Configuring Wireless Client Computers

To configure wireless client computers, complete the tasks described in the following sections:

  • Install the computer certificate.

  • Install the user certificate.

  • Configure 802.1X authentication for EAP-TLS.

Installing the Computer Certificate

For computer authentication with EAP-TLS, you must install a computer certificate on the wireless client computer. For installation on a wireless client computer running Windows Server 2003, Windows XP, or Windows 2000, connect to the organization's intranet by using an Ethernet port, and do the following:

  • If the domain is configured for autoenrollment of computer certificates, each computer that is a member of the domain requests a computer certificate when computer Group Policy is refreshed. To force a refresh of computer Group Policy for a computer running Windows Server 2003 or Windows XP, restart the computer or type gpupdate /target:computer at a command prompt. To force a refresh of computer Group Policy for a computer running Windows 2000, restart the computer or type secedit /refreshpolicy machine_policy at a command prompt.

  • If the domain is not configured for autoenrollment, you can request a computer certificate using the Certificates snap-in (this procedure is described in the Obtaining and Installing a Computer Certificate section of this chapter), or you can execute a CAPICOM script to install a computer certificate. For information about CAPICOM, see http://msdn.microsoft.com/.

NOTE
An enterprise organization's information technology (IT) group can install a computer certificate before the computer, typically a laptop, is delivered to its user.

Installing the User Certificate

For user authentication with EAP-TLS, you must use a locally installed user certificate or a smart card. The locally installed user certificate can be obtained by autoenrollment, Web enrollment, requesting the certificate using the Certificates snap-in, importing a certificate file, or running a CAPICOM program or script. An organization's IT group or security group is usually responsible for issuing smart cards to users.

The easiest ways to install user certificates assume that network connectivity already exists, such as using an Ethernet port. When users connect to the intranet, they can obtain a user certificate through autoenrollment or by submitting a user certificate request using Web enrollment or the Certificates MMC snap-in. Alternately, they can run a CAPICOM program or script provided by the network administrator. The user logon script can be used to automate the execution of the CAPICOM program or script.

If you have configured autoenrollment of user certificates, the wireless user must update User Configuration Group Policy to obtain a user certificate. If you do not use autoenrollment for user certificates, you can obtain a user certificate by doing one of the following procedures (described in the following sections):

  • Install via Web enrollment.

  • Request a certificate.

  • Install from a certificate file on a floppy disk.

Installing User Certificates via Web Enrollment

To submit a user certificate request via the Web, do the following:

  1. Open Internet Explorer.

  2. Connect to http://servername/certsrv, where servername is the name of the CA computer. The CA must also be running Internet Information Services (IIS).

  3. Click Request A Certificate and then click Next.

  4. On the Choose Request Type Web page, select the type of certificate you want to request under User Certificate Request and click Next.

  5. On the Identifying Information Web page, do one of the following:

    • If you see the message All The Necessary Identifying Information Has Already Been Collected. You May Now Submit Your Request, click Submit.

      Or

    • Enter your identifying information for the certificate request and click Submit.

  6. If you see the Certificate Issued Web page, click Install This Certificate.

  7. Close Internet Explorer.

Requesting a Certificate

To request a certificate using the Certificates snap-in, do the following:

  1. Open a Microsoft Management Console (MMC) that contains Certificates - Current User.

  2. In the console tree, right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Request Wizard.

  3. In the Certificate Request Wizard, select the type of certificate you want to request. If you selected the Advanced check box:

    • Choose the cryptographic service provider (CSP) you will use.

    • Choose the key length (measured in bits) of the public key associated with the certificate.

    • Do not enable strong private key protection. Enabling strong private key protection requires user intervention (such as typing in a password) when the private key is used, which interferes with automatic access to wireless networks.

    • If you have more than one CA available, select the name of the CA that will issue the certificate.

  4. Type a friendly name for your new certificate.

  5. After the Certificate Request Wizard successfully finishes, click OK.

Installing from a Certificate File on a Floppy Disk

Another method of installing a user certificate is to export the user certificate onto a floppy disk and then import it onto the wireless client computer. For a floppy disk-based enrollment, perform the following:

  1. Obtain a user certificate for the wireless client's user account from the CA through Web-based enrollment.

  2. Open an MMC console containing Certificates - Current User.

  3. Open Personal and then open Certificates.

  4. In the details pane, right-click the certificate you want to export, point to All Tasks, and then click Export.

  5. On the Welcome To The Certificate Export Wizard page, click Next.

  6. On the Export Private Key page, click Export The Private Key. (This option appears only if the private key is marked as exportable and you have access to the private key.) Click Next.

  7. On the Export File Format page, select Personal Information Exchange PKCS (.PFX) as the export file format. Select other options as needed and then click Next.

  8. On the Password page, type a password in Password and Confirm Password to protect the private key in the certificate and then click Next.

  9. On the File To Export page, type the certificate filename or click Browse to specify the name and location of the certificate file. Click Next.

  10. On the Completing The Certificate Export Wizard page, click Finish.

  11. On the wireless client computer, open an MMC console containing Certificates - Current User.

  12. Open the Personal folder.

  13. On the Action menu, point to All Tasks and then click Import.

  14. On the Welcome To The Certificate Export Wizard page, click Next.

  15. For File Name on the File To Import page, either type the name of the certificate file stored in step 9 or click Browse to locate it.

  16. On the Password page, type the password used to protect the private key in Password. Do not select Enable Strong Private Key Protection. If you intend to move this certificate in the future, click Mark This Key As Exportable.

  17. On the Certificate Store page, click Next.

  18. On the Completing The Certificate Import Wizard page, click Finish.
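The sections above describe several ways to get a computer certificate and a user certificate onto the client, and the floppy-disk procedure in particular can leave only the public half of a certificate behind if step 6 is skipped. The following PowerShell script is an added example for checking the result; it is not code from the book. It runs on a current Windows client (the Cert: drive and the Client Authentication EKU OID are standard) and assumes a placeholder issuing CA name that you must replace with your own.

```powershell
# Added example, not code from the book: audit the two certificate stores that
# EAP-TLS draws from on a Windows client, as described in "Installing the
# Computer Certificate" and "Installing the User Certificate". Run in an
# elevated PowerShell on the wireless client, as the wireless user. The store
# paths and the Client Authentication EKU OID are standard; the issuer name is
# a placeholder.

$ClientAuthEku    = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth, required by the EAP-TLS supplicant
$ExpectedIssuerCN = 'Example Corp Issuing CA'   # placeholder: your enterprise CA's common name

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$StorePath   # Cert:\LocalMachine\My or Cert:\CurrentUser\My
    )
    $candidates = Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku }

    if (-not $candidates) {
        Write-Host "FAIL $StorePath : no certificate with the Client Authentication EKU"
        return $false
    }

    $usable = $false
    foreach ($cert in $candidates) {
        $problems = @()
        if (-not $cert.HasPrivateKey) {
            $problems += 'no private key (only the public certificate was imported)'
        }
        if ($cert.NotAfter -lt (Get-Date)) {
            $problems += "expired on $($cert.NotAfter)"
        }
        if ($cert.Issuer -notmatch [regex]::Escape($ExpectedIssuerCN)) {
            $problems += "issued by '$($cert.Issuer)', not the enterprise CA"
        }
        # Verify() builds and validates the chain (trust and revocation) under
        # the client's default policy, so it catches a missing or untrusted
        # issuing CA certificate on this machine.
        if (-not $cert.Verify()) {
            $problems += 'chain does not validate on this client'
        }

        if ($problems.Count -eq 0) {
            Write-Host "OK   $StorePath : $($cert.Subject) (thumbprint $($cert.Thumbprint))"
            $usable = $true
        } else {
            Write-Host "SKIP $StorePath : $($cert.Subject): $($problems -join '; ')"
        }
    }
    return $usable
}

$machineOk = Test-EapTlsCertificate -StorePath 'Cert:\LocalMachine\My'
$userOk    = Test-EapTlsCertificate -StorePath 'Cert:\CurrentUser\My'

# Same remedy the book gives for autoenrolled certificates: refresh Group Policy
# so that the enrollment request is issued again.
if (-not $machineOk) {
    Write-Host 'No usable computer certificate; refreshing computer Group Policy.'
    gpupdate /target:computer
}
if (-not $userOk) {
    Write-Host 'No usable user certificate; refreshing user Group Policy.'
    gpupdate /target:user
}
```

The script deliberately reports through Write-Host rather than Write-Output so that the Boolean returned by Test-EapTlsCertificate is the only value captured by the caller. A certificate that is listed as SKIP with "no private key" is the typical sign that the export in step 6 of the floppy-disk procedure did not include the private key.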

Configuring 802.1X Authentication for EAP-TLS

If you have configured Wireless Network (IEEE 802.11) Policies Group Policy settings and specified the use of EAP-TLS authentication for your wireless network (the Smart Card Or Other Certificate authentication method), no other configuration for wireless clients running Windows XP (SP1 or later) or Windows Server 2003 is needed.

To manually configure EAP-TLS authentication on a wireless client running Windows XP (SP1 or later) or Windows Server 2003

  1. Obtain the properties of the wireless connection in the Network Connections folder. Click the Wireless Networks tab, click the name of the wireless network in the list of preferred networks, and then click Properties.

  2. Click the Authentication tab and select Enable IEEE 802.1X Authentication For This Network and the Smart Card Or Other Certificate EAP type.

  3. Click Properties.

  4. In the Smart Card Or Other Certificate dialog box, click Use A Certificate On This Computer to use a locally installed user certificate or Use My Smart Card for a smart card-based user certificate.

  5. Select Validate Server Certificate to validate the computer certificate of the IAS server. If you want to specify the names of the authentication servers that must perform validation, select Connect To These Servers and type the server names.

  6. Click OK to save changes to the Smart Card Or Other Certificate EAP type.

To manually configure EAP-TLS authentication on a wireless client running Windows XP (prior to SP1)

  1. Obtain properties of the wireless connection in the Network Connections folder.

  2. On the Authentication tab, select Enable Network Access Control Using IEEE 802.1X and the Smart Card Or Other Certificate EAP type. Both of these configuration settings are enabled by default.

  3. Click Properties. The Smart Card Or Other Certificate dialog box displays.

  4. In the Smart Card Or Other Certificate dialog box, click Use A Certificate On This Computer to use a locally installed user certificate.

  5. Select Validate Server Certificate to validate the computer certificate of the IAS server (enabled by default). If you want to specify how the names of the authentication servers end, select Connect Only If Server Name Ends With and type the string.

  6. Click OK to save changes to the Smart Card Or Other Certificate EAP type.

To configure EAP-TLS authentication on a wireless client running Windows 2000 and Microsoft 802.1X Authentication Client

  1. Obtain properties of the wireless connection in the Dial-up And Network Connections folder.

  2. On the Authentication tab, select Enable Network Access Control Using IEEE 802.1X (enabled by default) and the Smart Card Or Other Certificate EAP type.

  3. Click Properties. The Smart Card Or Other Certificate dialog box displays.

  4. In the Smart Card Or Other Certificate dialog box, click Use A Certificate On This Computer to use a locally installed user certificate or Use My Smart Card for a smart card-based user certificate.

  5. Select Validate Server Certificate to validate the computer certificate of the IAS server (enabled by default). If you want to specify the names of the authentication servers that must perform validation, select Connect To These Servers and type the server names.

  6. Click OK to save changes to the Smart Card Or Other Certificate EAP type.
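The three procedures above all come down to the same settings: 802.1X enabled, the Smart Card Or Other Certificate (EAP-TLS) type selected, Validate Server Certificate turned on, and the authentication servers named. The following PowerShell script is an added example, not code from the book, that checks those settings on a current Windows client by exporting the saved wireless profile with netsh wlan and reading it. It assumes the element names found in the exported profile XML (useOneX, Eap/Type, PerformServerValidation, ServerValidation/ServerNames and TrustedRootCA) and uses a placeholder profile name.

```powershell
# Added example, not code from the book: audit a saved wireless profile for the
# EAP-TLS settings described in "Configuring 802.1X Authentication for
# EAP-TLS": 802.1X enabled, EAP type 13 (EAP-TLS, shown in the UI as Smart
# Card Or Other Certificate), server certificate validation on, and the
# authentication servers pinned by name. Uses netsh wlan (Windows Vista and
# later) and assumes the element names of the exported profile XML; the
# profile name is a placeholder.

param([string]$ProfileName = 'CorpWireless')   # placeholder: the profile (SSID) to audit

$exportDir = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
netsh wlan export profile name="$ProfileName" folder="$exportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $exportDir -Filter '*.xml' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $xmlFile) { throw "netsh did not export a profile named '$ProfileName'" }

[xml]$profile = Get-Content -Path $xmlFile.FullName
Remove-Item -Path $exportDir -Recurse -Force

# PowerShell's XML adapter resolves child elements by local name, so the
# several namespaces used in the profile need not be spelled out.
$security = $profile.WLANProfile.MSM.security
$findings = @()

# "Enable IEEE 802.1X Authentication For This Network"
if ($security.authEncryption.useOneX -ne 'true') {
    $findings += '802.1X is not enabled for this network (useOneX is not true).'
}

$eap = $security.OneX.EAPConfig.EapHostConfig.Config.Eap
if ($eap.Type -ne '13') {
    $findings += "EAP type is '$($eap.Type)', not 13 (EAP-TLS / Smart Card Or Other Certificate)."
} else {
    $tls = $eap.EapType
    # "Validate Server Certificate": without it the client will authenticate to
    # any access point that speaks EAP-TLS.
    if ($tls.PerformServerValidation -ne 'true') {
        $findings += 'Server certificate validation is off.'
    }
    # "Connect To These Servers": empty means any server holding a certificate
    # from a trusted CA is accepted, not just your IAS servers.
    $names = [string]$tls.ServerValidation.ServerNames
    if ([string]::IsNullOrWhiteSpace($names)) {
        $findings += 'No authentication server names are pinned (Connect To These Servers is empty).'
    }
    # Root CAs accepted for the server certificate: empty means every root in
    # the machine store qualifies.
    $roots = @($tls.ServerValidation.TrustedRootCA) | Where-Object { $_ }
    if ($roots.Count -eq 0) {
        $findings += 'No trusted root CA is selected for server validation.'
    }
}

if ($findings.Count -eq 0) {
    Write-Host "OK   '$ProfileName': EAP-TLS with server validation and pinned server names."
    exit 0
}
Write-Host "FAIL '$ProfileName':"
$findings | ForEach-Object { Write-Host "  - $_" }
exit 1
```

Run it as the user who owns the profile (netsh wlan show profiles lists the names). The exit code makes it usable from a logon script or a compliance check, which is the same place the book suggests running enrollment scripts from.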



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies