
Set Up Profile Security


Use Intel(R) PROSet/Wireless Software
Personal Security
Personal Security Settings
Set up Data Encryption and Authentication

Enterprise Security
Enterprise Security Settings

Network Authentication

802.1X Authentication Types


Use Intel(R) PROSet/Wireless Software

The following sections describe how to use Intel(R) PROSet/Wireless to set up the required security settings for your wireless adapter. See Personal Security.

It also provides information about how to configure advanced security settings for your wireless adapter. This requires information from a systems administrator (corporate environment) or advanced security settings on your access point (for home users). See Enterprise Security.

For general information about security settings, See Security Overview.


Personal Security

Use Personal Security if you are a home or small business user who can use a variety of simple security procedures to protect your wireless connection. Select from the list of security settings that do not require extensive infrastructure setup for your wireless network. A RADIUS or AAA server is not required.


Personal Security Settings

Personal Security Settings Description

Name Setting

Personal Security

Select to open the Personal Security settings. The security settings that are available are dependent on the Operating Mode selected in the Create Wireless Profile Security Settings.

Device to Device (ad hoc): In device to device mode, also called ad hoc mode, wireless computers send information directly to other wireless computers. You can use ad hoc mode to network multiple computers in a home or small office, or to set up a temporary wireless network for a meeting.

NOTE: Device to Device (ad hoc) networks are identified with a notebook image (notebook) in the Wireless Networks and Profiles list.

Network (Infrastructure): An infrastructure network consists of one or more access points and one or more computers with wireless adapters installed. At least one access point should also have a wired connection. For home users, this is usually a broadband or cable network.

NOTE: Infrastructure networks are identified with an access point image (access point) in the Wireless Networks and Profiles list.

Security Settings

If you are configuring a Device to Device (ad hoc) profile, select one of the following data encryption settings:

If you are configuring a Network (Infrastructure) profile, select:

Advanced button

Click to access the Advanced Settings and configure the following options:
  • Auto Connect: Select to automatically or manually connect to a profile.
  • Auto Import: Network administrator can export a profile on another computer.
  • Mandatory Access Point: Select to associate the wireless adapter with a specific access point.
  • Password Protection: Select to password protect a profile.
  • Start Application: Specify a program to be started when a wireless connection is made.
  • Maintain Connection: Select to maintain the wireless connection with a user profile after log off.
  • User Name Format: Select the user name format for the authentication server.
  • PLC Domain Check: Select to verify the domain server's presence before the user login process is finished. If the server is not found, login may be delayed for a minute or more.

Back

View the prior page in the Profile Wizard.

OK

Closes the Profile Wizard and saves the profile.

Cancel

Closes the Profile Wizard and cancels any changes made.

Help?

Provides the help information for the current page.


Set up Data Encryption and Authentication

In a home wireless network you can use a variety of simple security procedures to protect your wireless connection. These include:

Wi-Fi Protected Access (WPA) encryption provides protection for your data on the network. WPA uses an encryption key called a pre-shared key (PSK) to encrypt data before transmission. Enter the same password in all of the computers and access point in your home or small business network. Only devices that use the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. The password automatically initiates the Temporal Key Integrity Protocol (TKIP) or AES-CCMP protocol for the data encryption process.

Network Keys

WEP encryption provides two levels of security:

For improved security, use a 128-bit key. If you use encryption, all wireless devices on your wireless network must use the same encryption keys.

You can create the key yourself and specify the key length (64-bit or 128-bit) and key index (the location where a specific key is stored). The greater the key length, the more secure the key.

Key Length: 64-bit

Pass phrase (64-bit): Enter five (5) alphanumeric characters, 0-9, a-z or A-Z.
Hex key (64-bit): Enter 10 hexadecimal characters, 0-9, A-F.

Key Length: 128-bit

Pass phrase (128-bit): Enter 13 alphanumeric characters, 0-9, a-z or A-Z.
Hex key (128-bit): Enter 26 hexadecimal characters, 0-9, A-F.

With WEP data encryption, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message that uses a key stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving access point or wireless station can then retrieve the key that is stored at the key index and use it to decode the encrypted message body.
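As an added example (not part of the Intel documentation), the following Python validates WEP key entries against the length and character rules above, builds the four-slot key table, and shows how a receiver reads the key index from a protected frame. The key table, the sample keys and the sample frame are constructed for illustration; the 3-byte IV plus KeyID byte layout is the IEEE 802.11 WEP frame format.

```python
import binascii

# Key sizes as described in this section: the "64-bit" and "128-bit" WEP
# keys carry 40 and 104 secret bits respectively; the remaining 24 bits
# are the per-frame initialization vector (IV), which is sent in the clear.
WEP_KEY_SIZES = {
    64: {"ascii_len": 5, "hex_len": 10, "secret_bits": 40},
    128: {"ascii_len": 13, "hex_len": 26, "secret_bits": 104},
}


def parse_wep_key(entry: str, key_length: int) -> bytes:
    """Validate one WEP key entry as typed into a profile and return its bytes.

    entry      - a pass phrase (5 or 13 alphanumeric characters 0-9, a-z, A-Z)
                 or a hex key (10 or 26 hexadecimal digits 0-9, A-F)
    key_length - 64 or 128, the Key Length selected in the profile
    The two forms never collide because their lengths differ.
    """
    if key_length not in WEP_KEY_SIZES:
        raise ValueError("key length must be 64 or 128")
    sizes = WEP_KEY_SIZES[key_length]
    if len(entry) == sizes["ascii_len"]:
        if entry.isascii() and entry.isalnum():
            return entry.encode("ascii")
        raise ValueError("pass phrase must use only 0-9, a-z or A-Z")
    if len(entry) == sizes["hex_len"]:
        try:
            return binascii.unhexlify(entry)
        except binascii.Error as exc:
            raise ValueError("hex key must use only 0-9, A-F") from exc
    raise ValueError(
        f"a {key_length}-bit key needs {sizes['ascii_len']} alphanumeric "
        f"or {sizes['hex_len']} hexadecimal characters, got {len(entry)}"
    )


def is_valid_wep_key(entry: str, key_length: int) -> bool:
    """True if parse_wep_key would accept the entry."""
    try:
        parse_wep_key(entry, key_length)
        return True
    except ValueError:
        return False


def build_key_table(entries: dict, key_length: int) -> dict:
    """Map key index 1-4 to validated key bytes (up to four keys, as the
    text describes). Every key in one profile has the same key length."""
    table = {}
    for index, entry in entries.items():
        if index not in (1, 2, 3, 4):
            raise ValueError("key index must be 1, 2, 3 or 4")
        table[index] = parse_wep_key(entry, key_length)
    return table


def key_index_from_frame(frame_body: bytes) -> int:
    """Return the key index (1-4) indicated by a WEP-protected frame body.

    The encrypted body starts with a 3-byte IV followed by one byte whose
    two most significant bits hold the KeyID (0-3); the receiver adds one
    to get the profile's key index.
    """
    if len(frame_body) < 4:
        raise ValueError("frame body too short to carry the IV and KeyID")
    return (frame_body[3] >> 6) + 1


def select_receive_key(table: dict, frame_body: bytes) -> tuple:
    """Look up the key a receiver would use for this frame, as described
    in the text: the frame names the index, the receiver fetches the key."""
    index = key_index_from_frame(frame_body)
    if index not in table:
        raise KeyError(f"no key configured at key index {index}")
    return index, table[index]


# Constructed sample: a 128-bit profile with keys in indexes 1 and 3, and a
# frame whose KeyID byte (0x80 = binary 10000000) says "use key index 3".
SAMPLE_KEYS = {1: "0123456789ABCDEF0123456789", 3: "homeoffice123"}
SAMPLE_TABLE = build_key_table(SAMPLE_KEYS, 128)
SAMPLE_FRAME = b"\x01\x02\x03\x80" + b"\xde\xad\xbe\xef"  # IV, KeyID, ciphertext

if __name__ == "__main__":
    index, key = select_receive_key(SAMPLE_TABLE, SAMPLE_FRAME)
    print(f"frame uses key index {index}: {key.hex()}")
```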


Set up a Client with Open Authentication and No Data Encryption (None)

On the Intel(R) PROSet/Wireless main page, select one of the following methods to connect to an infrastructure network:

If there is no authentication required, the network connects without a prompt to enter any log-on credentials. Any wireless device with the correct network name (SSID) is able to associate with other devices in the network.

CAUTION: Networks using no authentication or encryption are highly vulnerable to access by unauthorized users.

To create a profile for a wireless network connection with no encryption:

  1. Click Profiles on the Intel(R) PROSet/Wireless main window.
  2. On the Profiles list, click Add to open the wireless profile General Settings.
  3. Profile Name: Enter a descriptive profile name.
  4. Wireless Network Name (SSID): Enter the name of your wireless network.
  5. Operating Mode: Click Device to Device (ad hoc).
  6. Click Next to open the Security Settings.
  7. Personal Security is selected by default.
  8. Security Settings: The default setting is None, which indicates that there is no security on this wireless network.
  9. Click OK. The profile is added to the Profiles list and connects to the wireless network.

Set up a Client with WEP 64-bit or WEP 128-bit Data Encryption

When WEP data encryption is enabled, a network key or password is used for encryption.

A network key is provided for you automatically (for example, it might be provided by your wireless network adapter manufacturer), or you can enter it yourself and specify the key length (64-bit or 128-bit), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). The greater the key length, the more secure the key.

To add a network key for a Device to Device (ad hoc) network connection:

  1. On the Intel(R) PROSet/Wireless main window, double-click a Device to Device (ad hoc) network in the Wireless Networks list or select the network and click Connect.
  2. Click Profiles to access the Profiles list.
  3. Click Properties to open the wireless profile General Settings. The Profile name and Wireless Network Name (SSID) display. Device to Device (ad hoc) should be selected as the Operating Mode.
  4. Click Next to open the Security Settings.
  5. Personal Security is selected by default.
  6. Security Settings: The default setting is None, which indicates that there is no security on this wireless network.

To add a password or network key:

  1. Security Settings: Select either WEP 64-bit or WEP 128-bit to configure WEP data encryption with a 64-bit or 128-bit key.
  2. When WEP encryption is enabled on an access point, the WEP key is used to verify access to the network. If the wireless device does not have the correct WEP key, even though authentication is successful, the device is unable to transmit data through the access point or decrypt data received from the access point.

Name Description

Password

Enter the Wireless Security Password (Pass phrase) or Encryption Key (WEP key).

Pass phrase (64-bit)

Enter five (5) alphanumeric characters, 0-9, a-z or A-Z.

WEP key (64-bit)

Enter 10 hexadecimal characters, 0-9, A-F.

Pass phrase (128-bit)

Enter 13 alphanumeric characters, 0-9, a-z or A-Z.

WEP key (128-bit)

Enter 26 hexadecimal characters, 0-9, A-F.

  1. Key Index: Change the Key Index to set up to four passwords.
  2. Click OK to return to the Profiles list.

To add more than one password:

  1. Select the Key Index number: 1, 2, 3, or 4.
  2. Enter the Wireless Security Password.
  3. Select another Key Index number.
  4. Enter another Wireless Security Password.

Set up a Client with WPA*-Personal (TKIP) or WPA2*-Personal (TKIP) Security Settings

WPA* Personal Mode requires manual configuration of a pre-shared key (PSK) on the access point and clients. This PSK authenticates a user's password or identifying code, on both the client station and the access point. An authentication server is not needed. WPA Personal Mode is targeted to home and small business environments.

WPA2* is the second generation of WPA security that provides enterprise and consumer wireless users with a high level of assurance that only authorized users can access their wireless networks. WPA2 provides a stronger encryption mechanism through Advanced Encryption Standard (AES), which is a requirement for some corporate and government users.

NOTE: To achieve transfer rates greater than 54 Mbps on 802.11n connections, WPA2-AES security must be selected. No security (None) can be selected to enable network setup and troubleshooting.

To configure a profile with WPA-Personal network authentication and TKIP data encryption:

  1. On the Intel(R) PROSet/Wireless main window, double-click an infrastructure network in the Wireless Networks list or select the network and click Connect.
  2. Click Profiles to access the Profiles list.
  3. Click Properties to open the wireless profile General Settings. The Profile name and Wireless Network Name (SSID) display. Network (Infrastructure) should be selected as the Operating Mode.
  4. Click Next to open the Security Settings.
  5. Select Personal Security.
  6. Security Settings: Select WPA-Personal (TKIP) to provide security to a small business network or home environment. A password, called a pre-shared key (PSK), is used. The longer the password, the stronger the security of the wireless network.

If your wireless access point or router supports WPA2-Personal, then you should enable it on the access point and provide a long, strong password. The longer the password, the stronger the security of the wireless network. The same password entered in the access point needs to be used on this computer and all other wireless devices that access the wireless network.

NOTE: WPA-Personal and WPA2-Personal are interoperable.

  1. Wireless Security Password (Encryption Key): Enter a text phrase with eight to 63 characters. Verify that the network key matches the password in the wireless access point.
  2. Click OK to return to the Profiles list.

Set up a Client with WPA*-Personal (AES-CCMP) or WPA2*-Personal (AES-CCMP) Security Settings

Wi-Fi Protected Access (WPA*) is a security enhancement that strongly increases the level of data protection and access control to a wireless network. WPA enforces 802.1X authentication and key-exchange and only works with dynamic encryption keys. For a home user or small business, WPA-Personal uses either Advanced Encryption Standard - Counter CBC-MAC Protocol (AES-CCMP) or Temporal Key Integrity Protocol (TKIP).

NOTE: For the Intel(R) Wireless WiFi Link 4965AGN adapter, to achieve transfer rates greater than 54 Mbps on 802.11n connections, WPA2-AES security must be selected. No security (None) can be selected to enable network setup and troubleshooting.

To create a profile with WPA2*-Personal network authentication and AES-CCMP data encryption:

  1. On the Intel(R) PROSet/Wireless main window, double-click an infrastructure network from the Wireless Networks list or select the network and click Connect.
  2. If these are being transmitted, the Profile name and Wireless Network Name (SSID) should display on the General Settings screen. Network (Infrastructure) should be selected as the Operating Mode. Click Next to open the Security Settings.
  3. Select Personal Security.
  4. Security Settings: Select WPA2-Personal (AES-CCMP) to provide this level of security in the small network or home environment. It uses a password, also called a pre-shared key (PSK). The longer the password, the stronger the security of the wireless network.

AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is a newer method for privacy protection of wireless transmissions specified in the IEEE 802.11i standard. AES-CCMP provides a stronger encryption method than TKIP. Choose AES-CCMP as the data encryption method whenever strong data protection is important.

If your Wireless access point or router supports WPA2-Personal, then you should enable it on the access point and provide a long, strong password. The same password entered into the access point needs to be used on this computer and all other wireless devices that access the wireless network.

NOTE: WPA-Personal and WPA2-Personal are interoperable.

Some security solutions may not be supported by your computer's operating system. You may require additional software or hardware as well as wireless LAN infrastructure support. Contact your computer manufacturer for details.

  1. Password: Wireless Security Password (Encryption Key): Enter a text phrase (length is between eight and 63 characters). Verify that the network key used matches the wireless access point key.
  2. Click OK to return to the Profiles list.
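As an added example (not part of the Intel documentation), the following Python shows what the WPA/WPA2-Personal password described in this and the preceding sections actually becomes on each device: the passphrase and SSID are stretched into the 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1 as specified in IEEE 802.11i, which is why every device must carry the same password for the same network name. The SSID and passphrase values are constructed.

```python
import hashlib


def validate_wpa_passphrase(passphrase: str) -> bool:
    """Apply the profile rule from this page: eight to 63 characters.
    IEEE 802.11i further restricts a passphrase to printable ASCII
    (codes 32-126), which is checked here as well."""
    return 8 <= len(passphrase) <= 63 and all(
        32 <= ord(ch) <= 126 for ch in passphrase
    )


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Turn a WPA/WPA2-Personal passphrase into the 256-bit Pairwise
    Master Key (PMK) that every device on the network derives on its own:
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The TKIP or AES-CCMP session keys are then derived from this PMK
    during the 4-way handshake, so the access point and every client
    must start from the same passphrase and SSID."""
    if not validate_wpa_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def devices_share_network_key(passphrases: list, ssid: str) -> bool:
    """True only if every device's passphrase yields the same PMK, i.e. all
    devices were configured with the same password for this SSID."""
    pmks = {derive_pmk(p, ssid) for p in passphrases}
    return len(pmks) == 1


# Constructed sample values for a home network (not from the page).
SAMPLE_SSID = "HomeOffice"
SAMPLE_PASSPHRASE = "correct horse battery staple"

if __name__ == "__main__":
    print("PMK:", derive_pmk(SAMPLE_PASSPHRASE, SAMPLE_SSID).hex())
```

Because the SSID is a salt, the same passphrase reused on two networks with different names still produces two different PMKs.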

Enterprise Security

From the Security Settings page you can enter the required security settings for the selected wireless network.

Use Enterprise Security if your network environment requires 802.1X authentication.


Enterprise Security Settings

Enterprise Security Settings Description

Name Setting
Enterprise Security

Select to open the Enterprise Security settings.

Network Authentication

Select one of the following authentication methods:

Data Encryption

Click to open the following data encryption types:

Enable 802.1X (Authentication Type)

Click to open the following 802.1X authentication types:

Cisco Options

Click to view the Cisco Compatible Extensions.

NOTE: Cisco Compatible Extensions are automatically enabled for CKIP and LEAP profiles.

Advanced button

Select to access the Advanced Settings to configure the following options:
User Credentials

A profile configured for TTLS, PEAP, or EAP-FAST authentication requires one of the following log on authentication methods:

Use Windows logon: The 802.1X credentials match your Windows user name and password. Before connection, you are prompted for your Windows logon credentials.

NOTE: For LEAP profiles, this option is listed as Use Windows logon user name and password.

Prompt each time I connect: Prompt for your user name and password every time you log onto the wireless network.

NOTE: For LEAP profiles, this option is listed as Prompt for the user name and password.

Use the following: Use your saved credentials to log onto the network.

  • User Name: This user name must match the user name that is set in the authentication server by the administrator prior to client authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol operating over the TLS tunnel. This identity is securely transmitted to the server only after an encrypted channel has been established.
  • Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its sub-domains (for example, zeelans.com, where the server is blueberry.zeelans.com).
  • Password: Specifies the user password. The password characters appear as asterisks. This password must match the password that is set in the authentication server.
  • Confirm Password: Reenter the user password.

NOTE: Contact your administrator to obtain the domain name.

NOTE: For LEAP profiles, this option is listed as Use the following user name and password.

Server Options

Select one of the following credential retrieval methods:

Validate Server Certificate: Select to verify the server certificate.

Certificate Issuer: The server certificate received during TLS message exchange must be issued by this certificate authority (CA). Trusted intermediate certificate authorities and root authorities whose certificates exist in the system store are available for selection. If Any Trusted CA is selected, any CA in the list is acceptable. Click Any Trusted CA as the default or select a certificate issuer from the list.

Specify Server or Certificate Name: Enter the server name.

The server name or domain to which the server belongs. This depends on which option below has been selected.

  • Server name must match the specified entry exactly: When selected, the server name must match exactly the server name found on the certificate. The server name should include the complete domain name (for example, Servername.Domain name).
  • Domain name must end with the specified entry: When selected, the server name identifies a domain, and the certificate must have a server name that belongs to this domain or to one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com).

NOTE: These parameters should be obtained from the administrator.
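As an added example (not part of the Intel documentation), the following Python models the Server Options above: the issuer check (Any Trusted CA or one specific CA) and the two server-name rules. The domain rule is implemented on a label boundary so that blueberry.zeelans.com satisfies zeelans.com while a look-alike such as evilzeelans.com does not. The certificate and policy structures, the CA names and the semantics of how the options combine are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class ServerCert:
    """The parts of the authentication server's certificate the client checks."""
    server_name: str   # the server name found on the certificate
    issuer: str        # the certificate authority that issued it


@dataclass
class ServerPolicy:
    """Constructed model of the Server Options described above."""
    validate_certificate: bool = True
    certificate_issuer: str = "Any Trusted CA"   # or one specific CA name
    name_entry: Optional[str] = None             # Specify Server or Certificate Name
    name_mode: str = "exact"                     # "exact" or "domain_suffix"


def server_name_matches(cert_name: str, entry: str, mode: str) -> bool:
    """Apply one of the two name rules from this section.

    exact         - the certificate's server name must equal the entry
    domain_suffix - the name must be the entry itself or end with "." + entry,
                    so blueberry.zeelans.com matches zeelans.com but
                    evilzeelans.com does not (label-boundary check)
    Names are compared case-insensitively, ignoring a trailing dot.
    """
    cert = cert_name.lower().rstrip(".")
    want = entry.lower().rstrip(".")
    if mode == "exact":
        return cert == want
    if mode == "domain_suffix":
        return cert == want or cert.endswith("." + want)
    raise ValueError(f"unknown name mode {mode!r}")


def evaluate_server(cert: ServerCert, policy: ServerPolicy,
                    trusted_cas: Set[str]) -> Tuple[bool, List[str]]:
    """Decide whether the client should continue the TLS exchange with this
    server. Returns (accepted, findings); findings starting with "warning"
    do not reject the server but flag a policy that leaves a gap.
    Assumed semantics: the issuer check runs only when Validate Server
    Certificate is selected, and the name check only when a name is given."""
    errors: List[str] = []
    warnings: List[str] = []
    if policy.validate_certificate:
        if policy.certificate_issuer == "Any Trusted CA":
            if cert.issuer not in trusted_cas:
                errors.append(f"issuer {cert.issuer!r} is not a trusted CA")
        elif cert.issuer != policy.certificate_issuer:
            errors.append(
                f"issuer {cert.issuer!r} is not {policy.certificate_issuer!r}")
    else:
        warnings.append("warning: server certificate issuer not validated")
    if policy.name_entry is not None:
        if not server_name_matches(cert.server_name, policy.name_entry,
                                   policy.name_mode):
            errors.append(
                f"server name {cert.server_name!r} fails the "
                f"{policy.name_mode} rule for {policy.name_entry!r}")
    else:
        warnings.append("warning: no server or certificate name specified")
    return not errors, errors + warnings


# Constructed values using the example names from this section.
TRUSTED_CAS = {"Zeelans Root CA"}
SAMPLE_CERT = ServerCert("blueberry.zeelans.com", "Zeelans Root CA")

if __name__ == "__main__":
    policy = ServerPolicy(name_entry="zeelans.com", name_mode="domain_suffix")
    print(evaluate_server(SAMPLE_CERT, policy, TRUSTED_CAS))
```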

Certificate Options To obtain a certificate for TLS authentication, select one of the following:

Use my smart card: Select if the certificate resides on a smart card.

Use the certificate issued to this computer: Selects a certificate that resides in the machine store.

Use a user certificate on this computer: Click Select to choose a certificate that resides on this computer.

NOTE: Intel(R) PROSet/Wireless supports machine certificates. However, they are not displayed in the certificate listings.

Notes about Certificates: The specified identity should match the Issued to identity in the certificate and should be registered on the authentication server (for example, RADIUS server) that is used by the authenticator. Your certificate must be valid with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. Use the same user name you used to log in when the certificate was installed.

Back

View the prior page in the Create Wireless Profile Wizard.

Next

View the next page in the Create Wireless Profile Wizard. If more security information is required, the next step of the Security page is displayed.

OK

Closes the Create Wireless Profile Wizard and saves the profile.

Cancel

Closes the Create Wireless Profile Wizard and cancels any changes made.

Help?

Provides the help information for the current page.

Configure Profiles for Infrastructure Networks

An infrastructure network consists of one or more access points and one or more computers with wireless adapters installed. Each access point must have a wired connection to a wireless network.

Set up a Client with Open or Shared Network Authentication

When shared key authentication is used, each wireless station is assumed to have received a secret shared key over a secure channel that is independent from the 802.11 wireless network communications channel. Shared key authentication requires that the client configure a static WEP or CKIP key. Client access is granted only if the client passes a challenge-based authentication. CKIP provides stronger data encryption than WEP, but not all operating systems and access points support it.

NOTE: While shared key would appear to be the better option for a higher level of security, a known weakness is created by the clear text transmission of the challenge string to the client. Once an invader finds the challenge string, the shared authentication key can be easily reverse engineered. Therefore, open authentication is actually, and counterintuitively, more secure.

To create a profile with shared authentication:

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile Page, click Add to open the Create Wireless Profile General Settings.
  3. Profile Name: Enter a descriptive profile name.
  4. Wireless Network Name (SSID): Enter the network identifier.
  5. Operating Mode: Click Network (Infrastructure).
  6. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  7. Click Next to open the Security Settings.
  8. Select Enterprise Security.
  9. Network Authentication: Select Shared. Shared authentication is accomplished with a pre-configured WEP key.
  10. Data Encryption: Select None, WEP (64- or 128-bit), or CKIP (64- or 128-bit).
  11. Enable 802.1X: Disabled.
  12. Encryption Level: 64- or 128-bit: When switching between 64- and 128-bit encryption, the previous settings are erased and a new key must be entered.
  13. Wireless Security Password (Encryption Key): Enter the wireless network password (WEP Encryption Key). This password is the same value used by the wireless AP or router. Contact your administrator for this password.

Name Description
Password

Enter the Wireless Security Password (Pass phrase) or Encryption Key (WEP key).

Pass phrase (64-bit)

Enter five (5) alphanumeric characters, 0-9, a-z or A-Z.

WEP key (64-bit)

Enter 10 hexadecimal characters, 0-9, A-F.

Pass phrase (128-bit)

Enter 13 alphanumeric characters, 0-9, a-z or A-Z.

WEP key (128-bit)

Enter 26 hexadecimal characters, 0-9, A-F.

  1. Key Index: Select 1, 2, 3, or 4. Change the Key Index to specify up to four passwords.
  2. Click OK.

Set up a Client with WPA*-Enterprise or WPA2*-Enterprise Network Authentication

WPA2-Enterprise requires an authentication server.

NOTE: WPA-Enterprise and WPA2-Enterprise are interoperable.

To add a profile that uses WPA-Enterprise or WPA2-Enterprise authentication:

  1. Obtain a user name and password on the RADIUS server from your administrator.
  2. Certain authentication types require that you obtain and install a client certificate. See Setting up the Client for TLS authentication or consult your administrator.
  3. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  4. On the Profile page, click Add to open the Create Wireless Profile General Settings.
  5. Profile Name: Enter a descriptive profile name.
  6. Wireless Network Name (SSID): Enter the network identifier.
  7. Operating Mode: Click Network (Infrastructure).
  8. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  9. Click Next.
  10. Select Enterprise Security.
  11. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
  12. Data Encryption: Select one of the following:
  13. Enable 802.1X: Selected.
  14. Authentication Type: Select one of the following: EAP-SIM, LEAP, TLS, TTLS, PEAP, EAP-FAST.

Set up a Client with EAP-SIM Network Authentication

EAP-SIM uses a dynamic, session-based WEP key, which is derived from the client adapter and RADIUS server, to encrypt data. EAP-SIM requires you to enter a user verification code, or Personal Identification Number (PIN), for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card used by Global System for Mobile Communications (GSM) based digital cellular networks. To add a profile with EAP-SIM authentication:

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
  3. Profile Name: Enter a profile name.
  4. Wireless Network Name (SSID): Enter the network identifier.
  5. Operating Mode: Click Network (Infrastructure).
  6. Administrator Profile Type: Select Pre-logon/Common. (This step applies only if you are using the Administrator Tool. EAP-SIM cannot be used for Persistent profiles.)
  7. Click Next to open the Security Settings.
  8. Select Enterprise Security.
  9. Network Authentication: Select Open (Recommended).
  10. Data Encryption: Select WEP.
  11. Click Enable 802.1X.
  12. Authentication type: Select EAP-SIM.

EAP-SIM authentication can be used with:

EAP-SIM User (optional)

  1. Specify user name (identity): Click to specify the user name.
  2. Click OK.

Set up a Client with TLS Network Authentication

These settings define the protocol and the credentials used to authenticate a user. Transport Layer Security (TLS) authentication is a two-way authentication method that exclusively uses digital certificates to verify the identity of a client and a server.

To add a profile with TLS authentication:

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
  3. Profile Name: Enter a descriptive profile name.
  4. Wireless Network Name (SSID): Type the network identifier.
  5. Operating Mode: Click Network (Infrastructure).
  6. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  7. Click Next to open the Security Settings.
  8. Select Enterprise Security.
  9. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
  10. Data Encryption: Select AES-CCMP (Recommended).
  11. Enable 802.1X: Selected.
  12. Authentication Type: Select TLS to be used with this connection.

TLS User

Step 1 of 2: TLS User

  1. Obtain and install a client certificate. See Set up the Client for TLS authentication or consult your system administrator.
  2. Select one of the following to obtain a certificate: Use my smart card, Use the certificate issued to this computer, or Use a user certificate on this computer.
  3. Click Next to open the TLS Server settings.

TLS Server

Step 2 of 2: TLS Server

  1. Select one of the following credential retrieval methods: Validate Server Certificate or Specify Server or Certificate Name.
  2. Click OK. The profile is added to the Profiles list.
  3. Click the new profile at the end of the Profiles list. Use the up and down arrows to change the priority of the new profile.
  4. Click Connect to connect to the selected wireless network.
  5. Click OK to close Intel(R) PROSet/Wireless.

Set up a Client with TTLS Network Authentication

TTLS authentication: These settings define the protocol and credentials used to authenticate a user. The client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can use another authentication protocol, typically password-based protocols. The challenge and response packets are sent over a non-exposed TLS encrypted channel. The following example describes how to use WPA with AES-CCMP encryption with TTLS authentication.

To set up a client with TTLS Network Authentication:

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
  3. Profile Name: Enter a descriptive profile name.
  4. Wireless Network Name (SSID): Enter the network identifier.
  5. Operating Mode: Network (Infrastructure) is selected by default.
  6. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  7. Click Next to open the Security Settings.
  8. Select Enterprise Security.
  9. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise (recommended).
  10. Data Encryption: Select one of the following:
  11. Enable 802.1X: Selected by default.
  12. Authentication Type: Select TTLS to be used with this connection.

Step 1 of 2: TTLS User

  1. Authentication Protocol: This parameter specifies the authentication protocol operating over the TTLS tunnel. The protocols are: PAP (Default), CHAP, MS-CHAP and MS-CHAP-V2. See Security Overview for more information.
  2. User Credentials: For PAP, CHAP, MS-CHAP, and MS-CHAP-V2 protocols, select one of these authentication methods: Use Windows logon, Prompt each time I connect, or Use the following.
  3. Roaming Identity: A Roaming Identity may be populated in this field or you can use %domain%\%username% as the default format for entering a roaming identity.

When 802.1X Microsoft IAS RADIUS is used as an authentication server, the server authenticates the device using the Roaming Identity from Intel(R) PROSet/Wireless software, and ignores the Authentication Protocol MS-CHAP-V2 user name. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for the Roaming Identity. For all other authentication servers, the Roaming Identity is optional. Therefore, it is recommended to use the desired realm (for example, anonymous@myrealm) for the Roaming Identity rather than a true identity.

  1. Click Next to access the TTLS Server settings.

Step 2 of 2: TTLS Server

  1. Select one of the following credential retrieval methods: Validate Server Certificate or Specify Server or Certificate Name.
  2. Click OK to save the setting and close the page.

Set up a Client with PEAP Network Authentication

PEAP authentication: PEAP settings are required for the authentication of the client to the authentication server. The client uses EAP-TLS to validate the server and create a TLS-encrypted channel between client and server. The client can use another EAP mechanism (for example, Microsoft Challenge Authentication Protocol (MS-CHAP) Version 2), over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel. The following example describes how to use WPA with AES-CCMP or TKIP encryption with PEAP authentication.

To set up a client with PEAP Authentication:

Obtain and install a client certificate. See Set up the Client for TLS authentication or consult your administrator.

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
  3. Profile Name: Enter a descriptive profile name.
  4. Wireless Network Name (SSID): Enter the network identifier.
  5. Operating Mode: Click Network (Infrastructure).
  6. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  7. Click Next to open the Security Settings.
  8. Select Enterprise Security.
  9. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
  10. Data Encryption: Select one of the following:
  11. Enable 802.1X: Selected.
  12. Authentication Type: Select PEAP to be used with this connection.

Step 1 of 2: PEAP User

PEAP relies on Transport Layer Security (TLS) to carry authentication types that provide no encryption of their own (for example, EAP-Generic Token Card (GTC) and One-Time Password (OTP) support).

  1. Authentication Protocol: Select either GTC, MS-CHAP-V2 (Default), or TLS. See Authentication Protocols.
  2. User Credentials: Select one of the following: Use Windows logon, Prompt each time I connect, or Use the following.
  3. Roaming Identity: A Roaming Identity may be populated in this field or you can use %domain%\%username% as the default format for entering a roaming identity.

When 802.1X Microsoft IAS RADIUS is used as an authentication server, the server authenticates the device using the Roaming Identity from Intel(R) PROSet/Wireless software, and ignores the Authentication Protocol MS-CHAP-V2 user name. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for the Roaming Identity. For all other authentication servers, the Roaming Identity is optional. Therefore, it is recommended to use the desired realm (for example, anonymous@myrealm) for the Roaming Identity rather than a true identity.

Configure Roaming Identity to Support Multiple Users

If you use a Pre-logon/Common profile that requires the roaming identity to be based on the Windows logon credentials, the creator of the profile can add a roaming identity that uses %username% and %domain%. The roaming identity is parsed and the appropriate log on information is substituted for the keywords. This allows maximum flexibility in configuring the roaming identity while allowing multiple users to share the profile.

See your authentication server user guide for directions about how to format a suitable roaming identity. Possible formats are:

If Roaming Identity is cleared, %domain%\%username% is the default.
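The keyword substitution and the default format described above, as an added example that is not part of Intel's software or documentation; it assumes that the %domain% and %username% keywords are matched case-insensitively (the page writes them both in lower and upper case) and models the recommendation to send an anonymous realm rather than a true identity to servers other than Microsoft IAS.

```python
import re

# Keywords the profile creator may place in the Roaming Identity field.
# The page shows both %domain%\%username% and %DOMAIN%\%USERNAME%, so
# matching is done case-insensitively here (an assumption of this example).
_KEYWORD = re.compile(r"%(domain|username)%", re.IGNORECASE)

# Format used when the Roaming Identity field is cleared.
DEFAULT_TEMPLATE = r"%domain%\%username%"


def expand_roaming_identity(template, domain, username):
    """Substitute the Windows logon values for the keywords in a template.

    An empty (cleared) field falls back to the page's default format, so a
    Pre-logon/Common profile shared by many users still yields a per-user
    identity at logon time.
    """
    if not template or not template.strip():
        template = DEFAULT_TEMPLATE
    values = {"domain": domain, "username": username}
    return _KEYWORD.sub(lambda m: values[m.group(1).lower()], template)


def recommended_outer_identity(server_is_microsoft_ias, realm, domain, username):
    """Outer (cleartext) EAP identity following the page's guidance.

    Microsoft IAS RADIUS authenticates on the Roaming Identity and needs a
    valid user name there; every other server treats it as optional, so the
    realm-only form hides the real user from anyone observing the 802.1X
    exchange before the TLS tunnel is up.
    """
    if server_is_microsoft_ias:
        return expand_roaming_identity(DEFAULT_TEMPLATE, domain, username)
    return f"anonymous@{realm}"


def outer_identity_reveals_user(outer_identity, username):
    """True when the cleartext identity exposes the real user name."""
    return username.lower() in outer_identity.lower()


if __name__ == "__main__":
    # Constructed sample logon values.
    domain, user = "CORP", "alice"
    for template in ("", r"%DOMAIN%\%USERNAME%", "anonymous@myrealm"):
        outer = expand_roaming_identity(template, domain, user)
        print(f"{template or '<cleared>':24} -> {outer:20} "
              f"reveals user: {outer_identity_reveals_user(outer, user)}")
```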

Notes about the credentials: This user name and domain must match the user name that is set in the authentication server by the administrator prior to client authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol operating over the TLS tunnel. This user identity is securely transmitted to the server only after an encrypted channel has been verified and established.

Authentication Protocols: This parameter specifies the authentication protocols that can operate over the TTLS tunnel. Below are instructions on how to configure a profile that uses PEAP authentication with the GTC, MS-CHAP-V2 (Default), or TLS authentication protocols.

Generic Token Card (GTC)

PEAP User

To configure a one-time password:

  1. Authentication Protocol: Select GTC (Generic Token Card).
  2. User Credentials: Select Prompt each time I connect.
  3. On connection prompt for: Select one of the following:
     Static Password: On connection, enter the user credentials.
     One-time password (OTP): Obtain the password from a hardware token device.
     PIN (Soft Token): Obtain the password from a soft token program.
  4. Click OK.

NOTE: The Prompt each time I connect option is unavailable if an Administrator has cleared the Cache Credentials setting in the Administrator Tool. See Administrator Settings for more information.

MS-CHAP-V2

This parameter specifies the authentication protocol operating over the PEAP tunnel.

  1. User Credentials: Select one of the following options: Use Windows logon, Prompt each time I connect, or Use the following.
  2. Click Next to open the PEAP Server settings.

TLS

Transport Layer Security authentication is a two-way authentication method that exclusively uses digital certificates to verify the identity of a client and a server.

  1. Obtain and install a client certificate. See Set up the Client for TLS authentication or consult your system administrator.
  2. Select one of the following to obtain a certificate: Use my smart card, Use the certificate issued to this computer, or Use a user certificate on this computer.
  3. Click Next to open the PEAP Server settings.

Step 2 of 2: PEAP Server

PEAP Server

  1. Select one of the following credential retrieval methods: Validate Server Certificate or Specify Server or Certificate Name.
  2. Click OK. The profile is added to the Profiles list.
  3. Click the new profile at the end of the Profiles list. Use the up and down arrows to change the priority of the new profile.
  4. Click Connect to connect to the selected wireless network.

If you did not select Use Windows logon on the Security Settings page and also did not configure user credentials, no credentials are saved for this profile. Enter your credentials to authenticate to the network.

  1. Click OK to close Intel(R) PROSet/Wireless.

PEAP-TLS Certificate Auto Enrollment

In the Application Settings, select Enable TLS rejected certificates notification if you want a warning issued when a PEAP-TLS certificate is rejected. When a certificate has an invalid expiration date field, you are notified as follows and must take one of the listed actions: "A potential authentication problem for profile <profile name> has been detected. The expiration date in the associated certificate may be invalid. Choose one of the following options:"

Control: Description
Continue with current parameters: Continue with the current certificate.
Update certificate manually: The Select Certificate page opens for you to choose another certificate.
Update certificate automatically based on the certificates in the local store: This option is enabled only when the local store holds one or more certificates for which the "issued to" and "issued by" fields match the current certificate and for which the "expiration date" has not expired. If you choose this option, the application selects the first valid certificate.
Log off to obtain certificate during logon process (this does not update the profile and only applies to certificates configured for auto enrollment): Logs off the user, who must obtain a proper certificate during the next logon process. The profile must be updated to select the new certificate.
Auto enrollment: You are notified: "Please wait while the system is trying to obtain the certificate automatically." Click Cancel to end the certificate retrieval.
Do not show this message again: A user can skip this step in subsequent sessions. The selected choice is remembered for future sessions.
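The selection rule behind "Update certificate automatically", as an added example that is not code from Intel PROSet/Wireless: a candidate must match the current certificate's "issued to" and "issued by" fields and must not be expired, the option is enabled only when at least one candidate exists, and the first valid candidate wins. The Certificate model, the constructed store, and the comparison against a fixed clock are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class Certificate:
    """Only the fields the page's rule inspects (constructed model)."""
    issued_to: str        # subject, as shown in the Windows certificate UI
    issued_by: str        # issuer
    not_after: datetime   # expiration date, UTC
    label: str            # constructed identifier used only for demonstration


def is_expired(cert: Certificate, now: datetime) -> bool:
    return cert.not_after <= now


def auto_update_candidates(current: Certificate,
                           store: Sequence[Certificate],
                           now: datetime) -> List[Certificate]:
    """Certificates the automatic update may choose, in store order."""
    return [c for c in store
            if c.issued_to == current.issued_to
            and c.issued_by == current.issued_by
            and not is_expired(c, now)]


def auto_update_enabled(current: Certificate,
                        store: Sequence[Certificate],
                        now: datetime) -> bool:
    """The option is greyed out unless at least one candidate exists."""
    return bool(auto_update_candidates(current, store, now))


def select_replacement(current: Certificate,
                       store: Sequence[Certificate],
                       now: datetime) -> Optional[Certificate]:
    """The page states the application selects the first valid certificate."""
    candidates = auto_update_candidates(current, store, now)
    return candidates[0] if candidates else None


def constructed_scenario():
    """A constructed local store: wrong issuer, expired, and two valid certs."""
    utc = timezone.utc
    now = datetime(2025, 6, 1, tzinfo=utc)
    current = Certificate("alice@corp.example", "Corp Issuing CA",
                          datetime(2025, 5, 1, tzinfo=utc), "CURRENT-EXPIRED")
    store = [
        Certificate("alice@corp.example", "Other CA",
                    datetime(2026, 1, 1, tzinfo=utc), "WRONG-ISSUER"),
        Certificate("alice@corp.example", "Corp Issuing CA",
                    datetime(2025, 5, 1, tzinfo=utc), "EXPIRED-COPY"),
        Certificate("alice@corp.example", "Corp Issuing CA",
                    datetime(2026, 6, 1, tzinfo=utc), "VALID-1"),
        Certificate("alice@corp.example", "Corp Issuing CA",
                    datetime(2027, 6, 1, tzinfo=utc), "VALID-2"),
    ]
    return current, store, now


if __name__ == "__main__":
    current, store, now = constructed_scenario()
    chosen = select_replacement(current, store, now)
    print("option enabled:", auto_update_enabled(current, store, now))
    print("replacement:", chosen.label if chosen else None)
```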

Set up a Client with LEAP Network Authentication

Cisco LEAP (Lightweight Extensible Authentication Protocol) is an 802.1X authentication type that supports strong mutual authentication between the client and a RADIUS server. The LEAP profile settings include LEAP and CKIP, with Rogue AP detection integration. To set up a client with LEAP Authentication:

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile page, click Add. The Create Wireless Profile General Settings opens.
  3. Profile Name: Enter a descriptive profile name.
  4. Wireless Network Name (SSID): Enter the network identifier.
  5. Operating Mode: Click Network (Infrastructure).
  6. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  7. Click Next to open the Security Settings.
  8. Select Enterprise Security.
  9. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
  10. Data Encryption: Select one of the following:
  11. Enable 802.1X: Selected.
  12. Authentication Type: Select LEAP to be used with this connection.
  13. Click Cisco Options.
  14. Click Enable Cisco Compatible Extensions to enable Cisco Compatible Extensions (CCX) security (Allow Fast Roaming (CCKM), Enable Radio Management Support, Enable Mixed Cells Mode).

Cisco Compatible Extensions

  1. Click Enable Radio Management Support. Use Radio Management to detect rogue access points.
  2. Click OK to return to the Security Settings.

LEAP User

  1. Select one of the authentication methods listed next.
  2. If you selected Persistent under Administrator Profile Type, only Use the following user name and password is available. If you selected Pre-logon/Common, both authentication methods are available.
  3. Click OK to save the setting and close the page.

Cisco Compatible Extensions Options

Cisco Options: Use to enable or disable Radio Management and Mixed Cells Mode or Allow Fast Roaming (CCKM).

NOTE: Cisco Compatible Extensions are automatically enabled for CKIP, LEAP or EAP-FAST profiles. To override this behavior, select or clear options on this page.

Enable Cisco Compatible Options: Select to enable Cisco Compatible Extensions for this wireless connection profile.


Set up a Client with EAP-FAST Network Authentication

In Cisco Compatible Extensions, Version 3 (CCXv3), Cisco added support for EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling), which uses protected access credentials (PACs) to establish an authenticated tunnel between a client and a server.

Cisco Compatible Extensions, Version 4 (CCXv4) improves the provisioning methods and adds innovations for security, mobility, quality of service, and network management.

Cisco Compatible Extensions, Version 3 (CCXv3)

To set up a client with EAP-FAST authentication with Cisco Compatible Extensions, version 3 (CCXv3):

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
  3. Wireless Network Name (SSID): Enter the network identifier.
  4. Profile Name: Enter a descriptive profile name.
  5. Operating Mode: Click Network (Infrastructure).
  6. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  7. Click Next to open the Security Settings.
  8. Select Enterprise Security.
  9. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
  10. Data Encryption: Select one of the following:
  11. Enable 802.1X: Selected.
  12. Authentication Type: Select EAP-FAST to be used with this connection.

EAP-FAST Provisioning

NOTE: If CCXv4 Application Setting was not installed through an Administrator Package, only EAP-FAST User Settings are available for configuration. See EAP-FAST User Settings.

Step 1 of 2: EAP-FAST Provisioning

  1. Click Disable EAP-FAST Enhancements (CCXv4) to allow provisioning inside a server-unauthenticated TLS tunnel (Unauthenticated-TLS-Server Provisioning Mode).
  2. Click Select server to view any unauthenticated PACs that have already been provisioned and reside on this computer.

NOTE: If the provisioned PAC is valid, Intel(R) PROSet/Wireless does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel(R) PROSet/Wireless fails the provisioning automatically. A status message is displayed in the Wireless Event Viewer that an administrator can review on the user's computer.

To import a PAC:

PAC

  1. Click Next to select the credential retrieval method or click OK to save the EAP-FAST settings and return to the Profiles list. The PAC is used for this wireless profile.

Step 2 of 2: EAP-FAST Additional Information

To perform client authentication in the established tunnel, a client sends a user name and password to authenticate and establish client authorization policy.

  1. Click User Credentials to select one of the following credential retrieval methods: Use Windows logon, Prompt each time I connect, or Use the following.
  2. Click OK to save the settings and close the page. Server verification is not required.

Cisco Compatible Extensions, Version 4 (CCXv4)

To set up a client with EAP-FAST authentication with Cisco Compatible Extensions, version 4 (CCXv4):

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile page, click Add to open the Create Wireless Profile Wizard General Settings.
  3. Wireless Network Name (SSID): Enter the network identifier.
  4. Profile Name: Enter a descriptive profile name.
  5. Operating Mode: Click Network (Infrastructure).
  6. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  7. Click Next to open the Security Settings.
  8. Select Enterprise Security.
  9. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
  10. Data Encryption: Select AES-CCMP.
  11. Enable 802.1X: Selected.
  12. Authentication Type: Select EAP-FAST to be used with this connection.

Step 1 of 3: EAP-FAST Provisioning

With CCXv4, EAP-FAST supports two modes for provisioning: Server-Authenticated Mode and Server-Unauthenticated Mode.

NOTE: Server-Authenticated Mode provides significant security advantages over Server-Unauthenticated Mode even when EAP-MS-CHAP-V2 is being used as an inner method. This mode protects the EAP-MS-CHAP-V2 exchanges from potential Man-in-the-Middle attacks by verifying the server's authenticity before exchanging MS-CHAP-V2. Therefore, Server-Authenticated Mode is preferred whenever it is possible. An EAP-FAST peer must use Server-Authenticated Mode whenever a certificate or public key is available to authenticate the server, to ensure the best security practices.

Provisioning of Protected Access Credentials (PAC):

EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST authenticators are identified by an authority identity (A-ID). The local authenticator sends its A-ID to an authenticating client, and the client checks its database for a matching A-ID. If the client does not recognize the A-ID, it requests a new PAC.

NOTE: If the provisioned Protected Access Credential (PAC) is valid, Intel(R) PROSet/Wireless does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel(R) PROSet/Wireless fails the provisioning automatically. A status message is displayed in the Wireless Event Viewer that an administrator can review on the user's computer.

  1. Verify that Disable EAP-FAST Enhancements (CCXv4) is not selected. Allow unauthenticated provisioning and Allow authenticated provisioning are selected by default. Once a PAC is selected from the Default Server, you can deselect any of these provisioning methods.
  2. Default Server: None is selected as the default. Click Select Server to select a PAC from the default PAC authority server or select a server from the Server group list. The EAP-FAST Default Server (PAC Authority) selection page opens.

NOTE: Server groups are only listed if you have installed an Administrator Package that contains EAP-FAST Authority ID (A-ID) Group settings.
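The client-side decision described above (match the server's A-ID against the local PAC database, request a new PAC when it is unknown, and prefer Server-Authenticated Mode whenever a server credential is available), as an added example that is not Intel's or Cisco's code. The PacStore class, the policy flags mirroring the "Allow authenticated provisioning", "Allow unauthenticated provisioning" and "Disable EAP-FAST Enhancements (CCXv4)" settings, and the treatment of an expired PAC as unknown are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional


class Action(Enum):
    USE_PAC = "use the provisioned PAC to build the tunnel"
    PROVISION_AUTHENTICATED = "request a PAC inside a server-authenticated TLS tunnel"
    PROVISION_UNAUTHENTICATED = "request a PAC inside a server-unauthenticated TLS tunnel"
    FAIL = "no permitted provisioning method; provisioning fails"


@dataclass(frozen=True)
class Pac:
    a_id: bytes          # authority identity of the server that issued it
    opaque: bytes        # constructed stand-in for the server's opaque PAC blob
    expires: datetime    # assumption: the client tracks a PAC lifetime


@dataclass
class ClientPolicy:
    allow_authenticated: bool = True        # "Allow authenticated provisioning"
    allow_unauthenticated: bool = True      # "Allow unauthenticated provisioning"
    ccxv4_enhancements_disabled: bool = False  # "Disable EAP-FAST Enhancements (CCXv4)"
    server_credential_available: bool = False  # trusted CA cert / server public key present


class PacStore:
    """Local PAC database keyed by A-ID, as the page describes the lookup."""

    def __init__(self) -> None:
        self._by_a_id: Dict[bytes, Pac] = {}

    def add(self, pac: Pac) -> None:
        self._by_a_id[pac.a_id] = pac

    def lookup(self, a_id: bytes, now: datetime) -> Optional[Pac]:
        pac = self._by_a_id.get(a_id)
        if pac is None or pac.expires <= now:
            return None   # unknown or stale: treated as "A-ID not recognised"
        return pac


def decide(store: PacStore, policy: ClientPolicy,
           server_a_id: bytes, now: datetime) -> Action:
    """Choose what the client does after the server announces its A-ID."""
    if store.lookup(server_a_id, now) is not None:
        return Action.USE_PAC
    # CCXv4 disabled leaves only the server-unauthenticated tunnel (page, step 1).
    authenticated_possible = (policy.allow_authenticated
                              and policy.server_credential_available
                              and not policy.ccxv4_enhancements_disabled)
    if authenticated_possible:
        return Action.PROVISION_AUTHENTICATED
    if policy.allow_unauthenticated:
        return Action.PROVISION_UNAUTHENTICATED
    return Action.FAIL


def constructed_store(now: datetime) -> PacStore:
    """A constructed database holding one fresh PAC and one expired PAC."""
    store = PacStore()
    store.add(Pac(b"acs-primary", b"opaque-1", now.replace(year=now.year + 1)))
    store.add(Pac(b"acs-retired", b"opaque-2", now.replace(year=now.year - 1)))
    return store


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    store = constructed_store(now)
    policy = ClientPolicy(server_credential_available=True)
    for a_id in (b"acs-primary", b"acs-retired", b"acs-unknown"):
        print(a_id.decode(), "->", decide(store, policy, a_id, now).value)
```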

PAC distribution can also be completed manually (out-of-band). Manual provisioning enables you to create a PAC for a user on an ACS server and then import it into a user's computer. A PAC file can be protected with a password, which the user needs to enter during a PAC import.

To import a PAC:

  1. Click Import to import a PAC from the PAC server.
  2. Click Open.
  3. Enter the PAC password (optional).
  4. Click OK to close this page. The selected PAC is used for this wireless profile.

EAP-FAST CCXv4 enables support for the provisioning of other credentials beyond the PAC currently provisioned for tunnel establishment. The credential types supported include trusted CA certificate, machine credentials for machine authentication, and temporary user credentials used to bypass user authentication.

Use a Certificate (TLS Authentication)

  1. Click Use a certificate (TLS Authentication).
  2. Click Identity Protection when the tunnel is protected.
  3. Select one of the following:
  4. User Name: Enter the user name assigned to the user certificate.
  5. Click Next.

Step 2 of 3: EAP-FAST Additional Information

If you selected Use a certificate (TLS Authentication) and Use a user certificate on this computer, click Next (no roaming identity is required) and proceed to Step 3 to configure EAP-FAST Server certificate settings. If you do not need to configure EAP-FAST server settings, click OK to save your settings and return to the Profiles page.

If you selected to use a smart card, add the roaming identity, if required. Click OK to save your settings and return to the Profiles page.

If you did not select Use a certificate (TLS Authentication), click Next to select an Authentication Protocol. CCXv4 permits additional credentials or TLS cipher suites to establish the tunnel.

Authentication Protocol: Select either GTC, or MS-CHAP-V2 (Default).

Generic Token Card (GTC)

GTC may be used with Server-Authenticated Mode. This enables peers that use other user databases, such as Lightweight Directory Access Protocol (LDAP) and one-time password (OTP) technology, to be provisioned in-band. However, this may only be achieved when used with TLS cipher suites that ensure server authentication.

To configure a one-time password:

  1. Authentication Protocol: Select GTC (Generic Token Card).
  2. User Credentials: Select Prompt each time I connect.
  3. On connection prompt for: Select one of the following:
     Static Password: On connection, enter the user credentials.
     One-time password (OTP): Obtain the password from a hardware token device.
     PIN (Soft Token): Obtain the password from a soft token program.
  4. Click OK.
  5. Select the profile on the Wireless Networks list.
  6. Click Connect. When prompted, enter the user name, domain and one-time password (OTP).
  7. Click OK.

MS-CHAP-V2

This parameter specifies the authentication protocol operating over the PEAP tunnel.

  1. Select the user credentials: Use Windows logon, Prompt each time I connect, or Use the following.
  2. Roaming Identity: A Roaming Identity may be populated in this field or you can use %domain%\%username% as the default format for entering a roaming identity.

When 802.1X Microsoft IAS RADIUS is used as an authentication server, the server authenticates the device using the Roaming Identity from Intel(R) PROSet/Wireless software, and ignores the Authentication Protocol MS-CHAP-V2 user name. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for the Roaming Identity. For all other authentication servers, the Roaming Identity is optional. Therefore, it is recommended to use the desired realm (for example, anonymous@myrealm) for the Roaming Identity rather than a true identity.

Step 3 of 3: EAP-FAST Server

Authenticated-TLS-Server Provisioning Mode is supported using a trusted CA certificate, a self-signed server certificate, or server public keys and GTC as the inner EAP method.

  1. Select one of the following credential retrieval methods: Validate Server Certificate or Specify Server or Certificate Name.
  2. Click OK to close the security settings.

EAP-FAST User Settings

NOTE: If an Administrator Package to be exported to a user’s computer does not include the Enable CCXv4 Administrator Tool Application Setting, only EAP-FAST User Settings will be available for configuration.

To set up a client with EAP-FAST authentication:

  1. Click Profiles on the Intel(R) PROSet/Wireless main window. Or if you are acting as the administrator, open the Administrator Tool.
  2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
  3. Wireless Network Name (SSID): Enter the network identifier.
  4. Profile Name: Enter a descriptive profile name.
  5. Operating Mode: Click Network (Infrastructure).
  6. Administrator Profile Type: Select Persistent or Pre-logon/Common. (This step applies only if you are using the Administrator Tool.)
  7. Click Next to open the Security Settings.
  8. Click Enterprise Security.
  9. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
  10. Data Encryption: Select one of the following:
  11. Enable 802.1X: Selected.
  12. Authentication Type: Select EAP-FAST to be used with this connection.
  13. Click Cisco Options to select Allow Fast Roaming (CCKM), which enables the client wireless adapter for fast secure roaming.

Step 1 of 3 EAP-FAST Provisioning (User Settings)

EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST authenticators are identified by an authority identity (A-ID). The local authenticator sends its A-ID to an authenticating client, and the client checks its database for a matching A-ID. If the client does not recognize the A-ID, it requests a new PAC.

NOTE: If the provisioned Protected Access Credential (PAC) is valid, Intel(R) PROSet/Wireless does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel(R) PROSet/Wireless fails the provisioning automatically. A status message is displayed in the Wireless Event Viewer that an administrator can review on the user's computer.

  1. Leave unchecked Disable EAP-FAST Enhancements (CCXv4).
  2. Allow authenticated provisioning and Allow unauthenticated provisioning are both checked.
  3. Default Server: None selected is the default. Click Select Server to select a PAC from the default PAC authority server. The Protected Access Credentials selection page opens.

NOTE: Server groups are only listed if you have installed an Administrator Package that contains EAP-FAST Authority ID (A-ID) Group settings.

PAC distribution can also be completed manually (out-of-band). Manual provisioning lets you create a PAC for a user on an ACS server and then import it into a user's computer. A PAC file can be protected with a password, which the user needs to enter during a PAC import.

  1. To import a PAC:
    1. Click Import to import a PAC from the PAC server.
    2. Click Open.
    3. Enter the PAC password (optional).
    4. Click OK to close this page. The selected PAC is used for this wireless profile.
  2. Click Next.
  3. If this is not a Pre-logon/Common profile, then click Next and jump to Step 3 of 3: EAP-FAST Server.
  4. If this is a Pre-logon/Common profile, or if you are not using the Administrator Tool to create this profile, proceed to the next step.

Step 2 of 3: EAP-FAST Additional Information

  1. Authentication Protocol: Select MS-CHAP-V2 or GTC
  2. User Credentials: Select Use Windows Logon or Use the following.
  3. If you selected Use the following, then enter the User Name, Domain, Password, and Confirm Password.
  4. Enter the Roaming Identity: %DOMAIN%\%USERNAME%
  5. Click Next.

Step 3 of 3: EAP-FAST Server

  1. Click Validate Certificate if desired and select the Certificate Issuer from the drop-down menu. The default selection is Any Trusted CA.
  2. If desired, click Specify Server or Certificate Name and enter the name. Then click Server Name must match the specified entry exactly or Domain name must end with the specified entry.
  3. Click OK.
