WLAN setup in Windows XP Pro

Discussion in 'Wireless Networking' started by Ray, Aug 9, 2004.

  1. Ray

    Ray Guest

    Can someone explain to me the function of "Enable IEEE 802.1x authentication
    for this network and EAP type: Smart Card or other Certificate" in wireless
    network properties. I found in some notebook computers that enabling it
    will cause intermittent connection dropout and I have to disable it to have
    a steady connection. Your advice is highly appreciated.

    Thanks,

    Ray
     
    Ray, Aug 9, 2004
    #1

  2. Here read this. For visuals go here:
    http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx

    Below is the article without the visuals:


    The IEEE 802.1X standard defines port-based network access control that is
    used to provide authenticated network access for Ethernet networks.
    Port-based network access control uses the physical characteristics of a
    switched LAN infrastructure to authenticate devices that are attached to a
    switch port. The ability to send and receive frames using an Ethernet switch
    port is denied if the authentication process fails. While this standard is
    designed for wired Ethernet networks, it has been adapted for use on IEEE
    802.11 wireless LANs. Windows XP supports IEEE 802.1X authentication for all
    LAN-based network adapters, including Ethernet and wireless.

    IEEE 802.1X defines the following terms:

    • Port access entity

    • Authenticator

    • Supplicant

    • Authentication server


    Port Access Entity

    A port access entity (PAE), also known as a LAN port, is a logical entity
    that supports the IEEE 802.1X protocol that is associated with a port. A LAN
    port can adopt the role of authenticator, supplicant, or both.

    Authenticator

    An authenticator is a LAN port that enforces authentication before allowing
    access to services that are accessed through the port. For wireless
    connections, the authenticator is the logical LAN port on a wireless access
    point (AP) through which wireless clients, operating in infrastructure mode,
    gain access to the wired network.

    Supplicant

    The supplicant is a LAN port that requests access to services that are
    accessed through the authenticator. For wireless connections, the supplicant
    is the logical LAN port on a wireless LAN network adapter that requests
    access to the wired network. It does this by associating with, and then
    authenticating itself to, an authenticator.

    Whether they are used for wireless connections or wired Ethernet
    connections, the supplicant and authenticator are connected by a logical or
    physical point-to-point LAN segment.

    Authentication server

    To verify the credentials of the supplicant, the authenticator uses an
    authentication server. The authentication server checks the credentials of
    the supplicant on behalf of the authenticator, and then responds to the
    authenticator, indicating whether or not the supplicant is authorized to
    access the authenticator's services. The authentication server might be:

    • A component of the AP.

    The AP must be configured with the sets of user credentials that correspond
    to the clients that are attempting to connect. This is typically not
    implemented for wireless APs.

    • A separate entity.

    The AP forwards the credentials of the connection attempt to a separate
    authentication server. Typically, a wireless AP uses the Remote
    Authentication Dial-In User Service (RADIUS) protocol to send the connection
    attempt parameters to a RADIUS server.

    Controlled and Uncontrolled Ports
    The authenticator's port-based access control defines the following types
    of logical ports, which access the wired LAN through a single physical LAN
    port:

    • Uncontrolled port

    The uncontrolled port allows an uncontrolled exchange of data between the
    authenticator (the wireless AP) and other networking devices on the wired
    network, regardless of any wireless client's authorization state. A good
    example of this is the exchange of RADIUS messages between a wireless AP and
    a RADIUS server on the wired network, which provides authentication and
    authorization of wireless connections. Frames that are sent by the wireless
    client are never forwarded by the wireless AP through the uncontrolled port.

    • Controlled port

    The controlled port allows data to be sent between a wireless client and the
    wired network, but only if the wireless client is authenticated. Before
    authentication, the switch is open and no frames are forwarded between the
    wireless client and the wired network. After the wireless client is
    successfully authenticated using IEEE 802.1X, the switch is closed and frames
    are forwarded between the wireless client and nodes on the wired network.


    The relationship of the controlled and uncontrolled port for a wireless AP
    is shown in the following figure.


    On an authenticating Ethernet switch, the wired Ethernet client can send
    Ethernet frames to the wired network as soon as authentication is completed.
    The switch identifies the traffic of a specific wired Ethernet client by
    using the physical port to which the Ethernet client is connected. Typically,
    only a single Ethernet client is connected to a physical port on the Ethernet
    switch.

    Because multiple wireless clients contend for access to and send data using
    the same channel, an extension to the basic IEEE 802.1X protocol is required
    to allow a wireless AP to identify the secured traffic of a specific wireless
    client. This is done through the mutual determination of a per-client unicast
    session key by the wireless client and wireless AP. Only authenticated
    wireless clients have a correctly determined per-client unicast session key.
    Without a valid unicast session key tied to a successful authentication,
    frames that are sent by an unauthenticated wireless client are silently
    discarded by the wireless AP.

    Extensible Authentication Protocol
    To provide a standard authentication mechanism for IEEE 802.1X, IEEE chose
    the Extensible Authentication Protocol (EAP). EAP is a Point-to-Point
    Protocol (PPP)-based authentication technology that was adapted for use on
    point-to-point LAN segments. Because EAP messages were originally defined to
    be sent as the payload of PPP frames, the IEEE 802.1X standard defines EAP
    over LAN (EAPOL), which is a method of encapsulating EAP messages so that
    they can be sent over Ethernet or wireless LAN segments.

    For the authentication of wireless connections, Windows XP uses the
    EAP-Transport Level Protocol (EAP-TLS). EAP-TLS is defined in RFC 2716 and is
    used in certificate-based security environments. The EAP-TLS exchange of
    messages provides mutual authentication, integrity-protected cipher suite
    negotiation, and mutual determination of encryption and signing key material
    between the wireless client and the authenticating server (the RADIUS
    server). After authentication and authorization, the RADIUS server sends the
    encryption and signing keys to the wireless AP by using the RADIUS
    Access-Accept message.

    EAP-TLS, with registry-based user and computer certificates, is the
    authentication method for Windows XP-based wireless connectivity for the
    following reasons:

    • EAP-TLS does not require any dependencies on the user account password.

    • EAP-TLS authentication occurs automatically, with no intervention by the
    user.

    • EAP-TLS uses certificates, providing a strong authentication scheme.


    Windows XP Support for IEEE 802.1X
    In Windows XP, IEEE 802.1X authentication with the EAP-TLS authentication
    type is enabled by default for all LAN-based network adapters. To configure
    802.1X settings on a computer running Windows XP, use the Authentication tab
    on the properties of a LAN connection in Network Connections.

    The Authentication tab is shown in the following figure.

    On the Authentication tab, you can configure the following:

    • Enable network access control using IEEE 802.1X: This check box specifies
    whether you want to use IEEE 802.1X to perform authentication for this
    connection. This option is enabled by default.

    A Windows XP LAN connection sends three EAP-Start messages in an attempt to
    prompt the authenticator (the Ethernet switch or wireless AP) to begin the
    EAP-based authentication process. If an EAP-Request/Identity message is not
    received, IEEE 802.1X authentication is not required for the port and the LAN
    connection sends normal traffic to configure network connectivity. If an
    EAP-Request/Identity message is received, IEEE 802.1X authentication begins.

    Therefore, for an Ethernet LAN connection, leaving this setting enabled when
    the Ethernet switch does not support IEEE 802.1X does not impair
    connectivity. However, disabling this setting when the Ethernet switch does
    require IEEE 802.1X authentication does impair network connectivity.

    • EAP type: You can use this option to select the EAP type to use for IEEE
    802.1X authentication. The list corresponds to the EAP dynamic link libraries
    (DLLs) installed on the computer. The default EAP types are MD-5 Challenge
    and Smart Card or other Certificate. The Smart Card or other Certificate type
    is for EAP-TLS. By default, Smart Card or other Certificate EAP is selected
    and must be used for secure wireless access.

    • Properties: Click to configure the properties of the selected EAP type.
    Properties are not available for the MD-5 Challenge EAP type.

    • Authenticate as computer with computer information is available: This check
    box specifies whether the computer attempts to authenticate using computer
    credentials (such as a computer certificate), without the user logging on.
    This option is enabled by default.

    • Authenticate as guest when user or computer information is unavailable:
    This check box specifies whether the computer attempts to authenticate as a
    guest when either user or computer credentials are not available. This option
    is disabled by default.


    The properties of the Smart Card or other Certificate EAP type
    (corresponding to EAP-TLS) are shown in the following figure.

    From the Smart Card or other Certificate Properties dialog box, you can view
    and configure the following:

    • When connecting: To use a certificate in the Current User or Local Computer
    certificate stores for authentication, select Use a certificate on this
    computer (this is selected by default). When there are multiple user
    certificates installed, the user is prompted to select a specific user
    certificate for the first association. The use of that user certificate is
    cached for reassociations, which will occur until the Windows XP user session
    has ended. Windows XP does not support the use of smart cards for secure
    wireless authentication.

    • Validate server certificate: This check box specifies whether you want to
    validate the computer certificate of the authenticating server (typically a
    RADIUS server). This option is enabled by default.

    • Connect only if server name ends with: This check box specifies whether you
    want to provide text that must match the last part of the name in the
    authenticating server's computer certificate. This option is disabled by
    default. For most deployments, in which more than one RADIUS server is used,
    you can type the part of the Domain Name System (DNS) name that is common to
    all of the RADIUS servers. For example, if you have two RADIUS servers named
    rad1.example.microsoft.com and rad2.example.microsoft.com, then type the text
    "example.microsoft.com". If you enable this option and type the wrong text,
    wireless authentication will fail.

    • Trusted root certificate authority: This option enables you to select the
    specific root certification authority (CA) of the authenticating server's
    computer certificate. The list corresponds to the list of root CA
    certificates in your Trusted Root Certification Authorities certificate store.

    There is no specific trusted root CA that is selected by default. If you
    select an incorrect trusted root CA, you are prompted during authentication
    to accept (or reject) the root CA of the authenticating server certificate.
    When you accept the authenticating server's certificate, the trusted root CA
    is automatically set to the root CA of the authenticating server certificate.

    • Use a different user name for the connection: This check box specifies
    whether you want to use a user name for authentication that is different from
    the user name in the certificate. This option is disabled by default. If it
    is enabled, you are prompted with a dialog box to select a user certificate,
    even if only one user certificate is installed. The selected certificate is
    used until the Windows XP user session has ended.

    "Ray" wrote:

    > Can someone explain to me the function of "Enable IEEE 802.1x authentication
    > for this network and EAP type: Smart Card or other Certificate" in wireless
    > network properties. I found in some notebook computers that enabling it
    > will cause intermittent connection dropout and I have to disable it to have
    > a steady connection. Your advice is highly appreciated.
    >
    > Thanks,
    >
    > Ray
    >
    >
    >
     
    mont4982, Aug 9, 2004
    #2
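As an added example (not part of the thread, and not Microsoft's or the Cable Guy column's code), the following Python model walks through the exchange the column describes: the supplicant sends EAP-Start messages, falls back to normal traffic when no EAP-Request/Identity comes back, and the authenticator keeps the controlled port closed until an EAP-Success. It also applies the "Connect only if server name ends with" check to the name in the server's certificate. The EAPOL and EAP header layouts follow IEEE 802.1X and RFC 3748; everything else is a simplification or a constructed value: the TLS handshake is replaced by a stand-in that carries the server certificate name in the EAP-TLS request, certificate validation is replaced by a list of authorized identities, and the host names, identities and return strings are made up for the example.

```python
# Added example, not code from the thread or from Microsoft's column.
# Assumptions: TLS handshake replaced by a stand-in carrying the server certificate
# name; certificate checks replaced by an identity list; all names are constructed.
import struct

EAPOL_VERSION = 1                                          # 802.1X-2001 protocol version
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2      # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # EAP codes (RFC 3748)
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13                    # EAP method types

def build_eapol(packet_type, body=b""):
    """EAPOL header: version(1) type(1) body-length(2), followed by the body."""
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body

def build_eap(code, identifier, eap_type=None, data=b""):
    """EAP packet: code(1) id(1) length(2) [type(1) type-data]; Success/Failure carry no type."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload

def parse_eapol(frame):
    """Return (packet_type, body); reject frames whose length field disagrees with the data."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than its header")
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if version not in (1, 2) or len(body) != length:
        raise ValueError("malformed EAPOL frame")
    return packet_type, body

def parse_eap(body):
    """Return EAP code, identifier, method type (None for Success/Failure) and type-data."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP length field inconsistent with packet")
    eap_type = body[4] if length > 4 else None
    return {"code": code, "id": identifier, "type": eap_type, "data": body[5:length]}

class Authenticator:
    """Logical LAN port on the AP. The RADIUS server is modelled by the name in its certificate
    and the identities it authorizes; client data crosses the controlled port only after Success."""
    def __init__(self, server_cert_name=None, authorized=()):
        self.server_cert_name = server_cert_name   # None models an AP without 802.1X support
        self.authorized_ids = set(authorized)
        self.port_authorized = False               # state of the controlled port
        self.pending = None

    def receive(self, frame):
        """Process one EAPOL frame from the supplicant; return the reply frame or None."""
        if self.server_cert_name is None:
            return None                            # non-802.1X port: EAP-Start goes unanswered
        packet_type, body = parse_eapol(frame)
        if packet_type in (EAPOL_START, EAPOL_LOGOFF):
            self.port_authorized = False
            if packet_type == EAPOL_LOGOFF:
                return None
            return build_eapol(EAPOL_EAP_PACKET, build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
        eap = parse_eap(body)
        if eap["code"] != EAP_RESPONSE:
            return None
        if eap["type"] == EAP_TYPE_IDENTITY:
            self.pending = eap["data"].decode()
            # The server certificate name stands in for the TLS handshake messages.
            return build_eapol(EAPOL_EAP_PACKET, build_eap(
                EAP_REQUEST, eap["id"] + 1, EAP_TYPE_TLS, self.server_cert_name.encode()))
        if eap["type"] == EAP_TYPE_TLS:
            self.port_authorized = self.pending in self.authorized_ids
            code = EAP_SUCCESS if self.port_authorized else EAP_FAILURE
            return build_eapol(EAPOL_EAP_PACKET, build_eap(code, eap["id"]))
        return None

    def forward(self, client_frame):
        """Controlled port: True if a client data frame would be forwarded to the wired LAN."""
        return self.port_authorized

class Supplicant:
    """Client side, with the 'Connect only if server name ends with' setting from the dialog."""
    def __init__(self, identity, server_name_suffix=None):
        self.identity, self.server_name_suffix = identity, server_name_suffix

    def connect(self, ap):
        reply = None
        for _ in range(3):                         # Windows XP sends three EAP-Start messages
            reply = ap.receive(build_eapol(EAPOL_START))
            if reply is not None:
                break
        if reply is None:
            return "no-8021x"                      # no EAP-Request/Identity: 802.1X not required
        eap = parse_eap(parse_eapol(reply)[1])
        reply = ap.receive(build_eapol(EAPOL_EAP_PACKET, build_eap(
            EAP_RESPONSE, eap["id"], EAP_TYPE_IDENTITY, self.identity.encode())))
        eap = parse_eap(parse_eapol(reply)[1])
        server_name = eap["data"].decode()
        if self.server_name_suffix and not server_name.endswith(self.server_name_suffix):
            ap.receive(build_eapol(EAPOL_LOGOFF))  # abandon the attempt; port stays closed
            return "server-name-mismatch"
        reply = ap.receive(build_eapol(EAPOL_EAP_PACKET, build_eap(
            EAP_RESPONSE, eap["id"], EAP_TYPE_TLS, b"client-certificate")))
        eap = parse_eap(parse_eapol(reply)[1])
        return "authenticated" if eap["code"] == EAP_SUCCESS else "rejected"
```

Running `Supplicant("ray", "example.microsoft.com").connect(Authenticator("rad1.example.microsoft.com", ["ray"]))` returns `"authenticated"` and the authenticator's `forward()` then reports the controlled port open; the same supplicant against `Authenticator()` (no RADIUS server, so no EAP-Request/Identity) returns `"no-8021x"`, which is the fallback the column describes for switches that do not support 802.1X. Note that the suffix check is a plain string match, exactly as the column words it: `"example.microsoft.com"` also matches a certificate name such as `badexample.microsoft.com`, so an operator who wants a label boundary types the text with a leading dot.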
