Friday, February 10, 2012

HP Wi-Fi Direct Printing in the Enterprise

Have you been thinking that Wi-Fi Direct will mainly be limited to consumer applications? Think again. HP just announced support for Wireless Direct Printing, which allows any Wi-Fi capable device to print directly to the printer when in proximity without connecting through the corporate network.


This solution works by leveraging the Wi-Fi Direct standard that was developed last year by the Wi-Fi Alliance and the Apple AirPrint technology that eliminates software or driver installation on Apple mobile devices. The user simply needs to connect to the Wi-Fi network that the printer advertises, then print.

Pros: Easy printing from mobile devices in the enterprise

This should help simplify support for BYOD (bring your own device) initiatives. Since BYOD policies are typically designed with security restrictions around corporate network access, and printers are usually distributed throughout the network, providing those personal devices with access to the printers would be a management headache to say the least.

Also, mobile device printing via Apple AirPrint on a corporate network is not usable at this point because AirPrint relies on Bonjour (mDNS) for printer discovery, and that link-local multicast is not forwarded across layer 3 network boundaries, so printers on other subnets are never discovered. The ability to connect directly to the printer and print documents will allow immediate adoption of AirPrint in the enterprise.

HP Wireless Direct Printing is Easy using AirPrint
(but appears to lack any security)

Cons: Unproven security


The security issues involved with a Wi-Fi network being advertised by a printer that is directly cabled into your network are significant. Printers have historically been easy targets for attackers to gain access to corporate networks due to their lack of focus on security. Just look here! By allowing direct wireless access to the printer, enterprises risk exploitation of numerous printer vulnerabilities which could result in broad internal network access for an attacker.

HP's implementation also appears to use an open Wi-Fi network, which makes the risk even greater! The Wi-Fi Direct FAQ states that a Wi-Fi Direct connection uses a separate "security domain" from the corporate wireless network. What this means is that the security of the Wi-Fi Direct connection can be different from (and simpler than) the security required to access the corporate network. But that does not require an open connection. Wi-Fi Direct supports WPA2 pre-shared key security and simplified setup using WPS (keeping in mind that WPS PIN setup has a well-documented brute-force weakness, so a plain WPA2 PSK is the safer option). However, HP's documentation implies a wide-open wireless network.

HP Wireless Direct Printing Appears to Lack Any Security
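One way to check for this in your own buildings, as an added example that is not part of the original post: a small Python script that parses a wireless scan listing and flags direct-to-device networks that are open. The scan lines are constructed here in the layout of the OS X `airport -s` output; the SSID prefixes are assumptions, "DIRECT-" being the prefix the Wi-Fi P2P specification reserves for P2P group SSIDs and "HP-Print-" being assumed for HP Wireless Direct. Open or WEP networks are rated high, WPA2-PSK ones are marked for review because they still bypass corporate NAC.

```python
"""Flag open Wi-Fi Direct / printer-advertised networks in a scan listing.

Added example, not from the original post. The input mimics the column
layout of `airport -s` on OS X but is constructed here. SSID prefixes are
assumptions: "DIRECT-" is what the Wi-Fi P2P spec reserves for P2P group
SSIDs, "HP-Print-" is assumed for HP Wireless Direct.
"""
import re

DIRECT_PREFIXES = ("DIRECT-", "HP-Print-")  # assumed identifying prefixes

# Constructed sample scan: SSID right-aligned, then BSSID, RSSI, channel,
# HT, country code and the security column.
SAMPLE_SCAN = """\
                            SSID BSSID             RSSI CHANNEL HT CC SECURITY (auth/unicast/group)
                        CorpWLAN 00:11:22:33:44:55 -55  36      Y  US WPA2(802.1x/AES/AES)
              DIRECT-4f-HP M1536 00:aa:bb:cc:dd:01 -41  6       Y  -- NONE
            HP-Print-7C-LaserJet 00:aa:bb:cc:dd:02 -38  11      Y  -- NONE
             DIRECT-9a-HP Photo  00:aa:bb:cc:dd:03 -63  1       Y  -- WPA2(PSK/AES/AES)
                       GuestWiFi 00:11:22:33:44:66 -70  44      Y  US WPA(PSK/TKIP/TKIP)
"""

# SSIDs may contain spaces, so anchor the parse on the BSSID and the
# fixed columns that follow it.
LINE_RE = re.compile(
    r"^\s*(?P<ssid>.+?)\s+(?P<bssid>(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2})"
    r"\s+(?P<rssi>-?\d+)\s+(?P<channel>\S+)\s+(?P<ht>\S)\s+(?P<cc>\S+)"
    r"\s+(?P<security>.+?)\s*$")


def parse_scan(text):
    """Parse scan lines into dicts; the header line has no BSSID and is skipped."""
    nets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["rssi"] = int(d["rssi"])
        nets.append(d)
    return nets


def is_direct(ssid):
    """True when the SSID looks like a direct-to-device network."""
    return ssid.startswith(DIRECT_PREFIXES)


def audit(nets):
    """Return findings for direct-to-device SSIDs.

    'high'   : open or WEP, so anyone in range can reach the printer.
    'review' : WPA2-PSK, acceptable for Wi-Fi Direct but still outside
               corporate NAC, so the PSK policy needs to be approved.
    """
    findings = []
    for n in nets:
        if not is_direct(n["ssid"]):
            continue
        sec = n["security"].upper()
        severity = "high" if sec.startswith(("NONE", "WEP")) else "review"
        findings.append({"ssid": n["ssid"], "bssid": n["bssid"],
                         "security": n["security"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit(parse_scan(SAMPLE_SCAN)):
        print("%-7s %-24s %-18s %s" % (f["severity"], f["ssid"],
                                       f["bssid"], f["security"]))
```

Feeding the script real output from `airport -s` (or any scanner whose lines you adapt the regular expression to) gives a quick inventory of which printers are advertising an open side door into the building before an account team has answered the questions above.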


Recommendation: Wait and see

I can't provide a solid recommendation on this technology or use in the enterprise until I learn more about HP's implementation. I have more questions than answers at this point. The prudent path for enterprises will be to wait and see what is discovered about this solution by the community over the coming weeks / months and engage your HP account team to learn more about the solution and security features.

Additionally, verify whether the printers that your organization is purchasing support this technology, what the default settings are, and what controls can be put in place to prevent use of this feature until it is appropriately secured and approved.

Cheers,
Andrew

Tuesday, February 7, 2012

Wireless Field Day 2 Video Archives

In addition to all the videos from the Wi-Fi Mobility Symposium, check out the great videos from the subsequent Wireless Field Day 2.

The videos contain technical details on vendor solutions and are filled with answers to the questions that every engineer wants to ask the vendors but few get meaningful replies to. The delegate crew interacts with founders and technical experts at each of the vendors, making these discussions much more valuable than sales product pitches and marketing!

Thanks to Gestalt IT, Tech Field Day, and Prime Image Media for hosting the event!


Video Recordings

COMPLETE WIRELESS FIELD DAY 2 PRESENTATIONS

INDIVIDUAL WIRELESS FIELD DAY 2 VIDEOS

INDIVIDUAL WI-FI MOBILITY SYMPOSIUM VIDEOS


Cheers,
Andrew

Mac OS X Lion Creating Wi-Fi 802.1X Profiles

Mac OS X 10.7 (Lion) does not allow manual creation or configuration of 802.1X profiles for secure authentication on Wi-Fi and Ethernet networks for typical users. In order to access an 802.1X network in Lion, users are prompted to enter credentials when joining an active network that is in range, at which time it automatically detects the authentication settings that should be used.

The 802.1X tab in the System Preferences > Network > Advanced section no longer allows manual 802.1X profile creation.

Mac OS X 10.7 (Lion) 802.1X Profile Restriction

Lion forces the use of a configuration profile, which must be created from Lion Server or using the iPhone Configuration Utility (iPCU). The config file is nothing more than an XML property list containing the settings, usually with a .mobileconfig extension. Since Apple decided to stop selling the Xserve line a year ago, most administrators will rely on the iPCU.

This restriction can be problematic for engineers wishing to test various client configuration scenarios without a live network. Many enterprise environments support multiple EAP types on their authentication servers in order to support various client deployment scenarios. Therefore, an engineer may wish to switch between profiles on the fly to test multiple authentication types. Additionally, user-created 802.1X profiles only work under their own user context, and do not work for pre-login or system level network connections which are of great benefit in enterprise environments for remote management and control when users are away from their desks (e.g. overnight). Finally, it should be noted that the "auto-detection" capability during network join may not work accurately for EAP-TTLS since it assumes use of MSCHAPv2 inner authentication.

To create an 802.1X profile for Lion, download and install the iPCU:

Install the iPhone Configuration Utility

Once installed, launch it from the Applications/Utilities folder in Finder. Start by selecting Configuration Profiles on the left side, then click New.

Create A New Configuration Profile in the iPhone Configuration Utility

Give the profile a name, unique identifier, organization name, and description. Then move on to the Wi-Fi section. Configure the basics like SSID and Security Type, then select one or multiple EAP types supported on the WLAN in the Protocols tab.


Switch to the Authentication tab to configure the credentials that will be used. Most enterprise admins will want to leave the username blank and select "Use Per-Connection Password" when deploying configuration profiles to their users to prompt each user to enter their own unique password instead of hardcoding a username and password. If using EAP-TLS an identity certificate may be selected. Finally, if you are concerned about username exposure with tunneled authentication protocols, provide an anonymous outer identity value so hackers cannot compile a list of valid usernames on your network.

iPhone Configuration Utility Wi-Fi Authentication Parameters

Last, configure the trusted certificates and server certificate names in the Trust tab. This allows administrators to define which authentication servers or naming conventions are allowed to authenticate users. This also prevents users from being prompted to trust servers at the time of authentication, a prompt that a rogue access point with its own RADIUS server could otherwise abuse to harvest credentials.

When the Wi-Fi payload and configuration profile is completely finished, select either Share or Export. Share allows you to send the profile via email, whereas Export allows you to export the file to your local filesystem for distribution at a later time.
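The same Wi-Fi payload built without the iPCU, as an added example rather than anything from the original post: a Python script that emits the .mobileconfig property list directly, using the payload keys from Apple's Configuration Profile Reference (a com.apple.wifi.managed payload carrying an EAPClientConfiguration dictionary). The SSID, identifiers, organization and RADIUS server names are made-up values. The check_profile function re-reads the file and reports the settings a reviewer would inspect: per-connection password rather than an embedded one, an anonymous outer identity, pinned server names, and an explicit TTLS inner method, since the join-time auto-detection assumes MSCHAPv2.

```python
"""Build a Lion-compatible .mobileconfig containing a Wi-Fi 802.1X payload.

Added example, not the page's own code. Payload keys follow Apple's
Configuration Profile Reference (PayloadType com.apple.wifi.managed and
its EAPClientConfiguration dictionary). SSID, identifier, organization
and RADIUS server names are made-up values.
"""
import plistlib
import uuid

# EAP method numbers as used in AcceptEAPTypes (IANA EAP type registry).
EAP_TLS, EAP_TTLS, EAP_PEAP, EAP_FAST = 13, 21, 25, 43


def build_wifi_8021x_profile(ssid, eap_types, trusted_server_names,
                             outer_identity="anonymous",
                             ttls_inner_auth="PAP",
                             organization="Example Corp",
                             identifier="com.example.wifi.corp"):
    """Return the profile as a plain dict; plistlib serialises it."""
    eap_config = {
        "AcceptEAPTypes": list(eap_types),
        # Blank UserName plus OneTimePassword is the iPCU setting
        # "Use Per-Connection Password": each user is prompted, nothing
        # is hardcoded in the profile.
        "UserName": "",
        "OneTimePassword": True,
        # Anonymous outer identity keeps real usernames out of the
        # cleartext EAP-Identity exchange on tunnelled methods.
        "OuterIdentity": outer_identity,
        # Only accept RADIUS certificates whose name matches this list.
        "TLSTrustedServerNames": list(trusted_server_names),
        "TLSAllowTrusted": False,
    }
    if EAP_TTLS in eap_types:
        # Explicit inner method; Lion's auto-detection assumes MSCHAPv2.
        eap_config["TTLSInnerAuthentication"] = ttls_inner_auth

    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Wi-Fi (%s)" % ssid,
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA",  # WPA/WPA2 Enterprise
        "EAPClientConfiguration": eap_config,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate Wi-Fi 802.1X",
        "PayloadOrganization": organization,
        "PayloadDescription": "802.1X settings for the corporate WLAN",
        "PayloadContent": [wifi_payload],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist bytes written to the .mobileconfig file."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data):
    """Re-read a .mobileconfig and return its security-relevant settings.

    A deployment review should reject a profile whose trusted_servers is
    empty (users would be asked to trust any RADIUS certificate) or that
    carries an embedded password.
    """
    profile = plistlib.loads(data)
    findings = []
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = payload.get("EAPClientConfiguration", {})
        findings.append({
            "ssid": payload["SSID_STR"],
            "eap_types": eap.get("AcceptEAPTypes", []),
            "per_connection_password": bool(eap.get("OneTimePassword")),
            "embedded_password": "UserPassword" in eap,
            "outer_identity": eap.get("OuterIdentity"),
            "trusted_servers": eap.get("TLSTrustedServerNames", []),
            "ttls_inner_auth": eap.get("TTLSInnerAuthentication"),
        })
    return findings


if __name__ == "__main__":
    prof = build_wifi_8021x_profile(
        "CorpWLAN", [EAP_PEAP, EAP_TTLS],
        ["radius1.corp.example.com", "radius2.corp.example.com"])
    blob = to_mobileconfig(prof)
    with open("corp-wifi.mobileconfig", "wb") as fh:
        fh.write(blob)
    for finding in check_profile(blob):
        print(finding)
```

Double-clicking the generated file installs it exactly like an iPCU export. A profile exported from the iPCU can be passed to check_profile unchanged as long as it has not been signed; a signed profile is wrapped in CMS and needs to be unwrapped first.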

Note - See this Apple help document for further instructions on using the iPCU.

To install the configuration profile, locate the file (.mobileconfig extension) and double-click it.

Install the iPCU Configuration Profile

You will be prompted to fill-in any per-user authentication fields left blank by the administrator. The profiles can be viewed later in the System Preferences > Profiles section. This is also where you can delete previously installed profiles. The associated 802.1X profile is also visible in System Preferences > Network > Advanced > 802.1X.

802.1X Profile Successfully Installed

This method is not as easy for on-the-fly testing, but should allow administrators to accomplish all necessary tasks.

Cheers,
Andrew