Wireless Networking Best Practices - DCRS SolutionsWireless Networking Best Practices Wireless...

Wireless Best Practices December 20, 2011 2:40 PM

of 94

Wireless Networking

Best Practices Version 2.0

About This Document

This document is meant to serve as a guide for implementing MICROS wireless

Hardware following Payment Application Data Security Standards (PA-DSS).

This document is to be used as an implementation guide supplement.

Copyright 2011

MICROS Systems, Inc.

Columbia, MD USA

All Rights Reserved

Wireless Networking Best Practices

Wireless Networking Best Practices December 20, 2011 2:40 PM

of 94

Declarations

Warranties

Although the best efforts are made to ensure that the information in this

document is complete and correct, MICROS Systems, Inc. makes no warranty

of any kind with regard to this material, including but not limited to the implied

warranties of marketability and fitness for a particular purpose.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by

any means, electronic or mechanical, including photocopying, recording, or

information recording and retrieval systems, for any purpose other than for

personal use, without the express written permission of MICROS Systems, Inc.

MICROS Systems, Inc. shall not be liable for errors contained herein or for

incidental or consequential damages in connection with the furnishing,

performance, or use of this document.

Trademarks

Adobe FrameMaker is a registered trademark of Adobe Systems Incorporated.

The following are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other

countries; Operating Systems - Windows® 7, Microsoft Windows Server® 2008 R2 (Release 2), Microsoft Windows

Server® 2008, Microsoft Windows Server® 2003 and Windows® XP. Database Platforms - Microsoft SQL Server®

2008 R2 (Release 2), Microsoft SQL Server® 2008 and Microsoft SQL Server® 2005. Other products - Microsoft

Excel, Win32 and Windows® CE.

The following are registered trademarks of the Oracle® Corporation; Database Platforms - Oracle® 11g R2 (Release

2), Oracle® 11g and Oracle® 10g.

Visio is a registered trademark of Visio Corporation.

All other trademarks are the property of their respective owners.



of 94

Who Should

Be Reading

This

Document

What the

Reader Should

Already Know

This document is intended for the following audiences:

� MICROS Installers/Programmers

� MICROS Dealers

� MICROS Customer Service

� MICROS Training Personnel

� MIS or IT Personnel

This document assumes the reader has the following knowledge or expertise:

� Operational understanding of PCs

� Understanding of basic network concepts



of 94

The PCI DSS Wireless Guideline Informational Supplement version 2.0 references several security

methods. This document will specify the highest possible security method for each device. However, it

is sometimes not practical to use all the recommendations specified in the supplement. See Below:

From Section 4.4.1 Summary of Recommendations:

A. WPA or WPA2 Enterprise mode with 802.1X authentication and AES encryption is recommended

for WLAN networks.

B. It is recommended that WPA2 Personal mode be used with a minimum 13-character random

passphrase and AES encryption.

C. Pre-Shared Keys should be changed on a regular basis

D. Centralized management systems that can control and configure distributed wireless networks are

recommended.

E. The use of WEP in the CDE is prohibited for all deployment after June 30, 2010.

PCI Wireless requirements can be broken down into two primary categories.

1. Generally applicable wireless requirements. These are requirements that all organizations should

have in place to protect their networks from attacks via rogue or unknown wireless access points

(APs) and clients. They apply to organizations regardless of their use of wireless technology and

regardless of whether the wireless technology is a part of the CDE or not. As a result, they are

generally applicable to organizations that wish to comply with PCI DSS.

2. Requirements applicable for in-scope wireless networks: These are requirements that all

organizations that transmit payment card information over wireless technology should have in

place to protect those systems. They are specific to the usage of wireless technology that is in

scope for PCI DSS compliance, namely the Cardholder Data Environment (CDE). These

requirements apply in addition to the universally applicable set of requirements.

This document will assume that all Access Points will operate inside the CDE scope as explained in

the PCI DSS Wireless Implementation Guide 2.0.

For wireless environments, change wireless vendor defaults, including but not limited to:

• Wireless Equivalency Privacy (WEP) keys

• Default Services Set Identifiers (SSID)

• Default Passwords

• SNMP Community Strings

• Disable SSID Broadcasts

• Enable Wi-Fi protected access (WPA or WPA2) technology for encryption EAP

authentication when WPA-capable

Important Security Warning:



of 94

Default settings must be changed before the site goes live to maintain PCI compliancy.

All wireless encryption keys must be changed at least once a year to maintain PCI compliancy.

For wireless networks transmitting cardholder data, encrypt the transmissions by using WiFi protected

access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely exclusively on wired

equivalent privacy (WEP) to protect confidentiality and access to a wireless LAN.

If WEP is used, do the following:

• Use with a minimum 104-bit encryption key and 24 bit-initialization value

• Use ONLY in conjunction with WiFi protected access (WPA or WPA2) technology, VPN, or

SSL/TLS

• Rotate shared WEP keys quarterly (or automatically if the technology permits)

• Rotate shared WEP keys whenever there are changes in personnel

• Restrict access based on media access code (MAC) address



of 94


Table of Contents

Configuring the Wireless Workstation 4 .............................................................................................. 7

Configuring the Wireless Workstation 4 LX ...................................................................................... 10

Configuring the Wireless Keyboard Workstation 270........................................................................ 13

Configuring the Wireless Workstation 5 ............................................................................................ 16

Configuring the Windows CE Wireless Workstation 5a .................................................................... 19

Configuring the POSReady 2009 Wireless Workstation 5a ............................................................... 25

Configuring the Dual-Core Windows 7® Wireless Workstation 5a .................................................. 28

Configuring the POSReady 2009 Wireless PCWS 2015 .................................................................... 33

Configuring the Windows 7 Wireless PCWS 2015 ............................................................................ 42

Configuring the Wireless PCWS 2010 with Windows XP Professional® ......................................... 46

Configuring the Wireless PCWS 2010 with Windows Server 2003® ............................................... 49

Configuring the PPT8846 to use PEAP Authentication ..................................................................... 52

Configuring the Symbol MC50 to use PEAP Authentication ............................................................ 57

Configuring the Symbol MC70 .......................................................................................................... 62

Configuring the Motorola MC55 ........................................................................................................ 66

Configuring the Motorola MC55a ...................................................................................................... 69

Configuring the Symbol AP5131 Access Point .................................................................................. 72

Configuring the Symbol WS2000 Wireless Switch............................................................................ 84

Configuring the Symbol RFS4000 Wireless Switch .......................................................................... 89



of 94

Configuring the Wireless Workstation 4

It is possible to have a Wireless Workstation 4 (WS4) with one of the following configurations.

1. Cisco PCMCIA WLAN Card Aironet 350. MICROS part # 400624-001

• Only capable of 128 Bit WEP encryption.

• This configuration is not PCI complaint

• To become complaint upgrade to 400633-110 See number 4 below

2. Linksys PCMCIA WLAN Card. MICROS part # 400624-701

• Only capable of 128 Bit WEP encryption.

• This configuration is not PCI complaint

• To become complaint upgrade to 400633-110 See number 4 below

3. Microsoft MN-520 PCMCIA WLAN Card. MICROS Part # 400624-101

• This card is capable of using WPA-PSK.

• This configuration is not PCI compliant because WPA2 is required.

4. KIT, MINI-PCI UPGRADE, WS4, KWS4. MICROS part # 400633-110

• This card is capable of using WPA-Enterprise.

• This configuration is PCI compliant when using WPA encryption PEAP authentication and

placed behind a Firewall

• See Procedure 1 below

Criteria:

1. The WS4 and the server must have CAL version 1.0.2.27 or higher installed. CAL can be down-

loaded from the Micros web site at

http://www.micros.com/members/product_support/hardware/drivers/

2. An Access Point capable of using WPA encryption

3. RADIUS Server. e.g. Internet Authentication Service

4. Must use a static IP address

5. Keyboard (PS/2 or USB)

Summary:

This document will explain the steps necessary to connect a Wireless WS4 for PCI compliance.

Certain assumptions are made as this document is for reference only.



of 94

See Misc. Document MD0011-12 located on the Hardware Portal for instructions installing the card.

1. With the card installed according to the instructions in step 1, power-on the Workstation. If the

card has never been configured, the WS4 will display a Wireless Configuration dialog box on the

desktop. See Figure 1.

2. Double click the [Add New…] selection to open the Wireless Network Properties dialog box

(Figure 2.)

Procedure 1: Configuring the MICROS Mini-PCI wireless network card

Figure 1

1. Enter the SSID for your AP.

2. Select TKIP for the Encryption

3. Select WPA for the Authentication

4. Select PEAP as the 802.1X protocol

5. Select Properties and unselect the

Validate Server check box.

6. Press [OK] to close and save


8. Highlight your AP and press

[Connect]

Figure 2



of 94

3. Once you have association, you can leave the Wireless network card on DHCP (The default

setting) or you can set a static address by going to START|SETTINGS|NETWORK AND

DIAL-UP CONNECTIONS. Double click the ISLP21 icon and enter a static IP address, subnet

mask, and gateway if using a router.

4. Run the MICROS CAL normally.



of 94

Configuring the Wireless Workstation 4 LX

It is possible to have a Wireless Workstation 4LX with one of the two configurations below.

1. Mini-PCI Card Eazix, MICROS part #400633-110 (Discontinued)

• This card is capable of using WPA2 encryption

• This configuration is PCI compliant when using WPA2 encryption and placed behind a

Firewall


2. Mini-PCI Card Abocom MICROS part #400624-150

• This card is capable of using WPA2 encryption


Firewall


Criteria:

1. The WS4 LX and the server must have a minimum CAL version 6.1.3.68 installed. CAL can be

downloaded from the Micros web site at


2. A WPA2 compatible Access Point

3. USB Keyboard

Summary:

This document will explain the steps necessary to connect a Wireless WS4 LX for PCI compliance.

In this document we use the highest encryption level available to the device. It is recommended that

the WS4LX always be used at a minimum of WPA2 encryption. Certain assumptions are made as

this document is for reference only.



of 94

1. See the Workstation 4LX Setup Guide (Part #100016-162) located on the Hardware Portal for

instructions on installing the MICROS Mini-PCI Wireless card.

2. With the card installed according the instructions in step 1, Power-On the Workstation. If the card

has never been configured, the WS4 LX will display a Wireless Configuration dialog box on the

desktop asking you to configure the wireless network. See Figure 3

3. Double click the [Add New…] selection to open the Wireless Network dialog box. See Figure 4.

Procedure 1: Configuring the WS4 LX for use with the MICROS wireless mini-PCI

card. Part # 400633-110 or 400624-150

Figure 3



of 94

4. Once you have association, you can leave the Wireless network card on DHCP (The default set-

ting) or you can set a static address by going to START|SETTINGS|NETWORK AND DIAL-UP

CONNECTIONS. Double click the Wireless Card icon and enter a static IP address, subnet mask

and gateway if using a router.


Figure 4

1. Enter the SSID for your Access Point.

Case Sensitive

2. Select AES for the Encryption

3. Select WPA2-PSK for the

Authentication

4. Enter a Network key. This is a

“passphrase” and must match the

WPA2-PSK “passphrase” of your AP.

Please use a strong password policy that

includes upper and lower case, numeric

and special characters.

5. Press [OK] to close and save.

6. Highlight your AP and press [Connect]



of 94

Configuring the Wireless Keyboard Workstation 270

It is possible to configure the KW270 with the Sagrad USB Wireless Card (MD0018-002)

Part used to make the KW270 Wireless:

MICROS Part #: MD0018-002

Description: Sagrad USB Wireless Card.

• Capable of WPA & WPA2 Personal and Enterprise

• This configuration is PCI compliant when using WPA encryption PEAP authentication and

placed behind a Firewall

Criteria:

1. The KW270 and the server must have CAL version X.X.X.X or higher installed. CAL can be



2. An Access Point capable of using WPA2 encryption

3. RADIUS Server. e.g. Internet Authentication Service

4. Must use a static IP address

5. Keyboard (PS/2 or USB)

Summary:

This document will explain the steps necessary to connect a Wireless KW270 for PCI compliance.

Certain assumptions are made as this document is for reference only.



of 94

1. Consult the instructions that come with the Sagrad USB Wireless Card MD0018-002, supplied

with the kit for installing the card

2. With the card installed according to the instructions in Step 1, Power-On the KW270. If the card

has never been configured, the KW270 will display a Wireless Configuration dialog box on the

desktop. See Figure 5.

3. If your Wireless network appears in the list, double click it, otherwise double click the “Add

New…” selection to open the Wireless Network dialog box. See Figure 6.

Procedure 1: Configuring the Sagrad USB Wireless Card (MD0018-002)

1. Enter the SSID of your Access Point.

Case sensitive


3. Select WPA2 for the Enterprise

Authentication

Figure 5

Figure 6



of 94

4. In order to see the rest of the dialog box on the KW270 Screen, move the “Wireless Network

Properties” window up as far as possible, so that it matches Figure 7.

5. Once you have association, you can leave the Wireless

network card on DHCP (The default setting) or you can

set a static address by going to

“START|SETTINGS|NETWORK AND DIAL-UP

CONNECTIONS.” Double click the “RT2501USB1”

icon and enter a static IP address, subnet mask and

gateway if using a router.


1. Select the now visible PEAP as your

IEEE 802.1X authentication. PEAP is a

security method that requires a user

name and password before being able to

join the network.

2. Select the “Properties” button. See

Figure 8 if you are using a certificate to

validate the RADIUS Server, enter the

certificate now. If you are not using a

certificate, uncheck the “Validate Serv-

er” box.

3. Press “OK” to close and save

4. Press “OK” on the top right of the

“Wireless Network Properties” dialogue

box to save.

5. Highlight your AP and press “Connect”

Figure 7

Figure 8



of 94

Configuring the Wireless Workstation 5

It is possible to have a Wireless Workstation 4LX with one of the two configurations below.

Mini-PCI Card Eazix, MICROS part # = 400633-110 (Discontinued)

This card is capable of using WPA2 encryption.

This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall

See Procedure 1 below

Mini-PCI Card Abocom MICROS part # 400633-220

This card is capable of using WPA2 encryption.

This configuration is PCI compliant when using WPA2 encryption and placed behind a Firewall

See Procedure 1 below. Both cards are configured identically.

Criteria:

The WS5 must have a minimum CAL version 7.1.3.68 installed. CAL can be downloaded from the

Micros web site at http://www.micros.com/members/product_support/hardware/drivers/

A 802.11i compatible Access Point

USB Keyboard

Summary:

This document will explain the steps necessary to connect a Wireless WS5 for PCI compliance. In this

document we use the highest encryption level available to the device. It is recommended that the WS5

always be used at a minimum of WPA2 encryption. Certain assumptions are made as this document is

for reference only.



of 94

1. See the Workstation 5 Setup Guide (Part #100016-165) located on the Hardware Portal for



has never been configured, the WS5 will display a Wireless Configuration dialog box on the

desktop asking you to configure the wireless network. See Figure 9.


Procedure 1: Configuring the WS5 for use with the MICROS wireless mini-PCI card.

Part # 400633-110

Figure 9



of 94



DIAL-UP CONNECTIONS. Double click the Wireless Network Connection icon and enter a

static IP address, subnet mask and gateway if using a router.


Figure 10


Case Sensitive



Authentication




Please use a strong password policy

that includes upper and lower case,

numeric and special characters.





of 94

Configuring the Windows CE Wireless Workstation 5a

It is possible to configure the Workstation 5a with the same Mini-PCI wireless card as that used in the

PCWS 2010, WS5 and WS4 LX Workstations.

Part used to make the WS5a Wireless:

MICROS part #: 400633-115 or 400633-220

• Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a .

• This card is capable of using WPA2 encryption with AES.


Firewall


Criteria:

1. Read the PCI DSS Wireless Guideline Whitepaper Version 1.2.

2. The WS5a must have a minimum CAL version 13.1.3.68 installed. CAL can be downloaded from

the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/

3. The Wireless WS5a must use MICROS part # 400633-115 or 400633-220

4. A WPA2-AES compatible Access Point

5. If using PEAP, an Authentication device e.g. IAS Server or the WS2000

6. USB Keyboard

Summary:

This document will explain the steps necessary to connect a Wireless WS5a for PCI compliance. In

this document we use the highest encryption level available to the device. It is recommended that the

WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this document is

for reference only.



of 94

Security Method 1:

(WPA2-PSK) Wi-Fi Protected Access 2 with Pre-Shared Key

Follow this procedure if you are using the 802.11i WPA2-Personal security method.

NOTE:

PCI DSS Wireless Guideline Whitepaper Version 1.2 section 4.4.1 states:

• It is recommended that WPA2 Personal mode be used with a minimum 13-character random

passphrase and AES encryption.

• Pre-Shared Keys should be changed on a regular basis

1. See the Workstation 5a Setup Guide located on the Hardware Portal for instructions on installing

the MICROS Mini-PCI Wireless card.

2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the

card has never been configured, the WS5a will display a Wireless Configuration dialog box on the

desktop asking you to configure the wireless network. See Figure 11



Part # 400633-220

Figure 11



of 94



DIAL-UP CONNECTIONS. Double click the PCI-E1Y51CE61 icon and enter a static IP address,

subnet mask and gateway if using a router.



Case Sensitive



Authentication




Please use a strong password policy

that includes upper and lower case,

numeric and special characters.



Figure 12



of 94

Security Method 2:

(WPA2) Wi-Fi Protected Access 2 and PEAP Authentication Follow this procedure if you are using the PCI recommended 802.11i WPA2-Enterprise security

method.



2. With the card installed according to the instructions in step 1, Power-On the Workstation. If the

card has never been configured, the WS5a will display a Wireless Configuration dialog box on the

Desktop asking you to configure the wireless network. See Figure 13.

3. If your Wireless network appears in the list, double click it, otherwise double click the [Add

New…] selection to open the Wireless Network dialog box. See Figure 14.


Part # 400633-220

Figure 13



of 94

Figure 14


Case Sensitive


3. Select WPA2 for the Enterprise

Authentication

4. Select PEAP as your IEEE 802.1X

authentication. PEAP is a security

method that requires a user name and

password before being able to join the

network.

5. Select the Properties button. See

Figure 15 if you are using a certificate

to validate the RADIUS Server, enter

the certificate now. If you are not

using a certificate, uncheck the

Validate Server.




Figure 15



of 94

4. Once you have association, you can leave the Wireless network card on DHCP (The default set-

ting) or you can set a static address by going to START|SETTINGS|NETWORK AND DIAL-UP

CONNECTIONS. Double click the PCI-E1Y51CE61 icon and enter a static IP address, subnet

mask and gateway if using a router.




of 94

Configuring the POSReady 2009 Wireless Workstation 5a




MICROS part #: 400633-220

Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a



Firewall

Criteria:

1. Read the PCI DSS Wireless Guideline Whitepaper Version 2.0


the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/

3. The Wireless WS5a must use MICROS part #400633-220


5. If using a PEAP Authentication device e.g. IAS Server or the WS2000

6. USB Keyboard

Summary:




for reference only.



of 94

(WPA-PSK) Wi-Fi Protected Access with Pre-Shared Key

Follow this procedure if you are using the 802.11i WPA2-Personal security method

NOTE:

PCI DSS Wireless Guidline Whitepaper Version 2.0 Section 4.4.1 states


passphrase, with AES encryption




2. With the card installed go to “Start|Settings|Network Connections

3. Right click on the “Wireless Network Connection” icon and select “Properties.” See Figure 16.

4. Select the “Wireless Networks” tab. See Figure 17.

5. Click the “Add” button. See Figure 18.

Configuring the WS5a POSReady for use with the MICROS wireless mini-PCI card.

Part # 400633-220

Figure 16

Figure 17



of 94

6. If you are using DHCP, you can click “OK” and let the WS5a make an association with the Acces

Point designated in Step 4. If you are using a static IP address, do not press “OK”, instead high-

light “Internet Protocol (TCP/IP) and click “Properties.” The Internet Protocol Properties box

will open. Highlight the “Use the following IP address” radio button and manually enter proper

IP, subnet and gateway addresses.

7. Press “OK”

8. Press “OK”

9. You should now have an association with your AP. The taskbar icon should look like Figure 19.


Wireless network card is associated

1. Enter the SSID of your Access Point

(Case Sensitive)

2. Select WPA2-PSK and TKIP

3. Enter the secure Passphrase that

matches the one entered on your

Access Point

4. Click “OK”

Figure 18

Figure 19



of 94

Configuring the Dual-Core Windows 7® Wireless Workstation 5a





Description: KIT,MINI-PCI UPGRADE,WS4LX,WS5,WS5a



Firewall

Criteria:



the

3. Micros web site at http://www.micros.com/members/product_support/hardware/drivers/

4. The Wireless WS5a must use MICROS part #400633-220



7. USB Keyboard

Summary:




for reference only.



of 94

Figure 20



NOTE:







2. With the card installed go to “Start|Control Panel” and click “Network and Internet”

3. Click on “Network and Sharing Center”

4. Click “Set up a new connection or network,” highlight “Manually connect to a wireless network”

and press “Next.” See Figure 20.

*NOTE: Windows recommends against connecting to APs that do not broadcast, however, the PCI

Whitepaper v2.0 Section 4.2.1 states that while suppressing SSID is not required, broadcasting an

Configuring the DC WS5a Win7 for use with the MICROS wireless mini-PCI card.

Part # 400633-220

1. Enter the SSID of your Access

Point (Case Sensitive)

2. Select WPA2-Personal and AES

Encryption type

3. Check “Hide characters”



Access Point

5. Check “Connect even if the

network is not broadcasting”*



of 94

Figure 21

Figure 22

SSID that advertises the organization’s name or is easily identifiable with the organization is not

recommended. Default SSID values should always be changed.

5. Click “Next”

6. If you are using DHCP, your wireless card will associate with the AP now. If you are using a

static IP, click on the “Wireless Network Connection (SSID)” in the Network and Sharing Center

window and click “Properties.” Highlight “Internet Protocol Version 4 (TCP/IPv4)” and click

“Properties.” The Internet Protocol Properties box will open. Highlight the “Use the following

IP addresses” radio button and manually enter proper IP, subnet and gateway addresses.

7. Press “OK” twice.

8. You will now be associated with your AP. The taskbar icon should look like Figure 21.

9. If the taskbar icon looks like Figure 22 then you need to ensure that you are connected with your

AP.



of 94

Figure 23

10. Right click on the Wireless Connection Icon in the task bar and select “Open Network and Sharing

Center.” Click on “Wireless Network Connection (SSID)” shown in Figure 23.

11. Click “Details”

12. Look at the Value for “IPv4 Address” and verify that you have attained an IP address from the AP

that fits within the proper IP Address Schema for your network. See Figure 24.



of 94

Figure 24

13. Click “Close” twice and close the “Network and Sharing Center” window.




of 94

Configuring the POSReady 2009 Wireless PCWS 2015

Currently, only the SparkLAN WMIR-200N (P/N # 400633-225) is compatible with the PCWS 2015



Description: WIRELESS (802.11a/b/g/n) UPGRADE KIT WS5/WS5A/PCWS2015 ,INCLUDES

MINI-PCI CARD,ANTENNAS AND INSTALLATION INSTRUCTIONS

• This card is capable of using WPA2 with AES encryption.


Firewall

Criteria:


2. The PCWS 2015 must have a minimum CAL version 3.1.3.115 installed. CAL can be


3. http://www.micros.com/members/product_support/hardware/drivers/

4. The Wireless PCWS2015 must use MICROS part #400633-225



7. USB Keyboard

Summary:

This document will explain the steps necessary to connect a Wireless PCWS2015 for PCI compliance.


the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this

document is for reference only.



of 94

Figure 25


NOTE:





Configuring the WS5a POSReady for use with the MICROS wireless mini-PCI card. Part #

400633-220



2. With the card installed go to “Start|Settings|Network Connections

3. Right click on the “Wireless Network Connection” icon and select “Properties” See Figure 25.

Procedure 1: Configuring the POSReady 2009 PCWS 2015 (WPA2-PSK) Wi-Fi

Protected Access with Pre-Shared Key using the Windows Wireless Zero Configuration

(WZC) Service



of 94


5. Click the “Add” button. See Figure 27.

Figure 26

1. Enter the SSID of your

Access Point (Case Sensi-

tive)

2. Select WPA2-PSK and

TKIP

3. Enter the secure Passphrase

that matches the one entered

on your Access Point

4. Click “OK”

Figure 27



of 94

6. If you are using DHCP, you can click “OK” and let the WS5a make an association with the Access

Point designated in Step 4. If you are using a static IP address, do not press “OK”, instead high-

light “Internet Protocol (TCP/IP) and click “Properties.” The Internet Protocol Properties box

will open. Highlight the “Use the following IP address” radio button and manually enter proper

IP, subnet and gateway addresses.

7. Press “OK”

8. Press “OK”



Figure 28



of 94


NOTE:PCI DSS Wireless Guidline Whitepaper Version 2.0 Section 4.4.1 states




This Procedure applies when, during the Mini-PCI Wireless Card driver installation, the option to use

the Ralink WLAN Utility was chosen.

Configuring the WS5a POSReady for use with the MICROS wireless mini-PCI card. Part #

400633-220



2. When the installation of the driver and software is complete, the Ralink WLAN Utility will launch

automatically

3. Click on the “Profile” tab at the top of the screen, seen in Figure 29.

4. Click the “Add” button

Procedure 2: Configuring the POSReady 2009 PCWS 2015 (WPA2-PSK) Wi-Fi

Protected Access with Pre-Shared Key using the Ralink WLAN Utility and Ralink

Configuration Tool

Figure 29



of 94

5. Enter the SSID of the Access Point you wish to connect to, seen in Figure 30.

6. Click the “Auth. \Encry.” Tab to setup the correct Authentication and Encryption types for your

AP.

Figure 30



of 94

7. If your AP is using WPA2-PSK Personal Mode, select that for Authentication and choose AES for

Encryption, as seen in Figure 31. Enter the Secure Passphrase that matches the one setup on the

AP in the “WPA Preshared Key” field.

8. If your AP is setup with WPA2 Enterprise Mode, using AES Encryption and EAP Authentication,

select WPA2 for Authentication and AES for Encryption, and click the “802.1x” tab to continue

the setup.

Figure 31



of 94

9. Click on the Client Certificate, seen in Figure 32, and check the Use Client certificate box.

10. Select your certificate from the drop down list and click “OK”

Figure 32



of 94

11. Highlight the Profile you have created and click the “Activate” button, as seen in Figure 33.

12. If you are using DHCP, verify that you have an IP address, Sub Mask, and Default Gateway

assigned. If so, you are associated with the AP and can close the Ralink Configuration Utility and

run the MICROS CAL.

13. If you are using a static IP address, close the Ralink Configuration Utility, and go to “Start|

Settings| Network Connections.” Right click on the Wireless Network Connection, and select

“Properties.” Highlight “Internet Protocol (TCP/IP) and click “Properties.” The Internet

Protocol Properties box will open. Highlight the “Use the following IP address” radio button and

manually enter proper IP, subnet and gateway addresses.

14. Press “OK”

15. Press “OK”



Figure 33

Figure 34



of 94

Configuring the Windows 7 Wireless PCWS 2015

Currently, only the SparkLAN WMIR-200N (P/N # 400633-225) is compatible with the PCWS 2015



Description: WIRELESS (802.11a/b/g/n) UPGRADE KIT WS5/WS5A/PCWS2015 ,INCLUDES

MINI-PCI CARD,ANTENNAS AND INSTALLATION INSTRUCTIONS

• This card is capable of using WPA2 with AES encryption.


Firewall

Criteria:


2. The PCWS 2015 must have a minimum CAL version 3.1.3.115 installed. CAL can be downloaded

from the Micros web site at

3. http://www.micros.com/members/product_support/hardware/drivers/

4. The Wireless PCWS2015 must use MICROS part #400633-225



7. USB Keyboard

Summary:

This document will explain the steps necessary to connect a Wireless PCWS2015 for PCI compliance.


the WS5a always be used at a minimum of WPA2-AES. Certain assumptions are made as this

document is for reference only.



of 94



NOTE: PCI DSS Wireless Guideline Whitepaper Version 2.0 Section 4.4.1 states


passphrase, with AES encryption for WPA2


1. See the PCWS 2015 Setup Guide located on the Hardware Portal for instructions on installing the

MICROS Mini-PCI Wireless card.

2. With the card installed go to “Start|Control Panel” and click “Network and Internet”

3. Click on “Network and Sharing Center”

4. Click “Set up a new connection or network,” highlight “Manually connect to a wireless network”

and press “Next.” See Figure 35.

*NOTE: Windows recommends against connecting to APs that do not broadcast, however, the PCI

Whitepaper v2.0 Section 4.2.1 states that while suppressing SSID is not required, broadcasting an

Configuring the PCWS 2015 Win7 for use with the MICROS wireless mini-PCI card.

Part # 400633-220

1. Enter the SSID of your Access

Point (Case Sensitive)

2. Select WPA2-Personal and AES

Encryption type

3. Check “Hide Characters”



Access Point

5. Check “Connect even if the

network is not broadcasting”*

Figure 35



of 94

SSID that advertises the organization’s name or is easily identifiable with the organization is not

recommended. Default SSID values should always be changed.

5. Click “Next”

6. If you are using DHCP, your wireless card will associate with the AP now. If you are using a

static IP, click on the “Wireless Network Connection (SSID)” in the Network and Sharing Center

window and click “Properties.” Highlight “Internet Protocol Version 4 (TCP/IPv4)” and click

“Properties.” The Internet Protocol Properties box will open. Highlight the “Use the following

IP addresses” radio button and manually enter proper IP, subnet and gateway addresses.

7. Press “OK” twice.

8. You will now be associated with your AP. The taskbar icon should look like Figure 36.

9. If the taskbar icon looks like Figure 37 then you need to ensure that you are connected with your

AP.

10. Right click on the Wireless Connection Icon in the task bar and select “Open Network and Sharing

Center.” Click on “Wireless Network Connection (SSID)” Shown in Figure 38.

Figure 36

Figure 37

Figure 38



of 94

11. Click “Details”

12. Look at the Value for “IPv4 Address” and verify that you have attained an IP address from the

AP that fits within the proper IP Address Schema for your network. See Figure 39.

13. Click “Close” twice and close the “Network and Sharing Center” window.


Figure 39



of 94

Configuring the Wireless PCWS 2010 with Windows XP Professional®

It is possible to configure the PCWS2010 with the same Mini-PCI wireless card as that used in the

WS4, WS4 LX and WS5.

Part used to make the PCWS 2010 Wireless:


Description: KIT,MINI-PCI UPGRADE, 2010, WS4 LX, PCWS 2010.

• This card is capable of using WPA2 encryption.


Firewall


Criteria:


from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/

2. The Wireless PCWS 2010 must use MICROS part # 400633-110


4. USB Keyboard

Summary:

This document will explain the steps necessary to connect a Wireless PCWS 2010 for PCI compliance.


the PCWS 2010 always be used at a minimum of WPA2 encryption. Certain assumptions are made as




of 94

1. See the PCWS 2010 Setup Guide (Part #100016-144) located on the Hardware Portal for



has never been configured, the PCWS 2010 display a message indicating that it has found “new

Hardware”. Browse to the C:\B\MINI PCI LAN Drivers folder and let the install utility setup the

drivers. After the drivers are loaded, go to “Start|Settings|Network Connections”. When the dialog

box opens, highlight the “Wireless Network Connection” icon and select the “Change settings of

this connection”. See Figure 40.


4. Click [Add…]. See Figure 42.

Procedure 1: Configuring the PCWS 2010 for use with the MICROS wireless mini-PCI

card. Part # 400633-110

Figure 40



of 94

8. If you are using DHCP, you can click [OK] and let the PCWS 2010 make an association with the

Access Point designated in step 4. If you are using a static IP address, do not press [OK], instead

highlight “Internet Protocol (TCP/IP) and click “properties”. The Internet Protocol Properties box

will open. Highlight the “Use the following IP address” radio button and manually enter proper IP,

subnet and gateway addresses.

9. Press [OK]

10. Press [OK]



Wireless Network Card

is associated

1. Enter the SSID

of your Access

Point (Case

Sensitive)

2. Select

WPA2-PSK and

AES

3. Enter the secure

Passphrase that

matches the one

entered on your

AP

4. Click [OK]

Figure 42

Figure 41

Figure 43



of 94

Configuring the Wireless PCWS 2010 with Windows Server 2003®

It is possible to configure the PCWS2010 with the same Mini-PCI wireless card as that used in the

WS4, WS4 LX and WS5.

Part used to make the PCWS 2010 Wireless:


Description: KIT,MINI-PCI UPGRADE,PCWS 2010, WS4 LX, WS5.

• This card is capable of using WPA2 encryption.


Firewall


Criteria:


from the Micros web site at http://www.micros.com/members/product_support/hardware/drivers/

2. The Wireless PCWS 2010 must use MICROS part # 400633-110


4. USB Keyboard

Summary:

This document will explain the steps necessary to connect a Wireless PCWS 2010 for PCI compliance.


the PCWS 2010 always be used at a minimum of WPA2 encryption. Certain assumptions are made as




of 94

1. See the PCWS 2010 Setup Guide (Part #100016-144) located on the Hardware Portal for instruc-

tions on installing the MICROS Mini-PCI Wireless card.


has never been configured, the PCWS 2010 display a message indicating that it has found “new

Hardware”. Browse to the C:\B\MINI PCI LAN Drivers folder and let the install utility setup the

drivers. After the drivers are loaded, go to “Start|Settings|Network Connections”. When the dialog

box opens, highlight the “Wireless Network Connection” icon and select File| Properties. See

Figure 44.


4. Click [Add…]. See Figure 46.

5. If you are using DHCP, you can click [OK] and let the PCWS 2010 make an association with the

Access Point designated in step 4. If you are using a static IP address, do not press [OK], instead

choose the [General] Tab, and highlight “Internet Protocol (TCP/IP) and click “properties” The

Procedure 1: Configuring the PCWS 2010 for use with the MICROS wireless mini-PCI

card. Part # 400633-110

Figure 44

1. Enter the SSID

of your Access

Point (Case

Sensitive)

2. Select

WPA2-PSK and

AES

3. Enter the secure

Passphrase that

matches the one

entered on your

AP

4. Click [OK]

Figure 46

Figure 45



of 94

Internet Protocol Properties box will open. Highlight the “Use the following IP address” radio

button and manually enter proper IP, subnet and gateway addresses.

6. Press [OK]

7. Press [OK]

8. You should now have an associate with your AP. The taskbar icon will look like Figure 47.


Wireless Network Card

is associated

Figure 47



of 94

Configuring the PPT8846 to use PEAP Authentication

The Symbol PPT8846 is certified to work with MICROS versions or higher:

• RES 3.2, 4.0

• 9700 2.7

• Simphony (Check the release notes)

The PPT8846 runs Pocket PC 2003 (Windows CE 4.21) which is capable of utilizing the WPA

encryption security standard. The PCI-DSS Wireless recommendations (802.1x Authentication) can

be met with the use of a third-party utility called Aegis. The Aegis utility is available for download

from the Motorola website at http://support.symbol.com or the micros portal at:

http://portal.micros.com/sites/hardware. . The manuals for Aegis are also included in the same zip file

as this document. For more information please reference those manuals.

Criteria:

The PPT8846 must have:

1. A minimum platform version of 33 or higher

2. A WPA and 802.1x compatible Access Point

3. Fully charged battery

Summary:

This document will explain the steps necessary to connect a Symbol PPT8846 for Wireless PCI

compliant recommendations. In this document we use the highest encryption level available to the

device. It is recommended that the PPT8846 always be used with 802.1X authentication. Certain

assumptions are made as this document is for reference only.



of 94

1. Read the product warranty information that came with your Symbol PPT8846.

2. Attach the battery to the PPT8846 according to the enclosed instructions.

3. Charge the battery for several hours to make sure you have sufficient battery time to configure the

PPT8846 and download the application.

Install the Aegis 802.1X Client

(Once the Aegis Utility is installed and running there is no need to configure the Built-in Mobile

Companion)

1. Obtain a copy of the Aegis client (AEGIS 2.1.13-0 WM 2003 PPT8800.cab) from the micros

hardware portal or packaged with this document. Copy the Aegis Utility to the \Application folder

of the PPT8846. Also copy the following files to the \Application folder

a. AegisCopy.cpyAEGISPPT8846.reg

b. SaveAegis.lnk

c. AegisScript.spt

d. AegisLicense.reg

e. SimScriptWM.exe

2. On the PPT8846, browse the \Application folder and tap the

AEGIS 2.1.13-0 WM 2003 PPT8800.cab file to install Aegis.

3. Perform a Cold Boot on the PPT8846. See the instructions at

the end of this section.

4. Go through the startup wizard. A message will display

indicating that “This is the first time the Aegis Client has run

…” Press OK to this message.

5. The Aegis client opens. See Figure 48.

6. If you are going to use more than one network, you can create

multiple profiles. Otherwise the profile name can be left at

default. For the Authentication type, select PEAP. See Figure

48. Enter your PEAP user name and password into the

Identity and password fields. This user name must correspond

to the user on your RADIUS Server. See Figure 48.

NOTE: “A strong, alphanumeric password must be created

with a minimum length of eight characters that includes upper and lower case letters, numbers, and

special characters.

Configuring the Symbol PPT8846 for PEAP

Figure 48



of 94

7. Choose EAP-MSCHAP v2 from the protocol list box.

8. Select the Server tab. See Figure 49.

9. Place a check mark at: “Do not validate server

certificate chain”. This will prevent the Aegis utility

from looking for a certificate. If you are using

certificates, do not check this box. See Figure 49.

10. Press OK. You will receive a message indicating that

you must restart the client. Press OK again. If the utility

closes it can be re-opened by tapping the Icon in the

lower right corner. A Four-Button press may be

required to get around the POSLoader. See instructions

for this process at the bottom of this section.

11. When the Start Icon appears. Press START| Today to

enter the Today screen

12. Open the Aegis utility by tapping the Aegis utility in

the lower right corner of the today screen.

13. Tap the “Spectrum24 LA41…” label on the Aegis

screen. Another window will open. See Figure 50.

14. Select Configure See Figure 51.

15. In the Available Network list, highlight you access point and press “move to configured” or click

Add if your access point is not on the list.

Figure 49

Figure 50

Figure 51



of 94

16. Select “Properties” to edit the access point details. See Figure 52.

17. Select the Authentication Profile created in step 5 and corresponds to your PEAP network.

18. Select WPA Settings tab. See Figure 53.

19. In the WPA Mode list box, choose “WPA 802.1X”

20. In the Encryption list box, choose AES.

21. Click OK

22. Restart the client, Choose Client|Restart to restart the utility. The utility should start

“Authenticated” when connected. If you do not get an “Authenticated” message, go back and

double check everything

Figure 52

Figure 53



of 94

Once Connected to the Network

1. Close the Aegis client. Do not Exit. Exiting will disable the utility and remove the PPT8846 from

the network.

2. Save your settings with Start, Save Aegis. Pressing this utility will make your device Cold Boot

persistent. It is highly recommended that you run this utility after every change to the network.

3. Cold Boot the PPT8846

4. Run the POSLoader as normal except DO NOT configure the Wireless settings. Just skip that

section.

5. At the “Configure Network Adapters” window, tap “802.11b Wireless LAN”.

6. Configure the IP scheme appropriately to your network.

7. Continue the POSLoader wizard. Enter the Server IP address and the HHT name.

8. The loader will force a reboot and continue.

Performing a Four-Finger Press to Exit the MICROS Application

When the PPT8846 shipped from micros is booted the POSLoader will take over. It is possible to exit

from the POSLoader while on the very first splash screen.

One at a time, press the following buttons: F1, F4, Function, and F1 (again). This will cause the Start

Icon display in the top left corner. You can navigate anywhere from the Start button.

Performing a Cold Boot

Remove the back cover and depress the small white “reset” button while simultaneously depressing

the Function button. Replace the back cover and hit the red Power button (Lower left-hand side.)

Making Aegis Persistant

Once the network is configured and communicating, run the “Save Aegis” utility located on the start

menu. Make a good practice of re-running this utility every time you reconfigure your network

settings.

You did this procedure in the first two steps of the Once Connected to the Network section.



of 94

Configuring the Symbol MC50 to use PEAP Authentication

The Symbol MC50 is certified to work with MICROS versions or higher:

• RES 4.0

• 9700 3.0 SP10

• Simphony 1.x

The MC50 runs Pocket PC 2003 (Windows CE 4.21) which is capable of utilizing the WPA

encryption security standard. The PCI-DSS Wireless recommendations (802.1x Authentication) can

be met with the use of a third-party utility called Aegis. The Aegis utility is available for download

from the Motorola website at http://support.symbol.com or the micros portal at:

http://portal.micros.com/sites/hardware. The manuals for Aegis are also included in the same zip file

as this document. For more information please reference those manuals.

Criteria:

1. The MC50 must be on a minimum platform version of 19i or higher

2. A WPA and 802.1x compatible Access Point

3. Fully charged Battery

Summary:

This document will explain the steps necessary to connect a Symbol MC50 for Wireless PCI

compliant recommendations. In this document we use the highest encryption level available to the

device. It is recommended that the MC50 always be used with 802.1X authentication. Certain




of 94

1. Read the product warranty information that came with your Symbol MC50.

2. Attach the battery to the MC50 according to the enclosed instructions.


MC50 and download the application.

Install the Aegis 802.1X Client

(Once the Aegis Utility is installed and running there is no

need to configure the Built-in Mobile Companion)

1. Obtain a copy of the Aegis client (AEGIS 2.1.13-0 WM

2003 PPT8800.cab) from the micros hardware portal or

packaged with this document. Copy the Aegis Utility to

the \Application folder of the MC50. Also copy the

following files to the \Application folder

a. AegisCopy.cpy

b. SaveAegis.lnk

c. AegisScript.spt

d. AegisLicense.reg

e. SimScriptWM.exe

2. On the MC50, browse the \Application folder and tap

the AEGIS 2.1.13-0 WM 2003 PPT8800.cab file to

install Aegis.

3. Cold Boot the MC50 to force the Aegis utility to run.

The Aegis client will pop open a message indicating

that “ If this is the first time…”, Press OK

4. The Aegis Client will open. See Figure 54.

5. If you are going to use more than one network, you can create multiple profiles. Otherwise the

profile name can be left at default. For the Authentication type, select PEAP. See Figure 54. Enter

your PEAP user name and password into the Identity and password fields. This user name must

correspond to the user on your RADIUS Server. See Figure 54. NOTE: “A strong, alphanumeric

password must be created with a minimum length of eight characters that includes upper and lower

case letters, numbers, and special characters.

6. Choose EAP-MSCHAP v2 from the protocol list box.

7. Select the Server tab. See Figure 55.

8. Place a check mark at: “Do not validate server certificate chain”. This will prevent the Aegis utility

from looking for a certificate. If you are using certificates, do not check this box. See Figure 55.

Configuring the Symbol MC50 for PEAP

Figure 54



of 94

9. Press OK. You will receive a message indicating

that you must restart the client. Press OK again. If the

utility closes it can be re-opened by tapping the Icon in

the lower right corner.

10. Tap the “Pegasus WLAN CF…” label on the

Aegis screen. Another window will open. See Figure

56.

11. Select Configure. See Figure 57.

12. In the Available Network list, highlight you

access point and press “move to configured” or click

Add if your access point is not on the list.

13. Select “Properties” to edit the access point

details. See Figure 58.

14. Select the Authentication Profile created in step

5 and corresponds to your PEAP network.

15. Select WPA Settings tab. See Figure 59.

16. In the WPA Mode list box, choose “WPA

802.1X”

17. In the Encryption list box, choose AES.

18. Click OK

19. Restart the client, Choose Client|Restart to restart

the utility. The utility should start “Authenticated”

when connected. If you do not get an

“Authenticated” message, go back and double check

everything.

Once the network is configured, run the “Save Aegis”

utility located on the start menu. Make a good practice

of re-running this utility every time you reconfigure your

network settings

Figure 55

Figure 56



of 94

Figure 57

Figure 58

Figure 59



of 94

Performing a Cold Boot

Hold down the Power button and right Scan/Action button, then press and release the reset button

located below the battery release on the back of the mobile computer. Release the Power button and

right Scan/Action button. See Figure 60.

Performing a Warm Boot

Press the reset button located below the battery release on the back of the mobile computer.

Closing the CAL Client

The CAL client is forced to start every time a reboot occurs. You can by-pass the CAL screen by

using the following method:

1. When the CAL is at the “Version Window,” press the green phone key

2. Press the calendar key

3. Press the red phone key

The CAL will disappear. You can restart it again with a Warm boot.

Figure 60



of 94

Configuring the Symbol MC70

The Symbol MC70 is certified to work with MICROS versions or higher:

• RES – 4.4

• 9700 - 3.1 SP4 and 3.2 SP1

• Simphony - 1.0 (Check documentation for Service Pack level)

The Symbol MC70 uses Windows Mobile 5.0 (OS Version 05.01.0478) which is capable of utilizing

the WPA and WPA2 encryption security standards. The MC70 is shipped from MICROS with the

CAL pre-loaded.

Criteria:

1. The MC70 must be on a minimum OEM Version of 4.39.0000.



Summary:

This document will explain the steps necessary to connect a Symbol MC70 for PCI compliance. It is

recommended that the MC70 always be used at a minimum of WPA2 encryption. Certain assumptions

are made as this document is for reference only.



of 94

1. Read the product warranty and enclosed documentation that shipped with your Symbol MC70.

2. Attach the battery to the MC70 according to the enclosed instructions.


MC70 and download the application.

4. Click the Fusion (Instead of the Mobile Companion that was used in the past. Motorola\Symbol

has changed to a similar utility called “Fusion”) icon located in the lower right corner of the

“Today” screen. See Figure 61.

5. Tap the Fusion icon and select “Manage Profiles”.

The Manage Profiles window will open.

6. Hold the stylus on the empty space in the Window

and select “Add”. See Figure 62.

7. The “Profile Entry” window will open. Enter the

name and ESSID of the Access Point. See Figure 63.

8. Click Next

9. Enter you Operating Mode and Country. The

Operating Mode choices are “Infrastructure” or

“Ad-Hoc”. Choose “Infrastructure” if you are

connecting to an Access Point or Access Port. Select

“Ad-Hoc” if you are only connecting mobile device

to mobile device. See Figure 64.

10. Click Next

11. Select the Authentication type required. Some sites

require a stronger security than WPA2_PSK. At

these sites there will be an Authentication device that

will require you to type a password or provide a certificate.

12. Click Next

13. The Encryption window will open. Select AES. See Figure 65.

14. Click Next

15. The Pass Phrase Window will open. Enter the WPA2 Pre-Shared Key Pass Phrase that matches

your Infrastructure. See Figure 66.

NOTE: “A strong, alphanumeric password must be created with a minimum length of eight characters

that includes upper and lower case letters, numbers and special characters.

16. Click Next

Configuring the Symbol MC70 for use on a MICROS system

Figure 61



of 94

17. The “IP Address Entry Window will open. Select Static or

DHCP depending upon your needs and which product you

will be using. In most cases a RES site will use a Static IP

address and a 9700 or Simphony site will use a DHCP

address.

18. Click next. If you selected DHCP above a “Transmit

Power” window will open. If you selected Static above an

“IP address Entry” window will open. If you selected

Static above enter the appropriate IP address and Subnet

Mask for your system.

19. Click Next to leave the “Transmit Power” set to

“Automatic”.

20. The “Battery Usage” window will open. You can leave the

default setting of “Fast Power Save” or choose and

alternative.

21. Click Finish

22. Click [OK] to close the Fusion utility.

23. There will be a 60 second delay until you get a “Network

Connect” response on the desktop. This will mean that you

are successfully connected. See Figure 67.

Figure 63

Figure 62

Figure 64



of 94

Figure 65

Figure 66

Figure 67



of 94

Configuring the Motorola MC55

The Motorola MC55 is certified to work with MICROS versions or higher:

• RES – 4.6

• 9700 - 3.5

• Simphony - 1.x (Check documentation for Service Pack level)

The Motorola MC55 uses Windows Mobile 6.1 (OS Version 05.02.20758) which is capable of

utilizing the WPA and WPA2 encryption security standards. The MC55 is shipped from MICROS

with the CAL pre-loaded.

Criteria:

1. The MC55 must be on a minimum OEM Version of 1.27.0006.



Summary:

This document will explain the steps necessary to connect a Motorola MC55 for PCI compliance. It is

recommended that the MC55 always be used at a minimum of WPA2-PSK encryption. Certain




of 94

1. Read the product warranty and enclosed documentation

that shipped with your Motorola MC55.

2. Attach the battery to the MC55 according to the enclosed

instructions.

3. Charge the battery for several hours to make sure you

have sufficient battery time to configure the MC55 and

download the application.

4. Click the Fusion icon located in the lower right corner of

the “Today” screen. See Figure 68.

5. Tap the Fusion icon and select “Manage Profiles”. The

Manage Profiles window will open.

6. Hold the Stylus on the Profile “Motorola Wireless Out of

Box Magic” and select Delete to remove this Profile. If

this profile does not exist, go to step 7.

7. Hold the stylus on the empty space in the Window and

select “Add.” See Figure 69.

8. The “Profile Entry” window will open. Enter the name

and ESSID of the Access Point. See Figure 70.

9. Click Next

Configuring the Motorola MC55 for use on a MICROS System

Figure 68

Figure 69

Figure 70



of 94

10. Enter you Operating Mode and Country. The Operating Mode choices are “Infrastructure” or

“Ad-Hoc”. Choose “Infrastructure” if you are connecting to an Access Point or Access Port. Select

“Ad-Hoc” if you are only connecting mobile device to mobile device.

11. Click Next

12. Select the Security Mode used by your Infrastructure.

At a minimum, WPA2-Personal must be used.

13. Select the Authentication type if required. Some sites

require a stronger security than WPA2-PSK. At these

sites there will be an Authentication device that will

require you to type a password or provide a certificate.

If you are using WPA2-Personal only, leave

Authentication type at “None”.

14. Click Next

15. The Encryption window will open. Select AES. See

Figure 71.

16. Choose Pass-phrase or Hexadecimal Keys are an entry

method. Click Next.

17. The Pass-phrase Window will open. Enter the WPA

Pre-Shared Key Pass-phrase or Hexadecimal key that

matches your Infrastructure. See Figure 72.

18. Click Next. The “IP Address Entry Window will open.

Select Static or DHCP depending upon your needs and

which product you will be using. In most cases a RES

site will use a Static IP address and a 9700 or

Simphony site will use a DHCP address.

19. Click next. If you selected DHCP above a “Transmit

Power” window will open. If you selected Static above

an “IP address Entry” window will open. If you

selected Static above enter the appropriate IP address

and Subnet Mask for your system.

20. Click Next to leave the “Transmit Power” set to

“Automatic”.

21. The “Battery Usage” window will open. You can leave

the default setting of “Fast Power Save” or choose and

alternative.

22. Click Save

23. Click [OK] to close the Fusion utility.

24. Warm Boot the MC55 and allow the micros CAL to

run as normal.

Figure 71

Figure 72



of 94

Configuring the Motorola MC55a

The Motorola MC55 is certified to work with MICROS versions or higher:

• RES – 4.6

• 9700 - 3.5

• Simphony - 1.x (Check documentation for Service Pack level)

The Motorola MC55a uses Windows Mobile 6.5 (OS Version 05.02.23121) which is capable of

utilizing the WPA and WPA2 encryption security standards. The MC55a is shipped from MICROS

with the CAL pre-loaded.

Criteria:

1. The MC55a must be on a minimum OEM Version of 1.34.0005.

2. The MC55a must have a minimum CAL version 15.1.3.115 installed. CAL can be downloaded

from the Micros web site at


4. A Fully charged battery

Summary:

This document will explain the steps necessary to connect a Motorola MC55a for PCI compliance. It is

recommended that the MC55a always be used at a minimum of WPA2-PSK encryption. Certain




of 94

1. Read the product warranty and enclosed documentation that shipped with your Motorola MC55a.

2. Attach the battery to the MC55a according to the enclosed instructions.


MC55a and run CAL

4. Highlight the Wi-Fi row on the “Home” screen, and click the Fusion Menu button at the bottom of

the screen, seen in Figure 73

5. Click the “Manage Profiles” button

6. Hold the stylus on the profile “Motorola Wireless Out of Box Magic” and select Delete to remove

this profile. If this profile does not exist go to step 7.

7. Hold the stylus on the empty space in the window and select “Add,” as seen in Figure 74.

8. The “Wireless Lan Profile Entry” window will open, enter a Profile Name and the ESSID (case

sensitive) of the Access Point you are connecting to, see Figure 75.

9. Click Next

10. Select your Operating Mode and Country, the default is “Infrastructure” for connecting to an

Access Point. Select “Ad-Hoc” if you are only connecting mobile device to mobile device.

11. Click Next

Configuring the Motorola MC55a for use on a MICROS system

Figure 73

Figure 74



of 94

12. Select the Security Mode used by your Infrastructure.

At a minimum, WPA2-Personal must be used.

13. Select the Authentication type if required. Some

sites require a stronger security than WPA2-PSK. At

these sites there will be an Authentication device that

will require you to type a password or provide a

certificate. If you are using WPA2-Personal only,

leave Authentication type at “None”

14. Click Next

15. At the Encryption window in, Figure 76, select AES

for Encryption type.

16. Click the Pass-phrase radio button and make sure the

check box next to “For added security – Mask

characthers entered” is selected.

17. Click Next

18. Enter the WPA Pre-Shared Key pass-phrase that

matches your infrastructure.

19. Click Next

20. At the IP Address window, un-check “Obtain Device

IP Address Automatically” if you are using a static IP.

Click Next to enter your IP, Subnet and Gateway

information. If you are using DHCP leave the box

checked and click Next

21. Click Next to leave the Transmit Power set to

“Automatic”

22. Click Save to leave the Battery Usage Mode set to

“Fast Power Save,” or choose an alternative.

23. Click OK to close the Manage Profile Fusion

Window.

24. Warm Boot the MC55a and allow the MICROS CAL

to run as normal.

77

Figure 75

Figure 76



of 94

Configuring the Symbol AP5131 Access Point

Criteria:

1. This Access Point must be on a minimum firmware version of 1.1.1.0-020R.

2. A Firewall must separate the AP5131 from the MICROS Server. This can be accomplished by

either:

a. Use of an external firewall

b. Use of the internal firewall as described in this section

Summary:

This document will explain the steps necessary to connect a Symbol AP5131 Access Point for PCI

compliance. In this document we use the highest encryption level available to the device. It is

recommended that the AP5131 always be used at a minimum of WPA2-PSK encryption. Certain




of 94

1. Read the product warranty information that came with your Symbol AP5131.

2. Gain access to the configuration utility on the AP5131 according to the manufacturer’s

instructions. This can be done over a Serial cable and HyperTerminal or via a Web Browser. If

using a web browser, you must use a secure connection of either https or SSH.

3. Once you have gained access to the AP5131 and entered the administrator password, Enter the

name of this Access Point in the System Name field. See Figure 78.

4. Click [Apply]

5. Double Click “[Network Configuration]”

6. Click “LAN” See Figure 79.

Configuring the Symbol AP5131 for use on a MICROS System

Figure 78



of 94

Figure 79

Figure 80



of 94

7. Configure the LAN to have 2 subnets. One named WIRED that uses the Ethernet Port, as shown

in Figure 79.

8. The other named WIRELESS that is mapped to the WLAN. Click [WLAN Mapping] and

configure it as shown in Figure 80.

9. Click OK on the Mapping Configuration screen.

10. Click [Apply] to save your LAN configuration.

11. Select the WIRED LAN, see Figure 81.

12. Enter the IP information for your WIRED network

13. Click [Apply]

Figure 81



of 94

14. Select the WIRELES LAN, see Figure 82.

15. Enter your IP information for your WIRELESS network

16. Click [Apply]

Figure 82



of 94

17. Select the Firewall, see Figure 83.

18. Make sure that “Disable Firewall” is NOT checked.

19. Under Configurable Firewall Filters, check all settings EXCEPT “MIME Flood Attack Check”.

This rule incorrectly drops packets associated with running Manager Procedures.

20. Click [Apply]

Figure 83



of 94

21. Select Firewall-Subnet Access, see Figure 84.

22. Select the intersection of From WIRELESS and To WIRED

23. In the Rules section, select Deny all protocols, except

24. Make sure that all the standard protocols along the left are unchecked

25. Use the [Add] button to create the exceptions as shown above. The exceptions pertain directly to

the micros application. Contact the micros helpdesk for application ports.

26. Continue using the [Add] button to create the exceptions list. In this case it is RES. See Figure 85.

Figure 84

Figure 85



of 94

27. Click [Apply]

28. Select Firewall-Subnet Access, see Figure 86.

29. Select the intersection of From WIRED and To WIRELESS

30. In the Rules section, select Deny all protocols, except

31. Make sure that all the standard protocols along the left are unchecked

32. Use the [Add] button to create the exceptions as shown above

33. Click [Apply]

Figure 86



of 94

34. Create or Edit an existing Wireless Configuration. See Figure 87.

35. Enter the ESSID and Device Name.

36. Click [Apply]

Figure 87



of 94

37. Click “Security” to enter the Wireless Security Configuration menu. See Figure 88.

38. Create or Edit an existing Policy

Figure 88



of 94

39. Select the WPA2/CCMP radio button

40. Select the “ASCII PassPhrase” radio button

41. Enter your secret pass phrase using a strong password. See Figure 89.

NOTE: use a strong password. A strong, alphanumeric password must be created with a minimum

length of eight characters that includes upper and lower case letters, numbers, and special cha-

racters.

42. Click “AP-5131 Access” to enter the AP-5131 Access menu. See Figure 90.

43. Uncheck the following items from both the LAN and WAN columns. Leaving only:

a. Applet https (Port 443) and SSH (Port 22) secure access methods.

b. Applet http (Port 80) uncheck

c. CLI Telnet (Port 23) uncheck

d. SNMP (Port 161) uncheck

NOTE: Removing these items will limit the means in which the AP-5131 can be managed. You

must use one of these (https or SSH) secure methods to manage the access point for all future

management sessions

Figure 89



of 94

44. Set the “Applet Timeout for http/s access to 2 Minutes. See Figure 90.

45. Click [Apply]. All future management sessions must be done over a secure connection using https of

SSH. For example, instead of typing http://10.0.0.0 to access the AP-5131, you must use

https://10.0.0.0

46. Click [Apply] to save your settings.

47. Exit the configuration and proceed with normal network setup.

Figure 90



of 94

Configuring the Symbol WS2000 Wireless Switch

Criteria:

1. This Wireless Switch must be on a minimum firmware version of 2.2.0.0-021R.

2. The Firewall must be enabled and blocking no MICROS applications

Summary:

This document will explain the steps necessary to connect a Symbol Wireless Switch 2000 for PCI

compliance. In this document we use the highest encryption level available to the device. It is

recommended that the WS2000 always be used at a minimum of WPA2-PSK encryption. Certain




of 94

1. Read the product warranty information that came with your Symbol WS2000.

2. Gain access to the configuration utility on the WS2000 according to the manufacturer’s instruc-

tions. This can be done over a Serial cable and HyperTerminal or via Internet Explorer.

3. Once you have gained access to the WS2000 and entered the administrator password, enter the

name of this WS2000 in the System Name field. See Figure 91.

4. Click [Apply]

5. Double Click “[Network Configuration]”

6. Click “Lan”

7. Select a Subnet. See Figure 92.

Configuring the Symbol WS2000 for use on a MICROS System

Figure 91



of 94

8. Enter the IP information for your network

9. Click [Apply]

10. Double Click “Wireless”

11. Double Click the first SSID. See Figure 93.

12. Enter the ESSID of this Wireless Switch.

13. Check the “secure Beacon” check box to disable the broadcast beacon.

14. Click Apply.

15. Click the security for this SSID. See Figure 94.

Figure 92



of 94

Figure 93

Figure 94



of 94

16. Select theWPA2-CCMP (802.11i) radio button.

17. Select the highlighted [WPA2-CCMP Se…] button. See Figure 94.

18. Enter the ASCII Passphrase. See Figure 95.

NOTE: use a strong password. A strong, alphanumeric password must be created with a minimum

length of eight characters that includes upper and lower case letters, numbers, and special cha-

racters.

19. Click [OK]

20. Click [Apply]

21. Click “Firewall”

22. Make sure the Firewall is “Enabled”

23. Create Firewall rules that meet your network requirements.

Figure 95



of 94

Configuring the Symbol RFS4000 Wireless Switch

Criteria:

1. This Switch must be on a minimum firmware version of 5.0.3.9-001R.

2. The Firewall must be enabled and blocking all non-MICROS applications.

Summary:

This document will explain the steps necessary to connect a Symbol RFS4000 Wireless Switch for

PCI compliance. In this document we use the highest encryption level available to the device. It is

recommended that the RFS4000 always be used at a minimum of WPA2-PSK encryption. Certain




of 94

1. Read the product warranty information that came with your Symbol RFS4000.

2. Gain access to the configuration utility on the AP5131 according to the manufacturer’s

instructions. This can be done over a Serial cable and HyperTerminal or via a Web Browser. If

using a web browser, you must use a secure connection of either https or SSH.

3. Once you have gained access to the RFS4000 and entered the administrator password, navigate to

the “Configuration” tab.

4. Select “Wireless,” on the right side of the screen all of the Wireless LAN Access Points setup for

the switch will be displayed. Click “Add”

5. The WLAN setup screen will appear as seen in Figure 96.

Configuring the Symbol RFS4000 for use on a MICROS system.

1. Enter a name for this

WLAN

2. Enter the SSID of your

Access Point

3. Uncheck “Broadcast

SSID”

4. Uncheck “Answer

Broadcast Probes”

5. Enter the name of the

VLAN that this WLAN

will be assigned to

Figure 96



of 94

6. Click the “Security” link as seen in Figure 97, and click the EAP radio button for

“Authentication Type”

Figure 97



of 94

7. Leave the default settings for the Captive Portal enforcement policy set to off

8. Select WPA2-CCMP Encryption type for the highest possible encryption as recommended in PCI

Whitepaper V2.0 section 4.4.1. Once the check-box is clicked you will see the Encryption

settings below as in Figure 98.

1. Enter the ASCII Passphrase.

NOTE: Use a strong alphanumeric

password, with a minimum length

of eight characters that includes

upper and lower case letters,

numbers and special characters

Figure 98



of 94

9. Click “OK”

10. Click “Firewall”

11. Select Inbound and Outbound IP Firewall rules that apply for your network, you can create new

rules or edit the selected ones from this screen by Clicking the “Create” or “Edit” icons next to the

dropdown boxes, as seen in Figure 99.

Figure 99



of 94

12. Make sure the Firewall is enabled for the whole device by clicking on “Security” under the

“Configuration” tab at the top of the screen.

13. Expand the Wireless Firewall selection as seen in Figure 100.

14. Highlight “Firewall Policy,” select the default policy and click “Edit”

15. Make sure the Firewall is set to “Enabled”

16. You can add, and edit IP Firewall Rules and MAC Firewall Rules as mentioned previously in step

11.

17. Once the Firewall rules have been configured for your network click the “Save” button at the top

right of the screen

18. Exit the configuration and proceed with normal network setup

Figure 100

Wireless Networking Best Practices - DCRS SolutionsWireless Networking Best Practices Wireless...

Documents

Transcript of Wireless Networking Best Practices - DCRS SolutionsWireless Networking Best Practices Wireless...