Back to Contents Page

Setting up Connection Security: Intel(R) PRO/Wireless 2200BG User's Guide


Security and Encryption

Setting up Data Encryption and Authentication
Encryption Overview
How to Enable WEP Encryption
System Administrator Tasks
Setting up the Client for WEP and MD5 authentication
Setting up the Client for WPA-PSK using WEP or TKIP authentication
Setting up the Client for WPA using TKIP encryption and TLS authentication
Setting up the Client for WPA using TKIP encryption and TTLS or PEAP authentication
Setting up the Client for CCX using CKIP encryption and LEAP authentication


Setting up Data Encryption and Authentication

Wired Equivalent Privacy (WEP) encryption and shared authentication helps provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point.  The WEP encryption algorithm is vulnerable to passive and active network attacks. TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate existing network attacks and address its shortcomings.

Open and Shared Key authentication

802.11 support two types of network authentication methods; Open System and Shared that use 64-bit and 128-bit WEP encryption. Open does not require an encryption authentication method to associate to a specific access point. Supported authentication schemes are Open and Shared authentication:

Network Keys

When Data Encryption (WEP, CKIP or TKIP) is enabled, a network key is used for encryption. A network key can be provided for you automatically (for example, it might be provided on your wireless network adapter, or you can enter it yourself and specify the key the key length (64-bits or 128-bit), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). The longer the key length, the more secure the key. Every time the length of a key is increased by one bit, the number of possible keys double.

Under 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message using a key that is stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving access point or wireless station can then retrieve the key that is stored at the key index and use it to decode the encrypted message body.

Encryption Static and Dynamic Key Types

802.1x uses two types of encryption keys, static and dynamic. Static encryption keys are changed manually and are more vulnerable. MD5 authentication only uses static encryption keys. Dynamic encryption keys are renewed automatically on a periodic basis. This makes the encryption key(s) more secure. To enable dynamic encryption keys, you must use 802.1x authentication methods, such as TLS, TTLS, PEAP or LEAP.


Encryption Overview

Security in the WLAN can be supplemented by enabling data encryption using WEP (Wireless Encryption Protocol). You can choose a 64 or 128 bit level encryption. Also, the data can then be encrypted with a key. Another parameter called the key index is provides the option to create multiple keys for that profile. However, only one key can be used at a time. You can also choose to password protect the profile to ensure privacy.

The pass phrase is used to generate a WEP key automatically. You have the option of either using a pass phrase or entering a WEP key manually. Using 64-bit encryption, the pass phrase is 5 characters long and you can choose to enter any arbitrary and easy to remember phrase like, Acme1, or enter 10 Hexadecimal characters for the WEP key that matches the network that the connects to. For 128-bit encryption, the pass phrase is 13 characters long or you can enter a 26 hexadecimal characters for the WEP key to get connected to the appropriate network.

Note: You must use the same encryption type, key index number, and WEP key as other devices on your wireless network.


How to Enable WEP Encryption

The following example describes how to edit an existing profile and apply WEP encryption.

Note: Before you begin, contact your system administrator for the network WEP pass phrase or Hex Key.
 

To enable WEP encryption:

  1. From the General page, click the Networks tab.
  2. Select the profile from the Profile List and click the Edit button.
  3. Click the Security tab.
  4. Select any Network Authentication mode (Open is recommended).
  5. Select WEP for Data Encryption.
  6. Select 64-bit or 128-bit for the Encryption Level.
  7. Select a key index number 1, 2, 3, or 4
  8. Select either of the following:
  1. Click OK to save the profiles settings.

System Administrator Tasks

NOTE: The following information is intended for system administrators.  

How to Obtain a Client Certificate

If you do not have any certificates for EAP-TLS, or EAP-TTLS you must get a client certificate to allow authentication. Typically you need to consult with your system network administrator for instructions on how to obtain a certificate on your network. Certificates can be managed from "Internet Settings", accessed from either Internet Explorer or the Windows Control Panel applet. Use the "Content" page of "Internet Settings".

Windows XP and 2000: When obtaining a client certificate, do not enable strong private key protection. If you enable strong private key protection for a certificate, you will need to enter an access password for the certificate each time this certificate is used. You must disable strong private key protection for the certificate if you are configuring the service for TLS/TTLS authentication. Otherwise the 802.1x service will fail authentication because there is no logged in user to whom it can display the prompt dialog.

Notes about Smart Cards

After installing a Smart Card, the certificate is automatically installed on your computer and can be select from the person certificate store and root certificate store.

Setting up the Client for TLS authentication

Step 1: Getting a certificate

To allow TLS authentication, you need a valid client (user) certificate in the local repository for the logged-in user’s account.  You also need a trusted CA certificate in the root store.

The following information provides two methods for getting a certificate;

Getting a certificate from a Windows 2000 CA:

  1. Start Internet Explorer and browse to the Certificate Authority HTTP Service (use a URL such as http://yourdomainserver.yourdomain/certsrv with certsrv being the command that brings you to the certificate authority. You can also use the IP address of the server machine, such as"192.0.2.12/certsrv."
  2. Logon to the CA with the name and password of the user account you created (above) on the authentication server. The name and password do not have to be the same as the Windows logon name and password of your current user.
  3. On the Welcome page of the CA select Request a certificate task and submit the form.
  4. On the Choose Request Type page, select Advanced request, then click Next.
  5. On the Advanced Certificate Requests page, select Submit a certificate request to this CA using a form, then click Submit.
  6. On the Advanced Certificate Request page choose the User certificate template. Select "Mark keys as exportable", and click Next. Use the provided defaults shown.
  7. On the Certificate Issued page select Install this certificate.

Note: If this is the first certificate you have obtained, the CA will first ask you if it should install a trusted CA certificate in the root store. The dialog will not say this is a trusted CA certificate, but the name on the certificate shown will be that of the host of the CA. Click yes, you need this certificate for both TLS and TTLS.

  1. If your certificate was successfully installed, you will see the message, "Your new certificate has been successfully installed."
  2. To verify the installation, click Internet Explorer > Tools > Internet Options > Content > Certificates. The new certificate should be installed in "Personal" folder.

Importing a certificate from a file

  1. Open Internet Properties (right-click on the Internet Explorer icon on the desktop and select Properties.
  2. Click the Certificates button on the Content page. This will open the list of installed certificates.
  3. Click the Import button under the list of certificates. This will start the Certificate Import Wizard. (Note: Steps 1 through 3 may also be accomplished by double-clicking the icon for the certificate.
  4. Select the file and proceed to the Password page.
  5. On the Password page specify your access password for the file. Clear the Enable strong private key protection option.
  6. On the Certificate store page select "Automatically select certificate store based on the type of certificate" (the certificate must be in the User accounts Personal store to be accessible in the Configure dialog of the Client; this will happen if ‘automatic’ is selected).
  7. Proceed to "Completing the Certificate Import" and click the Finish button.

The following example describes how to use WPA with TKIP encryption using TTLS or PEAP authentication.

Setting up the Client for TLS authentication

Step 2: Specifying the certificate used by Intel(R) PROSet for Wireless

  1. Obtain and install a client certificate, refer to Step 1 or consult your system administrator.
  2. From the General page, click the Networks tab.
  3. Click the Add button.
  4. Enter the profile and network (SSID) name.
  5. Select Infrastructure for the operating mode.
  6. Click Next.
  7. Select Open for the Network Authentication. You can also select any other available authentication mode.
  8. Select WEP as the Data Encryption. You can also select any other available encryption type.
  9. Click the 802.1x Enabled checkbox.
  10. Set the authentication type to TLS to be used with this connection.
  11. Click the Configure button to open the settings dialog.
  12. Enter your user name in the User Name field.
  13. Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.
  14. Enter the Server name.
  15. Under the "Client certificate" option click the Select button to open a list of installed certificates.
  16. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
  17. Click Close.
  18. Click the Finish button to save the security settings for the profile.

Setting up the Client for WEP and MD5 authentication 

To add WEP and MD5 authentication to a new profile: 

Note: Before you begin, contact your system administrator for the username and password on the RADIUS server.

  1. From the General page, click the Networks tab.
  2. Click the Add button from the Profile List.
  3. Enter the profile and network (SSID) name.
  4. Select Infrastructure for the operating mode.
  5. Click Next.
  6. Select Open (recommended) for the Network Authentication.
  7. Select WEP as the Data Encryption.
  8. Select either 64 or 128-bit for the Encryption Level.
  9. Select the key index 1, 2, 3 or 4.
  10. Enter the required pass phrase or hex key.
  11. Click the 802.1x Enabled checkbox.
  12. Select MD5 as the 802.1x Authentication Type.
  13. Select the Use Windows Logon checkbox. This feature allows the 802.1x credentials to match your Windows user name and password. Before connection, the Credentials dialog displays prompting you for your Windows logon credentials.
NOTE: To install the 802.1x password synchronization capability feature (Use Windows Logon), refer to Installing or Uninstalling the 802.1x Password Synchronization Capability Feature for installation instructions.     
  1. If Use Windows Logon is not selected, the user name and password of the user account created on the authentication server must be entered. Click Configure to open the credentials dialog. Enter the user name and password of the user account created on the authentication server. Check the Save User Credentials checkbox to save the credentials for future use with this 802.1x profile. The user name and password do not have to be the same as the name and password of your current Windows user login.
  2. Click Close to save the settings.
  3. If the Password Protection checkbox was checked on the General settings page, then click Next display the Password page and enter a profile password.
  4. Click the Finish button to save the profile settings.
  5. Select the Networks tab.
  6. Select the profile and click Connect.
  7. If you did not select Use Windows logon (step 13) on the Security Settings dialog and also did not configure user credentials, an Enter Credentials dialog will display when attempting to connect with this profile. Enter your Windows user name and password. Check the Save User Credentials checkbox to save the credentials for future use with this 802.1x profile.
  8. Click OK to save the settings and connect to the network.

Setting up the Client for WPA-PSK using WEP or TKIP authentication

Use Wi-Fi Protected Access - Pre Shared Key (WPA-PSK) mode if there is no authentication server being used. This mode does not use any 802.1x authentication protocol, It can be used with the data encryption types: WEP or TKIP. WPA-PSK requires configuration of a pre-shared key (PSK). You must enter a pass phrase or 64 hex characters for a Pre-Shared Key of length 256-bits. The data encryption key is derived from the PSK.

To configure a profile using WPA-PSK:

  1. From the General page, click the Networks tab.
  2. Click the Add button.
  3. Enter the profile and network (SSID) name.
  4. Select Infrastructure for the operating mode.
  5. Click Next.
  6. Select WPA-PSK for the Network Authentication. You can also select authentication mode.
  7. Select WEP or TKIP as the Data Encryption.
  8. Select either of the following:
  9. Click the Finish button to save the security settings for the profile.

Setting up the Client for WPA using TKIP encryption and TLS authentication

Wi-Fi Protected Access (WPA) mode can be used with TLS, TTLS, or PEAP. This 802.1x authentication protocol using data encryption options; WEP or TKIP. Wi-Fi Protected Access (WPA) mode binds with 802.1x authentication. The data encryption key is received from the 802.1x key exchange. To improve data encryption, Wi-Fi Protected Access utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a re-keying method.

  1. Obtain and install a client certificate, refer to Setting up the Client for TLS authentication or consult your system administrator.
  2. From the General page, click the Networks tab.
  3. Click the Add button.
  4. Enter the profile and network (SSID) name.
  5. Select Infrastructure for the operating mode.
  6. Click Next.
  7. Select WPA for the Network Authentication.
  8. Select TKIP as the Data Encryption.
  9. Set the authentication type to TLS to be used with this connection.
  10. Click the Configure button to open the settings dialog.
  11. Enter your user name in the User Name field.
  12. Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.
  13. Enter the Server name.
  14. Use Client Certificate: This option selects a client certificate from the Personal certificate store of the Windows logged-in user. This certificate will be used for client authentication. Click the Select button to open a list of installed certificates.
  15. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
  16. Click Close.
  17. Click the Finish button to save the security settings for the profile.

Setting up the Client for WPA using TKIP encryption and TTLS or PEAP authentication

Using TTLS authentication: These settings define the protocol and the credentials used to authenticate a user. In TTLS, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can use another authentication protocol, typically password-based protocols, such as MD5 Challenge over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel.

Using PEAP authentication: PEAP settings are required for the authentication of the client to the authentication server. In PEAP, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between client and server. The client can use another EAP mechanism, such as Microsoft Challenge Authentication Protocol (MSCHAP) Version 2, over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel.

The following example describes how to use WPA with TKIP encryption using TTLS or PEAP authentication.

  1. Obtain and install a client certificate, refer to Setting up the Client for TLS authentication or consult your system administrator.
  2. From the General page, click the Networks tab.
  3. Click the Add button.
  4. Enter the profile and network (SSID) name.
  5. Select Infrastructure for the operating mode.
  6. Click Next.
  7. Select WPA for the Network Authentication.
  8. Select TKIP as the Data Encryption.
  9. Select the Use Windows Logon checkbox. This feature allows the 802.1x credentials to match your Windows user name and password. The user name and password in step 17 and 18 are not required. Before connection, the Credentials dialog displays prompting you for your Windows logon credentials.
NOTE: To install the 802.1x password synchronization capability feature (Use Windows Logon), refer to Installing or Uninstalling the 802.1x Password Synchronization Capability Feature for installation instructions.     
  1. If Use Windows Logon is not selected, the user name and password of the user account created on the authentication server are entered (see step 17 and 18).
  2. Set the authentication type to TTLS or PEAP to be used with this connection.
  3. Click the Configure button to open the settings dialog.
  4. Enter the roaming identity name in the Roaming Identity field. This optional feature is the 802.1X identity supplied to the authenticator. It is recommended that this field not contain a true identity, but instead the desired realm (e.g. anonymous@myrealm).
  5. Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.
  6. Enter the Server name.
  7. Authentication Protocol:
  8. Enter the user name. This username must match the user name that is set in the authentication server by the IT administrator prior to client's authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol operating over the TLS tunnel. This user’s identity is securely transmitted to the server only after an encrypted channel has been verified and established.
  9. Enter the user password. Specifies the user password. This password must match the password that is set in the authentication server.
  10. Check the Save User Credentials checkbox to save the credentials for future use with this profile. Note: The user name and password do not have to be the same as the name and password of your current Windows user.
  11. Re-enter the user password. If confirmed, displays the same password characters entered in the Password field.
  12. Use Client Certificate: This option selects a client certificate from the Personal certificate store of the Windows logged-in user. This certificate will be used for client authentication. Click the Select button to open a list of installed certificates.
  13. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
  14. Click Close.
  15. Click the Finish button to save the security settings for the profile.
  16. Select the profile from the Profile List and click Connect.
  17. If you did not select Use Windows logon (step 9) on the Security Settings dialog and also did not configure user credentials, an Enter Credentials dialog will display when attempting to connect with this profile. Enter your Windows user name and password. Check the Save User Credentials checkbox to save the credentials for future use with this 802.1x profile.
  18. Click OK to save the settings and connect to the network.

Setting up the Client for CCX using CKIP encryption and LEAP authentication

Configuring LEAP using Intel(R) PROSet for Wireless
NOTE: A LEAP profile can only be configured using Intel(R) PROSet for Wireless.  

An Intel(R) PROSet for Wireless CCX (v1.0) profile must be configured to connect to a specific ESS or Wireless LAN network. The profiles settings include LEAP, CKIP and Rogue AP detection settings.

To configure a profile for CCX security settings:

  1. From the General page, click the Networks tab.
  2. Click the Add button.
  3. Enter the profile and network (SSID) name.
  4. Select Infrastructure for the operating mode.
  5. Click the Cisco Client eXtentions check box to enable CCX security. If you have checked the Cisco's "Mixed-Cell" box in the Advanced Setting, this option must also be checked. Note: The Network authentication and the Data Encryption now include the CCX security options: Open, Shared for 802.11 Authentication and none, WEP, CKIP for Data encryption.
  6. Click Next.
  7. Select Open in the Network Authentication options.
  8. Select CKIP as the Data encryption.
  9. Click the 802.1x Enabled checkbox to enable the 802.1x security option.
  10. Select LEAP as the 802.1x Authentication Type.
  11. Select the Use Windows Logon checkbox. This feature allows the 802.1x credentials to match your Windows user name and password. Before connection to the wireless network, the Credentials dialog displays prompting you for your Windows logon credentials.
NOTE: To install the 802.1x password synchronization capability feature (Use Windows Logon), refer to Installing or Uninstalling the 802.1x Password Synchronization Capability Feature for installation instructions.     
  1. If the Use Windows Logon is not checked, click Configure to open the credentials dialog. Enter the user name and password of the user account created on the authentication server. Check the Save User Credentials checkbox to save the credentials for future use with this 802.1x profile. Note: The user name and password do not have to be the same as the name and password of your current Windows user login.
  2. Click on the Enable Rogue AP Detection if the network is setup to account for rogue APs. This setting should also be made if only the "Network-EAP" checkbox is selected in the AP configuration settings (applies to all Cisco APs).
  3. Click Close to save the settings. 
  4. Select the Networks tab.
  5. Select the CCX profile from the Profile List and click Connect.
  6. If you did not select Use Windows logon (step 11) on the Security Settings dialog and also did not configure user credentials, an Enter Credentials dialog will display when attempting to connect with this profile. Enter your Windows user name and password. Check the Save User Credentials checkbox to save the credentials for future use with this 802.1x profile.
  7. Click OK to save the settings and connect to the network.

CCX Access Point and Client Configurations

The access point provides settings to select different authentication types depending on the WLAN environment. The client sends an Authentication algorithm field during the 802.11 authentication handshake that takes place between the client and the AP during connection establishment. The Authentication algorithm values recognized by a CCX enabled AP is different for the different authentication types. For instance "Network-EAP" which denotes LEAP has a value of 0x80 while "Open" which is the 802.11 specified Open authentication and "Required EAP" which requires an EAP handshake exchange have values of 0x0.

Network-EAP only

AP: For CCX enabled networks using LEAP authentication only the authentication type is set with "Network-EAP" checkbox selected, and "Open" and "Required EAP" boxes unchecked. The AP is then configured to allow LEAP clients ONLY to authenticate and connect. In this case, the AP expects the 802.11 authentication algorithm to be set to 0x80 (LEAP), and rejects clients that attempt authentication with an Authentication algorithm value 0x0.

Client: In this case the client needs to send out an authentication algorithm value of 0x80 else the 802.11 authentication handshake would fail. During boot, when the Wireless LAN driver is already loaded, but the Intel(R) PROSet for Wireless supplicant is still unloaded, the client sends 802.11 authentication with an Authentication algorithm value of 0x0. Once the Intel(R) PROSet for Wireless supplicant loads, and engages the LEAP profile, it sends 802.11 authentication with an Authentication algorithm value of 0x80. However, the supplicant sends out 0x80 only if the Rogue AP box is checked.

Network-EAP, Open and Required EAP

AP: If Network-EAP, Open and Required EAP boxes are checked then it would accept both types of 802.11 authentication algorithm values 0x0 and 0x80. However, once the client is associated and authenticated the AP expects an EAP handshake to take place. For any reason if the EAP handshake does not take place quickly, the AP would not respond to the client for about 60 seconds.

Client: Here the client could send out an authentication algorithm value of 0x80 or 0x0. Both values are acceptable and the 802.11 authentication handshake would succeed. During boot, when the Wireless LAN driver is already loaded and the client sends 802.11 authentication with an Authentication algorithm value of 0x0. This is sufficient to get authenticated but the corresponding EAP or LEAP credentials need to be communicated to the AP to establish a connection.

Open and Required EAP only

AP: In the case where the AP is configured with Network-EAP unchecked, but Open and Required EAP checked, the AP will reject any client attempting to 802.11 authenticate using an authentication algorithm value of 0x80. The AP would accept any client using an authentication algorithm value of 0x0, and expects EAP handshake to commence soon after. In this case, the client uses MD5, TLS, LEAP or any other appropriate EAP method suitable for the specific network configuration.

Client: The client in this case is required to send out an authentication algorithm value of 0x0. As mentioned before the sequence involves a repeat of the initial 802.11 authentication handshake. First, the Wireless LAN driver initiates authentication with a value of 0x0 and later the supplicant would repeat the process. However, the authentication algorithm value used by the supplicant depends status of the Rogue AP checkbox. When the Rogue AP box is unchecked, the client sends an 802.11 authentication with Authentication algorithm value of 0x0 even after the supplicant loads and engages the LEAP profile.

Some non-Intel clients, for example, when set to LEAP, cannot authenticate in this case. However, the Intel Wireless LAN client can authenticate, if the Rogue AP is unchecked.  

Rogue AP Checkbox configuration

When the checkbox is checked it ensures that the client implements the Rogue AP feature as required by CCX. The client makes note of APs that it failed to authenticate with and sends this information to the AP that allows it to authenticate and connect. Also, the supplicant sets the Authentication algorithm type to 0x80 when the Rogue AP box is checked. There may be some network configurations implementing and Open and Required EAP only as described above. For this setup to work, the client must use an Authentication Algorithm value of 0x0, as opposed to the need to use 0x80 for Network-EAP only described above. Therefore, the Rogue AP checkbox also enables the client to support Network-EAP only and Open and Required EAP only.

Cisco CCX Feature Support

The Cisco mandatory Client Compliance Specifications Version1.0:

Note: Please refer to Cisco Client extensions version 1.0 document available at www.cisco.com for more details.

Back to Contents Page


Please read all restrictions and disclaimers.