Table of Contents

1 Overview __________________________________________________________ 2
1.1 Our Lab environment is configured as follows: ______________________________ 3
2 Set up your Certificate Authority Server ________________________________ 4
2.1 To configure a computer certificate enrollment for a Certificate Authority Server, do the following: ______ 4
2.2 Configure a User Certificate Template to use the Wave CSP ___________________ 5
2.3 To create a User Certificate Template that uses the Wave CSP follow these steps: __ 8
3 RADIUS Configuration using Microsoft’s Internet Authentication Service __ 15
3.1 Configuring IAS ______________________________________________________ 15
3.2 Installing a RADIUS Service Certificate ___________________________________ 25
4 Configuring Wireless Access Points for 802.1x __________________________ 26
5 Configure your Enterprise Domain Policy for Wireless 802.1x authentication ______ 29
5.1 To configure Wireless Network (IEEE 802.11) Policies Group Policy settings, do the following: ______ 29
6 Installing User Certificates __________________________________________ 33
6.1 Configuring User Certificates for autoenrollment ___________________________ 33
6.2 Installing a User Certificate via a Web Request _____________________________ 35
7 Configure your wireless client to access your Enterprise network using secure 802.1x ______ 42
7.1 Steps taken to configure your wireless client: _______________________________ 42
8 Table of Figures ___________________________________________________ 50

Secure 802.1x Wireless Solution Page 1 of 51


1 Overview

This article describes the steps taken to deploy secure 802.11 wireless access for
Microsoft Windows-based client computers with 802.1x authentication, using a
wireless access point in our lab. Our lab's wireless authentication infrastructure
consists of a Microsoft Windows Server 2003 domain controller, a Certification
Authority server, an Internet Authentication Service server (that is, a RADIUS
server) and an 802.1x-capable wireless access point.

This article does not go into details regarding the evolution of wireless technology
and security standards. To learn more about this, see the following links:

Wireless Networking
http://www.microsoft.com/technet/itsolutions/network/wifi/default.mspx

Wireless LAN Technologies and Microsoft Windows
http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/wrlsxp.mspx

Deployment of Secure 802.11 Networks Using Microsoft Windows
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

Securing Wireless LANs with Certificate Services
http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/PGCH03.mspx?mfr=true

This article discusses the process taken to configure the secure 802.11 wireless
infrastructure in our Lab:

• Configuring the Certificate Authority infrastructure to use the Wave CSP
• Configuring the Internet Authentication Service server (RADIUS)
• Configuring Active Directory Group Policy
• Configuring the Access Point (a NETGEAR® WG302)
• Installing user certificates
• Configuring the client (a Dell Latitude D620)

1.1 Our Lab environment is configured as follows:

• Wireless client computers (Dell Latitude D620) running Microsoft Windows XP
Pro and the Wave Systems Embassy Trust Suite software.

Windows XP has built-in support for IEEE 802.11 wireless access and IEEE
802.1X authentication using the Extensible Authentication Protocol (EAP).

• Our RADIUS (Remote Authentication Dial-In User Service) server is a Microsoft
Windows Server 2003 system running Internet Authentication Service (IAS).

It is recommended that you have at least two IAS servers (a primary and a
secondary) to provide fault tolerance for RADIUS-based authentication.

• Our Active Directory domain consists of a Microsoft Windows Server 2003 domain
controller.

The Active Directory domain contains the user accounts, computer accounts
and dial-in properties that each RADIUS server requires to authenticate
credentials and evaluate authorization.

• The Certificate Authority server runs Microsoft Windows Server 2003 Enterprise
Edition.

Enterprise Edition was used in order to take advantage of autoenrollment of
user certificates and to be able to modify (duplicate) the user certificate
template so that it uses the Wave CSP.

• NETGEAR® ProSafe™ 802.11g Wireless Access Point WG302.

This device complies with industry security standards for wireless data
encryption and user authorization. WPA and 802.1x support enable strong
mutual authentication, so that only valid clients can communicate with the
enterprise network.

2 Set up your Certificate Authority Server

Regardless of which authentication method you use for wireless connections, EAP-
TLS or PEAP-MS-CHAP v2, you must install computer certificates on the RADIUS
servers.

The computer certificate is installed on the RADIUS server so that during EAP-TLS
(or PEAP) authentication the RADIUS server has a certificate to send to the wireless
client for mutual authentication, regardless of whether the wireless client
authenticates with a computer certificate or a user certificate. The wireless client
validates this certificate (see section 7, step 6); it is the only thing that tells
the client it is talking to your RADIUS server rather than to a rogue access point.

To install Certificate Services (the Certificate Authority, CA) in your domain, log on
as a Domain Administrator and perform the steps described at:
http://technet2.microsoft.com/WindowsServer/en/library/7a2c636a-bf86-479a-8729-d9b005514ee61033.mspx

Configure your Certificate Authority to meet the needs of your enterprise PKI
policies. Our lab CA server was configured as an enterprise root certification
authority. Once the Certificate Authority service was configured on the server, a
computer certificate was needed for the server.

2.1 To configure a computer certificate enrollment for a Certificate Authority Server, do the following:

1. Open the Active Directory Users and Computers snap-in.
2. In the console tree, double-click Active Directory Users and Computers, right-
click the domain name to which your CA belongs. Click Properties.
3. On the Group Policy tab, click the appropriate Group Policy object (the default
object is Default Domain Policy). Click Edit.
4. In the console tree, open Computer Configuration, Windows Settings, Security
Settings, Public Key Policies, Automatic Certificate Request Settings.
5. Right-click Automatic Certificate Request Settings, point to New. Click
Automatic Certificate Request.
6. The Automatic Certificate Request wizard appears. Click Next.
7. In Certificate templates, click Computer. Click Next.
8. Your Enterprise CA appears on the list.
9. Click the Enterprise CA, click Next. Click Finish.
10. To immediately obtain a computer certificate for the CA Server, type the
following at a command prompt:
gpupdate /target:computer

Because this setting lives in a domain-level Group Policy object, every domain
computer within its scope (the IAS server included) autoenrolls a Computer
certificate at its next policy refresh, not only the CA server.

2.2 Configure a User Certificate Template to use the Wave CSP

In order for the Wave CSP to be available on the Certificate Authority Server, you
need to make some modifications to your Certificate Authority Server's registry.

Before making any modifications to your server's registry, it is strongly
recommended that you make a backup of it.
1. To back up the whole registry, you may use the Backup utility, which backs
up the system state. The system state includes the registry, the COM+ Class
Registration Database and your boot files. Or, you could open the Registry
Editor and export the registry to a file. (See Figures 1, 2 & 3.)

Figure 1: Registry Editor

Figure 2: Use the Export to make a backup

Figure 3: Select location to save backup

2. Once your Server Registry has been backed up, you need to create the
following files using Notepad (see Figures 4 & 5). These files will be used to
import the Wave CSP information into the Certificate Authority Server.

Figure 4: Wave TCG-Enabled CSP registry information

Figure 5: Wave TCG-Enabled SChannel CSP registry information

3. Once these files have been created you may double click on each file (see
Figure 6). You will be prompted to verify that you want to import the content
of the file into the registry (see Figures 7 & 8). Select Yes.

Figure 6: Wave TCG-Enabled CSP registry files

Figure 7: Importing Wave TCG-Enabled CSP into the server's registry

Figure 8: Importing Wave TCG-Enabled SChannel into server's registry

4. Then you will need to reboot the Certificate Authority Server before being
able to use the Wave CSP on the certificate templates. Once the server has
been rebooted, the Wave CSP and Wave SChannel CSP will be available. You
will then be able to configure the user certificate template to use the Wave
CSP.

2.3 To create a User Certificate Template that uses the Wave CSP, follow these steps:

1. Open the Microsoft Management Console (mmc) and add the Certificate
Templates snap-in and the Certification Authority snap-in.
2. Select Certificate Templates.
3. In the right pane, select User (see Figure 9). Right-click and select
Duplicate Template (see Figure 10).
4. In the right pane, you will see a new template called Copy of User. Select
and open it in order to modify it (see Figure 11).
5. In our lab environment, we called this new user certificate template Wireless
User (see Figure 12). Make sure you select the "Publish certificate in
Active Directory" checkbox. Select Apply.
6. Select the "Request Handling" tab of the Wireless User certificate template
(see Figure 13); in Purpose, select "Signature and smartcard logon."
7. On the "Request Handling" tab, select "Prompt the user during
enrollment and require user input when the private key is used." This is
what makes every use of the key, including each 802.1x authentication,
require the TPM password or fingerprint.
8. On the "Request Handling" tab, press the CSPs button; this allows you to
restrict the CSPs with which this user certificate will work (see Figure
14).
9. In the CSP Selection window, make sure you have selected "Requests must
use one of the following CSPs," and under the list of CSPs, select "Wave
TCG-Enabled CSP" and "Wave TCG-Enabled SChannel CSP." Select OK.
Restricting the template to these CSPs makes the enrollment client generate
the private key with one of them, so the key lives in the TPM rather than in
a software key container.
10. Go to the Subject Name tab of the Wireless User properties. Select "Build
from this Active Directory information." Select the subject name format and
include other information according to your enterprise policies (see Figure 15).
11. Create a group in Active Directory called Wireless Users. Users in this group
will be allowed to enroll and autoenroll user certificates. In the Security tab
of the certificate template, ensure that this group has Enroll and
Autoenroll access by checking the Allow box next to those permissions (see
Figure 16). Granting enrollment to this group rather than to Domain Users
keeps TPM-backed wireless certificates to the users who need them.
12. In the mmc, expand Certification Authority and your CA, then right-click
Certificate Templates (see Figure 17). Select New, Certificate Template to
Issue, and select Wireless User. You can now see (Figure 18) that the
Wireless User certificate template is available.

Figure 9: Certificate Authority Templates

Figure 10: Duplicate User Template

Figure 11: Modify Template General Properties

Figure 12: Modify Template Name

Figure 13: Certificate Request handling properties

Figure 14: Select CSP for User Certificate

Figure 15: Certificate Subject Name properties

Figure 16: Certificate Template Security

Figure 17: Issuing a new Certificate Template

Figure 18: Certificate Authority Templates

Note: The "Wireless User" certificate template, which uses the Wave TCG-Enabled
CSP, is now available for issuance; it is configured for user certificate
autoenrollment in Domain Group Policy in section 6.1.
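The two things that silently go wrong at this point are a .reg file that imported under the wrong key (the CSP never appears) and a template that exists in Active Directory but is not issued by the CA. The following script, an added example that is not part of the original cookbook or of Wave Systems' software, checks both on the CA server. It assumes PowerShell 2.0 or later is installed on the Windows Server 2003 CA, that the providers are registered under the names shown in the CSP Selection dialog, and that the duplicated template was given the display name "Wireless User", so that its internal (LDAP) name is "WirelessUser"; adjust those values if your names differ.

```powershell
# Added example, not part of the original cookbook or Wave Systems' software.
# Run on the Certificate Authority server after the reboot in section 2.2 (step 4)
# and after the template has been issued in section 2.3 (step 12).
# Assumptions, not taken from the page: PowerShell 2.0+ on the Windows Server 2003
# CA; provider names as shown in the CSP Selection dialog; the "Wireless User"
# display name gives the template the internal name "WirelessUser".

$expectedCsps = @('Wave TCG-Enabled CSP', 'Wave TCG-Enabled SChannel CSP')
$templateName = 'WirelessUser'   # assumption: internal name of the "Wireless User" template

# 1. Every CSP is a subkey under this path; a .reg file whose key path differs
#    imports without error but registers nothing, which is the usual failure.
$providerRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
$registered = @(Get-ChildItem $providerRoot | ForEach-Object { $_.PSChildName })

foreach ($csp in $expectedCsps) {
    if ($registered -contains $csp) {
        $props = Get-ItemProperty (Join-Path $providerRoot $csp)
        $image = [string]$props.'Image Path'
        # A bare file name is resolved from System32; a typo here leaves the CSP
        # listed but unusable, which only surfaces as a failed enrollment.
        $dll = [Environment]::ExpandEnvironmentVariables($image)
        if (-not [System.IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "system32\$dll" }
        "{0}: registered, Type={1}, Image Path={2}, DLL present={3}" -f $csp, $props.Type, $image, (Test-Path $dll)
    } else {
        "{0}: NOT registered - re-check the .reg file and reboot" -f $csp
    }
}

# 2. certutil's view is what the template's CSP dialog and the enrollment client use.
$cspList = certutil -csplist 2>&1 | Out-String
foreach ($csp in $expectedCsps) {
    "certutil -csplist shows '{0}': {1}" -f $csp, $cspList.Contains($csp)
}

# 3. The template object lives in the configuration partition; pKIDefaultCSPs holds
#    the CSP restriction from section 2.3 step 9 as "<order>,<provider name>" strings.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$templatePath = "LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($templatePath)) {
    "Template '{0}' not found in Active Directory" -f $templateName
} else {
    $template = [ADSI]$templatePath
    $cspEntries = @($template.pKIDefaultCSPs | ForEach-Object { [string]$_ })
    foreach ($entry in $cspEntries) {
        $name = $entry.Substring($entry.IndexOf(',') + 1)
        $verdict = if ($expectedCsps -contains $name) { 'expected' } else { 'UNEXPECTED - a software CSP here lets the key live outside the TPM' }
        "template CSP '{0}': {1}" -f $name, $verdict
    }
    if ($cspEntries.Count -eq 0) { "WARNING: no CSP restriction on the template; keys may be generated by a software CSP" }
}

# 4. Confirm the CA actually offers the template (section 2.3 step 12); a template
#    that exists in AD but is not issued here is rejected at enrollment time.
$issued = (certutil -CATemplates 2>&1 | Out-String).Contains($templateName)
"CA issues template '{0}': {1}" -f $templateName, $issued
```

Run it from an elevated PowerShell prompt on the CA; every line should read "registered", "True" or "expected". If step 3 lists a provider other than the two Wave CSPs, reopen the template's CSP Selection dialog (section 2.3, step 9) before any user enrolls, because certificates issued in the meantime will carry software-held keys.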

3 RADIUS Configuration using Microsoft’s Internet
Authentication Service

This section provides direction for building a RADIUS (Remote Authentication Dial-In
User Service) infrastructure for wireless LAN (WLAN) security based on Microsoft
Windows Server 2003 Internet Authentication Service (IAS). The objective of this
section is to provide the steps taken to configure the RADIUS service in our Lab
infrastructure; this section does not try to explain any of the general concepts of
RADIUS or how IAS implements the RADIUS protocol.

This section makes the following assumptions about the existing IT infrastructure:
• A deployed Windows Server 2003 Active Directory domain infrastructure exists.
• All users of the RADIUS infrastructure in this solution are members of the
Active Directory domain (or forest) that the IAS server is joined to.
• Server hardware capable of running Windows Server 2003 IAS is available.

For instructions on installing IAS, see the following article written by Microsoft:
http://support.microsoft.com/kb/317588

3.1 Configuring IAS

1. In order to enable the IAS service to read user accounts and dial-in properties
from Active Directory, you must register the IAS server. To do so, start the
IAS snap-in. Select Internet Authentication Service (Local). Right-click.
Choose Register Server in Active Directory (see Figure 19). This adds the
server's computer account to the RAS and IAS Servers group in the domain.
2. Right-click RADIUS Clients. Click New RADIUS Client. This will open the New
RADIUS Client window (see Figure 20).
3. In the New RADIUS Client window, enter the information for your access point
(see Figure 21).
4. Once the wireless access point has been added as a client, it will be shown in
the right pane of the IAS snap-in (see Figure 22).
5. Select the RADIUS client and right-click. Select Properties (see Figure 23).
This is where you enter the shared secret, which is also configured on the
access point. Use a long, random shared secret: together with the client's
source IP address it is the only thing that authenticates the access point to
IAS, and it keys the integrity checks on every RADIUS packet exchanged
between them.
6. Now go to Remote Access Policies in the IAS snap-in (see Figure 24).
Right-click. Select New Remote Access Policy. This will open the New
Remote Access Policy Wizard (Figure 25). Select Next.
7. At this point, the New Remote Access Policy Wizard will ask you to select
how to set up this policy and to give the policy a name (see Figure 26). Press
Next.
8. Now the New Remote Access Policy Wizard will prompt you to select the
method of access for this policy (see Figure 27). Select Wireless. Click
Next to continue.
9. Now the New Remote Access Policy Wizard will prompt you to enter the
users or groups that will be granted access through this policy (see Figure
28); it is recommended that you choose a group for ease of operation, for
example the Wireless Users group created in section 2.3. Once you have
entered the users/groups to be granted access, press Next to continue.
10. Now you will be prompted to select the type of EAP to be used for this policy.
We chose Smart Card or other certificate (see Figure 29), then press Next
to continue.
11. You will now see the new policy on the right side of the IAS snap-in. You
can modify its properties by right-clicking on the policy and selecting
Properties (see Figures 30, 31, 32 and 33).

Figure 19: Internet Authentication Service Console

Figure 20: Create a new RADIUS client

Figure 21: Creating new RADIUS client

Figure 22: RADIUS client

Figure 23: Modify RADIUS client properties

Figure 24: Create a New Remote Access Policy

Figure 25: Remote Access Policy Wizard Starts

Figure 26: How do you want to set up policy?

Figure 27: Select Method of access for this policy

Figure 28: Select User or Group access

Figure 29: Select Authentication method

Figure 30: Configure Policy properties

Figure 31: Select Policy conditions

Figure 32: Verify Authentication information

Figure 33: Selecting EAP providers

3.2 Installing a RADIUS Service Certificate

In order for the RADIUS server to be able to process certificate-based (EAP-TLS)
logons, it needs a certificate installed for that service: a computer certificate
with the Server Authentication purpose in the local computer's Personal store. The
RAS and IAS Server template grants Enroll to the RAS and IAS Servers group, which
the IAS server joined when it was registered in Active Directory (section 3.1, step
1). To obtain the certificate for the RADIUS server, do the following:

1. Log on to the CA server and open the Certification Authority console.
2. Go to the Certificate Templates node and click Action > New > Certificate
Template to Issue.
3. Click the RAS and IAS Server template and click OK.
4. Log on to the RADIUS server as the domain administrator.
5. Click Start > Run, type mmc.
6. Click File > Add/Remove Snap-in.
7. Click Add.
8. Click Certificates. Click Add.
9. Click Computer account. Click Next.
10. Click Finish.
11. Click Close.
12. Click OK.
13. Expand Certificates.
14. Click Personal.
15. Click Action > All Tasks > Request New Certificate.
16. Select the RAS and IAS Server template. Click Next.
17. Give it a name. Click Next.
18. Click Finish.

4 Configuring Wireless Access Points for 802.1x

The procedure for configuring wireless access points (APs) varies depending on the
make and model of the device; AP vendors generally provide instructions for
configuring the device. The following are the essential items needed to configure
the AP for 802.1x authentication:
• 802.1x networking settings
• IP address of the primary RADIUS server
• RADIUS shared secret for the primary RADIUS server
• IP address of the secondary RADIUS server
• RADIUS shared secret for the secondary RADIUS server

It is recommended that you have a primary and a secondary RADIUS server for
redundancy. For the purpose of this document, we only configured a primary
RADIUS server, and that information was entered into the access point as follows.

We used a NETGEAR® ProSafe™ 802.11g Wireless Access Point WG302; the
instructions and figures displayed in this section pertain to configuring that device.
The shared secret entered here must match the one entered for the RADIUS client
in IAS (section 3.1, step 5). RADIUS traffic between the AP and IAS travels over the
wired network, so keep that segment and the AP's management interface away from
untrusted hosts.

The figures shown below are the essential information for configuring the access
point used in our lab to communicate with the lab's RADIUS server.

Figure 34: RADIUS Server configuration

Figure 35: Access Point Security Profile settings

Figure 36: Select proper network Authentication

Figure 37: Select the proper data encryption
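The shared secret that section 3.1 (step 5) has you type into the IAS client entry and that this section has you type into the WG302 is not just a password the AP presents: it keys the HMAC-MD5 Message-Authenticator that protects every EAP exchange (RFC 3579) and the MD5 Response Authenticator that proves an Access-Accept or Access-Challenge came from the real IAS server (RFC 2865). The following PowerShell script, an added example that is not part of the original cookbook or of any Microsoft or NETGEAR tool, builds a constructed Access-Request carrying an EAP Response/Identity, computes both authenticators for it and for a constructed Access-Challenge, and then checks them with the right secret and with a guessed one. It assumes PowerShell 2.0 or later; the secret, the identity "WAVELAB\alice", the packet identifier and the EAP contents are sample data made up for the example.

```powershell
# Added example, not part of the original cookbook. Demonstrates what the RADIUS
# shared secret protects (RFC 2865 Response Authenticator, RFC 3579
# Message-Authenticator). All packet contents, identities and secrets are
# constructed sample data; nothing here talks to a real IAS server or AP.

function Get-Md5Hash([byte[]]$Data) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    try { $hash = $md5.ComputeHash($Data); return ,$hash } finally { $md5.Clear() }
}

function Get-HmacMd5([byte[]]$Key, [byte[]]$Data) {
    $hmac = New-Object System.Security.Cryptography.HMACMD5 (,$Key)
    try { $mac = $hmac.ComputeHash($Data); return ,$mac } finally { $hmac.Clear() }
}

function Get-HexString([byte[]]$Bytes) { return [System.BitConverter]::ToString($Bytes) }

# One attribute: Type(1) Length(1, counts the two header bytes) Value.
function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    return ,[byte[]](@([byte]$Type, [byte]($Value.Length + 2)) + $Value)
}

# Code(1) Identifier(1) Length(2, big-endian) Authenticator(16) Attributes.
function New-RadiusPacket([byte]$Code, [byte]$Id, [byte[]]$Authenticator, [byte[]]$Attributes) {
    $length = 20 + $Attributes.Length
    $header = @([byte]$Code, [byte]$Id, [byte][math]::Floor($length / 256), [byte]($length % 256))
    return ,[byte[]]($header + $Authenticator + $Attributes)
}

# Message-Authenticator (attribute 80) = HMAC-MD5(secret, whole packet with the 16
# value bytes zeroed). Replies are signed with the *request's* authenticator in
# place. This example always puts the attribute last so its offset is known.
function Set-MessageAuthenticator([byte[]]$Packet, [byte[]]$Secret) {
    $signed = [byte[]]$Packet.Clone()
    [Array]::Clear($signed, $signed.Length - 16, 16)
    $mac = Get-HmacMd5 $Secret $signed
    [Array]::Copy($mac, 0, $signed, $signed.Length - 16, 16)
    return ,$signed
}

function Test-MessageAuthenticator([byte[]]$Packet, [byte[]]$Secret) {
    $received   = [byte[]]$Packet[($Packet.Length - 16)..($Packet.Length - 1)]
    $resigned   = Set-MessageAuthenticator $Packet $Secret
    $recomputed = [byte[]]$resigned[($Packet.Length - 16)..($Packet.Length - 1)]
    return (Get-HexString $received) -eq (Get-HexString $recomputed)
}

# Response Authenticator = MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret).
function Test-ResponseAuthenticator([byte[]]$Response, [byte[]]$RequestAuthenticator, [byte[]]$Secret) {
    $attributes = @()
    if ($Response.Length -gt 20) { $attributes = $Response[20..($Response.Length - 1)] }
    $signedData = [byte[]]($Response[0..3] + $RequestAuthenticator + $attributes + $Secret)
    $expected = Get-Md5Hash $signedData
    return (Get-HexString $expected) -eq (Get-HexString ([byte[]]$Response[4..19]))
}

# A secret worth typing into IAS and the AP: 32 characters from a 64-symbol
# alphabet (256 is a multiple of 64, so the byte-to-symbol mapping is unbiased).
function New-RadiusSharedSecret([int]$Length = 32) {
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# --- Constructed exchange: the AP relays an EAP Response/Identity, IAS answers EAP-TLS Start ---
$secret = [System.Text.Encoding]::ASCII.GetBytes((New-RadiusSharedSecret))
$guess  = [System.Text.Encoding]::ASCII.GetBytes('netgear')   # what an attacker on the wired segment might try
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$requestAuth = New-Object byte[] 16
$rng.GetBytes($requestAuth)

$identity = [System.Text.Encoding]::ASCII.GetBytes('WAVELAB\alice')       # sample identity
$eapLen = 5 + $identity.Length                                           # EAP header(4) + type(1) + identity
$eapIdentity = [byte[]](@(2, 1, [byte][math]::Floor($eapLen / 256), [byte]($eapLen % 256), 1) + $identity)

$userName  = New-RadiusAttribute 1 $identity                 # User-Name
$eapMsg    = New-RadiusAttribute 79 $eapIdentity             # EAP-Message
$macHolder = New-RadiusAttribute 80 (New-Object byte[] 16)   # Message-Authenticator, zero placeholder
$accessRequest = Set-MessageAuthenticator (New-RadiusPacket 1 42 $requestAuth ([byte[]]($userName + $eapMsg + $macHolder))) $secret

$eapTlsStart = [byte[]]@(1, 2, 0, 6, 13, 0x20)                 # EAP Request, id 2, type 13 (EAP-TLS), S flag
$respAttrs = [byte[]]((New-RadiusAttribute 79 $eapTlsStart) + (New-RadiusAttribute 80 (New-Object byte[] 16)))
$withMac = Set-MessageAuthenticator (New-RadiusPacket 11 42 $requestAuth $respAttrs) $secret
$responseAuth = Get-Md5Hash ([byte[]]($withMac[0..3] + $requestAuth + $withMac[20..($withMac.Length - 1)] + $secret))
$accessChallenge = [byte[]]($withMac[0..3] + $responseAuth + $withMac[20..($withMac.Length - 1)])

"Access-Request Message-Authenticator, correct secret : {0}" -f (Test-MessageAuthenticator $accessRequest $secret)
"Access-Request Message-Authenticator, guessed secret : {0}" -f (Test-MessageAuthenticator $accessRequest $guess)
"Access-Challenge Response Authenticator, correct secret: {0}" -f (Test-ResponseAuthenticator $accessChallenge $requestAuth $secret)
"Access-Challenge Response Authenticator, guessed secret: {0}" -f (Test-ResponseAuthenticator $accessChallenge $requestAuth $guess)
```

The four lines should print True, False, True, False. The guessed-secret checks are the attacker's view: anyone who can capture one request and its reply on the wired segment between the WG302 and IAS can test candidate secrets offline against the Response Authenticator at MD5 speed, and a secret that passes lets them forge an Access-Accept for any client. That is why the secret should come from a generator like New-RadiusSharedSecret rather than from a word list, and why the AP-to-IAS segment belongs on a management VLAN.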

5 Configure your Enterprise Domain Policy for Wireless 802.1x authentication

Windows Server 2003 provides the Wireless Network (IEEE 802.11) Policies Group
Policy extension. This enables administrators to specify a list of preferred networks
and their settings to automatically configure wireless LAN settings for clients running
Windows XP with SP1, Windows XP with SP2 or Windows Server 2003.

For each preferred network, you can specify association settings (such as the SSID,
authentication and encryption method) and 802.1x authentication settings, such as
the specific EAP type. These settings are applied by the Windows Wireless Zero
Configuration service; a client whose adapter is managed by a vendor utility instead
(as with the Intel PROSet/Wireless software used in section 7) must be configured in
that utility.

5.1 To configure Wireless Network (IEEE 802.11) Policies Group Policy settings, do the following:

1. Open the Active Directory Users and Computers snap-in.
2. In the console tree, double-click Active Directory Users and Computers,
right-click the domain or organizational unit that contains the wireless client
computer accounts (this is a Computer Configuration policy). Click Properties.
3. On the Group Policy tab, click the appropriate Group Policy object (the
default object is Default Domain Policy). Click Edit.
4. In the console tree, open Computer Configuration, Windows Settings,
Security Settings, Wireless Network (IEEE 802.11) Policies.
5. Right-click Wireless Network (IEEE 802.11) Policies. Click Create
Wireless Network Policy. In the Wireless Network Policy Wizard, type a
name and description.
6. In the details pane, double-click your newly created wireless network policy.
7. Change settings on the General tab as needed (see Figure 38).
8. Click the Preferred Networks tab. Click Add to add a preferred network.
9. On the Network Properties tab, type the wireless network name (SSID) and
change the wireless network key settings as needed (see Figure 39). In our
environment, the network name (SSID) is WaveLab.
10. Click the IEEE 802.1x tab. Change the 802.1x settings as needed, including
specifying and configuring the correct EAP type. In our lab environment, we
used an EAP type of Smart Card or other certificate (see Figure 40).
11. Click OK twice to save changes.

Figure 38: Wireless network policies properties

Figure 39: Wireless network preferred networks properties

Figure 40: Wireless network policy – IEEE 802.1x properties

6 Installing User Certificates

As an IT administrator in your organization, you have two options for installing user
certificates in your enterprise:
• Use your domain autoenrollment feature
• Have the user manually request and install the user certificate

6.1 Configuring User Certificates for autoenrollment

If you are using a Windows Server 2003, Enterprise Edition or Windows Server 2003,
Datacenter Edition enterprise CA as an issuing CA, you can install user certificates
through autoenrollment. Configuring user certificate autoenrollment for wireless user
certificates requires you to duplicate existing certificate templates, a feature that is
only supported on Windows Server 2003, Enterprise Edition or Windows Server
2003, Datacenter Edition enterprise CAs. (See section 2.2, Configure a User
Certificate Template to use the Wave CSP.)

Figure 41: Set up User for Certificate autoenrollment

6.1.1 To configure User Certificate enrollment for an enterprise
Certificate Authority:

Steps 1 to 19 repeat the template creation of section 2.3; if the Wireless User
template already exists and is issued by the CA, skip to step 20.

1. Click Start, click Run, type mmc. Click OK.
2. On the File menu, click Add/Remove Snap-in. Click Add.
3. Under Snap-in, double-click Certificate Templates, click Close. Click OK.
4. In the console tree, click Certificate Templates. All of the certificate templates
will be displayed in the details pane.
5. In the details pane, click the User template.
6. On the Action menu, click Duplicate Template.
7. In the Display Name field, type Wireless User (you can use your company
naming policies).
8. Make sure that the Publish certificate in Active Directory checkbox is
selected.
9. Click the Request Handling tab.
10. Make sure that "Prompt the user during enrollment and require user input when
the private key is used" is selected.
11. Click the CSPs button.
12. Select the Wave TCG-Enabled CSPs. Click OK.
13. Click the Security tab.
14. In the Group or user names field, click the group that should receive wireless
user certificates: Domain Users if every user needs one, or the Wireless Users
group from section 2.3 to limit enrollment to the users who need wireless access.
15. In the Permissions list for that group, select the Enroll and Autoenroll
permission checkboxes. Click OK.
16. Open the Certification Authority snap-in.
17. In the console tree, open Certification Authority, CA name, Certificate
Templates.
18. On the Action menu, point to New. Click Certificate Template to Issue.
19. Click Wireless User (example). Click OK.
20. Open the Active Directory Users and Computers snap-in.
21. In the console tree, double-click Active Directory Users and Computers.
Right-click the domain or organizational unit that contains the wireless user
accounts. Click Properties.
22. On the Group Policy tab, click the appropriate Group Policy object (the default
object is Default Domain Policy). Click Edit.
23. In the console tree, open User Configuration, Windows Settings, Security
Settings, Public Key Policies.
24. In the details pane, double-click Autoenrollment Settings.
25. Click Enroll certificates automatically (see Figure 41).
26. Select the "Renew expired certificates, update pending certificates and remove
revoked certificates" checkbox.
27. Select the "Update certificates that use certificate templates" checkbox. Click
OK.

Note:
(1) The next time the user logs on, a balloon in the system tray informs them that a
user certificate is being installed; because the template requires user input, the
Wave CSP prompts for the TPM credential while the key is generated.
(2) The instructions provided above are for a Certificate Authority running on
Microsoft Windows Server 2003, Enterprise Edition or Windows Server 2003,
Datacenter Edition.

6.2 Installing a User Certificate via a Web Request

If your environment does not support user autoenrollment, you can have the user
enroll manually by requesting and installing a user certificate via a web request.
Remember that for certificate requests via the web, the Certificate Services web
enrollment pages (and therefore the IIS web service) must be installed on the
Certificate Authority server.

6.2.1 To install a User Certificate via Web Request:

1. Open Internet Explorer. In the address bar, type http://ServerName/certsrv,
where ServerName is the name of the Windows server on which the certification
authority (CA) that you want to access is located (see Figure 42).
2. Click Request a Certificate.
3. In Request a Certificate (see Figure 43), click Advanced Certificate
Request.
4. In Advanced Certificate Request (see Figure 44), click Create and
submit a request to this CA.
5. You will now be able to choose the certificate template that you created with
the Wave TCG-Enabled CSP (see Figure 45 for details); the CSP shown for the
request should be the Wave TCG-Enabled CSP. Click Submit.
6. Depending on Internet Explorer's security zone settings for the CA's web site,
you may be warned that the web site is requesting a new certificate on your
behalf (see Figure 46). Click Yes.
7. At this point, the certificate request (and the key pair, inside the TPM) is being
generated on your computer (see Figure 47). You will be prompted to
authenticate several times as the TPM keys are created and verified. For the
best user experience, you should use the EMBASSY Security Center to create
a TCG Security Password Vault ahead of time.
8. When the certificate request has completed, you will be prompted to install
the certificate (see Figure 48). Click Install this certificate. Once the
certificate has been successfully installed, you will be notified (see Figure 49).

Figure 42: Request a Certificate

Figure 43: Request a Certificate

Figure 44: Advanced Certificate Request

Figure 45: Advanced Certificate Request

Figure 46: Website requesting certificate on your behalf

Figure 47: Generating certificate

Figure 48: Certificate issued

Figure 49: Certificate successfully installed

7 Configure your wireless client to access your
Enterprise network using secure 802.1x

Once the user has installed their user certificate, either by autoenrollment or by a
web request, he or she is ready to configure the wireless portion. For the purpose of
this cookbook, we used a Dell Latitude D620 with an Intel® PRO/Wireless 3945ABG
network adapter, using the Intel® PROSet/Wireless software version 10.1.0.3 to
configure our wireless access.

7.1 Steps taken to configure your wireless client:

1. Go to the system tray and open the Intel PROSet/Wireless utility (see
Figure 50).
2. Select the wireless network in question (see Figure 51). Click
Profiles.
3. Verify the Profile Name and Wireless Network Name and select Network as
the operating mode (see Figure 52). Click Next.
4. Configure the Security Settings section as follows (see Figures 53 &
54):
a) Select Enterprise Security.
b) Check the "Enable 802.1x" box.
c) Set Network Authentication: WPA2 – Enterprise.
d) Set Data Encryption: TKIP. This must match the data encryption
selected in the access point's security profile (Figure 37). Where the
access point and the adapter both support it, AES-CCMP is the
stronger choice for WPA2.
e) Set Authentication Type: TLS.
5. Configure the TLS User as follows (see Figure 55):
a) Select Use a User Certificate on this computer.
b) Click the Select button. Select a user certificate that was
created using the Wave TCG-Enabled CSP (the Wireless User
certificate template). Click OK.
c) Click Next.
6. Configure the TLS Server as follows (see Figures 56 & 57):
a) Check the "Validate Server Certificate" box.
b) Select from the Certificate Issuer list. Choose the Certificate
Authority that issued the RADIUS server's certificate (in our lab,
the same enterprise CA that issues the Wireless User
certificates).
c) Click OK.
Leave server validation enabled and restricted to your own CA: it is
the client's half of the mutual authentication. Without it the client
would complete the TLS handshake with any RADIUS server that
presents a certificate, including one behind a rogue access point.
7. Click Connect (see Figure 58). This will start the 802.1x
authentication process.
8. A window will be displayed (see Figure 59), prompting you to
authenticate to your TCG Security Password Vault. If you are using
biometrics, you will need to swipe your finger (see Figure 60). This
method of authentication assumes that you have used the EMBASSY
Security Center to initialize a TCG Security Password Vault. If not, you
will be prompted for an individual password here.
9. Once the authentication is validated, the connection will be established
(see Figures 61 & 62).
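Before connecting, it is worth confirming that both EAP-TLS peers hold what the handshake needs: the IAS server a certificate with the Server Authentication purpose (section 3.2), and the client a certificate with the Client Authentication purpose whose private key actually sits behind the Wave CSP, not in a software key container. The following script, an added example that is not part of the original cookbook or of Wave Systems' software, does that check from the certificate store of whichever machine it is run on. It assumes PowerShell 2.0 or later is installed on the IAS server and on the Dell client, that the Wave providers carry the names shown in the template's CSP dialog, and that reading the key container information may trigger the Wave password or fingerprint prompt, since the template requires user input whenever the key is used.

```powershell
# Added example, not part of the original cookbook or Wave Systems' software.
# Run on the IAS server (LocalMachine store, section 3.2) and on the client as the
# wireless user (CurrentUser store, section 7 step 5).
# Assumptions, not taken from the page: PowerShell 2.0+ on both machines; Wave
# provider names as shown in the template's CSP dialog; touching the private key
# may raise the Wave TPM credential prompt.

$oidServerAuth = '1.3.6.1.5.5.7.3.1'   # required on the RADIUS server certificate
$oidClientAuth = '1.3.6.1.5.5.7.3.2'   # required on the wireless user certificate
$tpmProviders  = @('Wave TCG-Enabled CSP', 'Wave TCG-Enabled SChannel CSP')

function Get-EnhancedKeyUsageOids($Certificate) {
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext -eq $null) { return @() }
    $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext
    return @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

function Test-EapCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation,
        [string[]]$RequiredE
ku,
        [bool]$RequireTpmKey
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', $StoreLocation
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey) { continue }
            $ekus = Get-EnhancedKeyUsageOids $cert
            $missing = @($RequiredEku | Where-Object { $ekus -notcontains $_ })
            if ($missing.Count -gt 0) { continue }   # not usable for this EAP role

            # Verify() builds and checks the chain (trust anchor, validity period,
            # revocation per the machine's policy): the same test the peer applies
            # to this certificate during the TLS handshake.
            $chainOk = $cert.Verify()

            $provider = '(private key not accessible)'; $hardware = $false; $exportable = $null
            try {
                $info = $cert.PrivateKey.CspKeyContainerInfo
                $provider = $info.ProviderName; $hardware = $info.HardwareDevice; $exportable = $info.Exportable
            } catch { }
            $tpmOk = $tpmProviders -contains $provider

            "Subject     : {0}" -f $cert.Subject
            "Issuer      : {0}" -f $cert.Issuer
            "Valid until : {0}" -f $cert.NotAfter
            "Chain valid : {0}" -f $chainOk
            "CSP         : {0} (hardware={1}, exportable={2})" -f $provider, $hardware, $exportable
            if ($RequireTpmKey -and -not $tpmOk) {
                "WARNING: private key is not held by a Wave TPM CSP; the template's CSP restriction was not applied"
            }
            if (-not $chainOk) {
                "WARNING: chain does not validate; check that the enterprise CA certificate is trusted and its CRL is reachable"
            }
            ""
        }
    } finally { $store.Close() }
}

# On the IAS server: the certificate it presents to wireless clients (section 3.2).
Test-EapCertificate -StoreLocation LocalMachine -RequiredEku @($oidServerAuth) -RequireTpmKey $false

# On the client, logged on as the wireless user: the certificate it presents to IAS (section 7).
Test-EapCertificate -StoreLocation CurrentUser -RequiredEku @($oidClientAuth) -RequireTpmKey $true
```

On the client the expected report shows one certificate whose CSP line names a Wave TCG-Enabled provider with hardware=True and exportable=False; a Microsoft software provider there means the key can be copied off the laptop with the certificate, and the template's CSP restriction (section 2.3, step 9) should be fixed before re-enrolling. On the IAS server the Issuer line should match the CA chosen in step 6b above, otherwise the client's server validation will reject the connection.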

Figure 50: Intel PROSet/Wireless utility

Figure 51: Intel PROSet/Wireless utility

Figure 52: Wireless profile properties - general settings

Figure 53: Wireless profile properties - security settings

Figure 54: Wireless profile properties - security settings

Figure 55: Wireless profile properties - security settings - TLS User

Figure 56: Select User Certificate

Figure 57: Wireless profile properties - security settings - TLS Server

Figure 58: Connect to your wireless

Figure 59: Ready to Authenticate

Figure 60: Swipe your fingerprint

Figure 61: Connecting to your wireless network

Figure 62: You are now connected to your wireless network

8 Table of Figures

Figure 1: Registry Editor....................................................................................5
Figure 2: Use the Export to make a backup ..........................................................5
Figure 3: Select location to save backup ..............................................................6
Figure 4: Wave TCG-Enabled CSP registry information ..........................................6
Figure 5: Wave TCG-Enabled SChannel CSP registry information ............................7
Figure 6: Wave TCG-Enabled CSP registry files ....................................................7
Figure 7: Importing Wave TCG-Enabled CSP into the server's registry .....................7
Figure 8: Importing Wave TCG-Enabled SChannel into server's registry...................7
Figure 9: Certificate Authority Templates ............................................................9
Figure 10: Duplicate User Template....................................................................9
Figure 11: Modify Template General Properties .................................................. 10
Figure 12: Modify Template Name.................................................................... 10
Figure 13: Certificate Request Handling properties ............................................. 11
Figure 14: Select CSP for User Certificate.......................................................... 12
Figure 15: Certificate Subject Name properties .................................................. 13
Figure 16: Certificate Template Security ........................................................... 13
Figure 17: Issuing a new Certificate Template.................................................... 14
Figure 18: Certificate Authority Templates.......................................................... 14
Figure 19: Internet Authentication Service Console............................................. 16
Figure 20: Create a new RADIUS client ............................................................. 17
Figure 21: Creating new RADIUS client ............................................................. 17
Figure 22: RADIUS client ................................................................................ 18
Figure 23: Modify RADIUS client properties ........................................................ 18
Figure 24: Create a New Remote Access Policy .................................................. 19
Figure 25: Remote Access Policy Wizard Starts .................................................. 19
Figure 26: How do you want to set up policy? .................................................... 20
Figure 27: Select Method of access for this policy ............................................... 20
Figure 28: Select User or Group access............................................................. 21
Figure 29: Select Authentication method........................................................... 22
Figure 30: Configure Policy properties ............................................................... 22
Figure 31: Select Policy conditions ................................................................... 23
Figure 32: Verify Authentication information...................................................... 23
Figure 33: Selecting EAP Providers ................................................................... 24
Figure 34: RADIUS Server configuration ............................................................ 26
Figure 35: Access Point Security Profile settings ................................................. 27
Figure 36: Select proper network Authentication ................................................ 27
Figure 37: Select the proper data encryption ..................................................... 28
Figure 38: Wireless Network Policies properties.................................................. 30
Figure 39: Wireless Network preferred networks properties ................................. 31
Figure 40: Wireless Network Policy – IEEE 802.1 Properties ................................. 32
Figure 41: Set up User for Certificate autoenrollment.......................................... 33
Figure 42: Request a Certificate....................................................................... 36
Figure 43: Request a Certificate....................................................................... 37
Figure 44: Advanced Certificate Request ........................................................... 38
Figure 45: Advanced Certificate Request ........................................................... 39
Figure 46: Website requesting certificate on your behalf...................................... 39
Figure 47: Generating certificate...................................................................... 40
Figure 48: Certificate issued............................................................................ 41
Figure 49: Certificate successfully installed........................................................ 41
Figure 50: Intel PROSet/Wireless utility ............................................................ 43
Figure 51: Intel PROSet/Wireless utility ............................................................ 43
Figure 52: Wireless profile properties - general settings ...................................... 44
Figure 53: Wireless Profile properties - security settings..................................... 44
Figure 54: Wireless Profile properties - security settings...................................... 45
Figure 55: Wireless Profile properties - security settings - TLS User ...................... 45
Figure 56: Select User Certificate ..................................................................... 46
Figure 57: Wireless Profile properties - security settings - TLS Server ................... 46
Figure 58: Connect to your wireless ................................................................. 47
Figure 59: Ready to Authenticate ..................................................................... 47
Figure 60: Swipe your fingerprint..................................................................... 48
Figure 61: Connecting to your wireless network ................................................. 48
Figure 62: You are now connected to your wireless network ................................ 49