Configure Advanced Wireless Connections
Use the Intel Advanced Network Security Settings to configure EAP WiFi network settings that are not available from Windows Vista* or Windows* 7.
See Security Overview for more information about the different security options for wireless networks.
Set up a New Wireless Connection
Configure Intel Connection Settings
Set up a Connection with LEAP Network Authentication
Set up a Connection with PEAP Network Authentication
Set up a Connection with EAP-FAST Network Authentication
Set up a Connection with EAP-SIM Network Authentication
Set up a Connection with EAP-TTLS Network Authentication
Set up a Connection with EAP-AKA Network Authentication
Set up a New Wireless Connection
To set up a new wireless connection and enable Intel Connection Settings:
- Open the Windows* Network and Sharing Center. For Windows Vista*, click Start > Network > Network and Sharing Center. For Windows* 7, click Start > Control Panel > Network and Internet > Network and Sharing Center.
- Click Set up a connection or network.
- Select Manually connect to a wireless network.
- Click Next to enter the wireless network information.
NOTE: If you have installed Intel® My WiFi Technology, you will have to Choose a wireless adapter. Select Intel WiFi STA.
- Network name: Enter the network identifier (SSID).
- Security type: Select 802.1X.
- Encryption type: Defaults to WEP.
- Security Key/Passphrase: Not required.
- Optional settings:
- Start this connection automatically (default).
- Connect even if the network is not broadcasting.
- Click Next for confirmation that the network was successfully added.
- Optional: Click the Change connection settings option.
Configure Intel Connection Settings
- Select Enable Intel connection settings to configure Band Selection, Mandatory Access Point, Application Auto Launch, and/or Cisco Options.
- Click Configure.
- At this panel you can configure the following parameters.
Name | Description
Band Selection | Select the band to use for this connection profile:
- Mixed band (default): Select this to have the Intel® PROSet/Wireless WiFi Connection Utility attempt to connect this profile to an available network with either of the two bands.
- 2.4 GHz band: Select this to have the WiFi connection utility attempt to connect this profile to an available network using only the 2.4 GHz band.
- 5.2 GHz band: Select this to have the WiFi connection utility attempt to connect this profile to an available network using only the 5.2 GHz band.
Mandatory Access Point | Forces the WiFi adapter to connect to an access point that uses a specific MAC address. Enter the MAC address of the access point (BSSID), 48-bit, 12 hexadecimal digits. For example, 00:06:25:0E:9D:84.
Clear: Clear current address.
NOTE: This feature is unavailable when ad hoc operating mode is used.
Application Auto Launch | Automatically starts a batch file, executable file, or script whenever you connect to this network. For example, start a Virtual Private Network (VPN) session automatically whenever you connect to a wireless network.
- Click Enable Application Auto Launch.
- Enter the path and filename of the program that you want to start or click Browse to locate the file on your hard disk. For example, C:\Program Files\myprogram\myVPNfile.exe.
- Click OK to close the Connection Settings.
Cisco Options | Enable Radio Measurement: Turns this service on or off. Lets you configure Cisco settings for Radio Measurement and related services. Select to have the WiFi adapter provide radio management to the Cisco infrastructure. If the Cisco Radio Management utility is used on the infrastructure, it configures radio parameters and detects interference and rogue access points. The default setting is off.
- To add additional security, select the Security tab. The Wireless Network Properties window opens.
- Security type: Select Intel - CCKM - Enterprise.
- Encryption type: Select one of the following:
- WEP: default when Intel - CCKM - Enterprise is selected as security type.
- TKIP: Provides per packet key mixing, a message integrity check, and a rekeying mechanism.
- AES - CCMP: (Advanced Encryption Standard - Counter CBC-MAC Protocol) Used as the data encryption method whenever strong data protection is important. AES - CCMP is recommended.
- Click OK to close this window.
Set up a Connection with LEAP Network Authentication
LEAP is an authentication type for wireless LANs that supports strong mutual authentication between the client and a backend server using a logon password as the shared secret. It provides dynamic per-user, per-session encryption keys. Cisco LEAP provides:
- True single login with an existing user name and password using Windows NT/2000 Active Directory
- Simplified, inexpensive deployment and administration for IT managers
- Reliable, scalable, centralized security management
- High-performance, upgradeable enterprise-class security
- Dynamic privacy protection when used in conjunction with TKIP or AES
Set up LEAP Network Authentication
- At the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
- Under Encryption type, select the desired encryption.
- Under Choose a network authentication method, select LEAP.
- Click Settings.
Configure Network Credentials

- Select the Network Credentials tab. Configure the username and password by choosing one of the following options:
- Use Windows username and password. This option uses the Windows username and password as the LEAP credentials for network authentication.
- Prompt automatically for username and password. This option uses a separate LEAP username and password for network authentication. The username and password need to be registered with the backend server.
- Use saved username and password. This option uses a saved LEAP username and password for network authentication. This option does not require you to enter a LEAP username and password each time. Authentication occurs automatically as needed using a saved username and password (which are registered with the backend server).
To configure the saved username and password:
- Enter the saved username and domain in the Username field, up to 256 characters. Use one of these formats:
> Domain-qualified username (domain\user)
> UPN format (user@domain)
- Enter the password in the Password field, up to 256 characters.
- Re-enter the password in the Confirm Password field.
- Click OK to save your settings and close the LEAP Properties dialog box.
Set up a Connection with PEAP Network Authentication
PEAP is an authentication type for wireless LANs. PEAP provides strong security, user database extensibility, and support for one-time token authentication and password change or aging. PEAP is based on server-side EAP-TLS. With PEAP, organizations can avoid the issues associated with installing digital certificates on every client machine as required by EAP-TLS; instead, they can select the methods of client authentication, such as logon passwords or OTPs, that best suit their corporate needs. The Cisco PEAP client includes the ability to hide user name identities until the TLS encrypted tunnel is established, which provides additional confidentiality that user names are not being broadcast during the authentication phase. PEAP provides the following security benefits:
- Relies on TLS to allow nonencrypted authentication types such as EAP-GTC and OTP support
- Uses server-side PKI-based digital certification authentication
- Allows authentication to an extended suite of directories, including LDAP, Novell NDS*, and OTP databases
- Uses TLS to encrypt all user-sensitive authentication information
- Supports password change at expiration
- Does not expose the logon user name in the EAP identity response
- Is not vulnerable to dictionary attacks
- Provides dynamic privacy protection when used in conjunction with TKIP or AES
Set up PEAP Authentication
- At the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
- Under Encryption type, select the desired encryption.
- Under Choose a network authentication method, select Cisco: PEAP.
- Click Settings.
Configure User Credentials

- Select the User Credentials tab. Configure the username and password by choosing one of the following options:
- Use one-time password. This option prompts the user for a one-time password as the PEAP credentials for network authentication.
When you use the One-Time Password option, you need to generate a one-time password. The credentials are not cached; every time that the server requests credentials, the user is prompted to enter credentials.
- Use Windows username and password. This option uses the Windows username and password as the PEAP credentials for network authentication.
- Prompt automatically for username and password. This option uses a separate PEAP username and password for network authentication. The username and password need to be registered with the backend server.
- Use saved username and password. This option uses a saved PEAP username and password for network authentication. This option does not require you to enter a PEAP username and password each time. Authentication occurs automatically as needed using a saved username and password (which are registered with the backend server).
To configure the saved username and password:
- Enter the saved username and domain in the Username field, up to 256 characters. Use one of these formats:
> Domain-qualified username (domain\user)
> UPN format (user@domain)
- Enter the password in the Password field, up to 256 characters.
- Re-enter the password in the Confirm Password field.
- Select the Connection tab to configure, or click OK to save your settings and close the PEAP Properties dialog box.
Configure the Connection
Use the Connection tab to configure the settings that control the establishment of the connection.
- Select the Connection tab.
- Check the Use anonymous outer identity box if you want to enable identity privacy protection.
- Enter an outer identity in the field. This identity is used as the outer identity in response to the EAP Identity Request. The default value is "anonymous"; check with your administrator if this value should be changed. (You can enter up to 256 characters.)
- If you use an authenticated server certificate to establish the tunnel, check the Validate server certificate box.
- To enter an optional server name that must match the server certificate that is presented by the server, check the Connect to only these servers box, and enter the server name in the field. To enter multiple server names, separate them with a semicolon.
NOTE: PEAP only allows the connection to continue if the Common Name and Subject Alternative Name in the server certificate match one of the server names entered.
- To select a trusted root CA certificate that is used to validate the server certificate, check the trusted certificate or certificates from the Trusted Root Certificate Authority (CA) box.
NOTE: Only trusted CA certificates that are installed on the host system are displayed in the drop-down list. Double-click a trusted root CA certificate to view certificate details.
- When you check the Do not prompt user to authorize new servers or trusted certification authorities box, the user is not prompted to authorize the connection if the server name does not match or if the server certificate is not signed by one of the selected trusted CAs. Instead, the authentication fails.
- Check Enable Fast Reconnect to allow fast reconnect.
- Click OK to save your settings and close the PEAP Properties dialog box.
Set up a Connection with EAP-FAST Network Authentication
EAP-FAST is a publicly accessible EAP type developed by Cisco Systems. There are several EAP protocols available for deployment in both wired and wireless networks. The most common EAP protocols are Cisco LEAP, PEAP, and EAP-TLS. In addition to these protocols, Cisco has developed and implemented the EAP-FAST protocol as a standardized EAP protocol available for deployment across wired and wireless LAN networks. The main features of EAP-FAST are:
- Secure mutual authentication within TLS tunnel encryption to prevent dictionary attacks
- TLS tunnel encryption and cryptographic binding work to prevent MITM attacks
- Efficient and lightweight for ease of deployment (no requirement for certificates or PKI)
- Identity privacy protection
- Fast reconnect
- Protection and flexibility to support popular user databases through various inner methods
- Efficiency and options to reduce server resource consumption
This implementation of EAP-FAST also supports:
- Single sign-on support, integrated with the Windows Vista* and Windows* 7 logon process and EAPHost framework
- Password aging (support for server-based password expiration)
- Key Cisco Unified Wireless LAN features, such as fast secure roaming, CCKM, and local RADIUS authentication
- Cisco NAC and Microsoft NAP support for posture validation
Set up EAP-FAST Authentication
- At the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
- Under Encryption type, select the desired encryption.
- Under Choose a network authentication method, select EAP-FAST.
- Click Settings.
Configure User Credentials

- Select the User Credentials tab. Configure the username and password by choosing one of the following options:
- Use certificate on this computer. The certificate has already been issued by the certificate authority and is specific to this user.
- Use one-time password. This option prompts the user for a one-time password as the EAP-FAST credentials for network authentication.
When you use the One-Time Password option, you need to generate a one-time password. The credentials are not cached; every time that the server requests credentials, the user is prompted to enter credentials.
- Use Windows username and password. This option uses the Windows username and password as the EAP-FAST credentials for network authentication.
- Prompt automatically for username and password. This option uses a separate EAP-FAST username and password for network authentication. The username and password need to be registered with the backend server.
- Use saved username and password. This option uses a saved EAP-FAST username and password for network authentication. This option does not require you to enter an EAP-FAST username and password each time. Authentication occurs automatically as needed using a saved username and password (which are registered with the backend server).
To configure the saved username and password:
- Enter the saved username and domain in the Username field, up to 256 characters. Use one of these formats:
> Domain-qualified username (domain\user)
> UPN format (user@domain)
- Enter the password in the Password field, up to 256 characters.
- Re-enter the password in the Confirm Password field.
- Select the Connection tab to configure, or click OK to save your settings and close the EAP-FAST Properties dialog box.
Configure the Connection Settings
Use the Connection tab to configure the settings that control the establishment of the connection.
- At the Connection tab, check the Use anonymous outer identity box if you want to enable identity privacy protection.
- Enter an outer identity in the field. This identity is used as the outer identity in response to the EAP Identity Request. The default value is "anonymous"; check with your administrator if this value should be changed. (Up to 256 characters.)
- If you use a PAC to establish a tunnel, check the Use Protected Access Credentials (PAC) box. If you do not check this box, then EAP-FAST acts as PEAP and uses only the authenticated server certificate to establish the tunnel every time.
- To enable the automatic retrieval of a PAC during EAP-FAST authentication, check the Allow automatic PAC provisioning box.
- (Optional) Select a PAC authority from the PAC Authority drop-down list, or click Import... to import a *.pac file.
NOTE: The drop-down list contains the names of all of the PAC authorities from which you have previously provisioned a tunnel PAC. If you have not provisioned a PAC, then "none" is the only option. You can also select "none" to force the host to request provisioning a PAC.
- If you use an authenticated server certificate to establish the tunnel, check the Validate server certificate box.
NOTE: You can check both the Use Protected Access Credentials (PAC) box and the Validate server certificate box to establish a tunnel. In this case, EAP-FAST always tries to use the PAC first; EAP-FAST will fall back to using the server certificate if the PAC is missing or rejected by the server.
- To enter an optional server name that must match the server certificate that is presented by the server, check the Only connect to these servers box and enter the server name in the field. Separate multiple server names with a semicolon.
NOTE: EAP-FAST only allows the connection to continue if the subject field in the server certificate matches any of the server names entered.
- Select a trusted root CA certificate that is used to validate the server certificate from the Trusted Root Certificate Authority (CA) list. Only trusted CA certificates that are installed on the host system are displayed in the drop-down list. You can select more than one trusted root CA. Double-click a trusted root CA certificate to view certificate details.
- When you check the Do not prompt user to authorize new servers or trusted certification authorities box, the user is not prompted to authorize the connection if the server name does not match or if the server certificate is not signed by one of the selected trusted CAs. Instead, the authentication fails.
- Select another tab to configure, or click OK to save your settings and close the EAP-FAST Properties dialog box.
Configure Authentication Settings
Use the Authentication tab to configure the authentication settings.
- At the Authentication tab, select the authentication method from the drop down list. Select one of the following methods:
- Any method (default setting) — this option allows EAP-FAST to choose any of the supported methods that the EAP server requests.
- EAP-GTC — this option is the only available option if you selected the Use one-time password option on the User Credentials tab.
- EAP-MS-CHAP-V2
- EAP-TLS — this option is the only available option if you selected the Use a certificate on this computer option on the User Credentials tab.
NOTE: The Configure button is not enabled in Version 2.0 of the EAP-FAST module.
- Check Enable fast reconnect to allow session resumption.
- Check Enable posture validation to allow the health information of the host machine to be queried.
- Select another tab to configure, or click OK to save your settings and close the EAP-FAST Properties dialog box.
Set up a Connection with EAP-SIM Network Authentication
EAP-SIM uses a dynamic session-based WEP key (which is derived from the client adapter and RADIUS server) to encrypt data. EAP-SIM requires you to enter a user verification code, or PIN, for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card used by Global System for Mobile Communications (GSM) based digital cellular networks.
NOTE: When creating an administrator profile for Windows Vista* or Windows* 7 that uses EAP-SIM authentication, Shared is not available as a network authentication type. Additionally, Persistent Administrator profiles cannot be created with EAP-SIM authentication.
NOTE: When creating an administrator profile for Windows Vista* or Windows* 7, if Network Authentication is set to Open, then Data Encryption is fixed on WEP.
Set up EAP-SIM Authentication
- At the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
- Under Encryption type, select the desired encryption.
- Under Choose a network authentication method, select EAP-SIM.
- Click Settings.
- Specify user name (identity): Click to specify the user name.
- User Name: Enter the user name assigned to the SIM card.
- Click OK.
Set up a Connection with EAP-TTLS Network Authentication
TTLS authentication: These settings define the protocol and credentials used to authenticate a user. The client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can then use another authentication protocol, typically a password-based protocol, whose challenge is carried over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS-encrypted channel. TTLS implementations today support all methods defined by EAP.
Authentication Protocols
- PAP: Password Authentication Protocol is a two-way handshake protocol designed for use with PPP. It uses a plain text password, as on older SLIP systems. It is not secure.
- CHAP: Challenge Handshake Authentication Protocol is a three-way handshake protocol that is considered more secure than PAP.
- MS-CHAP (MD4): Uses a Microsoft version of RSA Message Digest 4 challenge-and-reply protocol. This only works on Microsoft systems and enables data encryption. Selecting this authentication method causes all data to be encrypted.
- MS-CHAP-V2: Introduces an additional feature not available with MS-CHAP-V1 or standard CHAP authentication, the change password feature. This feature allows the client to change the account password if the RADIUS server reports that the password has expired.
Set up EAP-TTLS Network Authentication
Step 1 of 2: TTLS User
To set up a connection with EAP-TTLS authentication:
- On the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
- Under Encryption type, select the desired encryption.
- Under Choose a network authentication method: Select EAP-TTLS.
- Click Settings.
- Authentication Protocol: This parameter specifies the authentication protocol operating over the TTLS tunnel. The protocols are: PAP (Default), CHAP, MS-CHAP and MS-CHAP-V2. See Security Overview for more information.
- User Credentials:
Select Prompt each time I connect, Use the following, or Use Windows Login.
Name | Description
Prompt each time I connect | Select to prompt for user name and password before you connect to the wireless network. The user name and password must first be set in the authentication server by the administrator.
Use the following | The user name and password are saved securely (encrypted) in the profile.
- User Name: This user name must match the user name that is set in the authentication server.
- Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com). Contact your administrator to obtain the domain name.
- Password: This password must match the password that is set in the authentication server. The entered password characters display as asterisks.
- Confirm Password: Reenter the user password.
Use Windows Login | Uses the Windows login parameters and does not query the user for additional information.
- Roaming Identity: If the Roaming Identity field is cleared, %domain%\%username% is the default identity.
When 802.1X MS RADIUS is used as an authentication server, the server authenticates the device that uses the Roaming Identity user name from the WiFi connection utility, and ignores the Authentication Protocol MS-CHAP-V2 user name. This feature is the 802.1X identity supplied to the authenticator. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for EAP clients. When 802.1X MS RADIUS is used, enter a valid user name. For all other servers, this is optional. Therefore, it is recommended to use the desired realm (for example, anonymous@myrealm) instead of a true identity.
Step 2 of 2: TTLS Server
- Select one of the following options:
Name | Description
Validate Server Certificate | Certificate Issuer: The server certificate received during the TTLS message exchange must have been issued by this certificate authority (CA). Trusted intermediate certificate authorities and root authorities whose certificates exist in the system store are available for selection. If Any Trusted CA is selected, any CA in the list is acceptable.
Specify Server or Certificate Name | Server or Certificate Name: Enter the server name.
The server name or domain to which the server belongs depends on which option below has been selected:
- Server name must match the specified entry exactly: When selected, the server name must match exactly the server name found on the certificate. The server name should include the complete domain name (for example, Servername.Domain name). The server name can include all characters, including special characters.
- Domain name must end with the specified entry: When selected, the server name identifies a domain, and the certificate must have a server name that belongs to this domain or to one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com). These parameters should be obtained from the administrator.
- Click OK to save the setting and close the page.
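The server-name rules described above (the semicolon-separated server list used by PEAP and EAP-FAST, and the two TTLS matching options) can be modelled as follows. This is an added example, not code from the Intel utility: the function names, the mode labels and every sample name other than zeelans.com are constructed for illustration, and accepting the bare domain itself under the "must end with" option is an assumption.

```python
from typing import Iterable, List


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop padding and a trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_server_list(field: str) -> List[str]:
    """Split the semicolon-separated server-name field, discarding empty entries."""
    names = [normalize(part) for part in field.split(";")]
    return [n for n in names if n]


def exact_match(cert_name: str, entry: str) -> bool:
    """'Server name must match the specified entry exactly'."""
    cert = normalize(cert_name)
    return bool(cert) and cert == normalize(entry)


def suffix_match(cert_name: str, entry: str) -> bool:
    """'Domain name must end with the specified entry', compared on label boundaries.

    Assumption: a certificate naming the bare domain itself also matches.
    """
    cert, domain = normalize(cert_name), normalize(entry)
    if not cert or not domain:
        return False
    return cert == domain or cert.endswith("." + domain)


def naive_suffix_match(cert_name: str, entry: str) -> bool:
    """Plain string suffix test, shown only for contrast: it ignores label boundaries."""
    return normalize(cert_name).endswith(normalize(entry))


def server_allowed(cert_names: Iterable[str], field: str, mode: str = "exact") -> bool:
    """Return True if any name from the certificate satisfies any configured entry.

    cert_names: names already extracted from the server certificate (CN / SAN).
    field:      the text typed into the server-name box.
    mode:       "exact" or "suffix" (hypothetical labels for the two TTLS options).
    """
    if mode not in ("exact", "suffix"):
        raise ValueError("mode must be 'exact' or 'suffix'")
    entries = parse_server_list(field)
    if not entries:
        # The box is checked but holds nothing usable: fail closed rather than
        # letting an empty entry match every certificate.
        return False
    match = exact_match if mode == "exact" else suffix_match
    return any(match(c, e) for c in cert_names for e in entries)


if __name__ == "__main__":
    # Constructed sample names; only zeelans.com appears in the text above.
    samples = [
        "blueberry.zeelans.com",          # server inside the pinned domain
        "blueberry.notzeelans.com",       # different domain sharing a string suffix
        "zeelans.com.lookalike.example",  # pinned domain used as a left-hand label
    ]
    for name in samples:
        print(f"{name:32} suffix={server_allowed([name], 'zeelans.com', 'suffix')!s:5} "
              f"naive={naive_suffix_match(name, 'zeelans.com')}")
```

The contrast function shows why the comparison has to respect the dot between labels: a plain string suffix test accepts a certificate issued for an unrelated domain whose name merely ends in the same characters.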
Set up a Connection with EAP-AKA Network Authentication
EAP-AKA (Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement) is an EAP mechanism for authentication and session key distribution, using the Universal Mobile Telecommunications System (UMTS) Subscriber Identity Module (USIM). The USIM card is a special smart card used with cellular networks to validate a given user with the network.
Set up EAP-AKA Authentication
- On the Wireless Network Properties window, Security tab, under Security type, select WPA-Enterprise, WPA2-Enterprise, 802.1X, or Intel-CCKM-Enterprise.
- Under Encryption type, select the desired encryption.
- Under Choose a network authentication method: Select EAP-AKA.
- Click Settings.
- Specify user name (identity): Click to specify the user name.
- User Name: Enter the user name assigned to the USIM card.
- Click OK.