
Configure Advanced Wireless Connections


Use the Intel Advanced Network Security Settings to configure EAP WiFi network settings that are not available from Windows Vista* or Windows* 7.

See Security Overview for more information about the different security options for wireless networks.


Set up a New Wireless Connection
Configure Intel Connection Settings
Set up a Connection with LEAP Network Authentication
Set up a Connection with PEAP Network Authentication
Set up a Connection with EAP-FAST Network Authentication
Set up a Connection with EAP-SIM Network Authentication
Set up a Connection with EAP-TTLS Network Authentication
Set up a Connection with EAP-AKA Network Authentication


Set up a New Wireless Connection

To set up a new wireless connection and enable Intel Connection Settings:

  1. Open the Windows* Network and Sharing Center. For Windows Vista*, click Start > Network > Network and Sharing Center. For Windows* 7, click Start > Control Panel > Network and Internet > Network and Sharing Center.
  2. Click Set up a connection or network.
  3. Select Manually connect to a wireless network.


  1. Click Next to enter the wireless network information.

NOTE: If you have installed Intel® My WiFi Technology, you will have to Choose a wireless adapter. Select Intel WiFi STA.


  1. Network name: Enter the network identifier (SSID).
  2. Security type: Select 802.1X.
  3. Encryption type: Defaults to WEP.
  4. Security Key/Passphrase: Not required.
  5. Optional settings:
  6. Click Next for confirmation that the network was successfully added.


  1. Optional: Click the Change connection settings option.


Configure Intel Connection Settings


  1. Select Enable Intel connection settings to configure Band Selection, Mandatory Access Point, Application Auto Launch, and/or Cisco Options.
  2. Click Configure.


  1. At this panel you can configure the following parameters.

Name

Description

Band Selection

Here you can select the band to use for this connection profile:

  • Mixed band (default): Select this to have the Intel® PROSet/Wireless WiFi Connection Utility attempt to connect this profile to an available network with either of the two bands.
  • 2.4 GHz band: Select this to have the WiFi connection utility attempt to connect this profile to an available network using only the 2.4 GHz band.
  • 5.2 GHz band: Select this to have the WiFi connection utility attempt to connect this profile to an available network using only the 5.2 GHz band.

Mandatory Access Point

Forces the WiFi adapter to connect to an access point that uses a specific MAC address. Enter the 48-bit MAC address of the access point (BSSID) as 12 hexadecimal digits. For example, 00:06:25:0E:9D:84.

Clear: Clear current address.

NOTE: This feature is unavailable when ad hoc operating mode is used.

Application Auto Launch

Automatically starts a batch file, executable file, or script whenever you connect to this network. For example, start a Virtual Private Network (VPN) session automatically whenever you connect to a wireless network.

  1. Click Enable Application Auto Launch.
  2. Enter the path and filename of the program that you want to start or click Browse to locate the file on your hard disk. For example, C:\Program Files\myprogram\myVPNfile.exe.
  3. Click OK to close the Connection Settings.

Cisco Options

Enable Radio Measurement: Turns this service on or off. Lets you configure Cisco settings for Radio Measurement and related services. Select to have the WiFi adapter provide radio management to the Cisco infrastructure. If the Cisco Radio Management utility is used on the infrastructure, it configures radio parameters and detects interference and rogue access points. The default setting is off.

  1. To add additional security, select the Security tab. The Wireless Network Properties window opens.


  1. Security type: Select Intel - CCKM - Enterprise.
  2. Encryption type: Select one of the following:
  3. Click OK to close this window.

Set up a Connection with LEAP Network Authentication

LEAP is an authentication type for wireless LANs that supports strong mutual authentication between the client and a backend server using a logon password as the shared secret. It provides dynamic per-user, per-session encryption keys. Cisco LEAP provides:


Set up LEAP Network Authentication

  1. At the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
  2. Under Encryption type, select the desired encryption.
  3. Under Choose a network authentication method, select LEAP.
  4. Click Settings.

Configure Network Credentials

  1. Select the Network Credentials tab. Configure the username and password by choosing one of the following options:
  2. Click OK to save your settings and close the LEAP Properties dialog box.

Set up a Connection with PEAP Network Authentication

PEAP is an authentication type for wireless LANs. PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on server-side EAP-TLS. With PEAP, organizations can avoid the issues associated with installing digital certificates on every client machine as required by EAP-TLS; instead, they can select the methods of client authentication, such as logon passwords or OTPs, that best suit their corporate needs. The Cisco PEAP client includes the ability to hide user name identities until the TLS encrypted tunnel is established, which provides additional confidentiality that user names are not being broadcast during the authentication phase. PEAP provides the following security benefits:


Set up PEAP Authentication

  1. At the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
  2. Under Encryption type, select the desired encryption.
  3. Under Choose a network authentication method, select Cisco: PEAP.
  4. Click Settings.

Configure User Credentials

  1. Select the User Credentials tab. Configure the username and password by choosing one of the following options:
  2. Select the Connection tab to configure, or click OK to save your settings and close the PEAP Properties dialog box.

Configure the Connection

Use the Connection tab to configure the settings that control the establishment of the connection.

  1. Select the Connection tab.
  2. Check the Use anonymous outer identity box if you want to enable identity privacy protection.
  3. Enter an outer identity in the field. This identity is used as the outer identity in response to the EAP Identity Request. The default value is "anonymous"; check with your administrator if this value should be changed. (You can enter up to 256 characters.)
  4. If you use an authenticated server certificate to establish the tunnel, check the Validate server certificate box.
  5. To enter an optional server name that must match the server certificate that is presented by the server, check the Connect to only these servers box, and enter the server name in the field. To enter multiple server names, separate them with a semicolon.

NOTE: PEAP only allows the connection to continue if the Common Name and Subject Alternative Name in the server certificate match any of the server names entered.

  6. To select a trusted root CA certificate that is used to validate the server certificate, check the trusted certificate or certificates from the Trusted Root Certificate Authority (CA) box.

NOTE: Only trusted CA certificates that are installed on the host system are displayed in the drop-down list. Double-click a trusted root CA certificate to view certificate details.

  7. When you check the Do not prompt user to authorize new servers or trusted certification authorities box, you specify that, if the server name does not match or if the server certificate is not signed by one of the selected trusted CAs, the user is not prompted to authorize the connection. Instead, the authentication fails.
  8. Check Enable Fast Reconnect to allow fast reconnect.
  9. Click OK to save your settings and close the PEAP Properties dialog box.

Set up a Connection with EAP-FAST Network Authentication

EAP-FAST is a publicly accessible EAP type developed by Cisco Systems. There are several EAP protocols available for deployment in both wired and wireless networks. The most common EAP protocols are Cisco LEAP, PEAP, and EAP-TLS. In addition to these protocols, Cisco has developed and implemented the EAP-FAST protocol as a standardized EAP protocol available for deployment across wired and wireless LAN networks. The main features of EAP-FAST are:

This implementation of EAP-FAST also supports:


Set up EAP-FAST Authentication

  1. At the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
  2. Under Encryption type, select the desired encryption.
  3. Under Choose a network authentication method, select EAP-FAST.
  4. Click Settings.

Configure User Credentials

  1. Select the User Credentials tab. Configure the username and password by choosing one of the following options:
  2. Select the Connection tab to configure, or click OK to save your settings and close the EAP-FAST Properties dialog box.

Configure the Connection Settings

Use the Connection tab to configure the settings that control the establishment of the connection.

  1. At the Connection tab, check the Use anonymous outer identity box if you want to enable identity privacy protection.
  2. Enter an outer identity in the field. This identity is used as the outer identity in response to the EAP Identity Request. The default value is "anonymous"; check with your administrator if this value should be changed. (Up to 256 characters.)
  3. If you use a PAC to establish a tunnel, check the Use Protected Access Credentials (PAC) box. If you do not check this box, then EAP-FAST acts as PEAP and uses only the authenticated server certificate to establish the tunnel every time.
  4. To enable the automatic retrieval of a PAC during EAP-FAST authentication, check the Allow automatic PAC provisioning box.
  5. (Optional) Select a PAC authority from the PAC Authority drop-down list, or click Import... to import a *.pac file.

NOTE: The drop-down list contains the names of all of the PAC authorities from which you have previously provisioned a tunnel PAC. If you have not provisioned a PAC, then "none" is the only option. You can also select "none" to force the host to request provisioning a PAC.

  6. If you use an authenticated server certificate to establish the tunnel, check the Validate server certificate box.

NOTE: You can check both the Use Protected Access Credentials (PAC) box and the Validate server certificate box to establish a tunnel. In this case, EAP-FAST always tries to use the PAC first; EAP-FAST will fall back to using the server certificate if the PAC is missing or rejected by the server.

  7. To enter an optional server name that must match the server certificate that is presented by the server, check the Only connect to these servers box and enter the server name in the field. Separate multiple server names with a semicolon.

NOTE: EAP-FAST only allows the connection to continue if the subject field in the server certificate matches any of the server names entered.

  8. Select a trusted root CA certificate that is used to validate the server certificate from the Trusted Root Certificate Authority (CA) list. Only trusted CA certificates that are installed on the host system are displayed in the drop-down list. You can select more than one trusted root CA. Double-click a trusted root CA certificate to view certificate details.
  9. When you check the Do not prompt user to authorize new servers or trusted certification authorities box, you specify that, if the server name does not match or if the server certificate is not signed by one of the selected trusted CAs, the user is not prompted to authorize the connection. Instead, the authentication fails.
  10. Select another tab to configure, or click OK to save your settings and close the EAP-FAST Properties dialog box.

Configure Authentication Settings

Use the Authentication tab to configure the authentication settings.

  1. At the Authentication tab, select the authentication method from the drop down list. Select one of the following methods:
  2. Check Enable fast reconnect to allow session resumption.
  3. Check Enable posture validation to allow the health information of the host machine to be queried.
  4. Select another tab to configure, or click OK to save your settings and close the EAP-FAST Properties dialog box.

Set up a Connection with EAP-SIM Network Authentication

EAP-SIM uses a dynamic session-based WEP key (which is derived from the client adapter and RADIUS server) to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card used by Global System for Mobile Communications (GSM) based digital cellular networks.

NOTE: When creating an administrator profile for Windows Vista* or Windows* 7 that uses EAP-SIM authentication, Shared is not available as a network authentication type. Additionally, Persistent Administrator profiles cannot be created with EAP-SIM authentication.

NOTE: When creating an administrator profile for Windows Vista* or Windows* 7, if Network Authentication is set to Open, then Data Encryption is fixed on WEP.


Set up EAP-SIM Authentication

  1. At the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
  2. Under Encryption type, select the desired encryption.
  3. Under Choose a network authentication method, select EAP-SIM.
  4. Click Settings.
  5. At the panel below, Specify user name (identity): Click to specify the user name.
  6. User Name: Enter the user name assigned to the SIM card.
  7. Click OK.



Set up a Connection with EAP-TTLS Network Authentication

TTLS authentication: These settings define the protocol and credentials used to authenticate a user. The client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can use another authentication protocol; typically, password-based protocols perform their challenge over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS-encrypted channel. TTLS implementations today support all methods defined by EAP.

Authentication Protocols


Set up EAP-TTLS Network Authentication

Step 1 of 2: TTLS User

To set up a connection with EAP-TTLS authentication:

  1. On the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
  2. Under Encryption type, select the desired encryption.
  3. Under Choose a network authentication method: Select EAP-TTLS.

  1. Click Settings.

  1. Authentication Protocol: This parameter specifies the authentication protocol operating over the TTLS tunnel. The protocols are: PAP (Default), CHAP, MS-CHAP and MS-CHAP-V2. See Security Overview for more information.
  2. User Credentials: Select either Prompt each time I connect or Use the following, or Use Windows Login.

Name

Description

Prompt each time I connect

Select to prompt for user name and password before you connect to the wireless network. The user name and password must be first set in the authentication server by the administrator.

Use the following

The user name and password are securely (encrypted) saved in the profile.

  • User Name: This user name must match the user name that is set in the authentication server.

  • Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com). Contact your administrator to obtain the domain name.

  • Password: This password must match the password that is set in the authentication server. The entered password characters display as asterisks.

  • Confirm Password: Reenter the user password.

Use Windows Login

Simply uses the Windows login parameters and does not query the user for additional information.

  1. Roaming Identity: If the Roaming Identity field is cleared, %domain%\%username% is the default identity.

When 802.1X MS RADIUS is used as an authentication server, the server authenticates the device that uses the Roaming Identity user name from the WiFi connection utility, and ignores the Authentication Protocol MS-CHAP-V2 user name. This feature is the 802.1X identity supplied to the authenticator. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for EAP clients. When 802.1X MS RADIUS is used, enter a valid user name. For all other servers, this is optional. Therefore, it is recommended to use the desired realm (for example, anonymous@myrealm) instead of a true identity.

Step 2 of 2: TTLS Server

  1. Select one of the following options:

Name

Description

Validate Server Certificate

Certificate Issuer: The server certificate received during the TTLS message exchange must have been issued by this certificate authority (CA). Trusted intermediate certificate authorities and root authorities whose certificates exist in the system store are available for selection. If Any Trusted CA is selected, any CA in the list is acceptable.

Specify Server or Certificate Name

Server or Certificate Name: Enter the server name.

The server name or domain to which the server belongs depends on which option below has been selected:

  • Server name must match the specified entry exactly: When selected, the server name must match exactly the server name found on the certificate. The server name should include the complete domain name (for example, Servername.Domain name). The server name can include all characters, including special characters.

  • Domain name must end with the specified entry: When selected, the server name identifies a domain, and the certificate must have a server name that belongs to this domain or to one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com). These parameters should be obtained from the administrator.

  1. Click OK to save the setting and close the page.
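The server-name checks described above (the semicolon-separated server list for PEAP and EAP-FAST, and the two EAP-TTLS matching options) can be sketched as follows. This is an added example, not Intel's code: the function names are hypothetical, the case-insensitive comparison and trailing-dot handling are assumptions, and the names other than zeelans.com and blueberry.zeelans.com are constructed.

```python
"""Added example: server-name checks for an EAP server certificate."""


def _norm(name: str) -> str:
    # Assumption: DNS names compare case-insensitively; drop a trailing dot.
    return name.strip().rstrip(".").lower()


def parse_server_list(field: str) -> list:
    """Split a semicolon-separated server-name field, skipping empty items."""
    return [_norm(part) for part in field.split(";") if part.strip()]


def exact_match(cert_name: str, entry: str) -> bool:
    """'Server name must match the specified entry exactly'."""
    return _norm(cert_name) == _norm(entry)


def domain_match(cert_name: str, entry: str) -> bool:
    """'Domain name must end with the specified entry'.

    The comparison is anchored on a label boundary: the certificate name
    must be the domain itself or end with "." + domain. A plain string
    suffix test would also accept look-alike names such as
    blueberry.notzeelans.com for the entry zeelans.com.
    """
    name, domain = _norm(cert_name), _norm(entry)
    if not domain:
        return False
    return name == domain or name.endswith("." + domain)


def server_allowed(cert_names, field: str, mode: str = "exact") -> bool:
    """Return True if any certificate name satisfies any configured entry.

    cert_names: names taken from the server certificate (constructed here).
    field:      the text typed into the server-name box.
    mode:       "exact" or "domain".
    An empty field allows nothing (assumption: fail closed once the
    server-name box is checked).
    """
    check = exact_match if mode == "exact" else domain_match
    entries = parse_server_list(field)
    return any(check(n, e) for n in cert_names for e in entries)


if __name__ == "__main__":
    # Constructed sample inputs.
    cases = [
        (["blueberry.zeelans.com"], "zeelans.com", "domain"),
        (["blueberry.notzeelans.com"], "zeelans.com", "domain"),
        (["zeelans.com.attacker.example"], "zeelans.com", "domain"),
        (["blueberry.zeelans.com"], "zeelans.com", "exact"),
        (["Blueberry.Zeelans.com"], "radius1.zeelans.com; blueberry.zeelans.com", "exact"),
    ]
    for names, field, mode in cases:
        print(names, repr(field), mode, "->", server_allowed(names, field, mode))
```

Pairing a server-name entry with a specific certificate issuer narrows which servers the client will send credentials to; the name check alone only constrains what an already trusted CA has issued.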

Set up a Connection with EAP-AKA Network Authentication

EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) is an EAP mechanism for authentication and session key distribution, using the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM). The USIM card is a special smart card used with cellular networks to validate a given user with the network.


Set up EAP-AKA Authentication

  1. On the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
  2. Under Encryption type, select the desired encryption.
  3. Under Choose a network authentication method, select EAP-AKA.
  4. Click Settings.
  5. Specify user name (identity): Click to specify the user name.
  6. User Name: Enter the user name assigned to the USIM card.
  7. Click OK.
