S3845cdn / CACStar Configuration Guide 2018

1 Introduction
2 Getting Started
2.1 Connecting to the LAN and Acquiring an IP Address
Thank you for choosing a Dell Color Smart Multifunction Printer S3845cdn with the CACStar CAC security option. The CACStar security option enables authenticated access to your printer via CAC or PIV smart cards. CACStar and our printer together offer a flexible solution that will support your needs. This guide is designed to assist you in setting up your S3845cdn for use in your environment, compliant with MFD STIG Version 2 Release 10 (28 July 2017).
Figure 1: Location of MAC Address Label

By default, the CACStar option acquires its IP address via DHCP, so after the MAC address is registered with the switch, you can connect the LAN cable to the port on the CACStar option, and turn the printer on. As soon as CACStar acquires an IP address, a CACStar summary page will automatically print (later, during configuration, this automatic printout can be disabled.
open the file in notepad. The GPResult command generates quite a bit of information. However, the information that is needed can be found by searching for the string “USER SETTINGS” (without quotes). It should look something like this:

    USER SETTINGS
    -------------
    CN=John Q. Public,OU=Users,OU=testlab,DC=mydomain,DC=com
    Last time Group Policy was applied: 12/06/2017 at 2:54:49 PM
    Group Policy was applied from: dc001.mydomain.
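To pull the same value out of the saved GPResult text without searching by hand, the following PowerShell is an added example (not part of the original guide or the CACStar product). The function names, and the choice to report the parent container and domain components alongside the user DN, are assumptions for illustration; which of them is the correct Search Base depends on your directory layout.

```powershell
# Added example, not part of the guide. Reads text saved from gpresult and
# returns the distinguished name listed under the "USER SETTINGS" heading.
function Get-GpResultUserDn {
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i].Trim() -ne 'USER SETTINGS') { continue }
        for ($j = $i + 1; $j -lt $Lines.Count; $j++) {
            $text = $Lines[$j].Trim()
            # Skip the dashed underline and blank lines below the heading.
            if ($text -eq '' -or $text -match '^-+$') { continue }
            if ($text -match '^(CN|OU|DC)=') { return $text }
            break   # first real line is not a DN; keep scanning
        }
    }
    return $null
}

# Hypothetical helper: splits the DN into the parts an administrator compares
# against the directory layout. Which part is the right Search Base is
# site-specific (assumption: it is the parent container or the domain DN).
function Split-UserDn {
    param([string]$Dn)
    # Split on commas not escaped with a backslash (RFC 4514 escaping).
    $rdns = @([regex]::Split($Dn, '(?<!\\),') | ForEach-Object { $_.Trim() })
    [pscustomobject]@{
        UserDn          = $Dn
        ParentContainer = ($rdns | Select-Object -Skip 1) -join ','
        DomainDn        = @($rdns | Where-Object { $_ -match '^DC=' }) -join ','
    }
}

# Constructed sample mirroring the output shown above.
$sample = @'
USER SETTINGS
--------------
    CN=John Q. Public,OU=Users,OU=testlab,DC=mydomain,DC=com
    Last time Group Policy was applied: 12/06/2017 at 2:54:49 PM
'@ -split "`r?`n"

$dn = Get-GpResultUserDn -Lines $sample
if ($dn) { Split-UserDn -Dn $dn | Format-List }
else     { Write-Warning 'No DN found under USER SETTINGS.' }
```

For a real run, pass the lines of your saved GPResult file (for example, the output of `Get-Content` on that file) in place of the constructed sample.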
3 FIRST CONFIGURATION STEPS

Configuration of your device is accomplished primarily via the CACStar administrative web site (https://:8443).

Note: When the CACStar option is installed on the printer, the CACStar Setup file used during the installation takes care of most of the STIG compliance requirements. The printer settings that are included in the initial setup file are listed in Appendix A.
3.2 SETTING THE MFD AND CACSTAR ADMINISTRATOR PASSWORD

By default, the administrator password for the printer and CACStar web sites is “admin”. This should be changed as soon as possible.

3.2.1 CHANGING PASSWORD ON THE MFD

To change the password in the MFD:

1.
2. Click the [Log In] button, then select “admin”.
3.
4. Click the [Permissions] link on the left-hand side of the page. In the “User Accounts” section, click the entry for “Admin”.
5. Click the [Change Password] button.
6. Enter the current password into the “Old Password” field, and the new password into the other two fields. Click OK.
3.2.2 CHANGING PASSWORD ON CACSTAR

To change the admin password on CACStar:

1. Open a web browser to the CACStar web site (https://:8443). Enter the username “admin” and the current password (default=“admin”) when prompted:
2. Set the administrator password in the [Administrator tab]->[Change Password sub-tab].
setting it. Click the [Change Password] button to activate the new password.

3.3 CONFIGURING THE LDAP SEARCH BASE ON THE MFD

If you want to use either of the following functions:

• Lookup email recipients in the Active Directory address book
• Scan to Active Directory “Home Folder”

Then you will need to enter the “Search Base” (gathered earlier) into the MFD’s LDAP configuration. Follow this procedure:

1.
2. Click the “Connectivity” link on the left side of the page.
3.
4. Enter the gathered Search Base string into the “Search Directory Root” field. Leave all of the other settings as shown in the figure. Click OK.

3.4 CONFIGURING CACSTAR FOR AUTHENTICATION

To configure your device to authenticate via an Active Directory server using Kerberos, we will use all the information gathered in section 2.2.
1. Open a web browser to the CACStar administrative web site (https://:8443).
2. Navigate to the [Connectivity tab]->[LAN Side Configuration sub-tab]. Enter the value gathered for the NTP server address in the “NTP Server IP Address” field. Click [Update].
3. Navigate to the [Security Tab]->[Authentication Method sub-tab]. Enter the gathered information into the form as indicated in the diagram below. Click [Update].

3.5
When CACStar is configured for “root chain validation” of certificates, the appropriate CA certificates must be loaded into the CACStar appliance. As shipped from the factory, CACStar has most DOD CA certificates preinstalled, but as new CAs are put into service, it is necessary to load updated certificates.
- Copy (simple copy functionality)
- Fax (sending of scanned documents over an analog phone line using Fax communications commands)

Applications that are always CAC-enabled:

- Scan to Email (usually send-to-self only, but can also allow for Global Address Book via LDAP)
- Scan to Network Folder (Active Directory “Home Folder” or another network folder)
- Print Release (the printer holds your document until you authenticate at the printer and release it.
The settings need to be set as shown here. If they differ, make the necessary changes to make them match. To allow emails to be sent via your network, use the SMTP server address information gathered earlier to configure the CACStar email settings.
Setting: SMTP Address or Server Name
Description: The FQDN or IP address of the SMTP server. Use the SMTP server address information that you gathered here.

Setting: SMTP Port Number
Description: The TCP port used for communication with the SMTP server. The default value of 25 is appropriate in most cases.

Setting: User Email Address From
Description: The “from” address for sent emails will be automatically filled in by CACStar to reflect the user who generated the email.
Setting: Encrypt Email
Description: Chooses whether to encrypt outgoing emails. To use this feature when not “forcing email to self”, directory access (LDAP) must be configured, and encryption certificates for recipients in the directory must be published in the directory.
Setting: Kerberos Email Authentication
Description: When “checked”, GSSAPI authentication is used when connecting to the SMTP server. Note: CACStar’s Kerberos authentication feature must be enabled before enabling this setting. Leave this setting unchecked (disabled) unless your System Administrator tells you that authentication is required for the SMTP server. For digital senders, it is unusual to require authentication to SMTP servers.
4.3.1 THE CACSTAR “SMB ADDRESS BOOK”

The [Security]->[SMB Address Book] page of the CACStar EWS allows the administrator to define dynamic address book entries that the MFD can use by referencing specially-defined server names in the MFD’s address book. As shown in the figure above, each entry in the CACStar SMB Address Book is identified by name: “SMB-Book”, where the is replaced with a number 1-99. There can be up to 99 entries in the SMB Address Book.
%I
Identification from the PIC field of the user’s CAC card. Available for CAC users only.

%u%
An LDAP attribute query is made, where the attribute name is enclosed between the leading “%u” and the trailing “%”. Important: LDAP must be configured to utilize the %u expansion macro.
5 PRINT RELEASE

The S3845 can hold submitted print jobs inside the printer until the job submitter releases them at the printer’s local User Interface. This type of job is called a “Secure Print” job.
Ensure that the “Specify User ID” setting is set to “Use Login Name”, and enter a PIN code to associate with stored jobs. When authenticated at the printer with your smart card, you should not require the PIN to release your jobs, but if you want to release your jobs without authenticating, the PIN will be required, so you should remember the PIN, just in case.
3. Scroll down to the bottom of the page, and click the “Cloning” icon. You will see a lengthy list of items that can be saved. You want all settings to be selected:
4. Scroll down to the bottom, and click the [Create] button.
5. If you get an error screen indicating that the clone file cannot be created because of an error in the Address Book, this is usually because there are no Address Book Entries to save. This is normal.
[Create] button to continue.
6. A file called “cloning.zip” will be downloaded. Save this to a folder of your choosing. You may rename this file if you wish, but do not change the “.zip” extension.

6.2 LOADING THE PRINTER CONFIGURATION INTO ANOTHER PRINTER

To load a saved printer configuration (cloning.zip) into another printer, follow this procedure:

1. Log in to the printer’s web site as “admin”.
2. Click the “Home” link on the left-hand side of the page.
3. Scroll down to the bottom of the page and click the “Cloning” icon:
4. Click the [Select] button, and use the file selection dialog to select the previously saved cloning.
5. Click [Install]. The clone file will be installed, and the printer will reboot:

6.3 SAVING THE CACSTAR CONFIGURATION

To save the CACStar configuration settings, follow this procedure:

1.
2. Navigate to the [Administrator tab]->[Firmware Update sub-tab]:
3. Click the [Create Config File] button.
4. When the screen refreshes, click the [Export Config File] button. A file called “cacstar.cfg” will be downloaded. Save this file in the same folder where you stored the printer’s cloning.zip file.

6.4 LOADING THE CACSTAR CONFIGURATION INTO ANOTHER MACHINE

To load a saved CACStar configuration into another device, follow this procedure:

1.
2. Navigate to the [Administrator tab]->[Firmware Update sub-tab]:
3. Click the [Choose File] button, and select your previously saved “cacstar.cfg” file.
4. Click [Upload File] to install the saved configuration. You will see a screen acknowledging the configuration update.
5. Click the [Reboot CACStar] button. The CACStar option will restart. This will take about 30 seconds.

7 TROUBLESHOOTING

This section describes the most common problems you might come across.

7.1 ERROR MESSAGES

7.1.1 PROBLEMS OCCURRING AFTER POWER-ON

Error Message Text | What happened? | What to do about it

Error Message Text: Unable to communicate with NTP Server.
Error Message Text: Authentication Failed: LDAP Bind Error
What happened? CACStar was unable to acquire a Kerberos ticket for the LDAP service on the LDAP server.
What to do about it: The best course of action is to ensure that the correct FQDN of the domain controller is entered for the “LDAP Server Address” setting on the CACStar configuration, and to set “Disable reverse DNS lookups” to enabled (checked). This is usually caused by one of two things:
1.
2.
Error Message Text: Authentication Failed: Kerberos error (PKINIT)
What happened? An error occurred while communicating with the Kerberos server. Obtaining a “syslog” with the “PKCS” syslog option enabled can provide more detailed information on the failure. However, common causes are listed below:
- With “Root Certificate” checking enabled, the CA certificates required to validate certificates may be missing.
-
-
8 GATHERING ERROR LOGS

Sometimes, when trying to diagnose a problem, a debugging log must be captured.
The following table describes the various logging options:

Option Name: Reader Connection
Purpose: Include information about detection and use of the card reader hardware. This setting is seldom used, and only if it is suspected that the card reader is broken.

Option Name: Card Communication
Purpose: Include information about low-level communications with a smart card. This setting is seldom used.

Option Name: Card Container

Option Name: Container Parse

Option Name: Card Expiration
Option Name: PKCS
Purpose: Include information related to Kerberos Authentication. This setting is useful to debug Kerberos Errors.

Option Name: OCSP
Purpose: Include information regarding OCSP verification of certificates. When using Kerberos Authentication, OCSP is normally not used, as the cardholder certificate will be validated by the Kerberos Server.

Option Name: PIN
Purpose: Include card communications related to PIN processing. This setting is seldom used.
The basic procedure for generating and collecting a log is:

1. Click [Start Syslog File]
2. Perform the operation that is being diagnosed
3. Click [Stop Syslog File]
4. Click [Get Syslog File]. A file called “cacstar.log” will be downloaded.

This file can be viewed in WordPad, or any text editor that understands Unix-style line endings (line-feeds only at the end of a line). Note: Notepad is not a suitable program for looking at log files.