Wireless Best Practices December 20, 2011 2:40 PM
Page 1 of 94
Wireless Networking
Best Practices Version 2.0
About This Document
This document is meant to serve as a guide for implementing MICROS wireless
Hardware following Payment Application Data Security Standards (PA-DSS).
This document is to be used as an implementation guide supplement.
Copyright 2011
MICROS Systems, Inc.
Columbia, MD USA
All Rights Reserved
Declarations
Warranties
Although the best efforts are made to ensure that the information in this
document is complete and correct, MICROS Systems, Inc. makes no warranty
of any kind with regard to this material, including but not limited to the implied
warranties of marketability and fitness for a particular purpose.
Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by
any means, electronic or mechanical, including photocopying, recording, or
information recording and retrieval systems, for any purpose other than for
personal use, without the express written permission of MICROS Systems, Inc.
MICROS Systems, Inc. shall not be liable for errors contained herein or for
incidental or consequential damages in connection with the furnishing,
performance, or use of this document.
Trademarks
Adobe FrameMaker is a registered trademark of Adobe Systems Incorporated.
The following are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other
countries; Operating Systems - Windows® 7, Microsoft Windows Server® 2008 R2 (Release 2), Microsoft Windows
Server® 2008, Microsoft Windows Server® 2003 and Windows® XP. Database Platforms - Microsoft SQL Server®
2008 R2 (Release 2), Microsoft SQL Server® 2008 and Microsoft SQL Server® 2005. Other products - Microsoft
Excel, Win32 and Windows® CE.
The following are registered trademarks of the Oracle® Corporation; Database Platforms - Oracle® 11g R2 (Release
2), Oracle® 11g and Oracle® 10g.
Visio is a registered trademark of Visio Corporation.
All other trademarks are the property of their respective owners.
Who Should Be Reading This Document
This document is intended for the following audiences:
• MICROS Installers/Programmers
• MICROS Dealers
• MICROS Customer Service
• MICROS Training Personnel
• MIS or IT Personnel
What the Reader Should Already Know
This document assumes the reader has the following knowledge or expertise:
• Operational understanding of PCs
• Understanding of basic network concepts
The PCI DSS Wireless Guideline Informational Supplement version 2.0 references several security
methods. This document will specify the highest possible security method for each device. However, it
is sometimes not practical to use all the recommendations specified in the supplement. See Below:
From Section 4.4.1 Summary of Recommendations:
A. WPA or WPA2 Enterprise mode with 802.1X authentication and AES encryption is recommended
for WLAN networks.
B. It is recommended that WPA2 Personal mode be used with a minimum 13-character random
passphrase and AES encryption.
C. Pre-Shared Keys should be changed on a regular basis
D. Centralized management systems that can control and configure distributed wireless networks are
recommended.
E. The use of WEP in the CDE is prohibited for all deployment after June 30, 2010.
PCI Wireless requirements can be broken down into two primary categories.
1. Generally applicable wireless requirements. These are requirements that all organizations should
have in place to protect their networks from attacks via rogue or unknown wireless access points
(APs) and clients. They apply to organizations regardless of their use of wireless technology and
regardless of whether the wireless technology is a part of the CDE or not. As a result, they are
generally applicable to organizations that wish to comply with PCI DSS.
2. Requirements applicable for in-scope wireless networks: These are requirements that all
organizations that transmit payment card information over wireless technology should have in
place to protect those systems. They are specific to the usage of wireless technology that is in
scope for PCI DSS compliance, namely the Cardholder Data Environment (CDE). These
requirements apply in addition to the universally applicable set of requirements.
This document will assume that all Access Points will operate inside the CDE scope as explained in
the PCI DSS Wireless Implementation Guide 2.0.
For wireless environments, change wireless vendor defaults, including but not limited to:
• Wired Equivalent Privacy (WEP) keys
• Default Service Set Identifiers (SSID)
• Default Passwords
• SNMP Community Strings
• Disable SSID Broadcasts
• Enable Wi-Fi Protected Access (WPA or WPA2) technology for encryption and EAP
authentication when WPA-capable
Important Security Warning:
Default settings must be changed before the site goes live to maintain PCI compliancy.
All wireless encryption keys must be changed at least once a year to maintain PCI compliancy.
For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected
access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired
equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.
If WEP is used, do the following:
• Use with a minimum 104-bit encryption key and 24-bit initialization value
• Use ONLY in conjunction with Wi-Fi Protected Access (WPA or WPA2) technology, VPN, or
SSL/TLS
• Rotate shared WEP keys quarterly (or automatically if the technology permits)
• Rotate shared WEP keys whenever there are changes in personnel
• Restrict access based on media access control (MAC) address
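The requirements above can be checked mechanically against an inventory of wireless profiles. The following Python sketch is an added example, not part of the MICROS guide or the PCI supplement: the profile fields, the device rows and their dates are constructed sample data, and treating "quarterly" as 92 days is an assumption.

```python
from datetime import date

WEP_CUTOFF = date(2010, 6, 30)  # item E: no WEP in the CDE for deployments after this date
MIN_PSK_LEN = 13                # item B: minimum random passphrase length
ANNUAL_DAYS = 365               # keys must be changed at least once a year
QUARTER_DAYS = 92               # assumption: "quarterly" read as at most 92 days


def audit(profile, today):
    """Return (level, text) findings for one wireless profile given as a dict."""
    findings = []
    mode = profile["security"]
    key_age = (today - profile["key_changed"]).days

    if profile.get("default_ssid"):
        findings.append(("must", "vendor default SSID still in use"))

    if mode == "WEP":
        if profile["deployed"] > WEP_CUTOFF:
            findings.append(("must", "WEP deployed in the CDE after June 30, 2010"))
            return findings
        # WEP deployed before the cutoff: the "If WEP is used" conditions apply.
        if profile.get("wep_key_bits", 0) < 104:
            findings.append(("must", "WEP key shorter than 104 bits"))
        if not profile.get("wrapped_by"):
            findings.append(("must", "WEP used without WPA/WPA2, VPN or SSL/TLS"))
        if key_age > QUARTER_DAYS:
            findings.append(("must", "shared WEP key not rotated within a quarter"))
        return findings

    if mode.endswith("-PSK"):
        if mode == "WPA-PSK":
            findings.append(("must", "WPA-PSK in use, WPA2 is required"))
        if profile["passphrase_len"] < MIN_PSK_LEN:
            findings.append(("recommended", "passphrase shorter than 13 characters"))
        if key_age > ANNUAL_DAYS:
            findings.append(("must", "pre-shared key older than one year"))

    if profile["cipher"] != "AES":
        findings.append(("recommended", "cipher is %s, AES is recommended" % profile["cipher"]))
    return findings


def audit_all(inventory, today):
    """Map each profile name to its list of findings."""
    return {p["name"]: audit(p, today) for p in inventory}


# Constructed sample inventory (device names from this guide, all values invented).
INVENTORY = [
    {"name": "WS4 Aironet 350", "security": "WEP", "cipher": "WEP", "wep_key_bits": 104,
     "deployed": date(2011, 3, 1), "key_changed": date(2011, 3, 1)},
    {"name": "WS4 MN-520", "security": "WPA-PSK", "cipher": "TKIP", "passphrase_len": 16,
     "deployed": date(2009, 5, 1), "key_changed": date(2011, 6, 1)},
    {"name": "WS5a CE", "security": "WPA2-PSK", "cipher": "AES", "passphrase_len": 20,
     "deployed": date(2011, 9, 1), "key_changed": date(2011, 9, 1)},
    {"name": "WS5a POSReady", "security": "WPA2-PSK", "cipher": "TKIP", "passphrase_len": 10,
     "deployed": date(2010, 1, 15), "key_changed": date(2010, 1, 15), "default_ssid": True},
]

if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY, date(2011, 12, 20)).items():
        print(name, "OK" if not findings else "")
        for level, text in findings:
            print("  [%s] %s" % (level, text))
```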
Table of Contents
Configuring the Wireless Workstation 4
Configuring the Wireless Workstation 4 LX
Configuring the Wireless Keyboard Workstation 270
Configuring the Wireless Workstation 5
Configuring the Windows CE Wireless Workstation 5a
Configuring the POSReady 2009 Wireless Workstation 5a
Configuring the Dual-Core Windows 7® Wireless Workstation 5a
Configuring the POSReady 2009 Wireless PCWS 2015
Configuring the Windows 7 Wireless PCWS 2015
Configuring the Wireless PCWS 2010 with Windows XP Professional®
Configuring the Wireless PCWS 2010 with Windows Server 2003®
Configuring the PPT8846 to use PEAP Authentication
Configuring the Symbol MC50 to use PEAP Authentication
Configuring the Symbol MC70
Configuring the Motorola MC55
Configuring the Motorola MC55a
Configuring the Symbol AP5131 Access Point
Configuring the Symbol WS2000 Wireless Switch
Configuring the Symbol RFS4000 Wireless Switch
Configuring the Wireless Workstation 4
It is possible to have a Wireless Workstation 4 (WS4) with one of the following configurations.
1. Cisco PCMCIA WLAN Card Aironet 350. MICROS part # 400624-001
• Only capable of 128-bit WEP encryption.
• This configuration is not PCI compliant.
• To become compliant, upgrade to 400633-110. See number 4 below.
2. Linksys PCMCIA WLAN Card. MICROS part # 400624-701
• Only capable of 128-bit WEP encryption.
• This configuration is not PCI compliant.
• To become compliant, upgrade to 400633-110. See number 4 below.
3. Microsoft MN-520 PCMCIA WLAN Card. MICROS Part # 400624-101
• This card is capable of using WPA-PSK.
• This configuration is not PCI compliant because WPA2 is required.
4. KIT, MINI-PCI UPGRADE, WS4, KWS4. MICROS part # 400633-110
• This card is capable of using WPA-Enterprise.
• This configuration is PCI compliant when using WPA encryption with PEAP authentication and
placed behind a Firewall.
• See Procedure 1 below.
Criteria:
1. The WS4 and the server must have CAL version 1.0.2.27 or higher installed. CAL can be
downloaded from the Micros web site at
http://www.micros.com/members/product_support/hardware/drivers/
2. An Access Point capable of using WPA encryption
3. RADIUS Server, e.g. Internet Authentication Service
4. Must use a static IP address
5. Keyboard (PS/2 or USB)
Summary:
This document will explain the steps necessary to connect a Wireless WS4 for PCI compliance.
Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the MICROS Mini-PCI wireless network card
See Misc. Document MD0011-12 located on the Hardware Portal for instructions on installing the card.
1. With the card installed according to the instructions in MD0011-12, power on the Workstation. If
the card has never been configured, the WS4 will display a Wireless Configuration dialog box on the
desktop. See Figure 1.
2. Double click the [Add New…] selection to open the Wireless Network Properties dialog box
(Figure 2) and make the following settings:
   1. Enter the SSID for your AP.
   2. Select TKIP for the Encryption.
   3. Select WPA for the Authentication.
   4. Select PEAP as the 802.1X protocol.
   5. Select Properties and unselect the Validate Server check box.
   6. Press [OK] to close and save.
   7. Press [OK] to close and save.
   8. Highlight your AP and press [Connect].
3. Once you have association, you can leave the Wireless network card on DHCP (the default
setting) or you can set a static address by going to START|SETTINGS|NETWORK AND
DIAL-UP CONNECTIONS. Double click the ISLP21 icon and enter a static IP address, subnet
mask, and gateway if using a router.
4. Run the MICROS CAL normally.
Configuring the Wireless Workstation 4 LX
It is possible to have a Wireless Workstation 4LX with one of the two configurations below.
1. Mini-PCI Card Eazix, MICROS part #400633-110 (Discontinued)
• This card is capable of using WPA2 encryption
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
• See Procedure 1 below
2. Mini-PCI Card Abocom MICROS part #400624-150
• This card is capable of using WPA2 encryption
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
• See Procedure 1 below
Criteria:
1. The WS4 LX and the server must have a minimum CAL version 6.1.3.68 installed. CAL can be
downloaded from the Micros web site at
http://www.micros.com/members/product_support/hardware/drivers/
2. A WPA2 compatible Access Point
3. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless WS4 LX for PCI compliance.
In this document we use the highest encryption level available to the device. It is recommended that
the WS4LX always be used at a minimum of WPA2 encryption. Certain assumptions are made as
this document is for reference only.
Procedure 1: Configuring the WS4 LX for use with the MICROS wireless mini-PCI
card. Part # 400633-110 or 400624-150
1. See the Workstation 4LX Setup Guide (Part #100016-162) located on the Hardware Portal for
instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, power on the Workstation. If the card
has never been configured, the WS4 LX will display a Wireless Configuration dialog box on the
desktop asking you to configure the wireless network. See Figure 3.
3. Double click the [Add New…] selection to open the Wireless Network dialog box (Figure 4) and
make the following settings:
   1. Enter the SSID for your Access Point (case sensitive).
   2. Select AES for the Encryption.
   3. Select WPA2-PSK for the Authentication.
   4. Enter a Network key. This is a “passphrase” and must match the WPA2-PSK “passphrase” of
   your AP. Please use a strong password policy that includes upper and lower case, numeric
   and special characters.
   5. Press [OK] to close and save.
   6. Highlight your AP and press [Connect].
4. Once you have association, you can leave the Wireless network card on DHCP (the default
setting) or you can set a static address by going to START|SETTINGS|NETWORK AND DIAL-UP
CONNECTIONS. Double click the Wireless Card icon and enter a static IP address, subnet mask
and gateway if using a router.
5. Run the MICROS CAL normally.
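The Network key rules in the WPA2-PSK settings above (upper and lower case, numeric and special characters, plus the 13-character minimum quoted from Section 4.4.1) can be checked and met in code. The following Python sketch is an added example, not MICROS code: it validates a passphrase, generates a random compliant one, and derives the 256-bit pre-shared key as 802.11i defines it (PBKDF2-HMAC-SHA1 salted with the SSID), which is why the SSID entry is case sensitive. The function names and the SSID `Store-POS` are assumptions.

```python
import hashlib
import secrets
import string

MIN_LEN = 13  # minimum length recommended in Section 4.4.1, as quoted in this guide
MAX_LEN = 63  # 802.11i limit: a passphrase is 8 to 63 printable ASCII characters
CLASSES = {
    "lower case": string.ascii_lowercase,
    "upper case": string.ascii_uppercase,
    "numeric": string.digits,
    "special": string.punctuation,
}


def passphrase_problems(passphrase):
    """Return the reasons a passphrase misses the policy (empty list if it passes)."""
    problems = []
    if len(passphrase) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(passphrase) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        problems.append("contains characters outside printable ASCII")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in passphrase):
            problems.append("no %s character" % name)
    return problems


def generate_passphrase(length=20):
    """Draw random passphrases from the OS CSPRNG until one has every character class."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between %d and %d" % (MIN_LEN, MAX_LEN))
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not passphrase_problems(candidate):
            return candidate


def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    key = generate_passphrase()
    print("passphrase:", key)
    # Same passphrase, SSID differing only in case: the derived keys differ,
    # so the workstation and the AP never complete the handshake.
    print("AP     :", derive_psk(key, "Store-POS").hex())
    print("client :", derive_psk(key, "store-pos").hex())
```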
Configuring the Wireless Keyboard Workstation 270
It is possible to configure the KW270 with the Sagrad USB Wireless Card (MD0018-002)
Part used to make the KW270 Wireless:
MICROS Part #: MD0018-002
Description: Sagrad USB Wireless Card.
• Capable of WPA & WPA2 Personal and Enterprise
• This configuration is PCI compliant when using WPA encryption PEAP authentication and
placed behind a Firewall
Criteria:
1. The KW270 and the server must have CAL version X.X.X.X or higher installed. CAL can be
downloaded from the Micros web site at
http://www.micros.com/members/product_support/hardware/drivers/
2. An Access Point capable of using WPA2 encryption
3. RADIUS Server. e.g. Internet Authentication Service
4. Must use a static IP address
5. Keyboard (PS/2 or USB)
Summary:
This document will explain the steps necessary to connect a Wireless KW270 for PCI compliance.
Certain assumptions are made as this document is for reference only.
Procedure 1: Configuring the Sagrad USB Wireless Card (MD0018-002)
1. Consult the instructions that come with the Sagrad USB Wireless Card MD0018-002, supplied
with the kit, for installing the card.
2. With the card installed according to the instructions in Step 1, power on the KW270. If the card
has never been configured, the KW270 will display a Wireless Configuration dialog box on the
desktop. See Figure 5.
3. If your Wireless network appears in the list, double click it; otherwise double click the “Add
New…” selection to open the Wireless Network dialog box (Figure 6) and make the following
settings:
   1. Enter the SSID of your Access Point (case sensitive).
   2. Select AES for the Encryption.
   3. Select WPA2 for the Enterprise Authentication.
4. In order to see the rest of the dialog box on the KW270 Screen, move the “Wireless Network
Properties” window up as far as possible, so that it matches Figure 7, and make the following
settings:
   1. Select the now visible PEAP as your IEEE 802.1X authentication. PEAP is a security
   method that requires a user name and password before being able to join the network.
   2. Select the “Properties” button (see Figure 8). If you are using a certificate to validate the
   RADIUS Server, enter the certificate now. If you are not using a certificate, uncheck the
   “Validate Server” box.
   3. Press “OK” to close and save.
   4. Press “OK” on the top right of the “Wireless Network Properties” dialogue box to save.
   5. Highlight your AP and press “Connect”.
5. Once you have association, you can leave the Wireless network card on DHCP (the default
setting) or you can set a static address by going to “START|SETTINGS|NETWORK AND DIAL-UP
CONNECTIONS.” Double click the “RT2501USB1” icon and enter a static IP address, subnet
mask and gateway if using a router.
6. Run the MICROS CAL normally.
Configuring the Wireless Workstation 5
It is possible to have a Wireless Workstation 4LX with one of the two configurations below.
1. Mini-PCI Card Eazix, MICROS part # 400633-110 (Discontinued)
• This card is capable of using WPA2 encryption.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.
• See Procedure 1 below.
2. Mini-PCI Card Abocom, MICROS part # 400633-220
• This card is capable of using WPA2 encryption.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall.
• See Procedure 1 below. Both cards are configured identically.
Criteria:
1. The WS5 must have a minimum CAL version 7.1.3.68 installed. CAL can be downloaded from the
Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
2. An 802.11i compatible Access Point
3. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless WS5 for PCI compliance. In this
document we use the highest encryption level available to the device. It is recommended that the WS5
always be used at a minimum of WPA2 encryption. Certain assumptions are made as this document is
for reference only.
Procedure 1: Configuring the WS5 for use with the MICROS wireless mini-PCI card.
Part # 400633-110
1. See the Workstation 5 Setup Guide (Part #100016-165) located on the Hardware Portal for
instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, power on the Workstation. If the card
has never been configured, the WS5 will display a Wireless Configuration dialog box on the
desktop asking you to configure the wireless network. See Figure 9.
3. Double click the [Add New…] selection to open the Wireless Network dialog box (Figure 10) and
make the following settings:
   1. Enter the SSID for your Access Point (case sensitive).
   2. Select AES for the Encryption.
   3. Select WPA2-PSK for the Authentication.
   4. Enter a Network key. This is a “passphrase” and must match the WPA2-PSK “passphrase” of
   your AP. Please use a strong password policy that includes upper and lower case, numeric
   and special characters.
   5. Press [OK] to close and save.
   6. Highlight your AP and press [Connect].
4. Once you have association, you can leave the Wireless network card on DHCP (the default
setting) or you can set a static address by going to START|SETTINGS|NETWORK AND
DIAL-UP CONNECTIONS. Double click the Wireless Network Connection icon and enter a
static IP address, subnet mask and gateway if using a router.
5. Run the MICROS CAL normally.
Configuring the Windows CE Wireless Workstation 5a
It is possible to configure the Workstation 5a with the same Mini-PCI wireless card as that used in the
PCWS 2010, WS5 and WS4 LX Workstations.
Part used to make the WS5a Wireless:
MICROS part #: 400633-115 or 400633-220
• Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a .
• This card is capable of using WPA2 encryption with AES.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
See Procedure 1 below
Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 1.2.
2. The WS5a must have a minimum CAL version 13.1.3.68 installed. CAL can be downloaded from
the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
3. The Wireless WS5a must use MICROS part # 400633-115 or 400633-220
4. A WPA2-AES compatible Access Point
5. If using PEAP, an Authentication device e.g. IAS Server or the WS2000
6. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless WS5a for PCI compliance. In
this document we use the highest encryption level available to the device. It is recommended that the
WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is
for reference only.
Security Method 1:
(WPA2-PSK) Wi-Fi Protected Access 2 with Pre-Shared Key
Follow this procedure if you are using the 802.11i WPA2-Personal security method.
NOTE:
PCI DSS Wireless Guideline Whitepaper Version 1.2 section 4.4.1 states:
• It is recommended that WPA2 Personal mode be used with a minimum 13-character random
passphrase and AES encryption.
• Pre-Shared Keys should be changed on a regular basis
Procedure 1: Configuring the WS5 for use with the MICROS wireless mini-PCI card.
Part # 400633-220
1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing
the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, power on the Workstation. If the
card has never been configured, the WS5a will display a Wireless Configuration dialog box on the
desktop asking you to configure the wireless network. See Figure 11.
3. Double click the [Add New…] selection to open the Wireless Network dialog box (Figure 12) and
make the following settings:
   1. Enter the SSID for your Access Point (case sensitive).
   2. Select AES for the Encryption.
   3. Select WPA2-PSK for the Authentication.
   4. Enter a Network key. This is a “passphrase” and must match the WPA2-PSK “passphrase” of
   your AP. Please use a strong password policy that includes upper and lower case, numeric
   and special characters.
   5. Press [OK] to close and save.
   6. Highlight your AP and press [Connect].
4. Once you have association, you can leave the Wireless network card on DHCP (the default
setting) or you can set a static address by going to START|SETTINGS|NETWORK AND
DIAL-UP CONNECTIONS. Double click the PCI-E1Y51CE61 icon and enter a static IP address,
subnet mask and gateway if using a router.
5. Run the MICROS CAL normally.
Security Method 2:
(WPA2) Wi-Fi Protected Access 2 and PEAP Authentication
Follow this procedure if you are using the PCI recommended 802.11i WPA2-Enterprise security
method.
Procedure 1: Configuring the WS5 for use with the MICROS wireless mini-PCI card.
Part # 400633-220
1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing
the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, power on the Workstation. If the
card has never been configured, the WS5a will display a Wireless Configuration dialog box on the
Desktop asking you to configure the wireless network. See Figure 13.
3. If your Wireless network appears in the list, double click it; otherwise double click the [Add
New…] selection to open the Wireless Network dialog box (Figure 14) and make the following
settings:
   1. Enter the SSID for your Access Point (case sensitive).
   2. Select AES for the Encryption.
   3. Select WPA2 for the Enterprise Authentication.
   4. Select PEAP as your IEEE 802.1X authentication. PEAP is a security method that requires a
   user name and password before being able to join the network.
   5. Select the Properties button (see Figure 15). If you are using a certificate to validate the
   RADIUS Server, enter the certificate now. If you are not using a certificate, uncheck the
   Validate Server box.
   6. Press [OK] to close and save.
   7. Press [OK] to close and save.
   8. Highlight your AP and press [Connect].
4. Once you have association, you can leave the Wireless network card on DHCP (the default
setting) or you can set a static address by going to START|SETTINGS|NETWORK AND DIAL-UP
CONNECTIONS. Double click the PCI-E1Y51CE61 icon and enter a static IP address, subnet
mask and gateway if using a router.
5. Run the MICROS CAL normally.
Configuring the POSReady 2009 Wireless Workstation 5a
It is possible to configure the Workstation 5a with the same Mini-PCI wireless card as that used in the
PCWS 2010, WS5 and WS4 LX Workstations.
Part used to make the WS5a Wireless:
MICROS part #: 400633-220
Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a
• This card is capable of using WPA2 encryption with AES.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0
2. The WS5a must have a minimum CAL version 13.1.3.68 installed. CAL can be downloaded from
the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
3. The Wireless WS5a must use MICROS part #400633-220
4. A WPA2-AES compatible Access Point
5. If using PEAP, an Authentication device e.g. IAS Server or the WS2000
6. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless WS5a for PCI compliance. In
this document we use the highest encryption level available to the device. It is recommended that the
WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is
for reference only.
(WPA-PSK) Wi-Fi Protected Access with Pre-Shared Key
Follow this procedure if you are using the 802.11i WPA2-Personal security method.
NOTE:
PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states:
• It is recommended that WPA2 Personal mode be used with a minimum 13-character random
passphrase, with AES encryption
• Pre-Shared Keys should be changed on a regular basis
Configuring the WS5a POSReady for use with the MICROS wireless mini-PCI card.
Part # 400633-220
1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing
the MICROS Mini-PCI Wireless card.
2. With the card installed, go to “Start|Settings|Network Connections.”
3. Right click on the “Wireless Network Connection” icon and select “Properties.” See Figure 16.
4. Select the “Wireless Networks” tab. See Figure 17.
5. Click the “Add” button (see Figure 18) and make the following settings:
   1. Enter the SSID of your Access Point (case sensitive).
   2. Select WPA2-PSK and TKIP.
   3. Enter the secure Passphrase that matches the one entered on your Access Point.
   4. Click “OK”.
6. If you are using DHCP, you can click “OK” and let the WS5a make an association with the Access
Point designated in Step 4. If you are using a static IP address, do not press “OK”; instead
highlight “Internet Protocol (TCP/IP)” and click “Properties.” The Internet Protocol Properties box
will open. Highlight the “Use the following IP address” radio button and manually enter proper
IP, subnet and gateway addresses.
7. Press “OK”
8. Press “OK”
9. You should now have an association with your AP. The taskbar icon should look like Figure 19
(wireless network card is associated).
10. Run the MICROS CAL normally.
Configuring the Dual-Core Windows 7® Wireless Workstation 5a
It is possible to configure the Workstation 5a with the same Mini-PCI wireless card as that used in the
PCWS 2010, WS5 and WS4 LX Workstations.
Part used to make the WS5a Wireless:
MICROS part #: 400633-220
Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a
• This card is capable of using WPA2 encryption with AES.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0
2. The WS5a must have a minimum CAL version 13.1.3.115 installed. CAL can be downloaded from
the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
3. The Wireless WS5a must use MICROS part #400633-220
4. A WPA2-AES compatible Access Point
5. If using PEAP, an Authentication device e.g. IAS Server or the WS2000
6. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless WS5a for PCI compliance. In
this document we use the highest encryption level available to the device. It is recommended that the
WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is
for reference only.
Wireless Networking Best Practices
Wireless Networking Best Practices December 20, 2011 2:40 PM
Page 29 of 94
Figure 20
(WPA-PSK) Wi-Fi Protected Access with Pre-Shared Key
Follow this procedure if you are using the 802.11i WPA2-Personal security method
NOTE:
PCI DSS Wireless Guidline Whitepaper Version 2.0 Section 4.4.1 states
• It is recommended that WPA2 Personal mode be used with a minimum 13-character random
passphrase, with AES encryption
• Pre-Shared Keys should be changed on a regular basis
1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing
the MICROS Mini-PCI Wireless card.
2. With the card installed go to “Start|Control Panel” and click “Network and Internet”
3. Click on “Network and Sharing Center”
4. Click “Set up a new connection or network,” highlight “Manually connect to a wireless network”
and press “Next.” See Figure 20.
Configuring the DC WS5a Win7 for use with the MICROS wireless mini-PCI card.
Part # 400633-220
1. Enter the SSID of your Access Point (Case Sensitive)
2. Select WPA2-Personal and AES Encryption type
3. Check “Hide characters”
4. Enter the secure Passphrase that matches the one entered on your Access Point
5. Check “Connect even if the network is not broadcasting”*
*NOTE: Windows recommends against connecting to APs that do not broadcast, however, the PCI
Whitepaper v2.0 Section 4.2.1 states that while suppressing SSID is not required, broadcasting an
SSID that advertises the organization’s name or is easily identifiable with the organization is not
recommended. Default SSID values should always be changed.
Figure 21
Figure 22
5. Click “Next”
6. If you are using DHCP, your wireless card will associate with the AP now. If you are using a
static IP, click on the “Wireless Network Connection (SSID)” in the Network and Sharing Center
window and click “Properties.” Highlight “Internet Protocol Version 4 (TCP/IPv4)” and click
“Properties.” The Internet Protocol Properties box will open. Highlight the “Use the following
IP addresses” radio button and manually enter proper IP, subnet and gateway addresses.
7. Press “OK” twice.
8. You will now be associated with your AP. The taskbar icon should look like Figure 21.
9. If the taskbar icon looks like Figure 22 then you need to ensure that you are connected with your
AP.
Figure 23
10. Right click on the Wireless Connection Icon in the task bar and select “Open Network and Sharing
Center.” Click on “Wireless Network Connection (SSID)” shown in Figure 23.
11. Click “Details”
12. Look at the Value for “IPv4 Address” and verify that you have attained an IP address from the AP
that fits within the proper IP Address Schema for your network. See Figure 24.
Figure 24
13. Click “Close” twice and close the “Network and Sharing Center” window.
14. Run the MICROS CAL normally.
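One way to check a Windows 7 workstation's saved wireless profile against the settings used in this procedure (WPA2 with AES, and a passphrase of at least 13 characters), as an added example that is not MICROS code. It assumes the profile was exported with `netsh wlan export profile key=clear`; the sample profiles, SSID and passphrases are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows WLAN profile XML (netsh wlan export profile).
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
MIN_PASSPHRASE_LEN = 13  # minimum this guide quotes from Section 4.4.1

# Constructed sample profile; the SSID and passphrases used below are made up.
PROFILE_TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig>
    <SSID><name>{ssid}</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>{auth}</authentication>
      <encryption>{enc}</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>{protected}</protected>
      <keyMaterial>{key}</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""


def audit_wlan_profile(xml_text):
    """Return a list of findings for one exported profile; an empty list means it passes."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return node.text if node is not None and node.text else None

    sec = "w:MSM/w:security/"
    ssid = text("w:SSIDConfig/w:SSID/w:name")
    auth = text(sec + "w:authEncryption/w:authentication")
    enc = text(sec + "w:authEncryption/w:encryption")
    findings = []

    # WPA2PSK is WPA2-Personal; WPA2 is WPA2-Enterprise (802.1X).
    if auth not in ("WPA2PSK", "WPA2"):
        findings.append("authentication is %s, not WPA2" % auth)
    if enc != "AES":
        findings.append("encryption is %s, not AES" % enc)

    # Passphrase checks only apply to pre-shared-key profiles.
    is_psk = auth in ("WPAPSK", "WPA2PSK")
    if is_psk and text(sec + "w:sharedKey/w:keyType") == "passPhrase":
        key = text(sec + "w:sharedKey/w:keyMaterial") or ""
        if text(sec + "w:sharedKey/w:protected") == "true":
            # Exported without key=clear: keyMaterial is an encrypted blob.
            findings.append("passphrase is encrypted in this export; length not checked")
        else:
            if len(key) < MIN_PASSPHRASE_LEN:
                findings.append("passphrase has %d characters, minimum is %d"
                                % (len(key), MIN_PASSPHRASE_LEN))
            # Heuristic only: a passphrase built from the SSID is not random.
            if ssid and ssid.lower() in key.lower():
                findings.append("passphrase contains the SSID")
    return findings


GOOD = PROFILE_TEMPLATE.format(ssid="WLAN-EXAMPLE-01", auth="WPA2PSK", enc="AES",
                               protected="false", key="k7#Vq2!mZx9$Lp4w")
WEAK = PROFILE_TEMPLATE.format(ssid="WLAN-EXAMPLE-01", auth="WPA2PSK", enc="TKIP",
                               protected="false", key="store123")

if __name__ == "__main__":
    for label, profile in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_wlan_profile(profile) or "OK")
```

An export made with `key=clear` contains the passphrase in plain text, so delete the exported file once the check is done.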
Configuring the POSReady 2009 Wireless PCWS 2015
Currently, only the SparkLAN WMIR-200N (P/N # 400633-225) is compatible with the PCWS 2015
Part used to make the WS5a Wireless:
MICROS part #: 400633-225
Description: WIRELESS (802.11a/b/g/n) UPGRADE KIT WS5/WS5A/PCWS2015 ,INCLUDES
MINI-PCI CARD,ANTENNAS AND INSTALLATION INSTRUCTIONS
• This card is capable of using WPA2 with AES encryption.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0
2. The PCWS 2015 must have a minimum CAL version 3.1.3.115 installed. CAL can be
downloaded from the Micros web site at
3. http://www.micros.com/members/product_support/hardware/drivers/
4. The Wireless PCWS2015 must use MICROS part #400633-225
5. A WPA2-AES compatible Access Point
6. If using PEAP, an Authentication device e.g. IAS Server or the WS2000
7. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless PCWS2015 for PCI compliance.
In this document we use the highest encryption level available to the device. It is recommended that
the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this
document is for reference only.
Figure 25
Follow this procedure if you are using the 802.11i WPA2-Personal security method
NOTE:
PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states
• It is recommended that WPA2 Personal mode be used with a minimum 13-character random
passphrase, with AES encryption
• Pre-Shared Keys should be changed on a regular basis
Configuring the WS5a POSReady for use with the MICROS wireless mini-PCI card. Part #
400633-220
1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing
the MICROS Mini-PCI Wireless card.
2. With the card installed go to “Start|Settings|Network Connections”
3. Right click on the “Wireless Network Connection” icon and select “Properties” See Figure 25.
Procedure 1: Configuring the POSReady 2009 PCWS 2015 (WPA2-PSK) Wi-Fi
Protected Access with Pre-Shared Key using the Windows Wireless Zero Configuration
(WZC) Service
4. Select the “Wireless Networks” tab. See Figure 26.
5. Click the “Add” button. See Figure 27.
Figure 26
1. Enter the SSID of your Access Point (Case Sensitive)
2. Select WPA2-PSK and TKIP
3. Enter the secure Passphrase that matches the one entered on your Access Point
4. Click “OK”
Figure 27
6. If you are using DHCP, you can click “OK” and let the WS5a make an association with the Access
Point designated in Step 4. If you are using a static IP address, do not press “OK”; instead, highlight
“Internet Protocol (TCP/IP)” and click “Properties.” The Internet Protocol Properties box
will open. Highlight the “Use the following IP address” radio button and manually enter proper
IP, subnet and gateway addresses.
7. Press “OK”
8. Press “OK”
9. You should now have an association with your AP. The taskbar icon should look like Figure 28.
10. Run the MICROS CAL normally.
Figure 28
Follow this procedure if you are using the 802.11i WPA2-Personal security method
NOTE: PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states
• It is recommended that WPA2 Personal mode be used with a minimum 13-character random
passphrase, with AES encryption
• Pre-Shared Keys should be changed on a regular basis
This Procedure applies when, during the Mini-PCI Wireless Card driver installation, the option to use
the Ralink WLAN Utility was chosen.
Configuring the WS5a POSReady for use with the MICROS wireless mini-PCI card. Part #
400633-220
1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing
the MICROS Mini-PCI Wireless card.
2. When the installation of the driver and software is complete, the Ralink WLAN Utility will launch
automatically
3. Click on the “Profile” tab at the top of the screen, seen in Figure 29.
4. Click the “Add” button
Procedure 2: Configuring the POSReady 2009 PCWS 2015 (WPA2-PSK) Wi-Fi
Protected Access with Pre-Shared Key using the Ralink WLAN Utility and Ralink
Configuration Tool
Figure 29
5. Enter the SSID of the Access Point you wish to connect to, seen in Figure 30.
6. Click the “Auth. \Encry.” Tab to setup the correct Authentication and Encryption types for your
AP.
Figure 30
7. If your AP is using WPA2-PSK Personal Mode, select that for Authentication and choose AES for
Encryption, as seen in Figure 31. Enter the Secure Passphrase that matches the one setup on the
AP in the “WPA Preshared Key” field.
8. If your AP is setup with WPA2 Enterprise Mode, using AES Encryption and EAP Authentication,
select WPA2 for Authentication and AES for Encryption, and click the “802.1x” tab to continue
the setup.
Figure 31
9. Click on the Client Certificate, seen in Figure 32, and check the Use Client certificate box.
10. Select your certificate from the drop down list and click “OK”
Figure 32
11. Highlight the Profile you have created and click the “Activate” button, as seen in Figure 33.
12. If you are using DHCP, verify that you have an IP address, Sub Mask, and Default Gateway
assigned. If so, you are associated with the AP and can close the Ralink Configuration Utility and
run the MICROS CAL.
13. If you are using a static IP address, close the Ralink Configuration Utility, and go to “Start|
Settings| Network Connections.” Right click on the Wireless Network Connection, and select
“Properties.” Highlight “Internet Protocol (TCP/IP)” and click “Properties.” The Internet
Protocol Properties box will open. Highlight the “Use the following IP address” radio button and
manually enter proper IP, subnet and gateway addresses.
14. Press “OK”
15. Press “OK”
16. You should now have an association with your AP. The taskbar icon should look like Figure 34.
17. Run the MICROS CAL normally.
Figure 33
Figure 34
Configuring the Windows 7 Wireless PCWS 2015
Currently, only the SparkLAN WMIR-200N (P/N # 400633-225) is compatible with the PCWS 2015
Part used to make the WS5a Wireless:
MICROS part #: 400633-225
Description: WIRELESS (802.11a/b/g/n) UPGRADE KIT WS5/WS5A/PCWS2015 ,INCLUDES
MINI-PCI CARD,ANTENNAS AND INSTALLATION INSTRUCTIONS
• This card is capable of using WPA2 with AES encryption.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
Criteria:
1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0
2. The PCWS 2015 must have a minimum CAL version 3.1.3.115 installed. CAL can be downloaded
from the Micros web site at
3. http://www.micros.com/members/product_support/hardware/drivers/
4. The Wireless PCWS2015 must use MICROS part #400633-225
5. A WPA2-AES compatible Access Point
6. If using PEAP, an Authentication device e.g. IAS Server or the WS2000
7. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless PCWS2015 for PCI compliance.
In this document we use the highest encryption level available to the device. It is recommended that
the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this
document is for reference only.
(WPA-PSK) Wi-Fi Protected Access with Pre-Shared Key
Follow this procedure if you are using the 802.11i WPA2-Personal security method
NOTE: PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states
• It is recommended that WPA2 Personal mode be used with a minimum 13-character random
passphrase, with AES encryption for WPA2
• Pre-Shared Keys should be changed on a regular basis
1. See the PCWS 2015 Setup Guide located on the Hardware Portal for instructions on installing the
MICROS Mini-PCI Wireless card.
2. With the card installed go to “Start|Control Panel” and click “Network and Internet”
3. Click on “Network and Sharing Center”
4. Click “Set up a new connection or network,” highlight “Manually connect to a wireless network”
and press “Next.” See Figure 35.
Configuring the PCWS 2015 Win7 for use with the MICROS wireless mini-PCI card.
Part # 400633-220
1. Enter the SSID of your Access Point (Case Sensitive)
2. Select WPA2-Personal and AES Encryption type
3. Check “Hide Characters”
4. Enter the secure Passphrase that matches the one entered on your Access Point
5. Check “Connect even if the network is not broadcasting”*
*NOTE: Windows recommends against connecting to APs that do not broadcast, however, the PCI
Whitepaper v2.0 Section 4.2.1 states that while suppressing SSID is not required, broadcasting an
SSID that advertises the organization’s name or is easily identifiable with the organization is not
recommended. Default SSID values should always be changed.
Figure 35
5. Click “Next”
6. If you are using DHCP, your wireless card will associate with the AP now. If you are using a
static IP, click on the “Wireless Network Connection (SSID)” in the Network and Sharing Center
window and click “Properties.” Highlight “Internet Protocol Version 4 (TCP/IPv4)” and click
“Properties.” The Internet Protocol Properties box will open. Highlight the “Use the following
IP addresses” radio button and manually enter proper IP, subnet and gateway addresses.
7. Press “OK” twice.
8. You will now be associated with your AP. The taskbar icon should look like Figure 36.
9. If the taskbar icon looks like Figure 37 then you need to ensure that you are connected with your
AP.
10. Right click on the Wireless Connection Icon in the task bar and select “Open Network and Sharing
Center.” Click on “Wireless Network Connection (SSID)” Shown in Figure 38.
Figure 36
Figure 37
Figure 38
11. Click “Details”
12. Look at the Value for “IPv4 Address” and verify that you have attained an IP address from the
AP that fits within the proper IP Address Schema for your network. See Figure 39.
13. Click “Close” twice and close the “Network and Sharing Center” window.
14. Run the MICROS CAL normally.
Figure 39
Configuring the Wireless PCWS 2010 with Windows XP Professional®
It is possible to configure the PCWS2010 with the same Mini-PCI wireless card as that used in the
WS4, WS4 LX and WS5.
Part used to make the PCWS 2010 Wireless:
MICROS part #: 400633-110
Description: KIT,MINI-PCI UPGRADE, 2010, WS4 LX, PCWS 2010.
• This card is capable of using WPA2 encryption.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
See Procedure 1 below
Criteria:
1. The PCWS 2010 must have a minimum CAL version 3.1.3.56 installed. CAL can be downloaded
from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
2. The Wireless PCWS 2010 must use MICROS part # 400633-110
3. A WPA2 compatible Access Point
4. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless PCWS 2010 for PCI compliance.
In this document we use the highest encryption level available to the device. It is recommended that
the PCWS 2010 always be used at a minimum of WPA2 encryption. Certain assumptions are made as
this document is for reference only.
1. See the PCWS 2010 Setup Guide (Part #100016-144) located on the Hardware Portal for
instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the card
has never been configured, the PCWS 2010 displays a message indicating that it has found “new
Hardware”. Browse to the C:\B\MINI PCI LAN Drivers folder and let the install utility setup the
drivers. After the drivers are loaded, go to “Start|Settings|Network Connections”. When the dialog
box opens, highlight the “Wireless Network Connection” icon and select the “Change settings of
this connection”. See Figure 40.
3. Select the “Wireless Networks” tab. See Figure 41.
4. Click [Add…]. See Figure 42.
Procedure 1: Configuring the PCWS 2010 for use with the MICROS wireless mini-PCI
card. Part # 400633-110
Figure 40
8. If you are using DHCP, you can click [OK] and let the PCWS 2010 make an association with the
Access Point designated in step 4. If you are using a static IP address, do not press [OK], instead
highlight “Internet Protocol (TCP/IP)” and click “properties”. The Internet Protocol Properties box
will open. Highlight the “Use the following IP address” radio button and manually enter proper IP,
subnet and gateway addresses.
9. Press [OK]
10. Press [OK]
11. You should now have an association with your AP. The taskbar icon should look like Figure 43.
12. Run the MICROS CAL normally.
Wireless Network Card is associated
1. Enter the SSID of your Access Point (Case Sensitive)
2. Select WPA2-PSK and AES
3. Enter the secure Passphrase that matches the one entered on your AP
4. Click [OK]
Figure 42
Figure 41
Figure 43
Configuring the Wireless PCWS 2010 with Windows Server 2003®
It is possible to configure the PCWS2010 with the same Mini-PCI wireless card as that used in the
WS4, WS4 LX and WS5.
Part used to make the PCWS 2010 Wireless:
MICROS part #: 400633-110
Description: KIT,MINI-PCI UPGRADE,PCWS 2010, WS4 LX, WS5.
• This card is capable of using WPA2 encryption.
• This configuration is PCI compliant when using WPA2 encryption and placed behind a
Firewall
See Procedure 1 below
Criteria:
1. The PCWS 2010 must have a minimum CAL version 3.1.3.56 installed. CAL can be downloaded
from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/
2. The Wireless PCWS 2010 must use MICROS part # 400633-110
3. A WPA2 compatible Access Point
4. USB Keyboard
Summary:
This document will explain the steps necessary to connect a Wireless PCWS 2010 for PCI compliance.
In this document we use the highest encryption level available to the device. It is recommended that
the PCWS 2010 always be used at a minimum of WPA2 encryption. Certain assumptions are made as
this document is for reference only.
1. See the PCWS 2010 Setup Guide (Part #100016-144) located on the Hardware Portal for
instructions on installing the MICROS Mini-PCI Wireless card.
2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the card
has never been configured, the PCWS 2010 displays a message indicating that it has found “new
Hardware”. Browse to the C:\B\MINI PCI LAN Drivers folder and let the install utility setup the
drivers. After the drivers are loaded, go to “Start|Settings|Network Connections”. When the dialog
box opens, highlight the “Wireless Network Connection” icon and select File| Properties. See
Figure 44.
3. Select the “Wireless Networks” tab. See Figure 45.
4. Click [Add…]. See Figure 46.
5. If you are using DHCP, you can click [OK] and let the PCWS 2010 make an association with the
Access Point designated in step 4. If you are using a static IP address, do not press [OK], instead
choose the [General] Tab, highlight “Internet Protocol (TCP/IP)” and click “properties.” The
Internet Protocol Properties box will open. Highlight the “Use the following IP address” radio
button and manually enter proper IP, subnet and gateway addresses.
Procedure 1: Configuring the PCWS 2010 for use with the MICROS wireless mini-PCI
card. Part # 400633-110
Figure 44
1. Enter the SSID of your Access Point (Case Sensitive)
2. Select WPA2-PSK and AES
3. Enter the secure Passphrase that matches the one entered on your AP
4. Click [OK]
Figure 46
Figure 45
6. Press [OK]
7. Press [OK]
8. You should now have an association with your AP. The taskbar icon will look like Figure 47.
9. Run the MICROS CAL normally.
Wireless Network Card is associated
Figure 47
Configuring the PPT8846 to use PEAP Authentication
The Symbol PPT8846 is certified to work with the following MICROS versions or higher:
• RES 3.2, 4.0
• 9700 2.7
• Simphony (Check the release notes)
The PPT8846 runs Pocket PC 2003 (Windows CE 4.21) which is capable of utilizing the WPA
encryption security standard. The PCI-DSS Wireless recommendations (802.1x Authentication) can
be met with the use of a third-party utility called Aegis. The Aegis utility is available for download
from the Motorola website at http://support.symbol.com or the micros portal at:
http://portal.micros.com/sites/hardware. The manuals for Aegis are also included in the same zip file
as this document. For more information please reference those manuals.
Criteria:
The PPT8846 must have:
1. A minimum platform version of 33 or higher
2. A WPA and 802.1x compatible Access Point
3. Fully charged battery
Summary:
This document will explain the steps necessary to connect a Symbol PPT8846 for Wireless PCI
compliant recommendations. In this document we use the highest encryption level available to the
device. It is recommended that the PPT8846 always be used with 802.1X authentication. Certain
assumptions are made as this document is for reference only.
1. Read the product warranty information that came with your Symbol PPT8846.
2. Attach the battery to the PPT8846 according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the
PPT8846 and download the application.
Install the Aegis 802.1X Client
(Once the Aegis Utility is installed and running there is no need to configure the Built-in Mobile
Companion)
1. Obtain a copy of the Aegis client (AEGIS 2.1.13-0 WM 2003 PPT8800.cab) from the micros
hardware portal or packaged with this document. Copy the Aegis Utility to the \Application folder
of the PPT8846. Also copy the following files to the \Application folder
a. AegisCopy.cpyAEGISPPT8846.reg
b. SaveAegis.lnk
c. AegisScript.spt
d. AegisLicense.reg
e. SimScriptWM.exe
2. On the PPT8846, browse the \Application folder and tap the
AEGIS 2.1.13-0 WM 2003 PPT8800.cab file to install Aegis.
3. Perform a Cold Boot on the PPT8846. See the instructions at
the end of this section.
4. Go through the startup wizard. A message will display
indicating that “This is the first time the Aegis Client has run
…” Press OK to this message.
5. The Aegis client opens. See Figure 48.
6. If you are going to use more than one network, you can create
multiple profiles. Otherwise the profile name can be left at
default. For the Authentication type, select PEAP. See Figure
48. Enter your PEAP user name and password into the
Identity and password fields. This user name must correspond
to the user on your RADIUS Server. See Figure 48.
NOTE: “A strong, alphanumeric password must be created
with a minimum length of eight characters that includes upper and lower case letters, numbers, and
special characters.”
Configuring the Symbol PPT8846 for PEAP
Figure 48
7. Choose EAP-MSCHAP v2 from the protocol list box.
8. Select the Server tab. See Figure 49.
9. Place a check mark at: “Do not validate server
certificate chain”. This will prevent the Aegis utility
from looking for a certificate. If you are using
certificates, do not check this box. See Figure 49.
10. Press OK. You will receive a message indicating that
you must restart the client. Press OK again. If the utility
closes it can be re-opened by tapping the Icon in the
lower right corner. A Four-Button press may be
required to get around the POSLoader. See instructions
for this process at the bottom of this section.
11. When the Start Icon appears, press START|Today to
enter the Today screen.
12. Open the Aegis utility by tapping the Aegis utility in
the lower right corner of the today screen.
13. Tap the “Spectrum24 LA41…” label on the Aegis
screen. Another window will open. See Figure 50.
14. Select Configure. See Figure 51.
15. In the Available Network list, highlight your access point and press “move to configured” or click
Add if your access point is not on the list.
Figure 49
Figure 50
Figure 51
16. Select “Properties” to edit the access point details. See Figure 52.
17. Select the Authentication Profile that was created in step 5 and corresponds to your PEAP network.
18. Select WPA Settings tab. See Figure 53.
19. In the WPA Mode list box, choose “WPA 802.1X”
20. In the Encryption list box, choose AES.
21. Click OK
22. Restart the client: choose Client|Restart to restart the utility. The utility should start
“Authenticated” when connected. If you do not get an “Authenticated” message, go back and
double check everything.
Figure 52
Figure 53
Once Connected to the Network
1. Close the Aegis client. Do not Exit. Exiting will disable the utility and remove the PPT8846 from
the network.
2. Save your settings with Start, Save Aegis. Pressing this utility will make your device Cold Boot
persistent. It is highly recommended that you run this utility after every change to the network.
3. Cold Boot the PPT8846
4. Run the POSLoader as normal except DO NOT configure the Wireless settings. Just skip that
section.
5. At the “Configure Network Adapters” window, tap “802.11b Wireless LAN”.
6. Configure the IP scheme appropriately to your network.
7. Continue the POSLoader wizard. Enter the Server IP address and the HHT name.
8. The loader will force a reboot and continue.
Performing a Four-Finger Press to Exit the MICROS Application
When the PPT8846 shipped from micros is booted the POSLoader will take over. It is possible to exit
from the POSLoader while on the very first splash screen.
One at a time, press the following buttons: F1, F4, Function, and F1 (again). This will cause the Start
Icon to display in the top left corner. You can navigate anywhere from the Start button.
Performing a Cold Boot
Remove the back cover and depress the small white “reset” button while simultaneously depressing
the Function button. Replace the back cover and hit the red Power button (Lower left-hand side.)
Making Aegis Persistent
Once the network is configured and communicating, run the “Save Aegis” utility located on the start
menu. Make a good practice of re-running this utility every time you reconfigure your network
settings.
You did this procedure in the first two steps of the Once Connected to the Network section.
Configuring the Symbol MC50 to use PEAP Authentication
The Symbol MC50 is certified to work with the following MICROS versions or higher:
• RES 4.0
• 9700 3.0 SP10
• Simphony 1.x
The MC50 runs Pocket PC 2003 (Windows CE 4.21) which is capable of utilizing the WPA
encryption security standard. The PCI-DSS Wireless recommendations (802.1x Authentication) can
be met with the use of a third-party utility called Aegis. The Aegis utility is available for download
from the Motorola website at http://support.symbol.com or the micros portal at:
http://portal.micros.com/sites/hardware. The manuals for Aegis are also included in the same zip file
as this document. For more information please reference those manuals.
Criteria:
1. The MC50 must be on a minimum platform version of 19i or higher
2. A WPA and 802.1x compatible Access Point
3. Fully charged Battery
Summary:
This document will explain the steps necessary to connect a Symbol MC50 for Wireless PCI
compliant recommendations. In this document we use the highest encryption level available to the
device. It is recommended that the MC50 always be used with 802.1X authentication. Certain
assumptions are made as this document is for reference only.
1. Read the product warranty information that came with your Symbol MC50.
2. Attach the battery to the MC50 according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the
MC50 and download the application.
Install the Aegis 802.1X Client
(Once the Aegis Utility is installed and running there is no
need to configure the Built-in Mobile Companion)
1. Obtain a copy of the Aegis client (AEGIS 2.1.13-0 WM
2003 PPT8800.cab) from the micros hardware portal or
packaged with this document. Copy the Aegis Utility to
the \Application folder of the MC50. Also copy the
following files to the \Application folder
a. AegisCopy.cpy
b. SaveAegis.lnk
c. AegisScript.spt
d. AegisLicense.reg
e. SimScriptWM.exe
2. On the MC50, browse the \Application folder and tap
the AEGIS 2.1.13-0 WM 2003 PPT8800.cab file to
install Aegis.
3. Cold Boot the MC50 to force the Aegis utility to run.
The Aegis client will pop open a message indicating
that “If this is the first time…”. Press OK.
4. The Aegis Client will open. See Figure 54.
5. If you are going to use more than one network, you can create multiple profiles. Otherwise the
profile name can be left at default. For the Authentication type, select PEAP. See Figure 54. Enter
your PEAP user name and password into the Identity and password fields. This user name must
correspond to the user on your RADIUS Server. See Figure 54. NOTE: “A strong, alphanumeric
password must be created with a minimum length of eight characters that includes upper and lower
case letters, numbers, and special characters.”
6. Choose EAP-MSCHAP v2 from the protocol list box.
7. Select the Server tab. See Figure 55.
8. Place a check mark at: “Do not validate server certificate chain”. This will prevent the Aegis utility
from looking for a certificate. If you are using certificates, do not check this box. See Figure 55.
Configuring the Symbol MC50 for PEAP
Figure 54
9. Press OK. You will receive a message indicating
that you must restart the client. Press OK again. If the
utility closes it can be re-opened by tapping the Icon in
the lower right corner.
10. Tap the “Pegasus WLAN CF…” label on the
Aegis screen. Another window will open. See Figure
56.
11. Select Configure. See Figure 57.
12. In the Available Network list, highlight your
access point and press “move to configured” or click
Add if your access point is not on the list.
13. Select “Properties” to edit the access point
details. See Figure 58.
14. Select the Authentication Profile that was created in step
5 and corresponds to your PEAP network.
15. Select WPA Settings tab. See Figure 59.
16. In the WPA Mode list box, choose “WPA
802.1X”
17. In the Encryption list box, choose AES.
18. Click OK
19. Restart the client: choose Client|Restart to restart
the utility. The utility should start “Authenticated”
when connected. If you do not get an
“Authenticated” message, go back and double check
everything.
Once the network is configured, run the “Save Aegis”
utility located on the start menu. Make a good practice
of re-running this utility every time you reconfigure your
network settings.
Figure 55
Figure 56
Figure 57
Figure 58
Figure 59
Performing a Cold Boot
Hold down the Power button and right Scan/Action button, then press and release the reset button
located below the battery release on the back of the mobile computer. Release the Power button and
right Scan/Action button. See Figure 60.
Performing a Warm Boot
Press the reset button located below the battery release on the back of the mobile computer.
Closing the CAL Client
The CAL client is forced to start every time a reboot occurs. You can by-pass the CAL screen by
using the following method:
1. When the CAL is at the “Version Window,” press the green phone key
2. Press the calendar key
3. Press the red phone key
The CAL will disappear. You can restart it again with a Warm boot.
Figure 60
Configuring the Symbol MC70
The Symbol MC70 is certified to work with the following MICROS versions or higher:
• RES – 4.4
• 9700 - 3.1 SP4 and 3.2 SP1
• Simphony - 1.0 (Check documentation for Service Pack level)
The Symbol MC70 uses Windows Mobile 5.0 (OS Version 05.01.0478) which is capable of utilizing
the WPA and WPA2 encryption security standards. The MC70 is shipped from MICROS with the
CAL pre-loaded.
Criteria:
1. The MC70 must be on a minimum OEM Version of 4.39.0000.
2. A WPA2 compatible Access Point
3. Fully charged battery
Summary:
This document will explain the steps necessary to connect a Symbol MC70 for PCI compliance. It is
recommended that the MC70 always be used at a minimum of WPA2 encryption. Certain assumptions
are made as this document is for reference only.
Configuring the Symbol MC70 for use on a MICROS system
1. Read the product warranty and enclosed documentation that shipped with your Symbol MC70.
2. Attach the battery to the MC70 according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the
MC70 and download the application.
4. Click the Fusion icon located in the lower right corner of the “Today” screen. (Fusion replaces the
Mobile Companion that was used in the past; Motorola\Symbol has changed to this similar utility.)
See Figure 61.
5. Tap the Fusion icon and select “Manage Profiles”.
The Manage Profiles window will open.
6. Hold the stylus on the empty space in the Window
and select “Add”. See Figure 62.
7. The “Profile Entry” window will open. Enter the
name and ESSID of the Access Point. See Figure 63.
8. Click Next
9. Enter your Operating Mode and Country. The
Operating Mode choices are “Infrastructure” or
“Ad-Hoc”. Choose “Infrastructure” if you are
connecting to an Access Point or Access Port. Select
“Ad-Hoc” if you are only connecting mobile device
to mobile device. See Figure 64.
10. Click Next
11. Select the Authentication type required. Some sites
require a stronger security than WPA2_PSK. At
these sites there will be an Authentication device that
will require you to type a password or provide a certificate.
12. Click Next
13. The Encryption window will open. Select AES. See Figure 65.
14. Click Next
15. The Pass Phrase Window will open. Enter the WPA2 Pre-Shared Key Pass Phrase that matches
your Infrastructure. See Figure 66.
NOTE: A strong, alphanumeric password must be created with a minimum length of eight characters
that includes upper and lower case letters, numbers and special characters.
16. Click Next
Figure 61
17. The “IP Address Entry” window will open. Select Static or
DHCP depending upon your needs and which product you
will be using. In most cases a RES site will use a Static IP
address and a 9700 or Simphony site will use a DHCP
address.
18. Click Next. If you selected DHCP above, a “Transmit
Power” window will open. If you selected Static above, an
“IP address Entry” window will open; enter the appropriate
IP address and Subnet Mask for your system.
19. Click Next to leave the “Transmit Power” set to
“Automatic”.
20. The “Battery Usage” window will open. You can leave the
default setting of “Fast Power Save” or choose an
alternative.
21. Click Finish
22. Click [OK] to close the Fusion utility.
23. There will be a 60 second delay until you get a “Network
Connect” response on the desktop. This will mean that you
are successfully connected. See Figure 67.
Figure 63
Figure 62
Figure 64
Figure 65
Figure 66
Figure 67
Configuring the Motorola MC55
The Motorola MC55 is certified to work with the following MICROS versions or higher:
• RES – 4.6
• 9700 - 3.5
• Simphony - 1.x (Check documentation for Service Pack level)
The Motorola MC55 uses Windows Mobile 6.1 (OS Version 05.02.20758) which is capable of
utilizing the WPA and WPA2 encryption security standards. The MC55 is shipped from MICROS
with the CAL pre-loaded.
Criteria:
1. The MC55 must be on a minimum OEM Version of 1.27.0006.
2. A WPA2 compatible Access Point
3. Fully charged battery
Summary:
This document will explain the steps necessary to connect a Motorola MC55 for PCI compliance. It is
recommended that the MC55 always be used at a minimum of WPA2-PSK encryption. Certain
assumptions are made as this document is for reference only.
Configuring the Motorola MC55 for use on a MICROS System
1. Read the product warranty and enclosed documentation
that shipped with your Motorola MC55.
2. Attach the battery to the MC55 according to the enclosed
instructions.
3. Charge the battery for several hours to make sure you
have sufficient battery time to configure the MC55 and
download the application.
4. Click the Fusion icon located in the lower right corner of
the “Today” screen. See Figure 68.
5. Tap the Fusion icon and select “Manage Profiles”. The
Manage Profiles window will open.
6. Hold the Stylus on the Profile “Motorola Wireless Out of
Box Magic” and select Delete to remove this Profile. If
this profile does not exist, go to step 7.
7. Hold the stylus on the empty space in the Window and
select “Add.” See Figure 69.
8. The “Profile Entry” window will open. Enter the name
and ESSID of the Access Point. See Figure 70.
9. Click Next
Figure 68
Figure 69
Figure 70
10. Enter your Operating Mode and Country. The Operating Mode choices are “Infrastructure” or
“Ad-Hoc”. Choose “Infrastructure” if you are connecting to an Access Point or Access Port. Select
“Ad-Hoc” if you are only connecting mobile device to mobile device.
11. Click Next
12. Select the Security Mode used by your Infrastructure.
At a minimum, WPA2-Personal must be used.
13. Select the Authentication type if required. Some sites
require a stronger security than WPA2-PSK. At these
sites there will be an Authentication device that will
require you to type a password or provide a certificate.
If you are using WPA2-Personal only, leave
Authentication type at “None”.
14. Click Next
15. The Encryption window will open. Select AES. See
Figure 71.
16. Choose Pass-phrase or Hexadecimal Keys as an entry
method. Click Next.
17. The Pass-phrase Window will open. Enter the WPA
Pre-Shared Key Pass-phrase or Hexadecimal key that
matches your Infrastructure. See Figure 72.
18. Click Next. The “IP Address Entry” window will open.
Select Static or DHCP depending upon your needs and
which product you will be using. In most cases a RES
site will use a Static IP address and a 9700 or
Simphony site will use a DHCP address.
19. Click Next. If you selected DHCP above, a “Transmit
Power” window will open. If you selected Static above,
an “IP address Entry” window will open; enter the
appropriate IP address and Subnet Mask for your
system.
20. Click Next to leave the “Transmit Power” set to
“Automatic”.
21. The “Battery Usage” window will open. You can leave
the default setting of “Fast Power Save” or choose an
alternative.
22. Click Save
23. Click [OK] to close the Fusion utility.
24. Warm Boot the MC55 and allow the MICROS CAL to
run as normal.
Figure 71
Figure 72
Configuring the Motorola MC55a
The Motorola MC55 is certified to work with the following MICROS versions or higher:
• RES – 4.6
• 9700 - 3.5
• Simphony - 1.x (Check documentation for Service Pack level)
The Motorola MC55a uses Windows Mobile 6.5 (OS Version 05.02.23121) which is capable of
utilizing the WPA and WPA2 encryption security standards. The MC55a is shipped from MICROS
with the CAL pre-loaded.
Criteria:
1. The MC55a must be on a minimum OEM Version of 1.34.0005.
2. The MC55a must have a minimum CAL version 15.1.3.115 installed. CAL can be downloaded
from the Micros web site at
3. A WPA2 compatible Access Point
4. A fully charged battery
Summary:
This document will explain the steps necessary to connect a Motorola MC55a for PCI compliance. It is
recommended that the MC55a always be used at a minimum of WPA2-PSK encryption. Certain
assumptions are made as this document is for reference only.
Configuring the Motorola MC55a for use on a MICROS system
1. Read the product warranty and enclosed documentation that shipped with your Motorola MC55a.
2. Attach the battery to the MC55a according to the enclosed instructions.
3. Charge the battery for several hours to make sure you have sufficient battery time to configure the
MC55a and run CAL.
4. Highlight the Wi-Fi row on the “Home” screen, and click the Fusion Menu button at the bottom of
the screen, as seen in Figure 73.
5. Click the “Manage Profiles” button
6. Hold the stylus on the profile “Motorola Wireless Out of Box Magic” and select Delete to remove
this profile. If this profile does not exist, go to step 7.
7. Hold the stylus on the empty space in the window and select “Add,” as seen in Figure 74.
8. The “Wireless Lan Profile Entry” window will open. Enter a Profile Name and the ESSID (case
sensitive) of the Access Point you are connecting to. See Figure 75.
9. Click Next
10. Select your Operating Mode and Country. The default is “Infrastructure” for connecting to an
Access Point. Select “Ad-Hoc” if you are only connecting mobile device to mobile device.
11. Click Next
Figure 73
Figure 74
12. Select the Security Mode used by your Infrastructure.
At a minimum, WPA2-Personal must be used.
13. Select the Authentication type if required. Some
sites require a stronger security than WPA2-PSK. At
these sites there will be an Authentication device that
will require you to type a password or provide a
certificate. If you are using WPA2-Personal only,
leave Authentication type at “None”
14. Click Next
15. At the Encryption window, shown in Figure 76, select AES
for Encryption type.
16. Click the Pass-phrase radio button and make sure the
check box next to “For added security – Mask
characters entered” is selected.
17. Click Next
18. Enter the WPA Pre-Shared Key pass-phrase that
matches your infrastructure.
19. Click Next
20. At the IP Address window, un-check “Obtain Device
IP Address Automatically” if you are using a static IP.
Click Next to enter your IP, Subnet and Gateway
information. If you are using DHCP leave the box
checked and click Next
21. Click Next to leave the Transmit Power set to
“Automatic”
22. Click Save to leave the Battery Usage Mode set to
“Fast Power Save,” or choose an alternative.
23. Click OK to close the Manage Profile Fusion
Window.
24. Warm Boot the MC55a and allow the MICROS CAL
to run as normal.
Figure 75
Figure 76
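The two entry methods offered in the MC55 steps (pass-phrase or hexadecimal key) and the case-sensitive ESSID noted for the MC55a both follow from how WPA/WPA2-Personal derives its 256-bit key, and the pass-phrase itself can be checked against the NOTE on strong passwords. The Python below is an added example, not part of the MICROS guide; the ESSID and the strong pass-phrase in its demo are constructed values.

```python
import hashlib
import string


def passphrase_problems(passphrase):
    """Check a pass-phrase against the guide's NOTE and the WPA2-PSK format."""
    problems = []
    # The guide asks for at least 8 characters; WPA2-PSK caps a pass-phrase
    # at 63 printable ASCII characters (64 hex digits is a raw key instead).
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("printable ASCII only")
    classes = {
        "an upper case letter": string.ascii_uppercase,
        "a lower case letter": string.ascii_lowercase,
        "a number": string.digits,
        "a special character": string.punctuation,
    }
    for label, chars in classes.items():
        if not any(c in chars for c in passphrase):
            problems.append(f"missing {label}")
    return problems


def derive_psk(passphrase, essid):
    """Return the 256-bit pre-shared key as 64 hex digits.

    PSK = PBKDF2-HMAC-SHA1(pass-phrase, salt=ESSID, 4096 iterations, 32 bytes)
    """
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              essid.encode("utf-8"), 4096, 32)
    return key.hex()


def normalise_key_entry(entry, essid):
    """Accept either entry method and return the key the radio will use."""
    if len(entry) == 64 and all(c in string.hexdigits for c in entry):
        return entry.lower()            # hexadecimal key: used as entered
    return derive_psk(entry, essid)     # pass-phrase: hashed with the ESSID


if __name__ == "__main__":
    essid = "Example-POS"               # constructed ESSID
    phrase = "Tr4y&Table-2011"          # constructed pass-phrase
    print("policy problems:", passphrase_problems(phrase) or "none")
    print("key for", essid, "=", derive_psk(phrase, essid))
    # Same pass-phrase, ESSID typed in a different case: a different key,
    # so the handheld and the access point will not associate.
    print("key for", essid.lower(), "=", derive_psk(phrase, essid.lower()))
```

Because the ESSID is the salt, a pass-phrase that is correct on both sides still fails if the ESSID on the handheld differs in case from the one on the access point.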
Configuring the Symbol AP5131 Access Point
Criteria:
1. This Access Point must be on a minimum firmware version of 1.1.1.0-020R.
2. A Firewall must separate the AP5131 from the MICROS Server. This can be accomplished by
either:
a. Use of an external firewall
b. Use of the internal firewall as described in this section
Summary:
This document will explain the steps necessary to connect a Symbol AP5131 Access Point for PCI
compliance. In this document we use the highest encryption level available to the device. It is
recommended that the AP5131 always be used at a minimum of WPA2-PSK encryption. Certain
assumptions are made as this document is for reference only.
Configuring the Symbol AP5131 for use on a MICROS System
1. Read the product warranty information that came with your Symbol AP5131.
2. Gain access to the configuration utility on the AP5131 according to the manufacturer’s
instructions. This can be done over a Serial cable and HyperTerminal or via a Web Browser. If
using a web browser, you must use a secure connection of either https or SSH.
3. Once you have gained access to the AP5131 and entered the administrator password, enter the
name of this Access Point in the System Name field. See Figure 78.
4. Click [Apply]
5. Double Click “[Network Configuration]”
6. Click “LAN” See Figure 79.
Figure 78
Figure 79
Figure 80
7. Configure the LAN to have 2 subnets. One named WIRED that uses the Ethernet Port, as shown
in Figure 79.
8. The other named WIRELESS that is mapped to the WLAN. Click [WLAN Mapping] and
configure it as shown in Figure 80.
9. Click OK on the Mapping Configuration screen.
10. Click [Apply] to save your LAN configuration.
11. Select the WIRED LAN, see Figure 81.
12. Enter the IP information for your WIRED network
13. Click [Apply]
Figure 81
14. Select the WIRELESS LAN, see Figure 82.
15. Enter your IP information for your WIRELESS network
16. Click [Apply]
Figure 82
17. Select the Firewall, see Figure 83.
18. Make sure that “Disable Firewall” is NOT checked.
19. Under Configurable Firewall Filters, check all settings EXCEPT “MIME Flood Attack Check”.
This rule incorrectly drops packets associated with running Manager Procedures.
20. Click [Apply]
Figure 83
21. Select Firewall-Subnet Access, see Figure 84.
22. Select the intersection of From WIRELESS and To WIRED
23. In the Rules section, select Deny all protocols, except
24. Make sure that all the standard protocols along the left are unchecked
25. Use the [Add] button to create the exceptions as shown above. The exceptions pertain directly to
the MICROS application. Contact the MICROS helpdesk for application ports.
26. Continue using the [Add] button to create the exceptions list. In this case it is RES. See Figure 85.
Figure 84
Figure 85
27. Click [Apply]
28. Select Firewall-Subnet Access, see Figure 86.
29. Select the intersection of From WIRED and To WIRELESS
30. In the Rules section, select Deny all protocols, except
31. Make sure that all the standard protocols along the left are unchecked
32. Use the [Add] button to create the exceptions as shown above
33. Click [Apply]
Figure 86
34. Create or Edit an existing Wireless Configuration. See Figure 87.
35. Enter the ESSID and Device Name.
36. Click [Apply]
Figure 87
37. Click “Security” to enter the Wireless Security Configuration menu. See Figure 88.
38. Create or Edit an existing Policy
Figure 88
39. Select the WPA2/CCMP radio button
40. Select the “ASCII PassPhrase” radio button
41. Enter your secret pass phrase using a strong password. See Figure 89.
NOTE: Use a strong password. A strong, alphanumeric password must be created with a minimum
length of eight characters that includes upper and lower case letters, numbers, and special
characters.
42. Click “AP-5131 Access” to enter the AP-5131 Access menu. See Figure 90.
43. Uncheck items in both the LAN and WAN columns so that only the secure access methods remain
checked:
a. Applet https (Port 443) and SSH (Port 22): leave checked; these are the secure access methods.
b. Applet http (Port 80): uncheck
c. CLI Telnet (Port 23): uncheck
d. SNMP (Port 161): uncheck
NOTE: Removing these items will limit the means by which the AP-5131 can be managed. You
must use one of the secure methods (https or SSH) to manage the access point for all future
management sessions.
Figure 89
44. Set the “Applet Timeout” for http/s access to 2 Minutes. See Figure 90.
45. Click [Apply]. All future management sessions must be done over a secure connection using https or
SSH. For example, instead of typing http://10.0.0.0 to access the AP-5131, you must use
https://10.0.0.0
46. Click [Apply] to save your settings.
47. Exit the configuration and proceed with normal network setup.
Figure 90
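The firewall, subnet access, wireless security and management access settings from steps 17 to 45 can be checked together once the access point is configured. The Python below is an added example, not MICROS or Symbol code; the dictionary layout, its key names, the placeholder filter names and port 9999 are assumptions made for the example, since the AP-5131's own export format and the MICROS application ports are not given in this guide.

```python
INSECURE_MGMT = ("http", "telnet", "snmp")   # ports 80, 23 and 161 (step 43)
SECURE_MGMT = ("https", "ssh")               # ports 443 and 22 (step 43)
DIRECTIONS = ("WIRELESS->WIRED", "WIRED->WIRELESS")
MIME = "MIME Flood Attack Check"


def audit_ap(cfg):
    """Compare a settings snapshot with steps 17-45; return the findings."""
    findings = []
    if cfg["firewall"]["disabled"]:
        findings.append("firewall is disabled")
    for name, enabled in cfg["firewall"]["filters"].items():
        if name == MIME and enabled:
            findings.append(f"{MIME} is on: drops Manager Procedures packets")
        elif name != MIME and not enabled:
            findings.append(f"firewall filter is off: {name}")
    for direction in DIRECTIONS:
        rule = cfg["subnet_access"].get(direction, {})
        if rule.get("mode") != "deny_all_except":
            findings.append(f"{direction}: rule is not 'Deny all protocols, except'")
        if rule.get("standard_protocols"):
            findings.append(f"{direction}: standard protocols are still checked")
    if cfg["wireless_security"] != "WPA2/CCMP":
        findings.append("wireless security policy is not WPA2/CCMP")
    secure_left = False
    for column in ("LAN", "WAN"):
        methods = cfg["management"][column]
        secure_left = secure_left or any(m in methods for m in SECURE_MGMT)
        for method in INSECURE_MGMT:
            if method in methods:
                findings.append(f"{column}: {method} management is still enabled")
    if not secure_left:
        findings.append("neither https nor SSH is enabled: AP cannot be managed")
    if cfg["applet_timeout_minutes"] != 2:
        findings.append("applet timeout is not 2 minutes")
    return findings


# Constructed snapshots. Port 9999 stands in for the application ports, which
# the guide says to obtain from the MICROS helpdesk.
DENY_EXCEPT = {"mode": "deny_all_except", "standard_protocols": [],
               "exceptions": [("tcp", 9999)]}
HARDENED = {
    "firewall": {"disabled": False,
                 "filters": {MIME: False, "placeholder filter A": True,
                             "placeholder filter B": True}},
    "subnet_access": {"WIRELESS->WIRED": DENY_EXCEPT,
                      "WIRED->WIRELESS": DENY_EXCEPT},
    "wireless_security": "WPA2/CCMP",
    "management": {"LAN": {"https", "ssh"}, "WAN": {"https", "ssh"}},
    "applet_timeout_minutes": 2,
}
WEAK = {
    "firewall": {"disabled": True,
                 "filters": {MIME: True, "placeholder filter A": False,
                             "placeholder filter B": True}},
    "subnet_access": {"WIRELESS->WIRED": {"mode": "allow_all",
                                          "standard_protocols": ["HTTP", "TELNET"],
                                          "exceptions": []}},
    "wireless_security": "WEP",
    "management": {"LAN": {"http", "https", "telnet", "ssh", "snmp"},
                   "WAN": {"http"}},
    "applet_timeout_minutes": 0,
}

if __name__ == "__main__":
    for label, snapshot in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, "->", audit_ap(snapshot) or "matches the checklist")
```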
Configuring the Symbol WS2000 Wireless Switch
Criteria:
1. This Wireless Switch must be on a minimum firmware version of 2.2.0.0-021R.
2. The Firewall must be enabled and blocking no MICROS applications
Summary:
This document will explain the steps necessary to connect a Symbol Wireless Switch 2000 for PCI
compliance. In this document we use the highest encryption level available to the device. It is
recommended that the WS2000 always be used at a minimum of WPA2-PSK encryption. Certain
assumptions are made as this document is for reference only.
Configuring the Symbol WS2000 for use on a MICROS System
1. Read the product warranty information that came with your Symbol WS2000.
2. Gain access to the configuration utility on the WS2000 according to the manufacturer’s
instructions. This can be done over a Serial cable and HyperTerminal or via Internet Explorer.
3. Once you have gained access to the WS2000 and entered the administrator password, enter the
name of this WS2000 in the System Name field. See Figure 91.
4. Click [Apply]
5. Double Click “[Network Configuration]”
6. Click “Lan”
7. Select a Subnet. See Figure 92.
Figure 91
8. Enter the IP information for your network
9. Click [Apply]
10. Double Click “Wireless”
11. Double Click the first SSID. See Figure 93.
12. Enter the ESSID of this Wireless Switch.
13. Check the “secure Beacon” check box to disable the broadcast beacon.
14. Click Apply.
15. Click the security for this SSID. See Figure 94.
Figure 92
Figure 93
Figure 94
16. Select the WPA2-CCMP (802.11i) radio button.
17. Select the highlighted [WPA2-CCMP Se…] button. See Figure 94.
18. Enter the ASCII Passphrase. See Figure 95.
NOTE: Use a strong password. A strong, alphanumeric password must be created with a minimum
length of eight characters that includes upper and lower case letters, numbers, and special
characters.
19. Click [OK]
20. Click [Apply]
21. Click “Firewall”
22. Make sure the Firewall is “Enabled”
23. Create Firewall rules that meet your network requirements.
Figure 95
Configuring the Symbol RFS4000 Wireless Switch
Criteria:
1. This Switch must be on a minimum firmware version of 5.0.3.9-001R.
2. The Firewall must be enabled and blocking all non-MICROS applications.
Summary:
This document will explain the steps necessary to connect a Symbol RFS4000 Wireless Switch for
PCI compliance. In this document we use the highest encryption level available to the device. It is
recommended that the RFS4000 always be used at a minimum of WPA2-PSK encryption. Certain
assumptions are made as this document is for reference only.
Configuring the Symbol RFS4000 for use on a MICROS system.
1. Read the product warranty information that came with your Symbol RFS4000.
2. Gain access to the configuration utility on the AP5131 according to the manufacturer’s
instructions. This can be done over a Serial cable and HyperTerminal or via a Web Browser. If
using a web browser, you must use a secure connection of either https or SSH.
3. Once you have gained access to the RFS4000 and entered the administrator password, navigate to
the “Configuration” tab.
4. Select “Wireless.” On the right side of the screen, all of the Wireless LAN Access Points set up for
the switch will be displayed. Click “Add”.
5. The WLAN setup screen will appear as seen in Figure 96.
1. Enter a name for this WLAN
2. Enter the SSID of your Access Point
3. Uncheck “Broadcast SSID”
4. Uncheck “Answer Broadcast Probes”
5. Enter the name of the VLAN that this WLAN will be assigned to
Figure 96
6. Click the “Security” link as seen in Figure 97, and click the EAP radio button for
“Authentication Type”
Figure 97
7. Leave the default settings for the Captive Portal enforcement policy set to off
8. Select WPA2-CCMP Encryption type for the highest possible encryption as recommended in PCI
Whitepaper V2.0 section 4.4.1. Once the check-box is clicked you will see the Encryption
settings below as in Figure 98.
1. Enter the ASCII Passphrase.
NOTE: Use a strong alphanumeric password, with a minimum length of eight characters that includes
upper and lower case letters, numbers and special characters
Figure 98
9. Click “OK”
10. Click “Firewall”
11. Select Inbound and Outbound IP Firewall rules that apply for your network. You can create new
rules or edit the selected ones from this screen by clicking the “Create” or “Edit” icons next to the
dropdown boxes, as seen in Figure 99.
Figure 99
12. Make sure the Firewall is enabled for the whole device by clicking on “Security” under the
“Configuration” tab at the top of the screen.
13. Expand the Wireless Firewall selection as seen in Figure 100.
14. Highlight “Firewall Policy,” select the default policy and click “Edit”
15. Make sure the Firewall is set to “Enabled”
16. You can add and edit IP Firewall Rules and MAC Firewall Rules as mentioned previously in step
11.
17. Once the Firewall rules have been configured for your network click the “Save” button at the top
right of the screen
18. Exit the configuration and proceed with normal network setup
Figure 100