ATM_ID: 6E89202E-2754-11EC-B5D1-CACB0AE4A572
ID: (Trash)/Pongo-Warhol/TLS_1.3/56100
TESTCASE_HEADLINE: Validate the updated TLS configuration for the CWIS connection and XCP plugin server ports using Nmap and the openssl command when an 802.1x EAP-TLS connection is active
  TLS configuration in the device for Nmap: TLS 1.0 or later - ON
GROUP:
FEATURE:
SUB_FEATURE:
INPUT:
  Overall Precondition:

  Device side:
  1. Make sure a factory data reset has been performed on the device
  2. IPv4 and IPv6 are enabled and active
  3. Upgrade the MFP to the latest software version

  Server Setup Required:
  1. HTTPS repository with the TLS 1.3 protocol configured and enabled on the Ubuntu server
  2. Apache web server installed and configured to create a web site to be used as the HTTP/HTTPS (SSL) repository
  3. Windows 2016 server installed and configured with the following roles: ADDS, ADCS, DHCP, IIS, NPS and DNS
  4. Windows 2016 server configured and installed with Exchange 2013 or later for email
  5. FreeRADIUS installed and configured on Fedora/Ubuntu to support 802.1x
  6. Nmap scanner installed on the Linux server

  Switch: Cisco Catalyst L2/L3 switch enabled for 802.1x authentication

  Note: For server configuration, refer to the supporting document
PROCEDURE:
  1. Open CWIS (<Device IP>) and log in as admin
  2. Navigate to Properties->Security->Remote Authentication Service->Device Digital Certificate
  3. Ensure the Client and Root CA certificates are installed in the device
  4. Navigate to Properties->Security->Remote Authentication Service->IEEE 802.1x
  5. Enable 802.1X and configure as below:
       Authentication Method - EAP-TLS
       Certificate Verification - Enabled
       User Name (Device Name)*
       Password - "Enter the password"
       Retype Password - "Retype the password"
  6. Click Restart now and wait for the device to reboot
  7. After the reboot, connect the device to the 802.1x-enabled port
  8. Capture a Wireshark trace from the FreeRADIUS server
  9. On the server PC:
     1. Open the Linux server and log in as the root user.
     2. Run this command:
          nmap --script ssl-enum-ciphers -p 80,443,58501 <device IP address>
     3. Attempt to connect to specific ports (XCP plugin port: 58501) using only specific versions of TLS with openssl:
          openssl s_client -connect <Device IP address>:58501 -tls1
          openssl s_client -connect <Device IP address>:58501 -tls1_1
          openssl s_client -connect <Device IP address>:58501 -tls1_2
          openssl s_client -connect <Device IP address>:58501 -tls1_3
OUTPUT:
  802.1x feature output:
  1. EAP-TLS mode connection is established using TLS 1.2, with the associated cipher suites displayed in the Client Hello packets
     The following RADIUS packets should be captured in the traces:
       a. Access-Request
       b. Access-Challenge
       c. Access-Request
       d. Access-Accept

  Nmap Report:
  1. The Nmap port scanner should display the TCP ports below as open:
       TCP:80 for TCP
       TCP:443 for HTTPS
       TCP 58501 for the XCP plugin feature
  2. TLS 1.0, TLS 1.1 and TLS 1.2 versions will be displayed with supported ciphers

  Status of XCP Plugin Server connection:
  1. For TLS1.0:
       a) Device will be connected using port 58501
       b) Server certificate information will be displayed for TLS 1.2 and TLS 1.3
       c) Enabled TLS 1.2 and TLS 1.3 versions along with SSL session information will be displayed
       d) TLS 1.0 and TLS 1.1 versions' SSL and server certificate information will not be displayed
PROCESS:
PRIORITY:
TEST_TYPE:
LOE:
RESOURCE_HW:
RESOURCE_CONSUMEABLES:
RESOURCE_MEDIA:
SKILL_SET: advanced
TEST_CASE_TYPE:
TESTCASE_SOURCE:
SPEC: TLS 1.3 is automatically disabled for 802.1x authentication even if TLS 1.3 is enabled on the device. This is because the protocol specs for the 802.1x authentication methods and TLS communication depend on TLS 1.2 and lower versions. TLS 1.3 for 802.1x should not be enabled until the protocol specs (RFC and Microsoft) are updated for TLS 1.3.
SPEC_VERSION:
ATM_OWNER:
ASSOCIATED_TESTCASES:
TRAINING:
TESTCASE_VERSION:
TESTCASE_STATE:
TESTCASE_PLATFORM:
TESTCASE_PRODUCT:
TESTCASE_APPROVALS:
CDATE: 1633600412
MDATE: 1633600412, 1633600859
MUSER: w5XFF5T9, w5XFF5T9
AUTHOR: w5XFF5T9
ATM_MCOMMENTS: Imported from spreadsheet, Moved to Trash.
HISTORY:
ATM_LOCKED:
ATM_REQLINK:
ATM_REQCOUNT: 0
FILENAME:
FILEDESC:
FILES:
QA_TEAM:
APPROVE_QE:
APPROVED_QE:
APPROVE_SE:
APPROVED_SE:
APPROVE_SPAR:
APPROVED_SPAR:
MFF:
PLANNEDTIMESTAFF:
IMPLEMENTED:
DATA_LOGIC:
AUTOMATABLE_NOTAUTOMATABLE: