WLAN setup in Windows XP Pro

Ray
Guest
08-09-2004
Can someone explain to me the function of "Enable IEEE 802.1x authentication
for this network and EAP type: Smart Card or other Certificate" in wireless
network properties. I found in some notebook computers that enabling it
will cause intermittent connection dropout and I have to disable it to have
a steady connection. Your advice is highly appreciated.

Thanks,

Ray


mont4982
Guest
08-09-2004
Here read this. For visuals go here:
http://www.microsoft.com/technet/com...uy/cg0402.mspx

Below is the article without the visuals:

The IEEE 802.1X standard defines port-based network access control that is
used to provide authenticated network access for Ethernet networks.
Port-based network access control uses the physical characteristics of a
switched LAN infrastructure to authenticate devices that are attached to a
switch port. The ability to send and receive frames using an Ethernet switch
port is denied if the authentication process fails. While this standard is
designed for wired Ethernet networks, it has been adapted for use on IEEE
802.11 wireless LANs. Windows XP supports IEEE 802.1X authentication for all
LAN-based network adapters, including Ethernet and wireless.

IEEE 802.1X defines the following terms:

• Port access entity

• Authenticator

• Supplicant

• Authentication server


Port Access Entity

A port access entity (PAE), also known as a LAN port, is a logical entity
that supports the IEEE 802.1X protocol that is associated with a port. A LAN
port can adopt the role of authenticator, supplicant, or both.

Authenticator

An authenticator is a LAN port that enforces authentication before allowing
access to services that are accessed through the port. For wireless
connections, the authenticator is the logical LAN port on a wireless access
point (AP) through which wireless clients, operating in infrastructure mode,
gain access to the wired network.

Supplicant

The supplicant is a LAN port that requests access to services that are
accessed through the authenticator. For wireless connections, the supplicant
is the logical LAN port on a wireless LAN network adapter that requests
access to the wired network. It does this by associating with, and then
authenticating itself to, an authenticator.

Whether they are used for wireless connections or wired Ethernet
connections, the supplicant and authenticator are connected by a logical or
physical point-to-point LAN segment.

Authentication server

To verify the credentials of the supplicant, the authenticator uses an
authentication server. The authentication server checks the credentials of
the supplicant on behalf of the authenticator, and then responds to the
authenticator, indicating whether or not the supplicant is authorized to
access the authenticator's services. The authentication server might be:

• A component of the AP.

The AP must be configured with the sets of user credentials that correspond
to the clients that are attempting to connect. This is typically not
implemented for wireless APs.

• A separate entity.

The AP forwards the credentials of the connection attempt to a separate
authentication server. Typically, a wireless AP uses the Remote
Authentication Dial-In User Service (RADIUS) protocol to send the connection
attempt parameters to a RADIUS server.


Controlled and Uncontrolled Ports
The authenticator's port-based access control defines the following types
of logical ports, which access the wired LAN through a single, physical LAN
port:

• Uncontrolled port

The uncontrolled port allows an uncontrolled exchange of data between the
authenticator (the wireless AP) and other networking devices on the wired
network, regardless of any wireless client's authorization state. A good
example of this is the exchange of RADIUS messages between a wireless AP and
a RADIUS server on the wired network, which provides authentication and
authorization of wireless connections. Frames that are sent by the wireless
client are never forwarded by the wireless AP through the uncontrolled port.

• Controlled port

The controlled port allows data to be sent between a wireless client and the
wired network, but only if the wireless client is authenticated. Before
authentication, the switch is open and no frames are forwarded between the
wireless client and the wired network. After the wireless client is
successfully authenticated using IEEE 802.1X, the switch is closed and frames
are forwarded between the wireless client and nodes on the wired network.


The relationship of the controlled and uncontrolled port for a wireless AP
is shown in the following figure.

On an authenticating Ethernet switch, the wired Ethernet client can send
Ethernet frames to the wired network as soon as authentication is completed.
The switch identifies the traffic of a specific wired Ethernet client by
using the physical port to which the Ethernet client is connected. Typically,
only a single Ethernet client is connected to a physical port on the Ethernet
switch.

Because multiple wireless clients contend for access to and send data using
the same channel, an extension to the basic IEEE 802.1X protocol is required
to allow a wireless AP to identify the secured traffic of a specific wireless
client. This is done through the mutual determination of a per-client unicast
session key by the wireless client and wireless AP. Only authenticated
wireless clients have a correctly determined per-client unicast session key.
Without a valid unicast session key tied to a successful authentication,
frames that are sent by an unauthenticated wireless client are silently
discarded by the wireless AP.

Extensible Authentication Protocol
To provide a standard authentication mechanism for IEEE 802.1X, IEEE chose
the Extensible Authentication Protocol (EAP). EAP is a Point-to-Point
Protocol (PPP)-based authentication technology that was adapted for use on
point-to-point LAN segments. Because EAP messages were originally defined to
be sent as the payload of PPP frames, the IEEE 802.1X standard defines EAP
over LAN (EAPOL), which is a method of encapsulating EAP messages so that
they can be sent over Ethernet or wireless LAN segments.

For the authentication of wireless connections, Windows XP uses the
EAP-Transport Level Protocol (EAP-TLS). EAP-TLS is defined in RFC 2716 and is
used in certificate-based security environments. The EAP-TLS exchange of
messages provides mutual authentication, integrity-protected cipher suite
negotiation, and mutual determination of encryption and signing key material
between the wireless client and the authenticating server (the RADIUS
server). After authentication and authorization, the RADIUS server sends the
encryption and signing keys to the wireless AP by using the RADIUS
Access-Accept message.

EAP-TLS, with registry-based user and computer certificates, is the
authentication method for Windows XP-based wireless connectivity for the
following reasons:

• EAP-TLS does not require any dependencies on the user account password.

• EAP-TLS authentication occurs automatically, with no intervention by the
user.

• EAP-TLS uses certificates, providing a strong authentication scheme.


Windows XP Support for IEEE 802.1X
In Windows XP, IEEE 802.1X authentication with the EAP-TLS authentication
type is enabled by default for all LAN-based network adapters. To configure
802.1X settings on a computer running Windows XP, use the Authentication tab
on the properties of a LAN connection in Network Connections.

The Authentication tab is shown in the following figure.

On the Authentication tab, you can configure the following:

• Enable network access control using IEEE 802.1X: This check box specifies
whether you want to use IEEE 802.1X to perform authentication for this
connection. This option is enabled by default.

A Windows XP LAN connection sends three EAP-Start messages in an attempt to
prompt the authenticator (the Ethernet switch or wireless AP) to begin the
EAP-based authentication process. If an EAP-Request/Identity message is not
received, IEEE 802.1X authentication is not required for the port and the LAN
connection sends normal traffic to configure network connectivity. If an
EAP-Request/Identity message is received, IEEE 802.1X authentication begins.

Therefore, for an Ethernet LAN connection, leaving this setting enabled when
the Ethernet switch does not support IEEE 802.1X does not impair
connectivity. However, disabling this setting when the Ethernet switch does
require IEEE 802.1X authentication does impair network connectivity.

• EAP type: You can use this option to select the EAP type to use for IEEE
802.1X authentication. The list corresponds to the EAP dynamic link libraries
(DLLs) installed on the computer. The default EAP types are MD-5 Challenge
and Smart Card or other Certificate. The Smart Card or other Certificate type
is for EAP-TLS. By default, Smart Card or other Certificate EAP is selected
and must be used for secure wireless access.

• Properties: Click to configure the properties of the selected EAP type.
Properties are not available for the MD-5 Challenge EAP type.

• Authenticate as computer with computer information is available: This check
box specifies whether the computer attempts to authenticate using computer
credentials (such as a computer certificate), without the user logging on.
This option is enabled by default.

• Authenticate as guest when user or computer information is unavailable:
This check box specifies whether the computer attempts to authenticate as a
guest when either user or computer credentials are not available. This option
is disabled by default.


The properties of the Smart Card or other Certificate Properties EAP type
(corresponding to EAP-TLS) are shown in the following figure.

From the Smart Card or other Certificate Properties dialog box, you can view
and configure the following:

• When connecting: To use a certificate in the Current User or Local Computer
certificate stores for authentication, select Use a certificate on this
computer (this is selected by default). When there are multiple user
certificates installed, the user is prompted to select a specific user
certificate for the first association. The use of that user certificate is
cached for reassociations, which will occur until the Windows XP user session
has ended. Windows XP does not support the use of smart cards for secure
wireless authentication.

• Validate server certificate: This check box specifies whether you want to
validate the computer certificate of the authenticating server (typically a
RADIUS server). This option is enabled by default.

• Connect only if server name ends with: This check box specifies whether you
want to provide text that must match the last part of the name in the
authenticating server's computer certificate. This option is disabled by
default. For most deployments, in which more than one RADIUS server is used,
you can type the part of the Domain Name System (DNS) name that is common to
all of the RADIUS servers. For example, if you have two RADIUS servers named
rad1.example.microsoft.com and rad2.example.microsoft.com, then type the text
"example.microsoft.com". If you enable this option and type the wrong text,
wireless authentication will fail.

• Trusted root certificate authority: This option enables you to select the
specific root certification authority (CA) of the authenticating server's
computer certificate. The list corresponds to the list of root CA
certificates in your Trusted Root Certification Authorities certificate store.

There is no specific trusted root CA that is selected by default. If you
select an incorrect trusted root CA, you are prompted during authentication
to accept (or reject) the root CA of the authenticating server certificate.
When you accept the authenticating server's certificate, the trusted root CA
is automatically set to the root CA of the authenticating server certificate.

• Use a different user name for the connection: This check box specifies
whether you want to use a user name for authentication that is different from
the user name in the certificate. This option is disabled by default. If it
is enabled, you are prompted with a dialog box to select a user certificate,
even if only one user certificate is installed. The selected certificate is
used until the Windows XP user session has ended.

"Ray" wrote:

> Can someone explain to me the function of "Enable IEEE 802.1x authentication
> for this network and EAP type: Smart Card or other Certificate" in wireless
> network properties. I found in some notebook computers that enabling it
> will cause intermittent connection dropout and I have to disable it to have
> a steady connection. Your advice is highly appreciated.
>
> Thanks,
>
> Ray
>
>
>
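As an added example (not part of this thread or of the quoted Microsoft article), the Python below models the EAPOL exchange the article describes: it builds the EAPOL-Start frame a Windows XP supplicant sends, parses the EAP-Request/Identity an 802.1X-enabled switch or AP answers with, and applies the "three EAP-Starts, then fall back to normal traffic" rule. The destination 01:80:C2:00:00:03 is the standard's PAE group address; the client MAC and the EAP identifier are constructed sample values.

```python
import struct

ETH_P_EAPOL = 0x888E        # EtherType for EAP over LAN (IEEE 802.1X)
EAPOL_VERSION = 1           # version used by 802.1X-2001 supplicants such as Windows XP
EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST = 1
EAP_TYPE_IDENTITY = 1
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address (standard)
CLIENT_MAC = bytes.fromhex("001122334455")       # constructed sample client MAC

def eapol_frame(dst, src, ptype, body=b""):
    """Ethernet II frame carrying an EAPOL packet: EtherType, then version/type/length."""
    return dst + src + struct.pack("!HBBH", ETH_P_EAPOL, EAPOL_VERSION, ptype, len(body)) + body

def eapol_start(src=CLIENT_MAC, dst=PAE_GROUP_ADDR):
    """EAPOL-Start: the supplicant asking the authenticator to begin EAP (empty body)."""
    return eapol_frame(dst, src, EAPOL_START)

def eap_request_identity(dst, src, identifier):
    """EAP-Request/Identity (code 1, type 1) inside an EAPOL EAP-Packet; EAP length is 5."""
    eap = struct.pack("!BBHB", EAP_REQUEST, identifier, 5, EAP_TYPE_IDENTITY)
    return eapol_frame(dst, src, EAPOL_EAP_PACKET, eap)

def parse_eapol(frame):
    """Return (eapol_type, eap_code, eap_type); None if the frame is not EAPOL or is malformed."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_P_EAPOL:
        return None
    _version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:          # declared length exceeds the bytes present: drop it
        return None
    if ptype != EAPOL_EAP_PACKET:
        return (ptype, None, None)  # EAPOL-Start / Logoff carry no EAP packet
    if length < 4:
        return None
    code, _ident, eap_len = struct.unpack("!BBH", body[:4])
    eap_type = body[4] if eap_len > 4 and len(body) > 4 else None
    return (ptype, code, eap_type)

def supplicant_decision(replies, max_starts=3):
    """replies[i] is the frame (or None) received after the i-th EAPOL-Start.
    Windows XP sends up to three Starts: the first EAP-Request/Identity begins 802.1X;
    if none arrives, 802.1X is not required on this port and normal traffic proceeds."""
    for attempt, reply in enumerate(replies[:max_starts], start=1):
        parsed = parse_eapol(reply) if reply is not None else None
        if parsed and parsed[1] == EAP_REQUEST and parsed[2] == EAP_TYPE_IDENTITY:
            return ("authenticate", attempt)
    return ("no-802.1x-required", min(len(replies), max_starts))
```

This is also why leaving the check box enabled on a switch that never sends EAP-Request/Identity costs nothing, while disabling it where the authenticator does require 802.1X leaves the controlled port closed to the client's traffic.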
