locate and select 802.1x Authentication (Wired).
Click Next. The Set Options page appears.
In the Settings list, click 802.1x Authentication (Wired) to expand it and display configurable properties.
Modify the Assessment and Remediations options on the left of the panel as necessary. 802.1x Authentication (Wired) supports the following options:
Setting | Description |
Severity | Defines the relative security risk (Low, Medium, or High) should the setting be out of compliance. |
Ignore Unsupported Item | When enabled, this setting is ignored if the feature is unsupported by the device, so WXP does not assess a setting that the printer doesn’t support. |
Ignore Unentitled Item | When enabled, this setting is ignored if the feature is unentitled based on the HP service subscription, so WXP does not assess a setting the user can’t use. |
Remediation | When enabled, this setting is remediated if it is found to be out of compliance. Otherwise, WXP only flags the setting when non-compliant and does not attempt to remediate it. |
Configure the 802.1x (Wired) Authentication settings:
Setting | Description |
802.1x Username | The username used to authenticate printers when connecting to an 802.1x network. If no username is supplied, the printer hostname is used. |
802.1x Password/ Confirm 802.1x Password | The password used to verify printers when connecting to an 802.1x network. HP recommends using a strong password for better security. |
Encryption Strength | Select one of: High, Medium, or Low. |
Authentication Server Name | The name of the authentication server that is used during the 802.1x authentication process. This is typically a domain name or hostname and is found in the server’s digital certificate. For a stricter validation of the server’s identity, you can enter the CN (Common Name) or SAN (Subject Alternative Name) that is listed in the server’s certificate and check Require Server Name to Match Certificate. For a less strict validation, enter a portion of the servers name and leave Require Server Name to Match Certificate unchecked. |
Require Server Name to Match Certificate | When checked, the authentication server name you enter must match the CN or the SAN in the server’s digital certificate for 802.1x authentication to be successful. |
EAP-TLS | When checked, EAP-TLS (Extensible Authentication Protocol Transport Layer Security) is used. This protocol requires digital certificates for client and network server authentication. |
PEAP | When checked, PEAP (Protected EAP) is used. This protocol requires digital certificates for network server authentication and passwords for client authentication. |
On Authentication Failure | Indicates the behavior in the event that 802.1x authentication fails. Choose one of:
|
Click Create/Save.
Configuring 802.1x (Wireless) Authentication
This setting creates a port-based authentication protocol that allows or blocks access to the wireless network.
To configure 802.1x Authentication for a wireless connection in a policy, when creating or modifying a printer-specific or a printer group policy, configure the following 802.1x Authentication (Wireless) settings and options:
In the Settings list, click 802.1x (Wireless) to expand it and display configurable properties.
Modify the Assessment and Remediations options on the left of the panel as necessary. . 802.1x Authentication (Wired) supports the following options:
Setting | Description |
Severity | Defines the relative security risk (Low, Medium, or High) should the setting be out of compliance. |
Ignore Unsupported Item | When enabled, this setting is ignored if the feature is unsupported by the device, so WXP does not assess a setting that the printer doesn’t support. |
Ignore Unentitled Item | When enabled, this setting is ignored if the feature is unentitled based on the HP service subscription, so WXP does not assess a setting the user can’t use. |
Remediation | When enabled, this setting is remediated if it is found to be out of compliance. Otherwise, WXP only flags the setting when non-compliant and does not attempt to remediate it. |
Configure the 802.1x (Wireless) Authentication settings:
Setting | Description |
WiFi Protected Access (WPA) | The type of Wi-Fi access protection you are configuring. Choose one of: No Security: Wi-Fi access is open to all and unsecured. None of the remaining settings is required. Personal: Wi-Fi access requires only the Security Key for authentication. Enterprise: Wi-Fi access requires full 802.1x authentication using one of EAP-TLS, LEAP, or PEAP protocols. |
Source of Common Name (CN) | Whether to use the Fully Qualified Domain Name (FQDN) of the printer’s Embedded Web Server or the printer’s IP address as the Common Name (CN) value. |
802.1x Username | The username used to authenticate printers when connecting to an 802.1x network. If no username is supplied, the printer hostname is used. |
802.1x Password/ Confirm 802.1x Password | The password used to verify printers when connecting to an 802.1x network. HP recommends using a strong password for better security. |
Encryption Strength | Select one of: High, Medium, or Low. |
Authentication Server Name | The name of the authentication server that is used during the 802.1x authentication process. This is typically a domain name or hostname and is found in the server’s digital certificate. For a stricter validation of the server’s identity, you can enter the CN (Common Name) or SAN (Subject Alternative Name) that is listed in the server’s certificate and check Require Server Name to Match Certificate. For a less strict validation, enter a portion of the servers name and leave Require Server Name to Match Certificate unchecked. |
Require Server Name to Match Certificate | When checked, the authentication server name you enter must match the CN or the SAN in the server’s digital certificate for 802.1x authentication to be successful. |
EAP-TLS | When checked, EAP-TLS (Extensible Authentication Protocol Transport Layer Security is used. This protocol requires digital certificates for client and network server authentication. |
LEAP | When checked, LEAP (Lightweight EAP) is used. This protocol requires passwords for mutual authentication between the client and network server. |
PEAP | When checked, PEAP (Protected EAP) is used. This protocol requires digital certificates for network server authentication and passwords for client authentication. |
Click Create/Save.
Contact Us
For any assistance, create a support case or email support@wxp.hp.com.