Canon I Sensys Mf8550cdn User Guide

							0ALJ-0A6
Configuring IEEE 802.1X Authentication
The machine can connect to  an  802.1X network as a client  device. A typical 802.1X network consists of a RADIUS server  (authentication
server), LAN switch  (authenticator), and  client  devices with authentication software  (supplicants). If  a device tries to  connect to  the
802.1X network, the  device must go through user  authentication in order to  prove that  the  connection is  made  by an  authorized  u ser.
Authentication information  is  sent to  and  checked  by a RADIUS server, which permits or rejects  communication to  the  network depending
on  the  authentication result. If  authentication fails,  a LAN switch  (or an  access point) blocks access from the  outside of the  network.
Select the  authentication method from the  options below. If  necessary, install or register  a key  pair  or CA certificate before  configuring
IEEE  802.1X authentication (Using  CA- issued Key  Pairs and  Digital Certificates ).
TLS
The machine and  the  authentication server  authenticate each other by mutually verifying their  certificates. A key  pair  issued  b y a
certification  authority  (CA) is  required for  the  client  authentication (when authenticating the  machine). For the  server  authentication,
a CA certificate installed via  the  Remote  UI can be used in addition to  a CA certificate preinstalled in the  machine. The TLS  m ethod
cannot  be used with TTLS  or PEAP at the  same time.
TTLS
This authentication method uses a user  name and  password for  the  client  authentication and  a CA certificate for  the  server
authentication.  MSCHAPv2 or PAP can be selected as the  internal protocol. TTLS  can be used with PEAP at the  same time. Enable S SL
for  the  Remote  UI before configuring this authentication method (
Enabling  SSL Encrypted Communication for the Remote  UI ).
PEAP
The required settings are  almost the  same as those of TTLS. MS-CHAPv2 is  used as the  internal protocol. Enable SSL  for  the  Remo te
UI before configuring this authentication method (Enabling  SSL Encrypted Communication for the Remote  UI ).
Start  the Remote UI  and  log  on in System Manager Mode.  Starting Remote UI
Click [Settings/Registration].
Click [Network Settings]  [IEEE 802.1X Settings].
1
2
3
>à>à>Ý>Ì>Û>Ì>â>ã>â
 
						

							Click [Edit...].
Select the [Use IEEE 802.1X]  check  box, enter the login name in the [Login Name] text box, and  specify the
required settings.
[Use IEEE 802.1X]
Select the  check  box to  enable  IEEE  802.1X authentication.
[Login  Name]
Enter up  to  24 alphanumeric  characters  for  a name (EAP identity)  that  is  used for  identifying the  user.
Setting TLS
1Select the [Use TLS] check box and  click [Key  and  Certificate...].
2Click [Register  Default  Key]  on  the right  of the key pair you want to use for the client authentication.
4
5
>à>à>Þ>Ì>Û>Ì>â>ã>â
 
						

							NOTE:
Viewing details of a key pair or certificate
You  can check  the  details of the  certificate or verify the  certificate by clicking  the  corresponding text link  under [Key
Name], or the  certificate icon.  
Verifying  Key  Pairs and  Digital Certificates
Setting TTLS/PEAP
1Select the [Use TTLS]  or [Use PEAP]  check box.
NOTE:
Internal protocol for TTLS
You  can select MSCHAPv2 or PAP.  If  you want to  use PAP,  click the  [PAP] radio button.
2Click [Change User Name/Password].To specify  a user  name other than the  login  name,  clear the  [Use Login  Name as User Name] check  box. Select the
check  box if  you want to  use the  login name as the  user  name.
3Set the user  name/password and  click [OK].
>à>à>ß>Ì>Û>Ì>â>ã>â
 
						

							[ User Name ]
Enter up  to  24 alphanumeric  characters  for  the  user  name.
[ Change  Password]
To set or change the  password, select the  check  box and  enter up  to  24 alphanumeric  characters  for  the  new password
both  in the  [Password]  and  [Confirm]  text boxes.
Click [OK].
Restart the machine.
Turn  OFF  the  machine, wait  for  at least  10 seconds,  and  turn  it back ON.
NOTE
You  can enable  or disable the  IEEE  802.1X authentication from .IEEE 802.1X Settings
LINKS
Configuring  Settings  for Key  Pairs and  Digital Certificates
6
7
>à>à>à>Ì>Û>Ì>â>ã>â
 
						

							0ALJ-0A7
Configuring Settings for Key Pairs and Digital Certificates
In order to  encrypt  communication with a remote device, an  encryption key  must be sent and  received over an  unsecured network
beforehand. This problem is  solved by public -key  cryptography. Public -key  cryptography ensures  secure communication by protecting
important  and  valuable information  from attacks, such as sniffing,  spoofing, and  tampering of data as it flows over a network.
Key  Pair
A key  pair  consists of a public  key  and  a secret key, both  of which are  required for  encrypting  or decrypting data.
Because data that  has been encrypted  with one of the  key  pair  cannot  be returned  to  its original  data form without
the  other,  public -key  cryptography ensures  secure communication of data over the  network. Up to  five key  pairs can
be registered (
Using  CA- issued Key  Pairs and  Digital Certificates). For SSL  encrypted  communication,  a key
pair  can be generated  for  the  machine (Generating Key  Pairs ).
CA Certificate
Digital certificates  including CA certificates  are  similar to  other forms of identification, such as driver's licenses. A
digital certificate contains a digital signature, which enables the  machine to  detect any spoofing  or tampering of data.
It is  extremely difficult  for  third parties to  abuse digital certificates. A digital certificate that  contains a public  key  of a
certification  authority  (CA) is  referred to  as a CA certificate.  CA certificates  are  used for  verifying the  device the
machine is  communicating with for  features such as printing with Google  Cloud Print  or IEEE  802.1X authentication.
Up to  10 CA certificates  can be registered, including the  five certificates  that  are  preinstalled in the  machine (
Using
CA- issued Key  Pairs and  Digital Certificates ).
Key  and Certificate  Requirements
The certificate contained in a key  pair  generated  with the  machine conforms  to  X.509v3.  If  you install a key  pair  or a CA certificate from
a computer, make sure  that  they meet  the  following  requirements:
Format Key pair: PKCS#12
CA certificate:  X.509v1 or X.509v3,  DER  (encoded binary)
File extension Key pair: ".p12"  or ".pfx"
CA certificate:  ".cer"
Public  key  algorithm 
(and  key  length) RSA (512 bits,  1024  bits,  2048  bits,  or 4096  bits)
Certificate signature  algorithm SHA1-RSA, SHA256-RSA, SHA384-RSA , SHA512-RSA , MD5 -RSA, or MD2 -RSA
Certificate thumbprint algorithm SHA1
 Requirements for  the certificate contained in a key pair  are pursuant  to  CA  certificates.
 SHA384 -RSA and  SHA512 -RSA are available only  when the RSA key length is 1024 bits or  more.
NOTE
The machine does not  support use of a certificate revocation  list  (CRL).
*1
*2 *2
*1
*2
>à>à>á>Ì>Û>Ì>â>ã>â
 
						

							0ALJ-0A8
Generating Key Pairs
A key  pair  can be generated  with the  machine when it is  required for  encrypted  communication via  Secure Sockets Layer  (SSL). You  can
use SSL  when accessing the  machine via  the  Remote  UI. Up to  five key  pairs can be registered to  the  machine.
Start  the Remote UI  and  log  on in System Manager Mode.  Starting Remote UI
Click [Settings/Registration].
Click [Security  Settings]  [Key and  Certificate Settings].
Click [Generate Key...].
NOTE:
Deleting  a registered  key pairClick [Delete] on  the  right of the  key  pair  you want to  delete  
click [OK].
A key  pair  cannot  be deleted  if  it is  currently used for  some  purpose,  such as when "SSL" or "IEEE  802.1X", is  displayed under
[Key Usage]. In this case, disable the  function or replace  the  key  pair  before deleting  it.
Specify  settings  for the key and  certificate.
1
2
3
4
5
>à>à>â>Ì>Û>Ì>â>ã>â
 
						

							[Key  Settings][Key  Name]
Enter up  to  24 alphanumeric  characters  for  naming the  key  pair. Set a name that  will  be easy  for  you to  find later in a list.
[Signature  Algorithm]
Select the  signature  algorithm from the  drop-down list.
[Key  Algorithm]
RSA is  used for  generating  a key  pair. Select the  key  length from the  drop-down list. The larger  the  number for  the  key
length, the  slower  the  communication.  However, the  security is  tighter.
NOTE:
[512bit] cannot  be selected for  the  key  length, if  [SHA384]  or [SHA512]  is  selected for  [Signature  Algorithm].
[Certificate Settings][Validity Start  Date  (YYYY/MM/DD)]
Enter the  date from which the  certificate is  valid between  01/01/2000 and  31/12/2037.
[Validity End  Date  (YYYY/MM/DD)]
Enter the  date to  which the  certificate is  valid between  01/01/2000 and  31/12/2037. A date earlier than [Validity  Start Date
(YYYY/MM/DD)] cannot  be set.
[Country/Region]
Click the  [Select Country/Region]  radio button and  select the  country/region from the  drop-down list. You  can also  click the
[Enter Internet  Country Code] radio button and  enter a country code,  such as "US"  for  the  United  States.
[State]/[City]
Enter up  to  24 alphanumeric  characters  for  the  location as necessary.
[Organization]/[Organization  Unit]
Enter up  to  24 alphanumeric  characters  for  the  organization name as necessary.
[Common  Name]
Enter up  to  48 alphanumeric  characters  for  the  common  name of the  certificate as necessary. "Common Name" is  often
abbreviated as "CN."
Click [OK].
A key  pair  may  take approximately  10 to  15 minutes  to  generate.
After a key  pair  is  generated, it is  automatically registered to  the  machine.
LINKS
Using  CA- issued Key  Pairs and  Digital Certificates
Verifying  Key  Pairs and  Digital Certificates
Enabling  SSL Encrypted Communication for the Remote  UI
Configuring  IPSec  Settings
6
>à>à>ã>Ì>Û>Ì>â>ã>â
 
						

							0ALJ-0A9
Using CA-issued Key Pairs and Digital Certificates
Key pairs and  digital certificates  can be obtained from a certification  authority  (CA) for  use with the  machine. You  can store  and  then
register  these files  by using the  Remote  UI. Make  sure  that  the  key  pair  and  the  certificate satisfy  the  requirements of the  machine
(
Key  and  Certificate Requirements ). Up to  five key  pairs and  10 CA certificates  (including  the  five preinstalled certificates)  can be
registered.
Start  the Remote UI  and  log  on in System Manager Mode.  Starting Remote UI
Click [Settings/Registration].
Click [Security  Settings]  [Key and  Certificate Settings] (for  key pairs) or [CA Certificate Settings] (for  CA
certificates).
Click [Register Key  and  Certificate]  or [Register CA Certificate].
NOTE:
Deleting  a registered  key pair or CA certificate
Click [Delete] on  the  right of the  key  pair  or CA certificate you want to  delete  
 click [OK]. You  cannot  delete  the  preinstalled
CA certificates.
A key  pair  cannot  be deleted  if  it is  currently used for  some  purpose,  such as when "[SSL]" or "[IEEE  802.1X]" is  displayed
under [Key Usage]. In this case, disable the  function or replace  the  key  pair  before deleting  it. The preinstalled CA certifica te
cannot  be deleted.
1
2
3
4
>à>à>ä>Ì>Û>Ì>â>ã>â
 
						

							Disabling or enabling the preinstalled CA certificates
Click [Disable] on  the  right of the  preinstalled CA certificate you want to  disable. To enable  the  certificate again,  click [Enable] on
the  right of the  certificate.
Click [Install...].
NOTE:
Deleting  a key pair or CA certificate
Click [Delete] on  the  right of the  file you want to  delete, and  then  click [OK].
Click [Browse...],  specify the file to install, and  click [Start Installation].
The key  pair  or CA certificate is  installed in the  machine.
Register the key pair or CA certificate.
Registering a key pair
1Click [Register]  on  the right  of the key pair you want to register.
2Enter  the name  of the key pair and  password,  and  then  click [OK].
[Key  Name]
Enter up  to  24 alphanumeric  characters  for  the  name of the  key  pair  to  be registered.
[Password]
Enter up  to  24 alphanumeric  characters  for  the  password of the  private key  set for  the  file to  be registered.
Registering a CA certificate
Click [Register] on  the  right of the  CA certificate you want to  register.
5
6
7
>à>à>å>Ì>Û>Ì>â>ã>â
 
						

							LINKS
Generating Key  Pairs
Verifying  Key  Pairs and  Digital Certificates
Enabling  SSL Encrypted Communication for the Remote  UI
Configuring  IPSec  Settings
Configuring  IEEE 802.1X Authentication
>à>á>Ü>Ì>Û>Ì>â>ã>â