Back to Contents Page

Security and Encryption: PRO/Wireless LAN Mini PCI Adapter User's Guide

Security and Encryption

Setting up Data Encryption and Authentication
Encryption Overview
How to Enable WEP Encryption
System Administrator Tasks
Setting up the Client for WEP and MD5 authentication
Setting up the Client for WPA-PSK using WEP or TKIP authentication
Setting up the Client for WPA using TKIP encryption and TLS authentication
Setting up the Client for WPA using TKIP encryption and TTLS or PEAP authentication
Setting up the Client for CCX using CKIP encryption and LEAP authentication

Setting up Data Encryption and Authentication

Wired Equivalent Privacy (WEP) encryption and shared authentication helps provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point.  The WEP encryption algorithm is vulnerable to passive and active network attacks. TKIP and CKIP algorithms include enhancements to the WEP protocol that mitigate existing network attacks and address its shortcomings

Open and Shared Key authentication 

802.11 support two types of network authentication methods; Open System and Shared Key. Supported authentication schemes are Open and Shared-Key authentication:

Network Keys

When Data Encryption (WEP, CKIP or TKIP) is enabled, a network key is used for encryption. A network key can be provided for you automatically (for example, it might be provided on your wireless network adapter, or you can enter it yourself and specify the key the key length (64-bits or 128-bit), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). The longer the key length, the more secure the key. Every time the length of a key is increased by one bit, the number of possible keys double.

Under 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message using a key that is stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving access point or wireless station can then retrieve the key that is stored at the key index and use it to decode the encrypted message body.

Encryption Static and Dynamic Key Types

802.1x uses two types of encryption keys, static and dynamic. Static encryption keys are changed manually and are more vulnerable. MD5 authentication only uses static encryption keys. Dynamic encryption keys are renewed automatically on a periodic basis. This makes the encryption key(s) more secure. To enable dynamic encryption keys, you must use 802.1x authentication methods, such as TLS, TTLS, PEAP or LEAP.

Encryption Overview

Security in the WLAN can be supplemented by enabling data encryption using WEP (Wireless Encryption Protocol). You can choose a 64 or 128 bit level encryption. Also, the data can then be encrypted with a key. Another parameter called the key index is provides the option to create multiple keys for that profile. However, only one key can be used at a time. You can also choose to password protect the profile to ensure privacy.

The pass phrase is used to generate a WEP key automatically. You have the option of either using a pass phrase or entering a WEP key manually. Using 64-bit encryption, the pass phrase is 5 characters long and you can choose to enter any arbitrary and easy to remember phrase like Acme1 or enter 10 Hexadecimal numbers for the WEP key corresponding to the network the user wants to connect to. For 128-bit encryption, the pass phrase is 13 characters long or you can enter a 26 hexadecimal numbers for the WEP key to get connected to the appropriate network.

Note: You must use the same encryption type, key index number, and WEP key as other devices on your wireless network. Also, if 802.1x authentication is being used, WEP encryption must be disabled.

How to Enable WEP Encryption

The following example describes how to edit an existing profile and apply WEP encryption.

To enable WEP encryption:

  1. From the General page, click the Networks tab.
  2. Select the profile from the Profile List and click the Edit button.
  3. Click the Security tab.
  4. Select any Network Authentication mode (Open is recommended).
  5. Select WEP for Data Encryption.
  6. Select 64-bit or 128-bit for the Encryption Level.
  7. Select a key index number 1, 2, 3, or 4
  8. Select either of the following:
  1. Click OK to save the profiles settings.

 
NOTE: You must use the same encryption type, index number, and WEP key as other devices on your wireless network.  

System Administrator Tasks

 
NOTE: The following information is intended for system administrators.  

How to Obtain a Client Certificate

If you do not have any certificates for EAP-TLS, or EAP-TTLS you must get a client certificate to allow authentication. Typically you need to consult with your system network administrator for instructions on how to obtain a certificate on your network. Certificates can be managed from “Internet Settings”, accessed from either Internet Explorer or the Windows Control Panel applet. Use the “Content” page of “Internet Settings”.

Windows XP and 2000: When obtaining a client certificate, do not enable strong private key protection. If you enable strong private key protection for a certificate, you will need to enter an access password for the certificate each time this certificate is used. You must disable strong private key protection for the certificate if you are configuring the service for TLS/TTLS authentication. Otherwise the 802.1x service will fail authentication because there is no logged in user to whom it can display the prompt dialog.

Notes about Smart Cards

After installing a Smart Card, the certificate is automatically installed on your computer and can be select from the person certificate store and root certificate store.

Setting up the Client for TLS authentication

Step 1: Getting a certificate

To allow TLS authentication, you need a valid client (user) certificate in the local repository for the logged-in user’s account.  You also need a trusted CA certificate in the root store.

The following information provides two methods for getting a certificate;

Getting a certificate from a Windows 2000 CA:

  1. Start Internet Explorer and browse to the Certificate Authority HTTP Service (use a URL such as http://myCA.myDomain.com).
  2. Logon to the CA with the name and password of the user account you created (above) on the authentication server. The name and password do not have to be the same as the Windows logon name and password of your current user.
  3. On the Welcome page of the CA select Request a certificate task and submit the form.
  4. On the Choose Request Type page, select Advanced request, then click Next.
  5. On the Advanced Certificate Requests page, select Submit a certificate request to this CA using a form, then click Submit.
  6. On the Advanced Certificate Request page choose the User certificate template. Select "Mark keys as exportable", and click Next. Use the provided defaults shown.
  7. On the Certificate Issued page select Install this certificate.

Note: If this is the first certificate you have obtained, the CA will first ask you if it should install a trusted CA certificate in the root store. The dialog will not say this is a trusted CA certificate, but the name on the certificate shown will be that of the host of the CA. Click yes, you need this certificate for both TLS and TTLS.

  1. If your certificate was successfully installed, you will see the message, “Your new certificate has been successfully installed."
  2. To verify the installation, click Internet Explorer > Tools > Internet Options > Content > Certificates. The new certificate should be installed in “Personal” folder.

Importing a certificate from a file
  1. Open Internet Properties (right-click on the Internet Explorer icon on the desktop and select Properties.
  2. Click the Certificates button on the Content page. This will open the list of installed certificates.
  3. Click the Import button under the list of certificates. This will start the Certificate Import Wizard. (Note: Steps 1 through 3 may also be accomplished by double-clicking the icon for the certificate.
  4. Select the file and proceed to the Password page.
  5. On the Password page specify your access password for the file. Clear the Enable strong private key protection option.
  6. On the Certificate store page select "Automatically select certificate store based on the type of certificate" (the certificate must be in the User accounts Personal store to be accessible in the Configure dialog of the Client; this will happen if ‘automatic’ is selected).
  7. Proceed to "Completing the Certificate Import" and click the Finish button.

The following example describes how to use WPA with TKIP encryption using TTLS or PEAP authentication.

Setting up the Client for TLS authentication

Step 2: Specifying the certificate used by Intel(R) PROSet

  1. Obtain and install a client certificate, refer to Step 1 or consult your system administrator.

  2. From the General page, click the Networks tab.

  3. Click the Add button.

  4. Enter the profile and network (SSID) name.

  5. Select Infrastructure for the operating mode.

  6. Click Next.

  7. Select Open for the Network Authentication. You can also select any other available authentication mode.

  8. Select WEP as the Data Encryption. You can also select any other available encryption type.

  9. Click the 802.1x Enabled checkbox.

  10. Set the authentication type to TLS to be used with this connection.

  11. Click the Configure button to open the settings dialog.

  12. Enter your user name in the User Name field.

  13. Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.

    • Click the “allow intermediate certificates” checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.

  14. Enter the Server name.

    • If you know the server name enter this name.

    • Select the appropriate option to match the server name exactly or specify the domain name.

  15. Under the "Client certificate” option click the Select button to open a list of installed certificates.

    • Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.

  16. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".

  17. Click Close.

  18. Click the Finish button to save the security settings for the profile.

Setting up the Client for WEP and MD5 authentication 

To add WEP and MD5 authentication to a new profile: 

Note: Before starting, obtain a username and password on the RADIUS server from your system administrator.

  1. From the General page, click the Networks tab.
  2. Click the Add button from the Profile List.
  3. Enter the profile and network (SSID) name.
  4. Select Infrastructure for the operating mode.
  5. Click Next
  6. Select Open (recommended) for the Network Authentication.
  7. Select WEP as the Data Encryption. 
  8. Select either 64 or 128-bit for the Encryption Level.
  9. Select the key index 1, 2, 3 or 4.
  10. Enter the required pass phrase or hex key.
  11. Click the 802.1x Enabled checkbox.
  12. Select MD5 as the 802.1x Authentication Type.
  13. Click Configure to open the MD5 Setting dialog. Enter the user name and password. Note: The user name and password do not have to be the same as name and password of your current Windows user login. 
  14. Click Close to save the settings. 
  15. If the Password Protection checkbox was checked on the General settings page, then
    click Next display the Password page and enter a profile password. 
  16. Click the Finish button to save the profile settings.

Setting up the Client for WPA-PSK using WEP or TKIP authentication

Use Wi-Fi Protected Access - Pre Shared Key (WPA-PSK) mode if there is no authentication server being used. This mode does not use any 802.1x authentication protocol, It can be used with the data encryption types: WEP or TKIP. WPA-PSK requires configuration of a pre-shared key (PSK). You must enter a pass phrase or 64 hex characters for a Pre-Shared Key of length 256-bits. The data encryption key is derived from the PSK.

To configure a profile using WPA-PSK:

  1. From the General page, click the Networks tab.

  2. Click the Add button.

  3. Enter the profile and network (SSID) name.

  4. Select Infrastructure for the operating mode.

  5. Click Next.

  6. Select WPA-PSK for the Network Authentication. You can also select authentication mode.

  7. Select WEP as the Data Encryption.

  8. Select either of the following:

    • Use pass phrase: Click Use Pass Phrase to enable. Enter a text phrase using 8-63 alphanumeric characters ((0-9, a-z or A-Z), in the pass phrase field.

    • Use hex Key: Click Use hex Key to enable. Enter up to 64 alphanumeric characters, 0-9, A-F in the hex key field.

    9.

  9. Click the 802.1x Enabled checkbox.

  10. Set the authentication type to TLS to be used with this connection.

  11. Click the Finish button to save the security settings for the profile.

 

Setting up the Client for WPA using TKIP encryption and TLS authentication

Wi-Fi Protected Access (WPA) mode can be used with TLS, TTLS, or PEAP. This 802.1x authentication protocol using data encryption options; WEP or TKIP. Wi-Fi Protected Access (WPA) mode binds with 802.1x authentication. The data encryption key is received from the 802.1x key exchange. To improve data encryption, Wi-Fi Protected Access utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a re-keying method.

  1. Obtain and install a client certificate, refer to Setting up the Client for TLS authentication or consult your system administrator.

  2. From the General page, click the Networks tab.

  3. Click the Add button.

  4. Enter the profile and network (SSID) name.

  5. Select Infrastructure for the operating mode.

  6. Click Next.

  7. Select WPA for the Network Authentication.

  8. Select TKIP as the Data Encryption.

  9. Set the authentication type to TLS to be used with this connection.

  10. Click the Configure button to open the settings dialog.

  11. Enter your user name in the User Name field.

  12. Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.

    • Click the “allow intermediate certificates” checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.

  13. Enter the Server name.

    • If you know the server name enter this name.

    • Select the appropriate option to match the server name exactly or specify the domain name.

  14. Use Client Certificate: This option selects a client certificate from the Personal certificate store of the Windows logged-in user. This certificate will be used for client authentication. Click the Select button to open a list of installed certificates.

    • Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.

  15. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".

  16. Click Close.

  17. Click the Finish button to save the security settings for the profile.

 

Setting up the Client for WPA using TKIP encryption and TTLS or PEAP authentication

Using TTLS authentication: These settings define the protocol and the credentials used to authenticate a user. In TTLS, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can use another authentication protocol, typically password-based protocols, such as MD5 Challenge over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel.

Using PEAP authentication: PEAP settings are required for the authentication of the client to the authentication server. In PEAP, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between client and server. The client can use another EAP mechanism, such as Microsoft Challenge Authentication Protocol (MSCHAP) Version 2, over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel.

The following example describes how to use WPA with TKIP encryption using TTLS or PEAP authentication.

  1. Obtain and install a client certificate, refer to Setting up the Client for TLS authentication or consult your system administrator.

  2. From the General page, click the Networks tab.

  3. Click the Add button.

  4. Enter the profile and network (SSID) name.

  5. Select Infrastructure for the operating mode.

  6. Click Next.

  7. Select WPA for the Network Authentication.

  8. Select TKIP as the Data Encryption.

  9. Set the authentication type to TTLS or PEAP to be used with this connection.

  10. Click the Configure button to open the settings dialog.

  11. Enter the roaming identity name in the Roaming Identity field. This optional feature is the 802.1X identity supplied to the authenticator. It is recommended that this field not contain a true identity, but instead the desired realm (e.g. anonymous@myrealm).

  12. Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.

    • Click the “allow intermediate certificates” checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.

  13. Enter the Server name.

    • If you know the server name enter this name.

    • Select the appropriate option to match the server name exactly or specify the domain name.

  14. Authentication Protocol:

    • PEAP: Select MS-CHAP-V2. This parameter specifies the authentication protocol operating over the PEAP tunnel. The protocols are: MS-CHAP-V2 (Default), GTC, and TLS.

    • TTLS: Select PAP. This parameter specifies the authentication protocol operating over the TTLS tunnel. The protocols are: PAP (Default), CHAP, MD5, MS-CHAP and MS-CHAP-V2.

  15. Enter the user name. This username must match the user name that is set in the authentication server by the IT administrator prior to client's authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol operating over the TLS tunnel. This user’s identity is securely transmitted to the server only after an encrypted channel has been verified and established.

  16. Enter the user password. Specifies the user password. This password must match the password that is set in the authentication server.

  17. Re-enter the user password. If confirmed, displays the same password characters entered in the Password field.

  18. Use Client Certificate: This option selects a client certificate from the Personal certificate store of the Windows logged-in user. This certificate will be used for client authentication. Click the Select button to open a list of installed certificates.

    • Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and geneA client certificate from the Personal certificate store of the Windows logged-in user, this certificate will be used for client authentication. This means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.

  19. Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".

  20. Click Close.

  21. Click the Finish button to save the security settings for the profile.

Setting up the Client for CCX using CKIP encryption and LEAP authentication

  1. From the General page, click the Networks tab.

  2. Click the Add button.

  3. Enter the profile and network (SSID) name.

  4. Select Infrastructure for the operating mode.

  5. From the General Tab, click the Cisco Client eXtentions check box to enable CCX. Note: The Network authentication and the Data Encryption now include the CCX security options: Open, Shared for 802.11 Authentication and none, WEP, CKIP for Data encryption.
  6. Select Open in the Network Authentication options.
  7. Select CKIP as the Data encryption.
  8. Click the 802.1x Enabled checkbox to enable the 802.1x security option.
  9. Select LEAP as the 802.1x Authentication Type.
  10. Click the Configure button to open the LEAP Setting dialog. Enter the user name and password of the user you have created on the authentication server. The user name and password do not have to be the same as name and password of your current Windows user login. 
  11. Click Close to save the settings. 

CCX Access Point and Client Configurations

The access point provides settings to select different authentication types depending on the WLAN environment. The client sends an Authentication algorithm field during the 802.11 authentication handshake that takes place between the client and the AP during connection establishment. The Authentication algorithm values recognized by a CCX enabled AP is different for the different authentication types. For instance “Network-EAP” which denotes LEAP has a value of 0x80 while “Open” which is the 802.11 specified Open authentication and “Required EAP” which requires an EAP handshake exchange have values of 0x0.

Network-EAP only

AP: For CCX enabled networks using LEAP authentication only the authentication type is set with “Network-EAP” checkbox selected, and “Open” and “Required EAP” boxes unchecked. The AP is then configured to allow LEAP clients ONLY to authenticate and connect. In this case, the AP expects the 802.11 authentication algorithm to be set to 0x80 (LEAP), and rejects clients that attempt authentication with an Authentication algorithm value 0x0.

Client: In this case the client needs to send out an authentication algorithm value of 0x80 else the 802.11 authentication handshake would fail. During boot, when the Wireless LAN driver is already loaded, but the Intel(R) PROSet supplicant is still unloaded, the client sends 802.11 authentication with an Authentication algorithm value of 0x0. Once the Intel(R) PROSet supplicant loads, and engages the LEAP profile, it sends 802.11 authentication with an Authentication algorithm value of 0x80. However, the supplicant sends out 0x80 only if the Rogue AP box is checked.

Network-EAP, Open and Required EAP

AP: If Network-EAP, Open and Required EAP boxes are checked then it would accept both types of 802.11 authentication algorithm values 0x0 and 0x80. However, once the client is associated and authenticated the AP expects an EAP handshake to take place. For any reason if the EAP handshake does not take place quickly, the AP would not respond to the client for about 60 seconds.

Client: Here the client could send out an authentication algorithm value of 0x80 or 0x0. Both values are acceptable and the 802.11 authentication handshake would succeed. During boot, when the Wireless LAN driver is already loaded and the client sends 802.11 authentication with an Authentication algorithm value of 0x0. This is sufficient to get authenticated but the corresponding EAP or LEAP credentials need to be communicated to the AP to establish a connection.

Open and Required EAP only

AP: In the case where the AP is configured with Network-EAP unchecked, but Open and Required EAP checked, the AP will reject any client attempting to 802.11 authenticate using an authentication algorithm value of 0x80. The AP would accept any client using an authentication algorithm value of 0x0, and expects EAP handshake to commence soon after. In this case, the client uses MD5, TLS, LEAP or any other appropriate EAP method suitable for the specific network configuration.

Client: The client in this case is required to send out an authentication algorithm value of 0x0. As mentioned before the sequence involves a repeat of the initial 802.11 authentication handshake. First, the Wireless LAN driver initiates authentication with a value of 0x0 and later the supplicant would repeat the process. However, the authentication algorithm value used by the supplicant depends status of the Rogue AP checkbox. When the Rogue AP box is unchecked, the client sends an 802.11 authentication with Authentication algorithm value of 0x0 even after the supplicant loads and engages the LEAP profile.

Some non-Intel clients, for example, when set to LEAP, cannot authenticate in this case. However, the Intel Wireless LAN client can authenticate, if the Rogue AP is unchecked.  

Rogue AP Checkbox configuration

When the checkbox is checked it ensures that the client implements the Rogue AP feature as required by CCX. The client makes note of APs that it failed to authenticate with and sends this information to the AP that allows it to authenticate and connect. Also, the supplicant sets the Authentication algorithm type to 0x80 when the Rogue AP box is checked. There may be some network configurations implementing and Open and Required EAP only as described above. For this setup to work, the client must use an Authentication Algorithm value of 0x0, as opposed to the need to use 0x80 for Network-EAP only described above. Therefore, the Rogue AP checkbox also enables the client to support Network-EAP only and Open and Required EAP only.

Cisco CCX Feature Support

The Cisco mandatory Client Compliance Specifications Version1.0:

  • Compliance to all mandatory items of 802.11

  • De-fragmentation of MSDUs and MMPDUs

  • Generate CTS in response to an RTS

  • Open and Shared key authentication support

  • Support Active scanning

  • Wi-Fi compliance required

  • On Windows platforms, Microsoft 802.11 NIC compliance

  • 802.1X-2001 Compliance

  • EAP-TLS (Transport Level Security, RFC 2716) support on Windows XP

  • EAP-MD4 (RFC 1320) support on Windows XP

  • EAP packets to be sent unencrypted

  • Broadcast key rotation support

  • CKIP support

  • WEP/RC4 support

  • Support of 4 keys for WEP

  • Both WEP40 and WEP128 keys are supported

  • LEAP support is required

  • Rogue AP reporting support

  • Cisco Extension: Aironet IE support – CWmin and CWmax fields

  • Encapsulation Transformation Rule IE support

  • Cisco Extension: AP IP address IE

  • Cisco Extension: Symbol IE

  • Mixed (WEP and non-WEP) cells

  • AP may respond to more than one SSID – VLAN awareness

  • Stealth mode support - Clients should ignore missing SSIDs in beacons

  • Multiple SSID support – Client should be able to roam up to 3 SSIDs

  • Client to use configured SSID in probe request

Note: Please refer to Cisco Client extensions version 1.0 document available at www.cisco.com for more details.

Back to Contents Page

Please read all restrictions and disclaimers.