Configuration of Secure Wireless Networking

IS4011 Configuration of Secure Wireless Networking
User Guide
IS4011
Using UoN-secure with Microsoft Windows XP
and Macintosh OS X
Table of Contents
1. Introduction
2. Scope of this document
3. Windows XP
3.1 Wireless network adaptor
3.2 Authentication
3.3 802.1x supplicants
3.4 Configuration of the 802.1x client
4. Windows Vista
5. Other issues
6. Macintosh OS X
6.1 Wireless network adapter
7. Reporting problems
1. Introduction
Wireless connectivity is increasingly becoming an essential part of the data network. Many
Schools and research projects now need greater wireless provision, and are moving from a
requirement for hot spots to whole buildings and even school-wide coverage.
The development of an encrypted wireless service will allow all staff and students to easily
and securely access resources available on the data network, in accordance with the IT
Audit recommendations.
2. Scope of this document
This document describes the prerequisites and steps necessary to configure a computer to
use the network using UoN-secure. It is not intended to fully define the hardware or
software base as this is in constant flux.
The UoN-secure wireless network is based on the 802.11g standard and provides support
for data encryption. The facility requires a username and password. This is the same as
that obtained when registering for the core IT services.
A successful connection requires a compatible wireless network adaptor, registered Novell
Directory Service (NDS) account and a supported 802.1x supplicant. For Windows XP the
native operating system supplicant is utilised.
http://www.nottingham.ac.uk/is/support/knowledgebase/guides/IS4011.pdf
Last review: 03 August 07
Next review: 03 August 08
3. Windows XP
3.1 Wireless network adaptor
UoN-secure uses the 802.11i standard (WPA2 [1]). The wireless network adaptor must support
WPA2 Enterprise. Adaptors with support only for WPA or WPA-PSK will not work. WPA2 uses
AES (Advanced Encryption Standard), whereas WPA relies on TKIP (Temporal Key Integrity
Protocol) using RC4.
Both the hardware and software features of the adaptor need to be checked. The adaptor
may require a driver upgrade, downloadable from the vendor web site, to support WPA2.
It is recommended to use 802.11g and 802.11i (WPA2) compatible wireless adaptor cards.
3.2 Authentication
Each user is required to authenticate against their registered NDS account. The user
credentials held in the NDS/LDAP (Lightweight Directory Access Protocol) database are
used to verify the client. The password held in the database must be in a special format in
order for it to work. If the NDS password has not been changed recently, it must be
changed. There are two methods by which this can be achieved:
1) Novell client for Windows 2000/XP (v4.91 or better):
i. Press the Ctrl-Alt-Del keyboard keys and select the “Change Password” button from
the Novell client for Windows.
ii. At the Change Password window, enter old password, new password, confirm new
password and hint (optional).
iii. Confirm with OK.
2) change-pw web-page:
i. At the URL https://www.nottingham.ac.uk/is/change-pw/index.jsp, enter username,
current password and new password.
ii. Re-enter the new password and submit the form.
It is recommended to use the second of the two methods above.
Once the account has been checked successfully, access to the wireless network is allowed.
In case of failure, confirm that the password change has taken effect and is stored in the
required format. It may help to allow some time for the system processes to synchronize.
3.3 802.1x supplicants
Windows XP (SP2) needs an update applied to support WPA2 and 802.1x.
1. Check that this is installed. The relevant WPA2 update for Windows XP SP2 is 917021
which is available at R:\Cc\IT Support Section\DSL\Wireless or from:
http://support.microsoft.com/?id=917021
2. The computer needs to be restarted after applying the update.
[1] WPA is Wi-Fi Protected Access. 802.11i is an amendment to the 802.11 standard and is
known as WPA2.
Also, HotFix 923154 will need to be loaded to fix some EAP problems if dropouts from the
secure network are experienced. This can be found at R:\Cc\IT Support Section\DSL\Wireless
Please note that these are not automatically installed with any of the Critical or
Optional Windows updates but must be specifically installed.
The Windows Vista 802.1x supplicant is very similar to the XP one and works just the
same. Any laptop/desktop/handheld/MacBook/Linux platform providing support for WPA or
WPA-PSK only will not work. It is important not to install the wireless network device's
proprietary client software. Alternatively, you may disable it to allow the Windows
supplicant to assume control.
3.4 Configuration of the 802.1x client
1. Open the Windows XP Wireless Network Connection by double-clicking its icon in the
Taskbar.
2. Click on View Wireless Networks. Confirm the existence of the UoN-secure wireless
network.
3. Select Change advanced settings on the left-hand side under Related Tasks.
4. Select the Wireless Networks tab.
5. Then click the Advanced button at the lower
right to display this dialog:
6. Change the default Any available network
setting to Access point as shown. You should
also be sure that Automatically connect to
non-preferred networks is NOT checked.
7. You will now be back at the WiFi Properties
dialog. You MUST also disable broadcasting
for each of your Preferred networks.
8. Do this by selecting each network in the
Preferred networks list then clicking Properties to display the dialog box on the
right:
9. YOU MUST UNCHECK the Connect even if this network is not broadcasting option to
prevent your system from broadcasting its own 'beacon' (probe requests) announcing the
names of your preferred networks.
10. In the UoN-secure properties window,
under Association tab select WPA2 for
Authentication EAP(PEAP) and AES for Data
encryption. If WPA2 options are not seen
here then either updated network card
drivers are required or WPA2 is not
supported on the hardware that you have.
11. In the UoN-secure properties window, click
on the Authentication tab and select EAP type
to be Protected EAP(PEAP). Confirm Enable
IEEE 802.1x authentication for this network is
ticked. Do not select other check boxes.
12. In the UoN-secure properties window, click
on the Properties button and ensure Validate
server certificate and Enable Fast
Reconnect are not selected. Confirm that the
Authentication Method selected is Secured
password (EAP-MSCHAPv2).
13. In the Protected EAP Properties window,
click on the Configure button. Ensure the
box for automatically using the Windows
logon name is not ticked.
14. Click OK to Protected EAP Properties
15. Click OK to UoN-secure Properties
16. Click OK to Wireless Network Connection
Properties window.
17. Windows will prompt for a username and
password by showing a balloon at the bottom
right-hand side of the desktop screen. Click on
the balloon. Enter the username and password
and click OK. You should now be connected to the
Wireless Network UoN-secure with WPA2
encryption.
4. Windows Vista
1. Click Start, Control panel,
Network and Internet.
2. Click on Connect to a Network
3. Click on Set up a connection or
network
4. Select Manually connect to a
wireless network and click Next
5. Choose a wireless adapter as shown
and click Next
6. Enter information in the form and click
Next
7. Select Change Connection settings
8. Untick Connect to a more preferred network
9. Select the Security tab and ensure settings are
set as shown
10. Click the Settings button and ensure that
settings are as shown
11. Click Configure and untick the box as shown
12. Click OK to get back and then click Close. The
network should then connect and you will see a
balloon near the task bar
13. Click the balloon and fill in the login box
14. This will then authenticate your credentials and log
you into the UoN-secure wireless service.
When the PC is restarted it should connect automatically.
If it does not, go to Network and Internet,
Network & Sharing Centre, Manage wireless networks and
ensure that UoN-secure is at the top of the list. You may
need to go into the properties of other networks and
ensure that all boxes are unticked.
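A way to check a Vista profile against the settings named in the steps above, as an added example that is not part of the original guide: it parses a profile exported with netsh wlan export profile and lists every setting that differs from the guide's values. The names audit_profile and GUIDE_SETTINGS are hypothetical, the sample XML is constructed and abridged, and the mapping of the Validate server certificate tick box to the PerformServerValidation element is an assumption about the export format.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample (not a real export); inner namespaces omitted.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>UoN-secure</name>
 <SSIDConfig><SSID><name>UoN-secure</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
 <connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
   <useOneX>true</useOneX></authEncryption>
  <OneX><EAPConfig><Eap><Type>25</Type><EapType>
   <FastReconnect>true</FastReconnect>
   <PerformServerValidation>false</PerformServerValidation>
   <Eap><Type>26</Type><EapType>
    <UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap>
  </EapType></Eap></EAPConfig></OneX>
 </security></MSM>
</WLANProfile>"""

# Element local name -> value the guide's steps call for.
GUIDE_SETTINGS = {
    "authentication": "WPA2",           # XP step 10
    "encryption": "AES",                # XP step 10
    "useOneX": "true",                  # XP step 11: IEEE 802.1x enabled
    "nonBroadcast": "false",            # XP step 9: not broadcasting option unticked
    "autoSwitch": "false",              # Vista step 8: more preferred network unticked
    "FastReconnect": "false",           # XP step 12
    "UseWinLogonCredentials": "false",  # XP step 13: Windows logon name not reused
}

def local(el):
    """Tag name without its {namespace} prefix."""
    return el.tag.rsplit("}", 1)[-1]

def values(root, name):
    """Text of every element with this local name, in document order."""
    return [(el.text or "").strip() for el in root.iter() if local(el) == name]

def audit_profile(xml_text):
    root = ET.fromstring(xml_text)
    deviations = {}
    for name, want in GUIDE_SETTINGS.items():
        got = (values(root, name) or [None])[0]
        if got is None or got.lower() != want.lower():
            deviations[name] = got      # None means the element is missing
    return {
        "deviations": deviations,
        # Expect 25 (PEAP) then 26 (EAP-MSCHAPv2); repeats are collapsed.
        "eap_methods": list(dict.fromkeys(values(root, "Type"))),
        "server_cert_validated": values(root, "PerformServerValidation") == ["true"],
    }
```

A profile that follows step 12 reports server_cert_validated as False, because the guide leaves Validate server certificate unticked; in that state the supplicant does not check the identity of the authentication server it sends the PEAP exchange to.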
5. Other issues
If UoN-secure access must be configured on pool laptops which are likely to be used by a
number of different users, note that there is currently a “feature” of Windows XP which
caches an encoded username/password pair in the registry. A small addition is therefore
required on these machines to force logging in each time a connection is made.
This is achieved by applying a small registry change on such machines. The registry
change is available here:
R:/Cc/Wireless Network/WLAN Encryption/Colin/clearEAPOL
The file to set this functionality is “installClearEAPOL.reg”. Double click the file and after a
short pause you will get a message to inform you that the registry patch has been applied.
If it should be necessary to remove this functionality at a later date it can be removed by
running the file “clear_EAPOL1.reg” from the same location.
6. Macintosh OS X
6.1 Wireless network adapter
The only wireless adapters tested were those used by the MacBook: an Airport Extreme
(0x168C, 0x87) at version 1.0.47 under Mac OS X 10.4.9 and 10.4.10, and an Airport
Extreme (0x168C, 0x86) at firmware version 0.1.31.1, also running OS X 10.4.9 and
10.4.10.
There is generally a top menu bar icon for the Airport card which, when clicked, gives a
drop down menu allowing various options.
1. From this menu you should select Other … as
shown.
2. This brings up the following dialog box
where you should make the selections
shown and enter the appropriate
username and password.
3. Once this is entered click OK. You will
then see the following confirmation
dialogue box
4. Select Continue or just press the Enter
key. Authentication will then take place
and connection will be made to the UoN-secure wireless service.
7. Reporting problems
As the wireless service becomes increasingly pervasive, capturing the right information to
deal with support issues becomes increasingly important. It is necessary to gather as
much of the following information as possible so that the best response can be provided:
• Location – Building and room number. Important to determine if the problem is
related to a specific access point or physical network problem in that area.
• MAC Address of client – important to diagnose what has been seen of the client
on the wireless network, as activity from individual MAC addresses is logged.
• Which WLAN – Important to diagnose if only one aspect of the service is affected.
Please also ascertain if more than one SSID connection attempt has been tried and
if so which were successful and which were not.
• IP address of the client – if the connection progressed that far.
• Username of the user trying to connect and whether they have ever managed to
connect to the wireless service before and which ones they have previously used,
i.e. have they only ever used UoN-standard and it worked well and this is the first
time trying to connect to UoN-secure.
• What they are trying to access – are they trying to get to University only pages
and have connected to Telegeneration or EduRoam?
All of these things will help to get calls passed to the most appropriate team and get the
most effective response.