Personal Security

Use Personal Security if you are a home or small business user who can use a variety of simple security procedures to protect your wireless connection. Select from the list of security settings that do not require extensive infrastructure setup for your wireless network. A RADIUS or AAA server is not required.

Personal Security Settings
Set up Data Encryption and Authentication

In a home wireless network you can use a variety of simple security procedures to protect your wireless connection. These include:

Wi-Fi Protected Access (WPA): WPA encryption protects the data on the network. WPA-Personal uses a Pre-Shared Key (PSK), derived from the passphrase you enter and the network name, from which each station and the access point negotiate fresh per-session encryption keys; the passphrase itself is never used directly as an encryption key. Enter the same passphrase in all of the computers and access points (AP) in your home or small business network. Only devices that hold the same PSK can join the network or decrypt the data transmitted by other stations. With WPA the passphrase initiates the Temporal Key Integrity Protocol (TKIP) for data encryption; WPA2-Personal normally uses AES-CCMP instead, which is stronger. Because the PSK depends only on the passphrase and the SSID, anyone who records a station joining the network can test passphrase guesses offline, so choose a long, random passphrase rather than a word or a short phrase.

Network Keys: WEP encryption provides two key lengths, 64-bit and 128-bit.

Of the two, use a 128-bit key. If you use WEP, all wireless devices on your wireless network must use the same encryption keys. You can create the key yourself and specify the key length (64- or 128-bit) and key index (the location where a specific key is stored). The longer key is harder to guess, but WEP is weak at either length: its 24-bit initialization vector repeats quickly and its CRC-32 integrity check is not a cryptographic MAC, so frames can be altered without knowing the key. Use WEP only for a device that cannot be upgraded, and prefer WPA2 everywhere else.

Key Length: 64-bit. Pass phrase (64-bit): Enter five (5) alphanumeric characters, 0-9, a-z or A-Z (a 40-bit secret; the 24-bit IV makes up the rest of the 64 bits).

Key Length: 128-bit. Pass phrase (128-bit): Enter 13 alphanumeric characters, 0-9, a-z or A-Z (a 104-bit secret plus the 24-bit IV).

With WEP data encryption, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point (AP) or a wireless station transmits an encrypted message that uses a key stored in a specific key index, the transmitted message carries the key index that was used to encrypt the message body. The receiving AP or wireless station retrieves the key stored at that index and uses it to decode the encrypted message body.

Personal Security: Configure Profiles for Device to Device (Ad Hoc) Networks

Set up a Client with Open Authentication and No Data Encryption (None)

In device to device mode, also called ad hoc mode, wireless computers send information directly to other wireless computers. You can use ad hoc mode to network multiple computers in a home or small office, or to set up a temporary wireless network for a meeting. On the Intel(R) PROSet/Wireless main page, select one of the following methods to connect to a device to device network:
To create a Device to Device (ad hoc) profile:
Set up a Client with WEP 64-bit or WEP 128-bit Data Encryption

When WEP data encryption is enabled, a network key or password is used for encryption. You must enter the key and specify the length (64- or 128-bit) and key index (the location where a specific key is stored). Use a key with mixed letters and numbers rather than a dictionary word; a 13-character (128-bit) key is harder to guess than a 5-character one, though WEP itself remains weak whatever the key. To add a network key to a device to device network connection:
To add a password or network key:
When WEP encryption is enabled on a device, the WEP key is what actually controls access to the network. With Open authentication a device that does not have the correct WEP key can still associate, but it cannot decrypt received frames or produce frames that pass the receiver's integrity check, so it is unable to exchange data.
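The key index and key length mechanics described above, as an added worked example that is not part of the Intel documentation. The frame layout (3-byte IV, key index in the top two bits of the KeyID byte, RC4 keyed with IV || secret key, CRC-32 ICV) is the one from IEEE 802.11-1999; the keys, IV and payload are constructed sample data, and the final function shows why the ICV cannot stop an attacker who never learns the key.

```python
"""WEP frame encapsulation with key index, added here as a worked example (not Intel's code).

Layout per IEEE 802.11-1999: IV (3 bytes) | KeyID byte (key index in bits 6-7) |
RC4(IV || key) applied to (data || ICV), where the ICV is CRC-32 of the data. The
keys, IV and payload used below are constructed sample data.
"""
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR); WEP keys it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_key(text: str) -> bytes:
    """ASCII key: 5 characters give the 40-bit secret of a '64-bit' key, 13 give the
    104-bit secret of a '128-bit' key; the remaining 24 bits of each are the IV."""
    key = text.encode("ascii")
    if len(key) not in (5, 13):
        raise ValueError("WEP ASCII key must be 5 (64-bit) or 13 (128-bit) characters")
    return key


def _icv(data: bytes) -> bytes:
    """Integrity Check Value: plain CRC-32 of the plaintext, sent inside the encryption."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(keys: dict, key_index: int, iv: bytes, payload: bytes) -> bytes:
    """Encrypt one frame body with the key stored at key_index (0..3 here; the UI shows 1..4)."""
    if key_index not in (0, 1, 2, 3) or key_index not in keys:
        raise ValueError("key index must be 0..3 and have a key configured")
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = rc4(iv + keys[key_index], payload + _icv(payload))
    return iv + bytes([key_index << 6]) + body


def wep_decrypt(keys: dict, frame: bytes):
    """Read the key index from the header, select the stored key, decrypt and check the ICV."""
    iv, key_index = frame[:3], frame[3] >> 6
    if key_index not in keys:
        raise KeyError(f"no key configured at index {key_index}")
    plain = rc4(iv + keys[key_index], frame[4:])
    payload, icv = plain[:-4], plain[-4:]
    if icv != _icv(payload):
        raise ValueError("ICV mismatch")
    return key_index, payload


def flip_bits_undetected(frame: bytes, delta: bytes) -> bytes:
    """Why the ICV is not an integrity check: CRC-32 is affine, so
    CRC(P xor D) = CRC(P) xor CRC(D) xor CRC(0...0) for equal lengths. XORing D into
    the ciphertext and the matching correction into the encrypted ICV turns the
    plaintext into P xor D without the key, and the receiver's ICV check still passes."""
    body = frame[4:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole payload")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    patched = bytes(c ^ d for c, d in zip(body, delta + icv_delta))
    return frame[:4] + patched


if __name__ == "__main__":
    keys = {0: wep_key("abcde"), 1: wep_key("0123456789abc")}   # constructed keys
    frame = wep_encrypt(keys, 1, b"\x01\x02\x03", b"hello world")
    print(wep_decrypt(keys, frame))
```

The attacker in `flip_bits_undetected` needs only the ciphertext and a guess at the plaintext positions to change; this, together with the 24-bit IV, is why the WEP sections of this page should be read as legacy support rather than as protection.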
Personal Security: Configure Profiles for Infrastructure Networks

An infrastructure network consists of one or more access points and one or more computers with wireless adapters installed. Each access point must have a wired connection to a network. For home users, this is usually a broadband or cable network.

Set up a Client with No Data Encryption and No Network Authentication (None)

On the Intel(R) PROSet/Wireless main page, select one of the following methods to connect to an Infrastructure network:
If no authentication is required, the network connects without prompting for any log-on credentials. Any wireless device with the correct network name (SSID) can associate with network devices and gain access to the network, and all traffic is sent in the clear.

Set up a Client with WEP 64-bit or WEP 128-bit Data Encryption

When WEP data encryption is enabled, a network key or password is used for encryption. A network key may be provided for you (for example, by your wireless network adapter manufacturer), or you can enter it yourself and specify the key length (64- or 128-bit), key format (ASCII characters or hexadecimal digits: 5 or 13 characters, or 10 or 26 hex digits), and key index (the location where a specific key is stored). The longer key is harder to guess, though WEP is weak at either length. To add a network key for an infrastructure network connection:
To add a password or network key:
Set up a Client with WPA-Personal (TKIP) or WPA2-Personal (TKIP) Security Settings

WPA Personal Mode requires manual configuration of a pre-shared key (PSK) on the access point and clients. This PSK acts as a password or identifying code on both the client station and the access point. An authentication server is not needed. WPA Personal Mode is targeted to home and small business environments. WPA2 is the second generation of WPA security that provides enterprise and consumer wireless users with a high level of assurance that only authorized users can access their wireless networks. WPA2 provides a stronger encryption mechanism through the Advanced Encryption Standard (AES), which is a requirement for some corporate and government users. TKIP was designed as a stop-gap for WEP-era hardware; select it only when a device on the network cannot use AES-CCMP. To configure a profile with WPA-Personal network authentication and TKIP data encryption:
Set WPA-Personal (AES-CCMP) - WPA2-Personal (AES-CCMP) Security Settings

Wi-Fi Protected Access (WPA) is a security enhancement that strongly increases the level of data protection and access control to a wireless network. WPA enforces a key exchange (the four-way handshake) after association and only works with dynamic, per-session encryption keys; in Personal mode the handshake is keyed from the PSK rather than from an 802.1x authentication server. For a home user or small business, WPA-Personal utilizes either Advanced Encryption Standard - Counter CBC-MAC Protocol (AES-CCMP) or Temporal Key Integrity Protocol (TKIP). To configure a profile with WPA2-Personal network authentication and AES-CCMP data encryption:
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is the method for privacy protection of wireless transmissions specified in the IEEE 802.11i standard. AES-CCMP provides a stronger encryption method than TKIP. Choose AES-CCMP as the data encryption method whenever strong data protection is important. If your wireless access point or router supports WPA2-Personal, enable it on the access point and provide a long, strong passphrase. The same passphrase entered into the access point must be used on this computer and all other wireless devices that access the wireless network.
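The passphrase-to-key path that the WPA-Personal descriptions in this section (and the WPA-Personal settings under Enterprise Security below) rely on, as an added worked example that is not part of the Intel documentation. The derivations are the ones specified in IEEE 802.11i (PBKDF2-HMAC-SHA1 for the PMK, the 802.11i PRF for the PTK, HMAC-SHA1 for the WPA2 key MIC); the MAC addresses, nonces, simplified EAPOL-Key bytes and candidate list are constructed for the example. It also shows the offline guess-and-check that makes a "long, strong passphrase" necessary rather than optional.

```python
"""WPA/WPA2-Personal key derivation, added here as a worked example (not Intel's code).

The algorithms are those of IEEE 802.11i: the passphrase and SSID give a Pairwise
Master Key (PMK), the four-way handshake nonces give a Pairwise Transient Key (PTK),
and the station proves it holds the PTK with a MIC over handshake message 2.
MAC addresses, nonces, the EAPOL frame bytes and the candidate list are constructed
sample data, not captured traffic.
"""
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK for CCMP is 384 bits: KCK (16 bytes) | KEK (16) | TK (16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (AES-CCMP) key MIC: HMAC-SHA1 over the EAPOL-Key frame with the MIC field
    zeroed, truncated to 16 bytes. (WPA/TKIP uses HMAC-MD5 here instead.)"""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def simulate_handshake(passphrase: str, ssid: str) -> dict:
    """Messages 1 and 2 of the four-way handshake, returning what an eavesdropper sees."""
    aa = bytes.fromhex("001122334455")     # constructed AP MAC (Authenticator Address)
    spa = bytes.fromhex("66778899aabb")    # constructed station MAC (Supplicant Address)
    pmk = derive_pmk(passphrase, ssid)     # both sides already hold this from the passphrase
    anonce = os.urandom(32)                # message 1: AP -> station, sent in the clear
    snonce = os.urandom(32)                # station picks its own nonce
    kck, _kek, _tk = derive_ptk(pmk, aa, spa, anonce, snonce)
    # Message 2: station -> AP, carries SNonce plus a MIC keyed with the KCK.
    # Simplified EAPOL-Key body (constructed): descriptor type, key info, key length,
    # replay counter, SNonce, then the 16-byte MIC field, zero while the MIC is computed.
    frame_zeroed = b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 8 + snonce + b"\x00" * 16
    mic = eapol_mic(kck, frame_zeroed)
    # The AP recomputes the PTK from its own PMK and both nonces, then checks the MIC.
    ap_kck, _, _ = derive_ptk(pmk, aa, spa, anonce, snonce)
    assert hmac.compare_digest(eapol_mic(ap_kck, frame_zeroed), mic)
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "frame_zeroed": frame_zeroed, "mic": mic}


def recover_passphrase(candidates, capture: dict):
    """Offline guess-and-check over a captured handshake. Each guess costs one PBKDF2
    run and nothing on the network can rate-limit it, which is why a short or
    dictionary passphrase is not enough for WPA-Personal."""
    for cand in candidates:
        pmk = derive_pmk(cand, capture["ssid"])
        kck, _, _ = derive_ptk(pmk, capture["aa"], capture["spa"],
                               capture["anonce"], capture["snonce"])
        if hmac.compare_digest(eapol_mic(kck, capture["frame_zeroed"]), capture["mic"]):
            return cand
    return None


if __name__ == "__main__":
    cap = simulate_handshake("correct horse battery staple", "HomeNet")   # constructed
    print(recover_passphrase(["password", "letmein", "correct horse battery staple"], cap))
```

Note that the SSID acts as the PBKDF2 salt, so rainbow tables only help an attacker against common network names; a non-default SSID and a long random passphrase together are what make the offline search impractical.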
Enterprise Security

From the Security Settings page you can enter the required security settings for the selected wireless network. See Personal Security to set basic WEP or WPA security in a non-enterprise environment (home, small business). See Enterprise Security Settings for a description of each of the Enterprise Security options. Use Enterprise Security if your network environment requires 802.1x authentication.

See Use Intel PROSet/Wireless Profile Features for a description of when the Profile Wizard is launched. See Security Overview for more information about the different security options for wireless networks.

Enterprise Security Settings
Enterprise Security: Configure Profiles for Device to Device (Ad Hoc) Networks

Set up a Client with Open Network Authentication and No (None) Data Encryption

When Open authentication is used, any wireless station can request authentication. The station that needs to authenticate with another wireless station sends an authentication management frame that contains the identity of the sending station. The receiving station grants any request for authentication. Open authentication therefore allows any device network access: if no encryption is enabled on the network, any device that knows the SSID can join and read all traffic. In Device to Device (ad hoc) mode, wireless computers send information directly to other wireless computers. You can use ad hoc mode to network multiple computers in a home or small office, or to set up a temporary wireless network for a meeting.
To create a profile for a wireless network connection with no encryption:
Set up a Client with Open Network Authentication and WEP Data Encryption

On the Intel PROSet/Wireless main window, select one of the following methods to connect to a device to device network:
To create a profile for a wireless network connection with WEP encryption:
Enterprise Security: Configure Profiles for Infrastructure Networks

An infrastructure network consists of one or more access points and one or more computers with wireless adapters installed. Each access point must have a wired connection to a network.

Set up a Client with No Authentication or Data Encryption (None)

On the Intel(R) PROSet/Wireless main page, select one of the following methods to connect to an Infrastructure network:
If there is no authentication required, the network connects without a prompt to enter any log-on credentials. Any wireless device with the correct network name (SSID) is able to associate with other devices in the network. To create a profile for a wireless network connection with no encryption:
Set up a Client with Shared Network Authentication

When Shared Key authentication is used, each wireless station is assumed to have received a secret shared key over a secure channel that is independent of the 802.11 wireless network. Shared key authentication requires the client to configure a static WEP or CKIP key. Client access is granted only if it passes a challenge-based authentication: the AP sends a challenge and the client returns it encrypted under the shared key. That exchange exposes a plaintext/ciphertext pair, and with it an RC4 keystream, to anyone listening, so Shared Key authentication with WEP is no stronger than Open authentication with WEP and is usually worse. CKIP provides stronger data encryption than WEP, but not all operating systems and access points support it.
Set up a Client with WPA-Personal or WPA2 Personal Network Authentication

Wi-Fi Protected Access (WPA) is a security enhancement that strongly increases the level of data protection and access control to a wireless network. WPA enforces a key exchange and only works with dynamic encryption keys. If your wireless AP or router supports WPA-Personal and WPA2-Personal, enable WPA2-Personal on the AP and provide a long, strong passphrase. For personal or home networks without a RADIUS or AAA server, use Wi-Fi Protected Access Personal.
Some security solutions may not be supported by your computer's operating system and may require additional software or certain hardware as well as wireless LAN infrastructure support. Check with your computer manufacturer for details. To add a profile with WPA-Personal or WPA2-Personal network authentication:
Set up a Client with WPA-Enterprise or WPA2-Enterprise Network Authentication

WPA-Enterprise and WPA2-Enterprise require an authentication server (RADIUS) and 802.1x/EAP. Each user authenticates with individual credentials and receives a unique session key, so there is no shared passphrase that can leak or be guessed offline.
To add a profile that uses WPA - Enterprise or WPA2 - Enterprise authentication:
Set up a Client with WEP Data Encryption and MD5 Network Authentication

MD5 authentication (EAP-MD5) is a one-way authentication method that uses user names and passwords: only the client is authenticated, not the server, and the challenge and response travel in the clear, so the password can be attacked offline by anyone who captures the exchange. This method does not support key management, but does require a pre-configured key if data encryption is used.
To add WEP and MD5 authentication to a new profile:
Step 1 of 2: Password
Step 2 of 2: MD5 User
If you did not select Use Windows logon on the Security Settings page and also did not configure user credentials, an Enter Credentials message appears when you attempt to connect to this profile. Enter your user name, domain, and password. Click OK to access the profile.

Set up a Client with WEP Data Encryption and EAP-SIM Network Authentication

EAP-SIM uses a dynamic session-based WEP key, derived by the client adapter and the RADIUS server, to encrypt data. EAP-SIM requires you to enter a user verification code, or Personal Identification Number (PIN), for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card used by Global System for Mobile Communications (GSM) based digital cellular networks. To add a profile with EAP-SIM authentication:
EAP-SIM authentication can be used with:
EAP-SIM User (optional)
Set up a Client with TLS Network Authentication

These settings define the protocol and the credentials used to authenticate a user. Transport Layer Security (TLS) authentication (EAP-TLS) is a two-way authentication method that exclusively uses digital certificates to verify the identity of a client and a server. To set up the Client for WPA-Enterprise with AES-CCMP encryption and TLS authentication:
| NOTE: Contact your administrator to obtain the domain name. |
- Click OK to save the setting and close the page.
Set up a Client with TTLS Network Authentication
TTLS authentication: These settings define the protocol and credentials used to authenticate a user. The client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. Inside that channel the client authenticates itself with a second protocol, typically a password-based one (for example, MD5 Challenge or MS-CHAP-V2). The challenge and response packets travel only over the TLS-encrypted channel, so their protection depends on the client having validated the server first. The following example describes how to use WPA with AES-CCMP encryption with TTLS authentication.
To set up a client with AES-CCMP Data Encryption and TTLS Network Authentication:
- Click Profiles on the Intel PROSet/Wireless main window.
- On the Profile page, click Add to open the Profile Wizard's General Settings.
- Profile Name: Enter a descriptive profile name.
- Wireless Network Name (SSID): Enter the network identifier.
- Operating Mode: Click Network (Infrastructure).
- Click Next to open the Security Settings.
- Click Enterprise Security.
- Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
- Data Encryption: Select one of the following:
- TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
- AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data encryption method whenever strong data protection is important. AES-CCMP is recommended.
- Enable 802.1x: Selected.
- Authentication Type: Select TTLS to be used with this connection.
Step 1 of 2: TTLS User
Authentication Protocol: This parameter specifies the authentication protocol operating over the TTLS tunnel. The protocols are: PAP (Default), CHAP, MD5, MS-CHAP and MS-CHAP-V2. All of them send either the password itself or a challenge response that can be cracked offline, so they are only as safe as the tunnel: the server validation settings in Step 2 are not optional. See Security Overview for more information.
For PAP, CHAP, MD5, MS-CHAP, and MS-CHAP-V2 protocols, select one of these authentication methods:
| Name | Description |
|---|---|
| Use the Windows logon user name and password: | Select to retrieve the user's credentials from the user's Windows logon process. |
| Prompt for the user name and password: | Select to prompt for user name and password before you connect to the wireless network. The user name and password must be first set in the authentication server by the administrator. NOTE: This option is unavailable if Pre-Logon Connect is not selected during installation of the Intel PROSet/Wireless software. Refer to Install or Uninstall the Single Sign On Feature. |
| Use the following user name and password: | The user name and password are securely (encrypted) saved in the profile. |
Client Certificate: TLS requires a Client Certificate from the Personal certificate store of the user who is logged on to Windows. This certificate identifies you as the user and is used for client authentication. Click Select to choose it from the Personal certificate store. Refer to the Administrator Tool for instructions about how to install a client certificate.
- Roaming Identity: If the Roaming Identity is cleared, %domain%\%username% is the default.
When 802.1x MS RADIUS is used as the authentication server, the server authenticates the device using the Roaming Identity user name from Intel PROSet/Wireless software and ignores the user name of the MS-CHAP-V2 Authentication Protocol. This is the 802.1x identity supplied to the authenticator; it is sent outside the TLS tunnel and is therefore visible to anyone listening. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for EAP clients, so enter a valid user name when 802.1x MS RADIUS is used. For all other servers this is optional, and it is then recommended to use only the desired realm (for example, anonymous@myrealm) instead of a true identity, so that the real user name travels only inside the tunnel.
Step 2 of 2: TTLS Server
- Validate Server Certificate: Selected.
- Certificate Issuer: The server certificate received during the TTLS message exchange must have been issued by this certificate authority (CA). Trusted intermediate certificate authorities and root authorities whose certificates exist in the system store are available for selection. If Any Trusted CA is selected, any CA in the list is acceptable.
- Specify Server or Certificate Name: The server name, or the domain to which the server belongs, depending on which of the following has been selected.
- Server name must match exactly: When selected, the server name entered must match exactly the server name found on the certificate. The server name should include the complete domain name (for example, Servername.Domain name).
- Domain name must end in specified name: When selected, the server name identifies a domain and the certificate must have a server name belonging to this domain or to one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com).
| NOTE: These parameters should be obtained from the administrator. |
- Click OK to save the setting and close the page.
Set up a Client with PEAP Network Authentication
PEAP authentication: PEAP settings are required for the authentication of the client to the authentication server. The client uses EAP-TLS to validate the server and create a TLS-encrypted channel between client and server. Inside that channel the client authenticates itself with another EAP mechanism (for example, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 2). The challenge and response packets travel only over the TLS-encrypted channel, so their protection depends on the client having validated the server first. The following example describes how to use WPA with AES-CCMP or TKIP encryption with PEAP authentication.
To set up a client with PEAP Authentication:
Obtain and install a client certificate. Refer to Set up the Client for TLS authentication or consult your administrator.
- Click Profiles on the Intel PROSet/Wireless main window.
- On the Profile page, click Add to open the Profile Wizard's General Settings.
- Profile Name: Enter a descriptive profile name.
- Wireless Network Name (SSID): Enter the network identifier.
- Operating Mode: Click Network (Infrastructure).
- Click Next to open the Security Settings.
- Click Enterprise Security.
- Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
- Data Encryption: Select one of the following:
- TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
- AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data encryption method whenever strong data protection is important. AES-CCMP is recommended.
- Enable 802.1x: Selected.
- Authentication Type: Select PEAP to be used with this connection.
Step 1 of 2: PEAP User
PEAP relies on Transport Layer Security (TLS) to protect inner authentication types that provide no encryption of their own (for example, EAP-Generic Token Card (GTC) and One-Time Password (OTP) support).
- Authentication Protocol: Select either GTC, MS-CHAP-V2 (Default), or TLS. Refer to Authentication Protocols.
- User Credentials: Select one of the following :
| Name | Description |
|---|---|
| Use the Windows logon user name and password: | Select to retrieve the user's credentials from the user's Windows logon process. |
| Prompt for the user name and password: | Select to prompt for user name and password before you connect to the wireless network. The user name and password must be first set in the authentication server by the administrator. NOTE: This option is unavailable if Pre-Logon Connect is not selected during installation of the Intel PROSet/Wireless software. Refer to Install or Uninstall the Single Sign On Feature. |
| Use the following user name and password: | The user name and password are securely (encrypted) saved in the profile. |
- Roaming Identity: If the Roaming Identity is cleared, %domain%\%username% is the default.
When 802.1x MS RADIUS is used as the authentication server, it authenticates the device with the Roaming Identity user name from the Intel PROSet/Wireless utility and ignores the user name of the MS-CHAP-V2 Authentication Protocol. This is the 802.1x identity supplied to the authenticator, sent outside the TLS tunnel where anyone can read it. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for EAP clients, so enter a valid user name whenever 802.1x MS RADIUS is used. For all other servers this is optional; it is therefore recommended that you do not use a true identity, but instead only the desired realm (for example, anonymous@myrealm).
Configure Roaming Identity to support multiple users:

If you use a Pre-Logon or Common connection profile that requires the roaming identity to be based on the Windows logon credentials, the creator of the profile can add a roaming identity that uses %username% and %domain%. The roaming identity is parsed and the appropriate log on information is substituted for the keywords. This allows maximum flexibility in configuring the roaming identity while allowing multiple users to share the profile.

Please refer to your authentication server user guide for directions about how to format a suitable roaming identity. Possible formats are:

- %domain%\%username%
- %username%@%domain%
- %username%@%domain%.com
- %username%@mynetwork.com

If Roaming Identity is cleared, %domain%\%username% is the default.
| NOTE: Credentials: This user name and domain must match the user name that is set in the authentication server by the administrator prior to client authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol operating over the TLS tunnel. This user identity is securely transmitted to the server only after an encrypted channel has been verified and established. |
Authentication Protocols: This parameter specifies the authentication protocol that operates over the PEAP tunnel. Below are instructions on how to configure a profile that uses PEAP authentication with the GTC, MS-CHAP-V2 (Default), or TLS authentication protocols.
Generic Token Card (GTC)
To configure a one-time password:
- Authentication Protocol: Select GTC (Generic Token Card).
- User Credentials: Select Prompt each time I connect
- On connection prompt for: Select one of the following:
- Static password: On connection, enter the user credentials.
- One-time password (OTP): Obtain the password from a hardware token device.
- PIN (Soft Token): Obtain the password from a soft token program.
- Click OK.
- Select the profile on the Wireless Networks list.
- Click Connect. When prompted, enter the user name, domain and OTP.
- Click OK. You are asked to verify your log in information.
MS-CHAP-V2. This parameter specifies the authentication protocol operating over the PEAP tunnel.
- User Credentials: Select one of the following options:
- Use the following user name and password: Select to save your user name and password for future use whenever an 802.1x authentication profile is used.
- User Name: This user name must match the user name that is set in the authentication server by the administrator prior to client authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol operating over the TLS tunnel. This identity is securely transmitted to the server only after an encrypted channel has been established.
- Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its sub-domains (for example, zeelans.com, where the server is blueberry.zeelans.com). NOTE: Contact your administrator to obtain the domain name.
- Password: Specifies the user password. The password characters appear as asterisks. This password must match the password that is set in the authentication server.
- Confirm Password: Reenter the user password.
- Save your user name and password for future use whenever an 802.1x authentication profile is used.
- Click OK to save the settings.
| NOTE: This option is unavailable if Pre-Logon Connect is not selected during installation of the Intel PROSet/Wireless software. Refer to Install or Uninstall the Single Sign On Feature. |
TLS: Transport Layer Security authentication is a two-way authentication method that exclusively uses digital certificates to verify the identity of a client and a server.
- Obtain and install a client certificate, refer to Set up the Client for TLS authentication or consult your system administrator.
- Select one of the following to obtain a certificate:
- Use my smart card: Select if the certificate resides on a smart card.
- Use the certificate issued to this computer: Click Select to choose a certificate that resides in the machine store.
- Use a user certificate on this computer. Click Select to choose a certificate that resides on this computer.
- Click Next.
Step 2 of 2: PEAP Server
- Select one of the following options:
- Validate Server Certificate: Select to verify the server certificate.
- Specify Server or Certificate Name:
Certificate Issuer: Click Any Trusted CA as the default or select a certificate issuer from the list.
Server or Certificate Name: Enter the server name.
The server name or domain to which the server belongs, depends on which of the two options below has been selected.
Server name must match the specified entry exactly: When selected, the server name must match exactly the server name found on the certificate. The server name should include the complete domain name (for example, Servername.Domain name).
Domain name must end with the specified entry: When selected, the server name identifies a domain, and the certificate must have a server name that belongs to this domain or to one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com). NOTE: These parameters should be obtained from the administrator.
| NOTE: Certificates: The specified identity should match the Issued to identity in the certificate and should be registered on the authentication server (for example, RADIUS server) that is used by the authenticator. Your certificate must be valid with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. Use the same user name you used to log in when the certificate was installed. |
- Click OK. The profile is added to the Profiles list.
- Click the new profile at the end of the Profiles list. Use the up and down arrows to change the priority of the new profile.
- Click Connect to connect to the selected wireless network.
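The server-name rules described in Step 2 of both the TTLS and the PEAP procedures above ("Server name must match exactly" and "Domain name must end with the specified entry"), as an added worked example that is not part of the Intel documentation. The certificate names and the decision helper are constructed for the example; the point a practitioner needs is that the domain rule must respect label boundaries, and that "Any Trusted CA" without a name check lets any server holding a certificate from any trusted CA terminate the tunnel and receive the inner credentials.

```python
"""Server-name rules for PEAP/TTLS server validation, added as a worked example
(not Intel's code). Implements the two options the page describes and shows why the
domain rule has to check the label boundary. Certificate names are constructed."""


def _norm(name: str) -> str:
    """DNS names are case-insensitive; drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def matches_exactly(cert_names, configured: str) -> bool:
    """'Server name must match exactly': the full host name on the certificate."""
    want = _norm(configured)
    return any(_norm(n) == want for n in cert_names)


def matches_domain(cert_names, configured_domain: str) -> bool:
    """'Domain name must end with the specified entry': the domain itself or any subdomain.
    A bare endswith() would accept 'notzeelans.com' for 'zeelans.com', so the check
    requires the dot that separates labels."""
    dom = _norm(configured_domain)
    return any(_norm(n) == dom or _norm(n).endswith("." + dom) for n in cert_names)


def server_accepted(cert_names, issuer_trusted: bool, validate_server: bool,
                    name_rule, configured: str) -> bool:
    """Decision the supplicant makes before any inner credentials are sent.
    name_rule is 'exact', 'domain', or None (certificate issuer check only)."""
    if not validate_server:
        return True      # any server accepted: a rogue AP receives the MS-CHAPv2 exchange
    if not issuer_trusted:
        return False
    if name_rule is None:
        return True      # 'Any Trusted CA' with no name: any cert from any trusted CA passes
    if name_rule == "exact":
        return matches_exactly(cert_names, configured)
    if name_rule == "domain":
        return matches_domain(cert_names, configured)
    raise ValueError("unknown name rule")


# Constructed certificates: the legitimate RADIUS server, and a certificate for an
# unrelated name issued by a public CA that the client also happens to trust.
CORP_RADIUS = ["blueberry.zeelans.com"]
ROGUE = ["wifi.attacker.example"]


if __name__ == "__main__":
    for cert in (CORP_RADIUS, ROGUE):
        print(cert, "issuer-only:", server_accepted(cert, True, True, None, "zeelans.com"),
              "domain rule:", server_accepted(cert, True, True, "domain", "zeelans.com"))
```

With the issuer check alone, both constructed certificates are accepted; only the name rule distinguishes the corporate server from the impostor, which is why the page says these parameters should come from the administrator rather than be left at the default.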
Set up a Client with LEAP Network Authentication
Cisco LEAP (Lightweight Extensible Authentication Protocol) is an 802.1X authentication type that performs mutual authentication between the client and a RADIUS server using a user name and password. The exchange is based on MS-CHAP, and its challenge and response are sent in the clear, so a captured LEAP logon can be attacked offline with a dictionary (the ASLEAP tool is the well-known example). Use LEAP only with long, random passwords, and prefer EAP-FAST or PEAP where the infrastructure supports them. The LEAP profile settings include LEAP and CKIP with Rogue AP detection integration.
To set up a client with LEAP Authentication:
- Click Profiles on the Intel PROSet/Wireless main window.
- On the Profile page, click Add. The Create Wireless Profile General Settings opens.
- Profile Name: Enter a descriptive profile name.
- Wireless Network Name (SSID): Enter the network identifier.
- Operating Mode: Click Network (Infrastructure).
- Click Next to open the Security Settings.
- Click Enterprise Security.
- Network Authentication: Select Open.
- Data Encryption: Select CKIP.
- Enable 802.1x: Selected.
- Authentication Type: Select LEAP to be used with this connection.
- Click Cisco Options.
- Click Enable Cisco Compatible Extensions to enable Cisco Compatible Extensions (CCX) security.
- Click Enable Radio Management Support. Use Radio Management to detect rogue access points.
- Click OK to return to the Security Settings.
LEAP User:
- Select one of the following authentication methods:
- Use the Windows logon user name and password: Allows the 802.1x credentials to match your Windows user name and password. The user's credentials are retrieved from the user's Windows log-on process. The credentials are only used if the user has no password defined in the Windows log-on credentials or if there is a problem capturing the Windows log-on credentials.
| NOTE: This option is unavailable if Pre-Logon Connect is not selected during installation of the Intel PROSet/Wireless software. Refer to Install or Uninstall the Single Sign On Feature. |
- Prompt for the user name and password: Select to prompt for the user name and password before you connect to the wireless network. The user name and password must be first set in the authentication server by the administrator.
- Use the following user name and password: Select to save your user name and password for future use when an 802.1x authentication profile is used.
- User Name: This user name must match the user name that is set in the authentication server by the administrator prior to client authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol. This user's identity is securely transmitted to the server only after an encrypted channel has been established.
- Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its sub-domains (for example, zeelans.com, where the server is blueberry.zeelans.com).
| NOTE: Contact your administrator to obtain the domain name. |
- Password: Specifies the user password. The password characters are seen as asterisks. This password must match the password that is set in the authentication server.
- Confirm Password: Reenter the user password.
- Click OK to save the setting and close the page.
Cisco Compatible Extensions Options
Cisco Options: Use to enable or disable Radio Management and Mixed Cells Mode or Allow Fast Roaming (CCKM).
| NOTE: Cisco Compatible Extensions are automatically enabled for CKIP, LEAP or EAP-FAST profiles. To override this behavior, select or clear options on this page. |
Allow Fast Roaming (CCKM): Select to enable the client wireless adapter for fast, secure roaming. When a wireless LAN is configured for fast reconnection, an EAP-FAST, EAP-TLS, PEAP-GTC or PEAP-MSCHAPv2 client device can roam from one access point to another without involving the RADIUS server. With Cisco Centralized Key Management (CCKM), an access point configured to provide Wireless Domain Services (WDS) takes the place of the RADIUS server and re-authenticates the client without a delay perceptible in voice or other time-sensitive applications.
Enable Cisco Compatible Options: Select to enable Cisco Compatible Extensions for this wireless connection profile.
Enable Radio Management Support: Select to have your wireless adapter provide radio management to the Cisco infrastructure. If the Cisco Radio Management utility is used on the infrastructure, it configures radio parameters, detects interference and rogue access points. Default setting is selected.
Enable Mixed Cells Mode: Select to allow the wireless adapter to communicate with mixed cells. A mixed cell is a wireless network in which there are both devices that use WEP and devices that do not. Refer to Mixed Cells Mode for more information. The default setting is cleared.
Set up a Client with EAP-FAST Network Authentication
In Cisco Compatible Extensions, Version 3 (CCXv3), Cisco added support for EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling), which uses protected access credentials (PACs) to establish an authenticated tunnel between a client and a server.
Cisco Compatible Extensions, Version 4 (CCXv4) improves the provisioning methods for enhanced security and provides innovations for enhanced security, mobility, quality of service, and network management.
Cisco Compatible Extensions, Version 3 (CCXv3)
To set up a client with EAP-FAST authentication with Cisco Compatible Extensions, version 3 (CCXv3):
- Click Profiles on the Intel PROSet/Wireless main window.
- On the Profile page, click Add to open the Create Wireless Profile Wizard's General Settings.
- Wireless Network Name (SSID): Enter the network identifier.
- Profile Name: Enter a descriptive profile name.
- Operating Mode: Click Network (Infrastructure).
- Click Next to open the Security Settings.
- Click Enterprise Security.
- Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
- Data Encryption: Select one of the following:
- TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
- AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data encryption method whenever strong data protection is important. AES-CCMP is recommended.
- Enable 802.1x: Selected.
- Authentication Type: Select EAP-FAST to be used with this connection.
| NOTE: If CCXv4 Application Setting was not installed through an Administrator Package, only EAP-FAST User settings are available for configuration. Refer to EAP-FAST User Settings. |
Step 1 of 2: EAP-FAST Provisioning
- Click Disable EAP-FAST Enhancements (CCXv4) to allow provisioning inside a server-unauthenticated TLS tunnel (Unauthenticated-TLS-Server Provisioning Mode).
- Click Select server to view any unauthenticated PACs that have already been provisioned and reside on this computer.
| NOTE: If the provisioned PAC is valid, Intel(R) PROSet/Wireless does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel PROSet/Wireless fails the provisioning automatically. A status message is displayed in the Wireless Event Viewer that an administrator can review on the user's computer. |
To import a PAC:

- Click Select server to open the Protected Access Credentials (PAC) list.
- Click Import to import a PAC that resides on this computer or a server.
- Select the PAC and click Open.
- Enter the PAC password (optional).
- Click OK to close this page. The selected PAC is added to the PAC list.
- Click Next to select the credential retrieval method or click OK to save the EAP-FAST settings and return to the Profiles list. The PAC is used for this wireless profile.
Step 2 of 2: EAP-FAST Additional Information
To perform client authentication in the established tunnel, a client sends a user name and password to authenticate and establish client authorization policy.
- Click User Credentials to select the credentials retrieval method:
- Use the Windows logon user name and password: The user credentials are retrieved from the Windows logon process.
| NOTE: This option is unavailable if Pre-Logon Connect is not selected during installation of the Intel PROSet/Wireless software. Refer to Install or Uninstall the Single Sign On Feature. |
- Prompt for the user name and password: Prompts for user name and password before you connect to the wireless network. The user name and password must first be set in the authentication server by the administrator.
- Use the following user name and password: The user name and password must first be set in the authentication server by the administrator.
- User Name: This user name must match the user name that is set in the authentication server.
- Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its sub-domains (for example, zeelans.com, where the server is blueberry.zeelans.com).
| NOTE: Contact your administrator to obtain the domain name. |
- Password: This password must match the password that is set in the authentication server. The entered password characters display as asterisks.
- Confirm Password: Reenter the user password.
- Click OK to save the settings and close the page. Server verification is not required.
Cisco Compatible Extensions, Version 4 (CCXv4)
To set up a client with EAP-FAST authentication with Cisco Compatible Extensions, version 4 (CCXv4):
- Click Profiles on the Intel PROSet/Wireless main window.
- On the Profile page, click Add to open the Create Wireless Profile Wizard's General Settings.
- Wireless Network Name (SSID): Enter the network identifier.
- Profile Name: Enter a descriptive profile name.
- Operating Mode: Click Network (Infrastructure).
- Click Next to open the Security Settings.
- Click Enterprise Security.
- Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
- Data Encryption: Select one of the following:
- TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
- AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data encryption method whenever strong data protection is important. AES-CCMP is recommended.
- Enable 802.1x: Selected.
- Authentication Type: Select EAP-FAST to be used with this connection.

Step 1 of 3: EAP-FAST Provisioning
With CCXv4, EAP-FAST supports two modes for provisioning:
- Server-Authenticated Mode: Provisioning inside a server authenticated (TLS) tunnel.
- Server-Unauthenticated Mode: Provisioning inside an unauthenticated (TLS) tunnel.
| NOTE: Server-Authenticated Mode provides significant security advantages over Server-Unauthenticated Mode even when EAP-MSCHAPv2 is being used as an inner method. This mode protects the EAP-MSCHAPv2 exchanges from potential Man-in-the-Middle attacks by verifying the server’s authenticity before exchanging MSCHAPv2. Therefore, Server-Authenticated Mode is preferred whenever it is possible. EAP-FAST peer must use Server-Authenticated Mode whenever a certificate or public key is available to authenticate the server and ensure the best security practices. |
Provisioning of Protected Access Credentials (PAC):
EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST authenticators are identified by an authority identity (A-ID). The local authenticator sends its A-ID to an authenticating client, and the client checks its database for a matching A-ID. If the client does not recognize the A-ID, it requests a new PAC.
| NOTE: If the provisioned Protected Access Credential (PAC) is valid, Intel(R) PROSet/Wireless does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel PROSet/Wireless fails the provisioning automatically. A status message is displayed in the Wireless Event Viewer that an administrator can review on the user's computer. |
- Verify that Disable EAP-FAST Enhancements (CCXv4) is not selected. Allow unauthenticated provisioning and Allow authenticated provisioning are selected by default. Once a PAC is selected from the Default Server, you can deselect any of these provisioning methods.
- Default Server: None is selected as the default. Click Select Server to select a PAC from the default PAC authority server or select a server from the Server group list. The EAP-FAST Default Server (PAC Authority) selection page opens.
| NOTE: Server groups are only listed if you have installed an Administrator Package that contains EAP-FAST Authority ID (A-ID) Group settings. |
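The following is an added illustration of the client-side decision that the provisioning text above describes (it is not Intel or Cisco code): look up the PAC for the A-ID the server announces, fall back to Server-Authenticated provisioning when the server can be authenticated, and use Server-Unauthenticated provisioning only when the profile still allows it. The `Pac` class, the function name, the PAC records and the timestamps are assumptions made for the example.

```python
"""Model of the EAP-FAST PAC lookup and provisioning-mode choice.

Added illustration, not Intel or Cisco code. The Pac class, PAC_STORE contents
and SAMPLE_NOW are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict


@dataclass(frozen=True)
class Pac:
    a_id: bytes           # authority identity (A-ID) of the server that issued this PAC
    pac_key: bytes        # shared secret used to build the protected tunnel
    not_after: datetime   # expiry supplied with the PAC


# Constructed sample PAC store keyed by A-ID (hypothetical values).
PAC_STORE: Dict[bytes, Pac] = {
    b"corp-acs-01": Pac(b"corp-acs-01", b"\x11" * 32,
                        datetime(2030, 1, 1, tzinfo=timezone.utc)),
    b"old-acs-00": Pac(b"old-acs-00", b"\x22" * 32,
                       datetime(2020, 1, 1, tzinfo=timezone.utc)),
}

SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def choose_tunnel_action(a_id: bytes, now: datetime, *,
                         server_cert_available: bool,
                         allow_authenticated: bool = True,
                         allow_unauthenticated: bool = True,
                         store: Dict[bytes, Pac] = PAC_STORE) -> str:
    """Return what the client does when the server presents A-ID `a_id`.

    'use-pac'          -> a valid PAC for this A-ID is on hand; build the tunnel from it
    'provision-auth'   -> no usable PAC; provision inside a server-authenticated TLS tunnel
    'provision-unauth' -> no usable PAC and no way to authenticate the server; only if allowed
    'fail'             -> the profile permits neither provisioning mode
    """
    pac = store.get(a_id)
    if pac is not None and pac.not_after > now:
        return "use-pac"
    # Unknown A-ID or expired PAC: a new PAC must be provisioned.
    if server_cert_available and allow_authenticated:
        # Server-Authenticated Mode verifies the server before any inner
        # exchange, which is why it is required whenever a certificate or
        # public key is available.
        return "provision-auth"
    if allow_unauthenticated:
        return "provision-unauth"
    return "fail"
```

With both provisioning methods left at their defaults the function only ever returns `provision-unauth` when no server certificate or public key is available; clearing `allow_unauthenticated` after a PAC has been obtained, as the settings above permit, turns that case into a refusal instead.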
PAC distribution can also be completed manually (out-of-band). Manual provisioning enables you to create a PAC for a user on an ACS server and then import it into a user's computer. A PAC file can be protected with a password, which the user needs to enter during a PAC import.
To import a PAC:
- Click Import to import a PAC from the PAC server.
- Click Open.
- Enter the PAC password (optional).
- Click OK to close this page. The selected PAC is used for this wireless profile.
EAP-FAST CCXv4 enables support for the provisioning of other credentials beyond the PAC currently provisioned for tunnel establishment. The credential types supported include trusted CA certificate, machine credentials for machine authentication, and temporary user credentials used to bypass user authentication.
Use a certificate (TLS Authentication)
- Click Use a certificate (TLS Authentication)
- Click Identity Protection when the tunnel is protected.
- Select one of the following:
- Use a user certificate on this computer. Click Select to choose the user certificate. Click OK. Proceed to Step 4.
- Use the certificate issued to this computer. Proceed to Step 5.
- Use my smart card. Select if the certificate resides on a smart card. Proceed to Step 5.
- User Name: Enter the user name assigned to the user certificate.
- Click Next.
Step 2 of 3: EAP-FAST Additional Information
If you selected Use a certificate (TLS Authentication) and Use a user certificate on this computer, click Next (no roaming identity is required) and proceed to Step 3 to configure EAP-FAST Server certificate settings. If you do not need to configure EAP-FAST server settings, click OK to save your settings and return to the Profiles page.
If you selected to use a smart card, add the roaming identity, if required. Click OK to save your settings and return to the Profiles page.
If you did not select Use a certificate (TLS Authentication), click Next to select an Authentication Protocol. CCXv4 permits additional credentials or TLS cipher suites to establish the tunnel.
Authentication Protocol: Select either GTC or MS-CHAP-V2 (default).
GTC may be used with Server-Authenticated Mode. This enables peers that use other user databases, such as Lightweight Directory Access Protocol (LDAP) and one-time password (OTP) technology, to be provisioned in-band. However, this replacement may only be achieved when used with TLS cipher suites that ensure server authentication.
To configure a one-time password:
- Authentication Protocol: Select GTC (Generic Token Card).
- User Credentials: Select Prompt each time I connect.
- On connection prompt for: Select one of the following:
- Static Password: On connection, enter the user credentials.
- One-time password (OTP): Obtain the password from a hardware token device.
- PIN (Soft Token): Obtain the password from a soft token program.
- Click OK.
- Select the profile on the Wireless Networks list.
- Click Connect. When prompted, enter the user name, domain and one-time password (OTP).
- Click OK.
MS-CHAP-V2: This parameter specifies the authentication protocol operating over the PEAP tunnel.
- User Credentials: Select one of the following options:
- Use Windows Logon: Allows the 802.1x credentials to match your Windows user name and password. Before connection, you are prompted for your Windows logon credentials.
| NOTE: This option is unavailable if Pre-Logon Connect is not selected during installation of the Intel PROSet/Wireless software. Refer to Install or Uninstall the Single Sign On Feature. |
- Prompt each time I connect: Prompts for user name and password every time you log onto the network.
- Use the following user name and password: The user name and password are saved in encrypted form in the profile.
- User Name: This user name must match the user name that is set in the authentication server.
- Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com).
| NOTE: Contact your administrator to obtain the domain name. |
- Password: This password must match the password that is set in the authentication server. The entered password characters display as asterisks.
- Confirm Password: Reenter the user password.
- Roaming Identity: If the Roaming Identity is cleared, %domain%\%username% is the default.
When 802.1x MS RADIUS is used as an authentication server, the server authenticates the device that uses the Roaming Identity user name from Intel PROSet/Wireless software, and ignores the Authentication Protocol MS-CHAP-V2 user name. This feature is the 802.1x identity supplied to the authenticator. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for EAP clients. When 802.1x MS RADIUS is used, enter a valid user name. For all other servers, this is optional. Therefore, it is recommended to use the desired realm (for example, anonymous@myrealm) instead of a true identity.
Step 3 of 3: EAP-FAST Server
Authenticated-TLS-Server Provisioning Mode is supported using a trusted CA certificate, a self-signed server certificate, or server public keys and GTC as the inner EAP method.
- Validate Server Certificate:
- Certificate Issuer: The server certificate received during TLS message exchange must be issued by this certificate authority (CA). Trusted intermediate certificate authorities and root authorities whose certificates exist in the system store are available for selection. If Any Trusted CA is selected, any CA in the list is acceptable.
- Allow intermediate certificates: The server certificate received during negotiation may have been issued directly by the CA or by one of its intermediate certificate authorities. Select to allow an unspecified number of certificates in the server certificate chain between the server certificate and the specified CA. If cleared, the server certificate must have been issued directly by the specified CA.
- Specify Server or Certificate Name: Select if you want to specify your server or certificate name.
Whether you enter the server name itself or the domain to which the server belongs depends on which of the two options below is selected.
- Server name must match exactly: When selected, the server name entered must match exactly the server name found on the certificate. The server name should include the fully qualified domain name (for example, Servername.Domain name).
- Domain name must end in specified name: When selected, the server name identifies a domain and the certificate must have a server name belonging to this domain or to one of its sub-domains (for example, zeelans.com, where the server is blueberry.zeelans.com).
| NOTE: Contact your administrator to obtain the domain name. |
- Click OK to close the security settings.
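As an added example of the checks behind the Validate Server Certificate settings (not Intel's own implementation), the following code models the Certificate Issuer and Allow intermediate certificates options and the two server-name rules. The `Chain` class, the function names, the trusted-CA list and the sample names are assumptions for this example; the chain is represented simply as the issuer names from the server certificate up to the root.

```python
"""Server-certificate checks from the EAP-FAST Server settings, as a model.

Added example, not Intel's code. Chain, the function names, TRUSTED and
SAMPLE_CHAIN are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Chain:
    server_name: str    # name on the leaf (server) certificate
    issuers: List[str]  # CA names from the leaf's issuer up to the root


def _canon(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot and surrounding whitespace are ignored.
    return name.strip().rstrip(".").lower()


def server_name_matches_exactly(cert_name: str, expected: str) -> bool:
    """'Server name must match exactly': the certificate name equals the configured FQDN."""
    return _canon(cert_name) == _canon(expected)


def domain_name_ends_in(cert_name: str, domain: str) -> bool:
    """'Domain name must end in specified name': the certificate name is the domain
    itself or a host in it or in one of its sub-domains. The comparison is made on
    whole labels, so 'evilzeelans.com' is not accepted for 'zeelans.com'."""
    cert, dom = _canon(cert_name), _canon(domain)
    if not dom:
        return False  # an empty domain would accept every name
    return cert == dom or cert.endswith("." + dom)


def issuer_acceptable(chain: Chain, trusted_cas: List[str],
                      specified_ca: Optional[str], allow_intermediates: bool) -> bool:
    """'Certificate Issuer' plus 'Allow intermediate certificates'.

    specified_ca=None models 'Any Trusted CA'. With intermediates disallowed the
    leaf must be issued directly by the specified CA; with them allowed the CA may
    sit anywhere above the leaf. The chain must always end at a CA in the store."""
    if not chain.issuers or chain.issuers[-1] not in trusted_cas:
        return False
    if specified_ca is None:
        return True
    if allow_intermediates:
        return specified_ca in chain.issuers
    return chain.issuers[0] == specified_ca


def validate_server(chain: Chain, *, trusted_cas: List[str],
                    specified_ca: Optional[str] = None, allow_intermediates: bool = True,
                    exact_name: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """Issuer check first, then whichever name rule was configured (neither means no name check)."""
    if not issuer_acceptable(chain, trusted_cas, specified_ca, allow_intermediates):
        return False
    if exact_name is not None:
        return server_name_matches_exactly(chain.server_name, exact_name)
    if domain is not None:
        return domain_name_ends_in(chain.server_name, domain)
    return True


# Constructed sample: leaf issued by an intermediate CA, which is issued by a root CA.
SAMPLE_CHAIN = Chain("blueberry.zeelans.com", ["Zeelans Issuing CA", "Zeelans Root CA"])
TRUSTED = ["Zeelans Issuing CA", "Zeelans Root CA", "Other Root CA"]
```

The label-based suffix test in `domain_name_ends_in` is the check that matters: a plain string suffix comparison would accept a certificate for a look-alike domain, which defeats the point of naming the domain at all. Leaving both name options clear means any certificate from an acceptable issuer passes, so the name check is what ties the tunnel to your own RADIUS server.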
EAP-FAST User Settings
| NOTE: If an Administrator Package was installed on a user's computer that did not apply the Cisco Compatible Extensions, Version 4 Application Setting, only EAP-FAST User settings are available for configuration. |
To set up a client with EAP-FAST authentication:
- Click Profiles on the Intel PROSet/Wireless main window.
- On the Profile page, click Add to open the Create Wireless Profile Wizard's General Settings.
- Wireless Network Name (SSID): Enter the network identifier.
- Profile Name: Enter a descriptive profile name.
- Operating Mode: Click Network (Infrastructure).
- Click Next to open the Security Settings.
- Click Enterprise Security.
- Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
- Data Encryption: Select one of the following:
- TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
- AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data encryption method whenever strong data protection is important. AES-CCMP is recommended.
- Enable 802.1x: Selected.
- Use the Windows logon user name and password: The user credentials are retrieved from the Windows logon process.
| NOTE: This option is unavailable if Pre-Logon Connect is not selected during installation of the Intel PROSet/Wireless software. Refer to Install or Uninstall the Single Sign On Feature. |
- Prompt for the user name and password: Prompts for user name and password before you connect to the wireless network. The user name and password must first be set in the authentication server by the administrator.
- Use the following user name and password: The user name and password must first be set in the authentication server by the administrator.
- User Name: This user name must match the user name that is set in the authentication server.
- Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its sub-domains (for example, zeelans.com, where the server is blueberry.zeelans.com).
| NOTE: Contact your administrator to obtain the domain name. |
- Password: This password must match the password that is set in the authentication server. The entered password characters display as asterisks.
- Confirm Password: Reenter the user password.
Allow automatic provisioning of Protected Access Credentials (PAC):
EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST authenticators are identified by an authority identity (A-ID). The local authenticator sends its A-ID to an authenticating client, and the client checks its database for a matching A-ID. If the client does not recognize the A-ID, it requests a new PAC. Click PACs to view any PACs that have already been provisioned and reside on this computer. A PAC must already have been obtained before you can clear Allow automatic provisioning on the Security Settings.
| NOTE: If the provisioned Protected Access Credential (PAC) is valid, Intel(R) PROSet/Wireless does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel PROSet/Wireless fails the provisioning automatically. A status message is displayed in the Wireless Event Viewer that an administrator can review on the user's computer. |
PAC distribution can also be completed manually (out-of-band). Manual provisioning enables you to create a PAC for a user on an ACS server and then import it into a user's computer. A PAC file can be protected with a password, which the user needs to enter during a PAC import. To import a PAC:
- Click PACs to open the Protected Access Credentials (PAC) list.
- Click Import to import a PAC that resides on this computer or a server.
- Select the PAC and click Open.
- Enter the PAC password (optional).
- Click OK to close this page. The selected PAC is added to the PAC list.
- Click OK to save the EAP-FAST settings and return to the Profiles list. The PAC is used for this wireless profile.