Secure 802.1x Wireless Solution


Upload: nik-black

Post on 06-Apr-2015


Page 1: Secure 802.1x Wireless Solution

Secure 802.1x Wireless Solution Page 1 of 51

Table of Contents

1 Overview (page 2)
1.1 Our Lab environment is configured as follows (page 3)
2 Set up your Certificate Authority Server (page 4)
2.1 To configure a computer certificate enrollment for a Certificate Authority Server, do the following (page 4)
2.2 Configure a User Certificate Template to use the Wave CSP (page 5)
2.3 To create a User Certificate Template that uses the Wave CSP, follow these steps (page 8)
3 RADIUS Configuration using Microsoft’s Internet Authentication Service (page 15)
3.1 Configuring IAS (page 15)
3.2 Installing a RADIUS Service Certificate (page 25)
4 Configuring Wireless Access Points for 802.1x (page 26)
5 Configure your Enterprise Domain Policy for Wireless 802.1x authentication (page 29)
5.1 To configure Wireless Network (IEEE 802.11) Policies Group Policy settings, do the following (page 29)
6 Installing User Certificates (page 33)
6.1 Configuring User Certificates for autoenrollment (page 33)
6.2 Installing a User Certificate via a Web Request (page 35)
7 Configure your wireless client to access your Enterprise network using secure 802.1x (page 42)
7.1 Steps taken to configure your wireless client (page 42)
8 Table of Figures (page 50)


1 Overview

This article describes the steps taken to deploy secure 802.11 wireless access, employing Microsoft Windows-based client computers with 802.1x authentication, using a wireless access point in our lab. Our lab’s wireless authentication infrastructure consists of a Microsoft Windows 2003 Server Domain Controller, a Certification Authority Server, an Internet Authentication Service Server (also known as a RADIUS server) and a Wireless Access Point that is 802.1x compatible.

This article does not go into details regarding the evolution of wireless technology and security standards. To learn more about this, you could visit the following links:

Wireless Networking
http://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx

Wireless LAN Technologies and Microsoft Windows
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/wrlsxp.mspx

Deployment of Secure 802.11 Networks Using Microsoft Windows
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

Securing Wireless LANs with Certificate Services
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/PGCH03.mspx?mfr=true

This article discusses the process taken to configure secure 802.11 wireless infrastructures in our Lab.

• Configuring the Certificate Authority Infrastructure to use Wave CSP
• Configuring the Internet Authentication Server (RADIUS)
• Configuring Active Directory Group Policy
• Configuring the Access Point using a NETGEAR® WG302
• Installing User Certificate
• Configuring the Client (Dell Latitude D620)


1.1 Our Lab environment is configured as follows:

• Wireless Client computers (Dell Latitude D620) running Microsoft Windows XP Pro and the Wave Systems Embassy Trust Suite software.

Windows XP has built-in support for IEEE 802.11 wireless access and IEEE 802.1x authentication using Extensible Authentication Protocol (EAP).

• Our RADIUS (Remote Authentication Dial-In User Service) Server consists of a Microsoft Windows 2003 Server running Internet Authentication Service (IAS).

It is recommended that you have at least 2 IAS servers (a primary and a secondary) to provide fault tolerance for RADIUS-based authentication.

• Our Active Directory Domain consists of Microsoft Windows 2003 Server.

The domain’s Active Directory contains the user accounts, computer accounts and dial-in properties that each RADIUS Server requires to authenticate credentials and evaluate authorization.

• Certificate Authority Server consists of Microsoft Windows 2003 Enterprise Edition.

Microsoft Windows 2003 Enterprise Edition was used in order to take advantage of autoenrollment of user certificates and to be able to modify the user certificate template to use the Wave CSP.

• NETGEAR® ProSafe™ 802.11g Wireless Access Point WG302.

This device complies with industry security standards for wireless data encryption and user authorization. WPA and 802.1x support enables strong mutual authentication to ensure only valid clients can communicate with the Enterprise.


2 Set up your Certificate Authority Server

Regardless of which authentication method you use for wireless connections, EAP-TLS or PEAP-MS-CHAP v2, you must install computer certificates on the RADIUS servers.

The computer certificate is installed on the RADIUS server computer so that during EAP-TLS authentication, the RADIUS server has a certificate to send to the wireless client computer for mutual authentication, regardless of whether the wireless client computer authenticates with a computer certificate or a user certificate.

To install a Certificate Authority (CA) on your domain, log on as Domain Administrator. Click on http://technet2.microsoft.com/WindowsServer/en/library/7a2c636a-bf86-479a-8729-d9b005514ee61033.mspx and perform the steps, as shown.

Configure your Certificate Authority to meet the needs of your Enterprise PKI policies. Our lab CA server was configured as an Enterprise root certificate authority. Once the Certificate Authority service was configured on the server, a computer certificate was needed for the server.

2.1 To configure a computer certificate enrollment for a Certificate Authority Server, do the following:

1. Open the Active Directory Users and Computers snap-in.

2. In the console tree, double-click Active Directory Users and Computers, then right-click the domain name to which your CA belongs. Click Properties.

3. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy). Click Edit.

4. In the console tree, open Computer Configuration, Windows Settings, then Security Settings, Public Key Policies, Automatic Certificate Request Settings.

5. Right-click Automatic Certificate Request Settings, point to New. Click Automatic Certificate Request.

6. The Automatic Certificate Request wizard appears. Click Next.

7. In Certificate templates, click Computer. Click Next.

8. Your Enterprise CA appears on the list.

9. Click the Enterprise CA, click Next. Click Finish.

10. To immediately obtain a computer certificate for the CA Server, type the following at a command prompt:

gpupdate /target:computer


2.2 Configure a User Certificate Template to use the Wave CSP

In order for the Wave CSP to be available in the Certificate Authority Server, you need to make some modifications to your Certificate Authority Server Registry.

Before making any modifications to your Server’s Registry, it is strongly recommended to make a backup of your registry.

1. To back up the whole registry, you may use the Backup utility, which will back up the system state. The system state includes the registry, the COM+ Class Registration Database and your boot files. Or, you could open the Registry Editor and Export the registry to be saved into a file. (See Figures 1, 2 & 3.)

Figure 1: Registry Editor

Figure 2: Use the Export to make a backup


Figure 3: Select location to save backup

2. Once your Server Registry has been backed up, you need to create the following files using Notepad (see Figures 4 & 5). These files will be used to import the Wave CSP information into the Certificate Authority Server.

Figure 4: Wave TCG-Enabled CSP registry information


Figure 5: Wave TCG-Enabled SChannel CSP registry information

3. Once these files have been created, you may double-click on each file (see Figure 6). You will be prompted to verify that you want to import the content of the file into the registry (see Figures 7 & 8). Select Yes.

Figure 6: Wave TCG-Enabled CSP registry files

Figure 7: Importing Wave TCG-Enabled CSP into the server's registry

Figure 8: Importing Wave TCG-Enabled SChannel into server's registry


4. Then you will need to reboot the Certificate Authority Server before being able to use the Wave CSP on the certificate templates. Once the server has been rebooted, the Wave CSP and Wave SChannel CSP will be available. You will then be able to configure the user certificate template to use the Wave CSP.

2.3 To create a User Certificate Template that uses the Wave CSP, follow these steps:

1. Open the Microsoft Management Console (mmc) and add the Certificate Templates snap-in and the Certificate Authority snap-in.

2. Select the Certificate Templates.

3. On the right pane, select User (see Figure 9). Right-click and select Duplicate Template (see Figure 10).

4. On the right pane, you will see a new template called Copy of User. Select and open it, in order to modify it. (See Figure 11.)

5. In our Lab environment, I called this new User Certificate Template Wireless User (see Figure 12), making sure you select the “Publish Certificate in Active Directory” checkbox. Select Apply.

6. Select the “Request Handling” tab of the Wireless User Certificate Template (see Figure 13); in Purpose, select “Signature and Smartcard logon.”

7. On the “Request Handling” tab, select “Prompt the user during enrollment and require user input when the private key is used.”

8. On the “Request Handling” tab, press the CSPs button; this will allow you to restrict the type of CSP with which this User Certificate will work. (See Figure 14.)

9. On the CSP Selection window, make sure you have selected “Request must use one of the following CSPs,” and under the list of CSPs, select “Wave TCG-Enabled CSP” and “Wave TCG-Enabled SChannel CSP.” Select OK. Using this CSP allows the private key of the certificate to be stored in the TPM.

10. Go to the Subject Name tab of the Wireless User Certificate Properties. Select Build from this Active Directory information. Select Subject name and include other information according to your Enterprise policies (see Figure 15).

11. Create a group in Active Directory called Wireless Users. Users in this group will be allowed to Enroll and Autoenroll User certificates. In the Security tab of the Certificate template, ensure that this group has access to Enroll and Autoenroll by checking the Allow box next to the Permissions (see Figure 16).

12. In the mmc, select the Certificate Authority, then select the Certificate Authority and Certificate Templates. Right-click (see Figure 17). Select New – Certificate Template to Issue and select Wireless User. You can now see (Figure 18) that the Wireless User Certificate Template is available.


Figure 9: Certificate Authority Templates

Figure 10: Duplicate User Template


Figure 11: Modify Template General Properties

Figure 12: Modify Template Name


Figure 13: Certificate Request handling properties


Figure 14: Select CSP for User Certificate


Figure 15: Certificate Subject Name properties

Figure 16: Certificate Template Security


Figure 17: Issuing a new Certificate Template

Figure 18: Certificate Authority Templates

Note: Now the “Wireless User” user certificate, which uses the Wave TCG CSP, is available to be used, and it gets configured in Domain Group Policy for User Certificate Auto-Enrollment.


3 RADIUS Configuration using Microsoft’s Internet Authentication Service

This section provides direction for building a RADIUS (Remote Authentication Dial-In User Service) infrastructure for wireless LAN (WLAN) security based on Microsoft Windows Server 2003 Internet Authentication Service (IAS). The objective of this section is to provide the steps taken to configure the RADIUS service in our Lab infrastructure; this section does not try to explain any of the general concepts of RADIUS or how IAS implements the RADIUS protocol.

This section makes the following assumptions about the existing IT infrastructure:

• A deployed Windows 2003 Active Directory domain infrastructure exists.
• All users of the RADIUS infrastructure in this solution should be members of domains within the same Active Directory domain.
• Server hardware capable of running Windows Server 2003 IAS is available.

For instructions on installing IAS, see the following article written by Microsoft: http://support.microsoft.com/kb/317588

3.1 Configuring IAS

1. In order to enable the IAS Service to communicate with Active Directory, you must register the IAS Service. To do so, start the IAS snap-in. Select Internet Authentication Service (Local). Right-click. Choose Register Server in Active Directory (see Figure 19).

2. Right-click Clients. Click New Client. This will open the New RADIUS Client window (see Figure 20).

3. On the New RADIUS Client window, enter the information for your Access Point (see Figure 21).

4. Once the Wireless Access Point has been added as a client, it will be shown on the right pane of the IAS snap-in (see Figure 22).

5. Select the RADIUS client and right-click. Select Properties (see Figure 23). This is where you enter the Shared secret, which is also configured on the Access Point.

6. Now go to Remote Access Policies in the IAS snap-in (see Figure 24). Right-click. Select New Remote Access Policy. This will open the New Remote Access Policy Wizard (Figure 25). Select Next.

7. At this point, the New Remote Access Policy Wizard will ask you to select how to set up this policy, and to give this policy a name (see Figure 26). Press Next.

8. Now the New Remote Access Policy Wizard will prompt you to select the method of access for this policy (see Figure 27). Select Wireless. Click on Next to continue.

9. Now the New Remote Access Policy Wizard will prompt you to enter the Users or Groups that will be granted access through this policy (see Figure 28); it is recommended that you choose a group for ease of operation. Once you have entered the Users/Groups to gain access, press Next to continue.


10. Now you will be prompted to select the type of EAP to be used for this policy. We chose SmartCard or other certificate (see Figure 29), then press Next to continue.

11. You will now see the new policy on the right side of the IAS snap-in. You can modify its properties by right-clicking on the policy and selecting Properties (see Figures 30, 31, 32 and 33).

Figure 19: Internet Authentication Service Console


Figure 20: Create a new RADIUS client

Figure 21: Creating new RADIUS client


Figure 22: RADIUS client

Figure 23: Modify RADIUS client properties


Figure 24: Create a New Remote Access Policy

Figure 25: Remote Access Policy Wizard Starts


Figure 26: How do you want to set up policy?

Figure 27: Select Method of access for this policy


Figure 28: Select User or Group access


Figure 29: Select Authentication method

Figure 30: Configure Policy properties


Figure 31: Select Policy conditions

Figure 32: Verify Authentication information


Figure 33: Selecting EAP providers


3.2 Installing a RADIUS Service Certificate

In order for the RADIUS server to be able to process certificate login, it needs to have a certificate installed for that service. To get the certificate for the RADIUS server, you need to do the following:

1. Log on to the CA server and open the CA console.
2. Go to the certificate templates module and click Action > New > Certificate Template to Install.
3. Click the RAS and IAS Server template and click OK.
4. Log on to the RADIUS server as the domain administrator.
5. Click Start > Run, type mmc.
6. Click File > Add / Remove Snap-in.
7. Click Add.
8. Click Certificates. Click OK.
9. Click Computer account. Click Next.
10. Click Finish.
11. Click Close.
12. Click OK.
13. Expand Certificates.
14. Click Personal.
15. Click Action > All Tasks > Request New Certificate.
16. Select the RAS and IAS certificate. Click Next.
17. Give it a name. Click Next.
18. Click Finish.


4 Configuring Wireless Access Points for 802.1x

The procedure for configuring Wireless Access Points (APs) varies depending on the make and model of the device. However, wireless AP vendors will generally provide instructions for configuring the device. The following are the essential items to configure the AP for 802.1x authentication:

• 802.1x networking settings
• IP Address for primary RADIUS server
• RADIUS shared secret for primary RADIUS server
• IP address for secondary RADIUS server
• RADIUS shared secret for secondary RADIUS server
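The shared secret entered on the IAS RADIUS client (section 3.1, step 5) and on the access point (above) is what lets each side check that a RADIUS packet really came from its peer. The following script is an added example, not code from the Wave document, the WG302 or IAS: it builds an EAP-carrying Access-Request with the RFC 3579 Message-Authenticator, checks it as a RADIUS server would, then builds and checks the Access-Accept Response Authenticator (RFC 2865). The identity, access-point address and secret are constructed sample values.

```python
"""RADIUS packet integrity with the AP/IAS shared secret (added example).

Constructed sample values throughout; nothing here is taken from the
Wave document, the WG302 or IAS.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS = 1, 4
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80


def attr(atype, value):
    """Encode one RADIUS attribute as Type | Length | Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, request_authenticator, secret, attrs):
    """Build an Access-Request carrying EAP-Message. RFC 3579 requires a
    Message-Authenticator: HMAC-MD5 keyed with the shared secret over the
    whole packet, with the attribute's own 16 value bytes set to zero."""
    zeroed = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed))
    header += request_authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check of an Access-Request. Returns False for a malformed
    packet, a missing Message-Authenticator, or a MAC made with another secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    received, zeroed, pos = None, b"", 20
    while pos < length:
        if pos + 2 > length:
            return False
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + alen]
            zeroed += packet[pos:pos + 2] + b"\x00" * 16
        else:
            zeroed += packet[pos:pos + alen]
        pos += alen
    if received is None:
        return False
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def build_response(code, request, secret, attrs):
    """RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """AP-side check: the reply must match the outstanding request's ID and
    authenticator. A wrong secret, a forged reply, or a modified attribute
    (e.g. EAP-Success rewritten to EAP-Failure) fails and is discarded."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo(secret=b"constructed-shared-secret"):
    """Run one constructed exchange; returns the four check results."""
    identity = b"alice@wavelab.example"               # constructed supplicant identity
    # EAP-Response/Identity: Code 2, ID 1, Length, Type 1 (Identity), data
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    request = build_access_request(
        ident=7,
        request_authenticator=bytes(range(16)),      # fixed here; random in practice
        secret=secret,
        attrs=[attr(ATTR_USER_NAME, identity),
               attr(ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed AP address
               attr(ATTR_EAP_MESSAGE, eap_identity)])
    request_ok = verify_message_authenticator(request, secret)
    wrong_secret = verify_message_authenticator(request, b"mistyped-secret")
    # Access-Accept carrying EAP-Success (Code 3, ID 1, Length 4)
    accept = build_response(ACCESS_ACCEPT, request, secret,
                            [attr(ATTR_EAP_MESSAGE, struct.pack("!BBH", 3, 1, 4))])
    accept_ok = verify_response(accept, request, secret)
    tampered = bytearray(accept)
    tampered[22] = 4                                  # EAP code rewritten to Failure
    tampered_ok = verify_response(bytes(tampered), request, secret)
    return request_ok, wrong_secret, accept_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # → (True, False, True, False)
```

A mismatched secret on either side shows up exactly as the second and fourth results: IAS silently drops the request, and the access point drops the reply, so the client never gets past the EAP identity exchange.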

It is recommended that you have a primary and a secondary RADIUS server for redundancy. For the purpose of this document, we only configured a primary RADIUS server, and that information was entered into the access point as follows.

We used a NETGEAR® ProSafe™ 802.11g Wireless Access Point WG302, and the instructions and figures displayed in this section pertain to configuring such a device.

The figures shown below are the essential information for configuring the access point used in our Lab to communicate with the Lab’s RADIUS Server.

Figure 34: RADIUS Server configuration


Figure 35: Access Point Security Profile settings

Figure 36: Select proper network Authentication


Figure 37: Select the proper data encryption


5 Configure your Enterprise Domain Policy for Wireless 802.1x authentication

Windows Server 2003 provides the Wireless Network (IEEE 802.11) Policies Group Policy extension. This enables administrators to specify a list of preferred networks and their settings to automatically configure wireless LAN settings for clients running Windows XP with SP1, Windows XP with SP2, and Windows Server 2003.

For each preferred network, you can specify association settings (such as the SSID, authentication and encryption method) and 802.1x authentication settings, such as the specific EAP type.

5.1 To configure Wireless Network (IEEE 802.11) Policies Group Policy settings, do the following:

1. Open the Active Directory Users and Computers snap-in.

2. In the console tree, double-click Active Directory Users and Computers, then right-click the domain system container that contains the wireless user accounts. Click Properties.

3. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy). Click Edit.

4. In the console tree, open Computer Configuration, Windows Settings, Security Settings, Wireless Network (IEEE 802.11) Policies.

5. Right-click Wireless Network (IEEE 802.11) Policies. Click Create Wireless Network Policy. In the Wireless Network Policy Wizard, type a name and description.

6. In the details pane, double-click your newly created wireless network policy.

7. Change settings on the General tab as needed. (See Figure 38.)

8. Click the Preferred Networks tab. Click Add to add a preferred network.

9. On the Network Properties tab, type the wireless network name (SSID) and change wireless network key settings as needed (see Figure 39).

10. In our environment, the Network Name (SSID) is WaveLab.

11. Click the IEEE 802.1x tab. Change 802.1x settings as needed, including specifying and configuring the correct EAP type. In our Lab environment, we used an EAP type of SmartCard or other certificate (see Figure 40).

12. Click OK twice to save changes.


Figure 38: Wireless network policies properties


Figure 39: Wireless network preferred networks properties


Figure 40: Wireless network policy – IEEE 802.1 properties


6 Installing User Certificates

As an IT administrator in your organization, you have two options for installing users’ certificates in your enterprise:

• Use your domain autoenrollment feature
• Have the user manually request and install the user certificate

6.1 Configuring User Certificates for autoenrollment

If you are using a Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition, Enterprise CA as an issuing CA, you can install User Certificates through autoenrollment. Configuring user certificate autoenrollment for wireless user certificates requires you to duplicate existing certificate templates, a feature that is only supported for Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition, Enterprise CAs. (See section 2.2, Configure a User Certificate Template to use the Wave CSP.)

Figure 41: Set up User for Certificate autoenrollment


6.1.1 To configure User Certificate enrollment for an enterprise Certificate Authority:

1. Click Start, click Run, type mmc. Click OK.
2. On the File menu, click Add/Remove Snap-in. Click Add.
3. Under Snap-in, double-click Certificate Templates, click Close. Click OK.
4. In the console tree, click Certificate Templates. All of the certificate templates will be displayed in the details pane.
5. In the details pane, click the User template.
6. On the Action menu, click Duplicate Template.
7. In the Display Name field, type Wireless User (you can use your company naming policies).
8. Make sure that the Publish Certificate in the Active Directory checkbox is selected.
9. Click the Request Handling tab.
10. Make sure that Prompt the user during enrollment and require user input when the private key is used is selected.
11. Click the CSPs button.
12. Select the Wave TCG-Enabled CSPs. Click OK.
13. Click the Security tab.
14. In the Group or user names field, click Domain Users.
15. In the Permissions for Domain Users list, select the Enroll and Autoenroll permission checkboxes. Click OK.
16. Open the Certification Authority snap-in.
17. In the console tree, open Certification Authority, CA name, Certificate Templates.
18. On the Action menu, point to New. Click Certificate to Issue.
19. Click Wireless User (example). Click OK.
20. Open the Active Directory Users and Computers snap-in.
21. In the console tree, double-click Active Directory Users and Computers. Right-click the domain system container that contains the wireless user accounts. Click Properties.
22. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy). Click Edit.
23. In the console tree, open User Configuration, Windows Settings, Security Settings, Public Key Policies.
24. In the details pane, double-click Autoenrollment Settings.
25. Click Enroll certificates automatically. (See Figure 41.)
26. Select the Renew expired certificates, update pending certificates and remove revoked certificates checkbox.
27. Select the Update certificates that use certificate templates checkbox. Click OK.

Note:
(1) The next time the user logs into the network, they will see a prompt in their system tray that informs them of the installation of a user certificate.
(2) The instructions provided above are for a Certificate Authority running on Microsoft Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.


6.2 Installing a User Certificate via a Web Request

If your environment does not support user autoenrollment, you could require that the user enroll manually by installing a User Certificate via a Web request. Please remember that when you are doing a Certificate Request via the Web, you must have a Web server service running at the Certificate Authority Server.

6.2.1 To install a User Certificate via Web Request:

1. Open Internet Explorer. In the Address section, type http://ServerName/Certsrv. ServerName is the name of the Windows server where the certification authority (CA) that you want to access is located. (See Figure 42.)

2. Click on Request a Certificate.

3. In Request a Certificate (see Figure 43), click on Advanced Certificate Request.

4. In the Advanced Certificate Request (see Figure 44), click on Create and submit a request to this CA.

5. You will now be able to choose the Certificate Template that you created with the Wave TCG-Enabled CSP (see Figure 45 for details). Click Submit.

6. If your Certificate Authority Server is not trusted by your computer, you will be notified that the website is requesting a new certificate on your behalf (see Figure 46). Click Yes.

7. At this point, the Certificate Authority server is generating a certificate request (see Figure 47). You will be prompted to authenticate several times as the TPM keys are created and verified. For the best user experience, you should use the EMBASSY Security Center to create a TCG Security Password Vault ahead of time.

8. When the Certificate Request has been completed, you will be prompted to install the certificate (see Figure 48). Click on Install this certificate. Once the certificate has been successfully installed, you will be notified (see Figure 49).


Figure 42: Request a Certificate


Figure 43: Request a Certificate


Figure 44: Advanced Certificate Request


Figure 45: Advanced Certificate Request

Figure 46: Website requesting certificate on your behalf


Figure 47: Generating certificate


Figure 48: Certificate issued

Figure 49: Certificate successfully installed


7 Configure your wireless client to access your Enterprise network using secure 802.1x

Once the user has installed their User Certificate, either by autoenrollment or by a web request, he/she is ready to configure the Wireless portion. For the purpose of the cookbook, we used a Dell Latitude D620 with an Intel® PRO/Wireless 3945ABG Network adapter, using the Intel® PROSet/Wireless Software Version 10.1.0.3 to configure our Wireless access.

7.1 Steps taken to configure your wireless client:

1. Go to the system tray and open the Intel PROSet/Wireless utility (see Figure 50).

2. Select the Wireless Network in question (see Figure 51). Click on Profiles.

3. Verify the Profile Name and Wireless Network Name and select Network as the operating mode (see Figure 52). Click Next.

4. Configure the Security Settings section as follows (see Figures 53 & 54):
   a) Select Enterprise Security.
   b) Check the “Enable 802.1x” box.
   c) Set Network Authentication: WPA2 – Enterprise.
   d) Set Data Encryption: TKIP.
   e) Set Authentication Type: TLS.

5. Configure the TLS User as follows (see Figure 55):
   a) Select Use a User Certificate on this computer.
   b) Click the Select button. Select a User Certificate that was created using the Wave TCG CSP (Wireless User Certificate Template). Click OK.
   c) Click on Next.

6. Configure the TLS Server as follows (see Figures 56 & 57):
   a) Check the “Validate Server Certificate” box.
   b) Select from the Certificate Issuer List. Choose the Certificate Authority from which the Wireless User Certificate Template was issued.
   c) Click OK.

7. Click Connect (see Figure 58). This will start the 802.1x authentication process.

8. A window will be displayed (see Figure 59), prompting you to authenticate to your TCG Security Password Vault. If you are using biometrics, you will need to swipe your finger (see Figure 60). This method of authentication assumes that you have used the EMBASSY Security Center to initialize a TCG Security Password Vault. If not, you will be prompted for an individual password here.

9. Once the authentication is validated, the connection will be established (see Figures 61 & 62).


Figure 50: Intel PROSet/Wireless utility

Figure 51: Intel PROSet/Wireless utility


Figure 52: Wireless profile properties - general settings

Figure 53: Wireless profile properties - security settings


Figure 54: Wireless profile properties - security settings

Figure 55: Wireless profile properties - security settings - TLS User


Figure 56: Select User Certificate

Figure 57: Wireless profile properties - security settings - TLS Server


Figure 58: Connect to your wireless

Figure 59: Ready to Authenticate


Figure 60: Swipe your fingerprint

Figure 61: Connecting to your wireless network


Figure 62: You are now connected to your wireless network


8 Table of Figures

Figure 1: Registry Editor ..... 5
Figure 2: Use the Export to make a backup ..... 5
Figure 3: Select location to save backup ..... 6
Figure 4: Wave TCG-Enabled CSP registry information ..... 6
Figure 5: Wave TCG-Enabled SChannel CSP registry information ..... 7
Figure 6: Wave TCG-Enabled CSP registry files ..... 7
Figure 7: Importing Wave TCG-Enabled CSP into the server's registry ..... 7
Figure 8: Importing Wave TCG-Enabled SChannel into server's registry ..... 7
Figure 9: Certificate Authority Templates ..... 9
Figure 10: Duplicate User Template ..... 9
Figure 11: Modify Template General Properties ..... 10
Figure 12: Modify Template Name ..... 10
Figure 13: Certificate Request Handling properties ..... 11
Figure 14: Select CSP for User Certificate ..... 12
Figure 15: Certificate Subject Name properties ..... 13
Figure 16: Certificate Template Security ..... 13
Figure 17: Issuing a new Certificate Template ..... 14
Figure 18: Certificate Authority Templates ..... 14
Figure 19: Internet Authentication Service Console ..... 16
Figure 20: Create a new RADIUS client ..... 17
Figure 21: Creating new RADIUS client ..... 17
Figure 22: RADIUS client ..... 18
Figure 23: Modify RADIUS client properties ..... 18
Figure 24: Create a New Remote Access Policy ..... 19
Figure 25: Remote Access Policy Wizard Starts ..... 19
Figure 26: How do you want to set up policy? ..... 20
Figure 27: Select Method of access for this policy ..... 20
Figure 28: Select User or Group access ..... 21
Figure 29: Select Authentication method ..... 22
Figure 30: Configure Policy properties ..... 22
Figure 31: Select Policy conditions ..... 23
Figure 32: Verify Authentication information ..... 23
Figure 33: Selecting EAP Providers ..... 24
Figure 34: RADIUS Server configuration ..... 26
Figure 35: Access Point Security Profile settings ..... 27
Figure 36: Select proper network Authentication ..... 27
Figure 37: Select the proper data encryption ..... 28
Figure 38: Wireless Network Policies properties ..... 30
Figure 39: Wireless Network preferred networks properties ..... 31
Figure 40: Wireless Network Policy – IEEE 802.1 Properties ..... 32
Figure 41: Set up User for Certificate autoenrollment ..... 33
Figure 42: Request a Certificate ..... 36
Figure 43: Request a Certificate ..... 37
Figure 44: Advanced Certificate Request ..... 38
Figure 45: Advanced Certificate Request ..... 39
Figure 46: Website requesting certificate on your behalf ..... 39
Figure 47: Generating certificate ..... 40
Figure 48: Certificate issued ..... 41
Figure 49: Certificate successfully installed ..... 41


Figure 50: Intel PROSet/Wireless utility ..... 43
Figure 51: Intel PROSet/Wireless utility ..... 43
Figure 52: Wireless profile properties - general settings ..... 44
Figure 53: Wireless profile properties - security settings ..... 44
Figure 54: Wireless profile properties - security settings ..... 45
Figure 55: Wireless profile properties - security settings - TLS User ..... 45
Figure 56: Select User Certificate ..... 46
Figure 57: Wireless profile properties - security settings - TLS Server ..... 46
Figure 58: Connect to your wireless ..... 47
Figure 59: Ready to Authenticate ..... 47
Figure 60: Swipe your fingerprint ..... 48
Figure 61: Connecting to your wireless network ..... 48
Figure 62: You are now connected to your wireless network ..... 49