
Product Documentation for Enterprise-Managed AP

Documentation Home for Self-Managed and Enterprise-Managed APs | Administrators Guide

Appendix A. Configuring Security Settings on Wireless Clients

Typically, users will configure security on their wireless clients for access to many different networks (access points). The list of "Available Networks" will change depending on the location of the client and which APs are online and detectable in that location.[1] Once an AP has been detected by the client and security is configured for it, it remains in the client's list of networks but shows as either reachable or unreachable depending on the situation. For each network (AP) you want to connect to, configure security settings on the client to match the security mode being used by that network.

We describe security setup on a client that uses Microsoft Windows client software for wireless connectivity. The Windows client software is used as the example because of its widespread availability on Windows computers and laptops. These procedures will vary slightly if you use different software on the client (such as Funk Odyssey), but the configuration information you need to provide is the same.

Note
The recommended sequence for security configuration is (1) set up security on the access point, and (2) configure security on each of the wireless clients.

We expect that initially, you will connect to an access point that has no security set (plain text mode) from an unsecure wireless client. With this initial connection, you can go to the access point Administration Web pages and configure a security mode (Advanced > Security).

When you re-configure the access point with a security setting and click "Update", your wireless client will be disassociated and you will lose connectivity to the AP Administration Web pages. In some cases, you may need to make additional changes to the AP security settings before configuring the client. Therefore, you must have a backup Ethernet (wired) connection.

The following sections describe how to set up each of the supported security modes on wireless clients of a network served by the Devicescape Enterprise-Managed AP.

Network Infrastructure and Choosing Between Built-in or External Authentication Server

Network security configurations including Public Key Infrastructures (PKI), Remote Authentication Dial-In User Service (RADIUS) servers, and Certificate Authorities (CA) can vary a great deal from one organization to the next in terms of how they provide Authentication, Authorization, and Accounting (AAA). Ultimately, the particulars of your infrastructure will determine how clients should configure security to access the wireless network. Rather than try to predict and address the details of every possible scenario, this document provides general guidelines about each type of client configuration supported by the Devicescape Enterprise-Managed AP.

I Want to Use the Built-in Authentication Server (EAP-PEAP)

If you do not have a RADIUS server or PKI infrastructure in place and/or are unfamiliar with many of these concepts, we strongly recommend setting up the Devicescape Enterprise-Managed APs with security that uses the Built-in Authentication Server on the AP. This will mean setting up the AP to use either IEEE 802.1x or WPA/WPA2 Enterprise (RADIUS) security mode. (The built-in authentication server uses EAP-PEAP authentication protocol.)

  • If the Devicescape Enterprise-Managed AP is set up to use IEEE 802.1x mode and the Built-in Authentication Server, then configure wireless clients as described in IEEE 802.1x Client Using EAP/PEAP.
  • If the Devicescape Enterprise-Managed AP is configured to use WPA/WPA2 Enterprise (RADIUS) mode and the Built-in Authentication Server, configure wireless clients as described in WPA/WPA2 Enterprise (RADIUS) Client Using EAP/PEAP.

I Want to Use an External RADIUS Server with EAP-TLS Certificates or EAP-PEAP

We assume that if you have an external RADIUS server and a PKI/CA set up, you will know how to configure client security options appropriate to your security infrastructure beyond the fundamental suggestions given here. The topics covered here that particularly relate to client security configuration in a RADIUS/PKI environment are the sections on IEEE 802.1x and WPA/WPA2 Enterprise (RADIUS) clients using an EAP-TLS certificate, Configuring an External RADIUS Server to Recognize the Devicescape Enterprise-Managed AP, and Obtaining a TLS-EAP Certificate for a Client.

Details on how to configure an EAP-PEAP client with an external RADIUS server are not covered in this document.

Make Sure the Wireless Client Software is Up-to-Date

Before starting out, please keep in mind that service packs, patches, and new releases of drivers and other supporting technologies for wireless clients are being generated at a fast pace. A common problem encountered in client security setup is not having the right driver, or the latest updates to it, on the client. For example, if you are setting up WPA on the client, make sure you have a driver installed that supports WPA, which is a relatively new technology. Many client cards currently available do not ship from the factory with the latest drivers.

Accessing the Microsoft Windows Wireless Client Security Settings

Generally, on Windows XP there are two ways to get to the security properties for a wireless client:

  1. From the wireless connection icon on the Windows task bar:
    • Right-click the Wireless connection icon in your Windows task bar and select View available wireless networks.
    • Select the SSID of the network to which you want to connect and click Advanced to bring up the Wireless Network Connection Properties dialog.
    Or
  2. From the Windows Start menu at the left end of the task bar:
    • Choose Start > My Network Places to bring up the My Network Places window.
    • From the Network Tasks menu on the left, click View Network Connections to bring up the Network Connections window.
    • Select the Wireless Network Connection you want to configure, right-click it and choose View available wireless networks.
    • Select the SSID of the network to which you want to connect and click Advanced to bring up the Wireless Network Connection Properties dialog.

  Either way, the Wireless Networks tab (which should be displayed automatically) lists Available networks and Preferred networks.

  3. From the list of "Available networks", select the SSID of the network to which you want to connect and click Configure.
  4. This brings up the Wireless Network Connection Properties dialog with the Association and Authentication tabs for the selected network.

    Use this dialog for configuring all the different types of client security described in the following sections. Make sure that the Wireless Network Properties dialog you are working in pertains to the Network Name (SSID) for the network you want to reach on the wireless client you are configuring.

Configuring a Client to Access an Unsecure Network (Plain Text mode)

If the access point or wireless network to which you want to connect is configured as "Plain Text" security mode (no security), you need to configure the client accordingly. A client using no security to connect is configured with Network Authentication "Open" to that network and Data Encryption "Disabled" as described below.

If the client's properties for an unsecure network have security configured, those security settings can prevent successful access to the network because of the mismatch between the client and access point security configurations.

To configure the client to not use any security, bring up the client Network Properties dialog and configure the following settings.

Association Tab
  Network Authentication: Open
  Data Encryption: Disabled

Configuring Static WEP Security on a Client

Static Wired Equivalent Privacy (WEP) encrypts data moving across a wireless network based on a static (non-changing) key. The encryption algorithm is a "stream" cipher called RC4. The access point uses a key to transmit data to the client stations. Each client must use that same key to decrypt data it receives from the access point. Different clients can use different keys to transmit data to the access point. (Or they can all use the same key, but this is less secure because it means one station can decrypt the data being sent by another.)

If you configured the Devicescape Enterprise-Managed AP to use Static WEP security mode . . .

. . . then configure WEP security on each client as follows.

Association Tab
  Network Authentication: "Open" or "Shared", depending on how you configured this option on the access point.
    Note: When the Authentication Algorithm on the access point is set to "Both", clients set to either Shared or Open can associate with the AP. Clients configured to use WEP in Shared mode must have a valid WEP key in order to associate with the AP. Clients configured to use WEP as an Open system can associate with the AP even without a valid WEP key (but a valid key will be required to actually view and exchange data). For more information, see the Administrators Guide and Online Help on the access point.
  Data Encryption: WEP
  Network Key: Provide the WEP key you entered on the access point Security settings in the Transfer Key Index position.
    For example, if the Transfer Key Index on the access point is set to "1", then for the client Network Key specify the WEP key you entered as WEP Key 1 on the access point.
  Key Index: Set the key index to indicate which of the WEP keys specified on the access point Security page will be used to transfer data from the client back to the access point.
    For example, you can set this to 1, 2, 3, or 4 if you have all four WEP keys configured on the access point.
  The key is provided for me automatically: Disable this option (click to uncheck the box).

Authentication Tab
  Enable IEEE 802.1x authentication for this network: Make sure that IEEE 802.1x authentication is disabled (box should be unchecked).
    (Setting the encryption mode to WEP should automatically disable authentication.)

Click OK on the Wireless Network Properties dialog to close it and save your changes.

Connecting to the Wireless Network with a Static WEP Client

Static WEP clients should now be able to associate and authenticate with the access point. As a client, you will not be prompted for a WEP key. The WEP key configured on the client security settings is automatically used when you connect.
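As an added illustration of the Static WEP description above and of the Key Index setting (this is example code written for this appendix, not Devicescape code), the following Python models how a WEP frame body is protected: the 24-bit IV is prepended to the static key, RC4 produces the keystream, and a CRC-32 integrity check value (ICV) is appended to the body before encryption. The key index chosen on the client selects which of the four AP key slots is used, and the demo shows why two stations that transmit with the same key can read each other's frames. All keys, IVs and frame bodies are constructed for the demonstration.

```python
# Added example for this appendix (not Devicescape code): how a static-WEP
# frame body is protected, and why the choice of key index matters.
# The keys, IVs and frame bodies below are constructed for the demonstration.
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher: key scheduling, then XOR the keystream over data."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(keys: dict, key_index: int, iv: bytes, body: bytes) -> bytes:
    """Build the WEP payload: IV(3) | key-id byte | RC4(IV||key, body || ICV).

    key_index is the 1..4 value shown in the Windows dialog; on the air it is
    carried as 0..3 in the top two bits of the byte that follows the IV.
    """
    if key_index not in (1, 2, 3, 4) or len(iv) != 3:
        raise ValueError("key index must be 1..4 and the IV 3 bytes")
    icv = zlib.crc32(body).to_bytes(4, "little")      # WEP integrity check value
    return iv + bytes([(key_index - 1) << 6]) + rc4(iv + keys[key_index], body + icv)

def wep_decrypt(keys: dict, frame: bytes):
    """Return the frame body, or None if we lack the key or the ICV fails."""
    iv, key_index = frame[:3], (frame[3] >> 6) + 1
    key = keys.get(key_index)
    if key is None:
        return None                                   # no key configured in that slot
    plain = rc4(iv + key, frame[4:])
    body, icv = plain[:-4], plain[-4:]
    if zlib.crc32(body).to_bytes(4, "little") != icv:
        return None                                   # wrong key in that slot
    return body

# Constructed 40-bit keys as entered on the AP's Security page, slots 1..4.
AP_KEYS = {1: b"\x01\x02\x03\x04\x05", 2: b"\x0a\x0b\x0c\x0d\x0e",
           3: b"\x11\x12\x13\x14\x15", 4: b"\x21\x22\x23\x24\x25"}

def demo() -> dict:
    """Two stations hold the AP's key 1; station A also holds key 2."""
    station_a = {1: AP_KEYS[1], 2: AP_KEYS[2]}
    station_b = {1: AP_KEYS[1]}
    body = b"constructed frame body from station A"
    # AP -> clients: Transfer Key Index 1, so every client needs key 1.
    from_ap = wep_encrypt(AP_KEYS, 1, b"\x00\x00\x01", b"hello from the AP")
    # Station A -> AP using its own key slot 2: the AP can read it, B cannot.
    a_private = wep_encrypt(station_a, 2, b"\x00\x00\x02", body)
    # Station A -> AP using the shared key 1: now B can read A's traffic too.
    a_shared = wep_encrypt(station_a, 1, b"\x00\x00\x03", body)
    return {
        "b_reads_ap": wep_decrypt(station_b, from_ap),
        "ap_reads_a_private": wep_decrypt(AP_KEYS, a_private),
        "b_reads_a_private": wep_decrypt(station_b, a_private),
        "b_reads_a_shared": wep_decrypt(station_b, a_shared),
        "wrong_key_rejected": wep_decrypt({2: b"\x00" * 5}, a_private),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `demo()` results match the text: a station only decrypts what was sent under a key it holds, and giving every station the same transmit key means any of them can read the others' frames.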

Configuring IEEE 802.1x Security on a Client

IEEE 802.1x is the standard defining port-based authentication and the infrastructure for key management. Extensible Authentication Protocol (EAP) messages are sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1x provides dynamically generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy check (CRC) of each 802.11 frame.

IEEE 802.1x Client Using EAP/PEAP

The Built-In Authentication Server on the Devicescape Enterprise-Managed AP uses Protected Extensible Authentication Protocol (PEAP), referred to here as "EAP/PEAP".

  • If you are using the Built-in Authentication server with "IEEE 802.1x" security mode on the Devicescape Enterprise-Managed AP, then you will need to set up wireless clients to use PEAP.
  • Additionally, you may have an external RADIUS server that uses EAP/PEAP. If so, you will need to (1) add the Devicescape Enterprise-Managed AP to the list of RADIUS server clients, and (2) configure your IEEE 802.1x wireless clients to use PEAP.
    Note
    The following example assumes you are using the Built-in Authentication server that comes with the Devicescape Enterprise-Managed AP. If you are setting up EAP/PEAP on a client of an AP that is using an external RADIUS server, the client configuration process will differ somewhat from this example especially with regard to certificate validation.

If you configured the Devicescape Enterprise-Managed AP to use IEEE 802.1x security mode . . .

. . . then configure IEEE 802.1x security with PEAP authentication on each client as follows.

  1. Configure the following settings on the Association tab of the Network Properties dialog.
    Association Tab
      Network Authentication: Open
      Data Encryption: WEP
        Note: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy check (CRC) of each IEEE 802.11 frame. This is the same encryption algorithm as is used for Static WEP; therefore, the data encryption method configured on the client for this mode is WEP.
      This key is provided for me automatically: Enable (click to check) this option.
  2. Configure this setting on the Authentication tab.
    Authentication Tab
      EAP Type: Choose "Protected EAP (PEAP)".
  3. Click Properties to bring up the Protected EAP Properties dialog and configure the following settings.
    Protected EAP Properties Dialog
      Validate Server Certificate: Disable this option (click to uncheck the box).
        Note: This example assumes you are using the Built-in Authentication server on the AP. If you are setting up EAP/PEAP on a client of an AP that is using an external RADIUS server, you might need to enable certificate validation and choose a certificate, depending on your infrastructure.
      Select Authentication Method: Choose "Secured password (EAP-MSCHAP v2)".
  4. Click Configure to bring up the EAP MSCHAP v2 Properties dialog.
  5. On this dialog, disable (click to uncheck) the option "Automatically use my Windows login name . . . ".

    Click OK on all dialogs (starting with the EAP MSCHAP v2 Properties dialog) to close and save your changes.

Logging on to the Wireless Network with an IEEE 802.1x PEAP Client

IEEE 802.1x PEAP clients should now be able to associate with the access point. Client users will be prompted for a user name and password to authenticate with the network.

IEEE 802.1x Client Using EAP/TLS Certificate

Extensible Authentication Protocol (EAP) Transport Layer Security (TLS), or EAP-TLS, is an authentication protocol that supports the use of smart cards and certificates. You have the option of using EAP-TLS with both WPA/WPA2 Enterprise (RADIUS) and IEEE 802.1x modes if you have an external RADIUS server on the network to support it.

Note
If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and authorization of clients, you must have an external RADIUS server and a Public Key Infrastructure (PKI), including a Certificate Authority (CA) server, configured on your network. It is beyond the scope of this document to describe the configuration of the RADIUS server, PKI, and CA server. Consult the documentation for those products.
Some good starting points available on the Web for the Microsoft Windows PKI software are "How to Install/Uninstall a Public Key Certificate Authority for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;EN-US;231881 and "How to Configure a Certificate Server" at http://support.microsoft.com/default.aspx?scid=kb;en-us;318710#3.

To use this type of security, you must do the following:

  1. Add the Devicescape Enterprise-Managed AP to the list of RADIUS server clients. (See Configuring an External RADIUS Server to Recognize the Devicescape Enterprise-Managed AP.)
  2. Configure the Devicescape Enterprise-Managed AP to use your RADIUS server (by providing the RADIUS server IP address as part of the "IEEE 802.1x" security mode settings).
  3. Configure wireless clients to use IEEE 802.1x security and "Smart Card or other Certificate" as described in this section.
  4. Obtain a certificate for this client as described in Obtaining a TLS-EAP Certificate for a Client.

If you configured the Devicescape Enterprise-Managed AP to use IEEE 802.1x security mode with an external RADIUS server . . .

. . . then configure IEEE 802.1x security with certificate authentication on each client as follows.

  1. Configure the following settings on the Association tab of the Network Properties dialog.
    Association Tab
      Network Authentication: Open
      Data Encryption: WEP
        Note: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy check (CRC) of each IEEE 802.11 frame. This is the same encryption algorithm as is used for Static WEP; therefore, the data encryption method configured on the client for this mode is WEP.
      This key is provided for me automatically: Enable (click to check) this option.
  2. Configure these settings on the Authentication tab.
    Authentication Tab
      Enable IEEE 802.1x authentication for this network: Enable (click to check) this option.
      EAP Type: Choose "Smart Card or other Certificate".
  3. Click Properties to bring up the Smart Card or other Certificate Properties dialog and enable the "Validate server certificate" option.
    Smart Card or other Certificate Properties Dialog
      Validate Server Certificate: Enable this option (click to check the box).
      Certificates: In the certificate list shown, select the certificate for this client.
  4. Click OK on all dialogs to close and save your changes.

  5. To complete the client configuration you must now obtain a certificate from the RADIUS server and install it on this client. For information on how to do this see Obtaining a TLS-EAP Certificate for a Client.

Connecting to the Wireless Network with an IEEE 802.1x Client Using a Certificate

IEEE 802.1x clients should now be able to connect to the access point using their TLS certificates. The certificate you installed is used when you connect, so you will not be prompted for login information. The certificate is automatically sent to the RADIUS server for authentication and authorization.

Configuring WPA/WPA2 Enterprise (RADIUS) Security on a Client

Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is the Wi-Fi Alliance implementation of the IEEE 802.11i standard, which includes the Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode requires the use of a RADIUS server to authenticate users.

This security mode also provides backwards-compatibility for wireless clients that support only the original WPA.

When you configure WPA/WPA2 Enterprise (RADIUS) security mode on the access point, you have a choice of whether to use the Built-in Authentication Server or an external RADIUS server that you provide.

The Devicescape Enterprise-Managed AP Built-in Authentication Server supports Protected Extensible Authentication Protocol (PEAP), known here as "EAP/PEAP", and Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2), which provides authentication for Point-to-Point Protocol (PPP) connections between a Windows-based computer and network devices such as access points.

So, if you configure the network (access point) to use this security mode and choose the Built-in Authentication server, you must configure client stations to use WPA/WPA2 Enterprise (RADIUS) and EAP/PEAP.

If you configure the network (access point) to use this security mode with an external RADIUS server, you must configure the client stations to use WPA/WPA2 Enterprise (RADIUS) and whichever security protocol your RADIUS server is configured to use.

WPA/WPA2 Enterprise (RADIUS) Client Using EAP/PEAP

The Built-In Authentication Server on the Devicescape Enterprise-Managed AP uses Protected Extensible Authentication Protocol (PEAP), known here as "EAP/PEAP".

  • If you are using the Built-in Authentication server with "WPA/WPA2 Enterprise (RADIUS)" security mode on the Devicescape Enterprise-Managed AP, then you will need to set up wireless clients to use PEAP.
  • Additionally, you may have an external RADIUS server that uses EAP/PEAP. If so, you will need to (1) add the Devicescape Enterprise-Managed AP to the list of RADIUS server clients, and (2) configure your "WPA/WPA2 Enterprise (RADIUS)" wireless clients to use PEAP.
    Note
    The following example assumes you are using the Built-in Authentication server that comes with the Devicescape Enterprise-Managed AP. If you are setting up EAP/PEAP on a client of an AP that is using an external RADIUS server, the client configuration process will differ somewhat from this example especially with regard to certificate validation.

If you configured the Devicescape Enterprise-Managed AP to use WPA/WPA2 Enterprise (RADIUS) security mode and to use either the Built-in Authentication Server or an external RADIUS server that uses EAP/PEAP . . .

First set up user accounts on the access point (Cluster > User Management). . . .

. . . then configure WPA security with PEAP authentication on each client as follows.

  1. Configure the following settings on the Association tab of the Network Properties dialog.
    Association Tab
      Network Authentication: WPA
      Data Encryption: TKIP or AES, depending on how this option is configured on the access point.
        Note: When the Cipher Suite on the access point is set to "Both", then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point. For more information, see the Administrators Guide and Online Help on the access point.
  2. Configure this setting on the Authentication tab.
    Authentication Tab
      EAP Type: Choose "Protected EAP (PEAP)".
  3. Click Properties to bring up the Protected EAP Properties dialog and configure the following settings.
    Protected EAP Properties Dialog
      Validate Server Certificate: Disable this option (click to uncheck the box).
        Note: This example assumes you are using the Built-in Authentication server on the AP. If you are setting up EAP/PEAP on a client of an AP that is using an external RADIUS server, you might need to enable certificate validation and choose a certificate, depending on your infrastructure.
      Select Authentication Method: Choose "Secured password (EAP-MSCHAP v2)".
  4. Click Configure to bring up the EAP MSCHAP v2 Properties dialog.
  5. On this dialog, disable (click to uncheck) the option "Automatically use my Windows login name . . . " so that upon login you will be prompted for a user name and password.

    Click OK on all dialogs (starting with the EAP MSCHAP v2 Properties dialog) to close and save your changes.

Logging on to the Wireless Network with a WPA PEAP Client

"WPA/WPA2 Enterprise (RADIUS)" PEAP clients should now be able to associate with the access point. Client users will be prompted for a user name and password to authenticate with the network.

WPA/WPA2 Enterprise (RADIUS) Client Using EAP-TLS Certificate

Extensible Authentication Protocol (EAP) Transport Layer Security (TLS), or EAP-TLS, is an authentication protocol that supports the use of smart cards and certificates. You have the option of using EAP-TLS with both WPA/WPA2 Enterprise (RADIUS) and IEEE 802.1x modes if you have an external RADIUS server on the network to support it.

Note
If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and authorization of clients, you must have an external RADIUS server and a Public Key Infrastructure (PKI), including a Certificate Authority (CA) server, configured on your network. It is beyond the scope of this document to describe the configuration of the RADIUS server, PKI, and CA server. Consult the documentation for those products.
Some good starting points available on the Web for the Microsoft Windows PKI software are "How to Install/Uninstall a Public Key Certificate Authority for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;EN-US;231881 and "How to Configure a Certificate Server" at http://support.microsoft.com/default.aspx?scid=kb;en-us;318710#3.

To use this type of security, you must do the following:

  1. Add the Devicescape Enterprise-Managed AP to the list of RADIUS server clients. (See Configuring an External RADIUS Server to Recognize the Devicescape Enterprise-Managed AP.)
  2. Configure the Devicescape Enterprise-Managed AP to use your RADIUS server (by providing the RADIUS server IP address as part of the "WPA/WPA2 Enterprise [RADIUS]" security mode settings).
  3. Configure wireless clients to use WPA security and "Smart Card or other Certificate" as described in this section.
  4. Obtain a certificate for this client as described in Obtaining a TLS-EAP Certificate for a Client.

If you configured the Devicescape Enterprise-Managed AP to use WPA/WPA2 Enterprise (RADIUS) security mode with an external RADIUS server . . .

. . . then configure WPA security with certificate authentication on each client as follows.

  1. Configure the following settings on the Association tab of the Network Properties dialog.
    Association Tab
      Network Authentication: WPA
      Data Encryption: TKIP or AES, depending on how this option is configured on the access point.
        Note: When the Cipher Suite on the access point is set to "Both", then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point. For more information, see the Administrators Guide and Online Help on the access point.
  2. Configure these settings on the Authentication tab.
    Authentication Tab
      Enable IEEE 802.1x authentication for this network: Enable (click to check) this option.
      EAP Type: Choose "Smart Card or other Certificate".
  3. Click Properties to bring up the Smart Card or other Certificate Properties dialog and enable the "Validate server certificate" option.
    Smart Card or other Certificate Properties Dialog
      Validate Server Certificate: Enable this option (click to check the box).
      Certificates: In the certificate list shown, select the certificate for this client.
  4. Click OK on all dialogs to close and save your changes.

  5. To complete the client configuration you must now obtain a certificate from the RADIUS server and install it on this client. For information on how to do this see Obtaining a TLS-EAP Certificate for a Client.

Logging on to the Wireless Network with a WPA Client Using a Certificate

WPA clients should now be able to connect to the access point using their TLS certificates. The certificate you installed is used when you connect, so you will not be prompted for login information. The certificate is automatically sent to the RADIUS server for authentication and authorization.

Configuring WPA/WPA2 Personal (PSK) Security on a Client

Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes the Temporal Key Integrity Protocol (TKIP), Advanced Encryption Standard (AES), and Counter mode/CBC-MAC Protocol (CCMP) mechanisms. PSK employs a pre-shared key for an initial check of client credentials.

If you configured the Devicescape Enterprise-Managed AP to use WPA/WPA2 Personal (PSK) security mode . . .

. . . then configure WPA/WPA2 Personal (PSK) security on each client as follows.

Association Tab
  Network Authentication: WPA-PSK
  Data Encryption: TKIP or AES, depending on how this option is configured on the access point.
    Note: When the Cipher Suite on the access point is set to "Both", then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point. For more information, see the Administrators Guide and Online Help on the access point.
  Network Key: Provide the key you entered on the access point Security settings for the cipher suite you are using.
    For example, if the access point is set to use a TKIP key of "012345678", then a TKIP client must specify this same string as the network key.
  The key is provided for me automatically: This box should be disabled automatically based on other settings.

Authentication Tab
  Enable IEEE 802.1x authentication for this network: Make sure that IEEE 802.1x authentication is disabled (unchecked).
    (Selecting WPA-PSK network authentication should automatically disable IEEE 802.1x authentication.)

Click OK on the Wireless Network Properties dialog to close it and save your changes.

Connecting to the Wireless Network with a WPA-PSK Client

WPA-PSK clients should now be able to associate and authenticate with the access point. As a client, you will not be prompted for a key. The TKIP or AES key you configured on the client security settings is automatically used when you connect.
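To show why the client's Network Key must be exactly the string entered on the access point (an added example written for this appendix, not Devicescape code), the following Python derives the 256-bit pre-shared key the way IEEE 802.11i specifies: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations. It also accepts the alternative 64-hex-digit raw PSK form the standard defines. The SSID "constructed-ssid" and the comparison cases are constructed for the demo; the passphrase "password" with SSID "IEEE" is the published IEEE 802.11i Annex H test vector.

```python
# Added example for this appendix (not Devicescape code): how the Network Key
# typed on a WPA/WPA2 Personal client becomes the 256-bit pre-shared key, and
# therefore why the client must enter exactly the string configured on the AP.
# SSIDs and comparison cases in demo() are constructed; "password"/"IEEE" is
# the IEEE 802.11i Annex H test vector.
import hashlib
import re

def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def network_key_to_psk(entry: str, ssid: str) -> bytes:
    """Accept either form of Network Key: a passphrase, or the raw 64-hex-digit PSK."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", entry):
        return bytes.fromhex(entry)
    return psk_from_passphrase(entry, ssid)

def client_matches_ap(ap_entry: str, ap_ssid: str,
                      client_entry: str, client_ssid: str) -> bool:
    """The cipher suite (TKIP or AES) plays no part here; only the key string and SSID do."""
    return network_key_to_psk(ap_entry, ap_ssid) == network_key_to_psk(client_entry, client_ssid)

def demo() -> dict:
    """Compare a few client entries against the guide's sample key "012345678"."""
    ap_key, ssid = "012345678", "constructed-ssid"
    raw_psk = psk_from_passphrase(ap_key, ssid)
    return {
        "same_string": client_matches_ap(ap_key, ssid, "012345678", ssid),
        "one_char_off": client_matches_ap(ap_key, ssid, "012345679", ssid),
        # Same passphrase on a differently named network yields a different PSK.
        "wrong_ssid": client_matches_ap(ap_key, ssid, "012345678", "other-ssid"),
        # Entering the derived key as 64 hex digits is equivalent to the passphrase.
        "raw_hex_form": client_matches_ap(ap_key, ssid, raw_psk.hex(), ssid),
    }

if __name__ == "__main__":
    print(psk_from_passphrase("password", "IEEE").hex())
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the SSID is the salt, the same passphrase produces a different PSK on every network name, which is why a client profile is tied to one SSID and why a single mistyped character in the Network Key fails silently at association time.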

Configuring an External RADIUS Server to Recognize the Devicescape Enterprise-Managed AP

An external Remote Authentication Dial-In User Service (RADIUS) server running on the network can support EAP-TLS smart card/certificate distribution to clients in a Public Key Infrastructure (PKI) as well as EAP-PEAP user account setup and authentication. By external RADIUS server, we mean an authentication server external to the access point itself. This is to distinguish between the scenario in which you use a network RADIUS server and one in which you use the Built-in Authentication Server on the Devicescape Enterprise-Managed AP.

This section provides an example of configuring an external RADIUS server for the purposes of authenticating and authorizing TLS-EAP certificates from wireless clients of a particular Devicescape Enterprise-Managed AP configured for either "WPA/WPA2 Enterprise (RADIUS)" or "IEEE 802.1x" security modes. The intention of this section is to provide some idea of what this process will look like; procedures will vary depending on the RADIUS server you use and how you configure it. For this example, we use the Internet Authentication Service that comes with Microsoft Windows 2003 server.

Note
This document does not describe how to set up Administrative users on the RADIUS server. In this example, we assume you already have RADIUS server user accounts configured. You will need a RADIUS server user name and password for both this procedure and the following one that describes how to obtain and install a certificate on the wireless client. Please consult the documentation for your RADIUS server for information on setting up user accounts.

The purpose of this procedure is to identify your Devicescape Enterprise-Managed AP as a "client" to the RADIUS server. The RADIUS server can then handle authentication and authorization of wireless clients for the AP. This procedure is required per access point. If you have more than one access point with which you plan to use an external RADIUS server, you need to follow these steps for each of those APs.

Keep in mind that the information you need to provide to the RADIUS server about the access point corresponds to settings on the access point (Advanced > Security) and vice versa. You should have already provided the RADIUS server IP Address to the AP; in the steps that follow you will provide the access point IP address to the RADIUS server. The RADIUS Key provided on the AP is the "shared secret" you will provide to the RADIUS server.

Note
The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. On the current release of the Devicescape Enterprise-Managed AP, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The Devicescape Enterprise-Managed AP is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.)

  1. Log on to the system hosting your RADIUS server and bring up the Internet Authentication Service.

  2. In the left panel, right click on "RADIUS Clients" node and choose New > Radius Client from the popup menu.
  3. On the first screen of the New RADIUS Client wizard provide information about the Devicescape Enterprise-Managed AP to which you want your clients to connect:
    • A logical (friendly) name for the access point. (You might want to use DNS name or location.)
    • IP address for the access point.

    • Click Next.

  4. For the "Shared secret" enter the RADIUS Key you provided to the access point (on the Advanced > Security page).

    Re-type the key to confirm.
  5. Click Finish.

  6. The access point is now displayed as a client of the Authentication Server.
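The following Python is an added example for this appendix (not Devicescape or Microsoft IAS code) that models the RADIUS exchange the registration above makes possible: the AP sends an Access-Request on UDP 1812 with the user's password hidden under the shared secret (RFC 2865), the server first looks the AP up by its IP address in its client list, and both sides prove knowledge of the same secret through the Response Authenticator. The client table, IP addresses, user accounts and secrets are constructed for the demonstration.

```python
# Added example for this appendix (not Devicescape or Microsoft IAS code):
# the RADIUS exchange between an access point (the RADIUS "client") and the
# server, showing why the server must know the AP's IP address and why the
# shared secret entered on both sides must match. IP addresses, user names,
# passwords and secrets below are constructed for the demonstration.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4           # attribute types

def attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data: bytes) -> dict:
    attrs = {}
    while data:
        atype, alen = data[0], data[1]
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def ap_build_request(secret, ident, nas_ip, username, password):
    """Access-Request sent by the AP; the Request Authenticator is 16 random bytes."""
    req_auth = os.urandom(16)
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(clients: dict, users: dict, src_ip: str, request: bytes):
    """Server side: find the sending AP by IP, then check the user's credentials."""
    secret = clients.get(src_ip)
    if secret is None:
        return None       # RFC 2865: requests from unknown clients are silently discarded
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(struct.pack("!BBH", code, ident, 20) + req_auth + secret).digest()
    return packet(code, ident, resp_auth, b"")

def ap_check_response(secret: bytes, req_auth: bytes, response: bytes):
    """AP side: trust the reply only if its authenticator was made with our secret."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None

CLIENTS = {"192.0.2.10": b"constructed-radius-key"}   # what the New RADIUS Client wizard records

def run_exchange(ap_secret: bytes, server_clients: dict,
                 ap_ip: str = "192.0.2.10", password: bytes = b"correct horse") -> str:
    """Drive one authentication with constructed inputs and report how it ends."""
    users = {b"alice": b"correct horse"}
    request, req_auth = ap_build_request(ap_secret, 7, ap_ip, b"alice", password)
    response = server_handle(server_clients, users, ap_ip, request)
    if response is None:
        return "discarded: AP is not a registered RADIUS client"
    code = ap_check_response(ap_secret, req_auth, response)
    if code is None:
        return "bad response authenticator: shared secrets differ"
    return "accept" if code == ACCESS_ACCEPT else "reject"

if __name__ == "__main__":
    print(run_exchange(b"constructed-radius-key", CLIENTS))
    print(run_exchange(b"constructed-radius-key", CLIENTS, password=b"wrong"))
    print(run_exchange(b"typo-in-key", CLIENTS))
    print(run_exchange(b"constructed-radius-key", CLIENTS, ap_ip="192.0.2.99"))
```

Two failure modes are worth recognising when troubleshooting: an AP whose IP address is not in the server's client list gets no reply at all (the server discards the request), while a mistyped shared secret produces a reply the AP cannot validate, because the server also unhides the password with the wrong secret and rejects the user.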

Obtaining a TLS-EAP Certificate for a Client

Note
If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and authorization of clients, you must have an external RADIUS server and a Public Key Infrastructure (PKI), including a Certificate Authority (CA) server, configured on your network. It is beyond the scope of this document to describe the configuration of the RADIUS server, PKI, and CA server. Consult the documentation for those products.
Some good starting points available on the Web for the Microsoft Windows PKI software are "How to Install/Uninstall a Public Key Certificate Authority for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;EN-US;231881 and "How to Configure a Certificate Server" at http://support.microsoft.com/default.aspx?scid=kb;en-us;318710#3.

Wireless clients configured to use either "WPA/WPA2 Enterprise (RADIUS)" or "IEEE 802.1x" security mode with an external RADIUS server that supports TLS-EAP certificates must obtain a TLS certificate from the RADIUS server.

This is an initial one-time step that must be completed on each client that uses either of these modes with certificates. In this procedure, we use the Microsoft Certificate Server as an example.

To obtain a certificate for a client, follow these steps.

  1. Go to the following URL in a Web browser:
    https://IPAddressOfServer/certsrv/
    where IPAddressOfServer is the IP address of your external RADIUS server, or of the Certificate Authority (CA), depending on the configuration of your infrastructure.
  2. Click "Yes" to proceed to the secure Web page for the server.
  3. The Welcome screen for the Certificate Server is displayed in the browser.
  4. Click "Request a certificate" to get the login prompt for the RADIUS server.
  5. Provide a valid user name and password to access the RADIUS server.
    Note
    The user name and password you need to provide here are for access to the RADIUS server, for which you will already have user accounts configured at this point. This document does not describe how to set up Administrative user accounts on the RADIUS server. Please consult the documentation for your RADIUS server for these procedures.
  6. Click "User Certificate" on the next page displayed.
  7. Click "Yes" on the dialog displayed to install the certificate.
  8. Click "Submit" to complete, and click "Yes" to confirm the submittal on the popup dialog.
  9. Click "Install this certificate" to install the newly issued certificate on your client station. (Also, click "Yes" on the popup windows to confirm the install and to add the certificate to the Root Store.)
  10. A success message is displayed indicating the certificate is now installed on the client.

[1] The exception to this is if the access point is set to prohibit the broadcast of its network name. In this case the SSID will not show up in the list of Available Networks on the client. Instead, the client must have the exact network name configured in the network connection properties before it will be able to connect.
