Introduction:
The following guide is a step-by-step process for using CertLoader within SecurePlus. In the scenario I am going to describe, I have an access point using TKIP encryption with EAP-TLS, connecting to a RADIUS server for authentication to the network. There are many ways to create a certificate; in this documentation I am only describing one way.
Items Needed:
Before we begin you will need the following items:
1. Mobile Device
a. Enabler >= 5.2
b. Power cables and ActiveSync cables
2. Access point configured to communicate with a RADIUS server
a. TKIP encryption with EAP-TLS
3. Server
a. RADIUS server
b. Active Directory and a configured user
c. Certificate Authority
4. AvalancheMC
a. SecurePlus >= 1.1.57.17
b. Appropriate licensing
5. ActiveSync or Windows Mobile Device Center
____________________________________________________________________
Step 1. Installation and configuration of SecurePlus
____________________________________________________________________
In order to start this process you will need to install SecurePlus into AMC.
After installation is complete, select the software package, then Configure and Launch.
This will launch the SecurePlus Config GUI.
For the purpose of this testing I have disabled most of the password options.
Make sure on the Auth. Servers tab that you have the IP address of the PC that has the SecurePlus Server service running. This is critical and should not be missed.
Next, click the “Configure Client” button:
Here, uncheck Stop ActiveSync and disable hardware keys.
During testing it is a good idea to set the logging level to Debug; for ease of use, I also make the log file size a bit bigger than the default.
1. Keep Current User in Registry
2. Show Last Logon Information
Everything else can stay the same. Click "OK" when finished.
Next, click the “Configure Service” button:
You do not have to fill out the Run As information if you don't want to; just click Install and follow the prompts, then do the same for Start. You may be prompted for administrator credentials. To uninstall, follow the same steps in reverse: Stop, then Uninstall. If you just click Uninstall, it may take a bit longer, as it will stop the service first before uninstalling. Click "OK" when finished.
Next, click the “OTA Certs” button:
Be sure to enable the check box, as this turns the OTA certificate option on. Fill out the address where certificate requests are to be sent.
Next, enter the IP address or FQDN.
Next is the number of days before the cert expires at which to request a new one. For testing, set this value to 365 or more so that the OTA process is exercised right away; otherwise you have to wait a year for the cert to expire.
Next, fill out the request time interval and the check-for-new interval. I usually set both to 5 minutes for testing purposes; there is no reason to wait any longer than necessary.
Next, use the drop-down and select one of the 3 options. This gives the request for a new cert a name that is unique from other devices'.
** The requested cert will have the same name each time a request is sent, so be sure to make note of the date and time it was submitted.
TerminalID_Domain_User.Request
Example request name: 15068699_qatest_cachilli.req
Next, fill out the location where the cert is to be placed and looked for. If you change this, make sure the directories exist before saving the changes. The default location is the following:
C:\Users\"USERNAME"\.wavelink\avalanche\_AVA\avapackages\SecurePlus\SecurePl\APPS\SecurePl\ - certificate and requests folders
Click "OK" when finished.
You can now load your device with SecurePlus.
____________________________________________________________________
Step 2. Configuration of CertLoader
____________________________________________________________________
We are now ready to start the certificate process:
ActiveSync your device to the same PC that has AMC and SecurePlus installed. Once it is synced, go to AMC and select and configure SecurePlus, but this time we are going to launch CertLoader.
The CertLoader GUI should now appear.
First we need to configure a couple options. Select Configuration:
Check the following options:
Show User Cert Options:
Show Cut/Paste Options:
Next go to the Network Tab at the bottom:
Fill out both SSID fields and the appropriate check boxes. Since I am using TKIP I have those checked, and they are checked by default.
Click "OK" when finished.
At this stage we can send down the "Network Assignment".
The device will reboot during this process. You may also see a license error if using anything below version 1.1.57.20. It is usually pretty consistent about throwing that error here; however, watching the log files through BareTail shows it did get one.
Next we start the actual cert creation:
Click on Device Certificate:
At this point the device should still have the SecurePlus logon screen up:
Click on Create Certificate:
If you get a licensing error, try creating again:
If successful you will see the following image:
For this tutorial my device ID is my domain\User
Then click the green Plus sign:
It will then update the device and finish at this screen. DO NOT CLOSE THIS OUT.
You should now see the following image.
Once here, click on View and copy the contents of the window.
This information is what we need to create the actual Certificate at the Cert Authority!
____________________________________________________________________
Step 3. Certificate Authority
____________________________________________________________________
Navigate to the Cert Authority and select Request a certificate.
Next we want to submit an advanced certificate request.
On the next screen select the option for using a base 64-encoded
On the request page, select User from the drop-down, then paste in the certificate request information you copied from CertLoader.
Now select Submit >:
Once submitted, you will be taken to an issue page as shown below.
On this page, select "Base 64 encoded" and "Download certificate chain". You will be prompted to save this certificate; save it, open it in WordPad or Notepad, and copy the entire contents.
We are now ready to go back to CertLoader!
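Before pasting the downloaded Base64 text back into CertLoader (and to reason about the renewal threshold set under OTA Certs in Step 1), it helps to be able to check what you actually copied. The following is an added example written for this guide, not code from the original page or from the Wavelink product. It assumes the pasted text contains a Base64 -----BEGIN CERTIFICATE----- block (the page does not say which container the CA produced, so that is an assumption), walks the DER structure with the standard library only to pull out the validity window, and then applies the OTA rule "request a new cert this many days before expiry". The function and variable names are the example's own; the sample certificate is a constructed, unsigned skeleton built inside the script so it runs offline.

```python
"""Check a pasted Base64 (PEM) X.509 certificate's validity window and decide
whether the SecurePlus OTA renewal threshold would trigger a new request.
Added example for this guide; all names here are the example's own."""
import base64
import re
from datetime import datetime, timezone

SEQUENCE, INTEGER, OID, BIT_STRING = 0x30, 0x02, 0x06, 0x03
UTC_TIME, GENERALIZED_TIME, VERSION_TAG = 0x17, 0x18, 0xA0


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, content):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block and Base64-decode it.
    Raises ValueError when the markers are missing or the Base64 is corrupt."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no -----BEGIN CERTIFICATE----- block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def looks_like_pem_certificate(pem_text):
    """Quick go/no-go check on the pasted text before handing it to CertLoader."""
    try:
        return pem_to_der(pem_text)[0] == SEQUENCE
    except (ValueError, IndexError):  # binascii.Error is a ValueError
        return False


def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == UTC_TIME:               # YYMMDDHHMMSSZ; RFC 5280 pivots the year at 50
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != GENERALIZED_TIME:     # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)                 # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)                # version [0] (optional) or serialNumber
    if tag == VERSION_TAG:
        _, _, pos = _read_tlv(tbs, pos)            # serialNumber
    _, _, pos = _read_tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)           # Validity { notBefore, notAfter }
    tag1, v1, p = _read_tlv(validity, 0)
    tag2, v2, _ = _read_tlv(validity, p)
    return _parse_time(tag1, v1), _parse_time(tag2, v2)


def days_until_expiry(not_after, now):
    return (not_after - now).days


def renewal_due(days_left, threshold_days):
    """OTA Certs rule: request a new cert once this many days (or fewer) remain."""
    return days_left <= threshold_days


def constructed_sample_pem():
    """CONSTRUCTED, UNSIGNED certificate skeleton (empty names, key and signature),
    valid 2024-01-01 to 2025-01-01, so the parser can be exercised offline.
    No CA issued this; it is not loadable on a device."""
    sha256_rsa = _tlv(SEQUENCE, _tlv(OID, bytes.fromhex("2a864886f70d01010b")))
    validity = _tlv(SEQUENCE, _tlv(UTC_TIME, b"240101000000Z")
                    + _tlv(UTC_TIME, b"250101000000Z"))
    tbs = _tlv(SEQUENCE, _tlv(VERSION_TAG, _tlv(INTEGER, b"\x02")) + _tlv(INTEGER, b"\x01")
               + sha256_rsa + _tlv(SEQUENCE, b"") + validity
               + _tlv(SEQUENCE, b"") + _tlv(SEQUENCE, b""))
    cert = _tlv(SEQUENCE, tbs + sha256_rsa + _tlv(BIT_STRING, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    pem = constructed_sample_pem()
    not_before, not_after = certificate_validity(pem_to_der(pem))
    left = days_until_expiry(not_after, datetime(2024, 7, 1, tzinfo=timezone.utc))
    print("valid", not_before.date(), "to", not_after.date(), "-", left, "days left")
    for threshold in (30, 365):
        print("OTA threshold", threshold, "days -> renewal due:", renewal_due(left, threshold))
```

With the constructed one-year certificate and a clock set to mid-2024, a 30-day threshold reports no renewal, while the 365-or-more value the guide recommends for testing reports renewal due straight away, which is exactly why that setting makes the OTA request fire without waiting a year. Pasting a real download from the CA into `looks_like_pem_certificate` first catches a truncated copy or a stray character before it reaches the device.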
____________________________________________________________________
Loading the certificate:
If you still have the window open with the previous creation, hit the red x on the screen to be taken back to the main menu.
This time, click on Assign Certificate:
Once this process starts, a window will open where you paste in the information you copied from the certificate.
Once the certificate information has been pasted in, click on "OK".
At this point the certificate will be placed on the device. The device should reboot when done.
If we now look at the device we should be connected to the AP with the certificate in place on the device:
Screenshots from the device: Fusion radio, Wavelink profile
____________________________________________________________________
Step 4. Verify the Cert took on the device
____________________________________________________________________
At this point the device should be connected to the network; for visual inspection, it should look like the screenshots below.
Verify the IP address:
Assumptions:
This guide assumes that you know how to set up a RADIUS server and Active Directory, and how to configure your AP to communicate with the RADIUS server. You should also have the basic ability to install and run programs and executables such as AMC and Enablers.
Information contained herein is subject to change without notice.