WS5100 3.0 Radius & WPA Implementation - Configuration
WPA security configuration is called 802.1x authentication on the WLAN configuration page of the WS5100. This involves several steps, but they can broadly be grouped as follows:
- Radius Server Setup
- User Database Setup
- PKI/Certificate Server Setup
There are 3 options for a Radius setup to be used for 802.1x authentication:
- WS5100 Onboard Radius and built-in User Database.
- WS5100 Onboard Radius and External User Database (configured using LDAP)*
- External Radius and External User Database (for example, a Windows Server 2003 Radius Server - IAS - along with the Windows Active Directory User Database).
This document provides a step-by-step procedure for setting up PEAP and EAP-TLS authentication. TTLS authentication is not covered; the setup procedure for TTLS is similar to PEAP, as both require a Server Certificate and do not mandate a User Certificate. TLS authentication is covered because it involves additional steps for generating and importing User Certificates.
PEAP and TTLS authentication can be fully configured and terminated on the WS5100 without any external Radius Server or Certificate Server. In the example that follows we will set up PEAP authentication using the WS5100 3.0 onboard Radius Server with its User Database and the onboard Certificate Server.
TLS requires a User Certificate, and the Certificate Server onboard the WS5100 3.0 does not generate User Certificates. Hence, for the TLS example we will use a Windows 2003 Certificate Server for the Server and User Certificate(s).
*For both examples (PEAP and TLS) we will use the WS5100 Onboard Radius and built-in User Database. The LDAP configuration section in this document has the steps for using the WS5100 Onboard Radius with an External User Database like Active Directory (the external user database is accessed by the WS5100 using the LDAP interface).
Step 1: As a first step, create a WLAN with the ESSID "PEAP-TEST". Enable 802.1x authentication for this WLAN by clicking on the 802.1x EAP radio button under Authentication. Select WEP128 under Encryption. (Note that 802.1x with WEP128 only delivers per-session dynamic WEP keys; it is not WPA encryption, and WEP is broken regardless of how it is keyed. Use it for this test only and prefer WPA/WPA2 encryption for a real deployment where the switch and clients support it.)
Step 2: Click on the Radius Config button at the bottom. Enter the WS5100's own IP address as the Radius Server Address and set the Shared Secret to "symbol". (The value "symbol" is used throughout this test setup; in a real deployment use a long random secret, since the shared secret is what authenticates the Radius packets exchanged between the switch and the Radius server.)
Step 3: Click OK twice to exit from the WLAN Edit menu. Click Enable to enable this ESSID.
Step 4: Repeat Steps 1 - 3 to create another ESSID called TLS-TEST.
Make sure you have a DHCP server and other configuration such as VLANs set up appropriately.
In this section we look at
configuring the onboard Radius server with built-in database for PEAP and EAP-TLS authentication.
Step 1: Click on Security -> Radius Server -> Configuration -> Add.
Enter the WS5100 IP address and the shared secret. It must match the secret entered under Radius Config for the WLAN; this step adds the WS5100 itself as a Radius client of the onboard Radius Server.
Click OK. Click Yes on the message "Restart the Radius Server".
Step 2: Click on the Authentication tab (under Radius Server) and select All from the EAP and Auth Type dropdown. Click Apply.
Step 3: Click on the Groups tab (under Radius Server) and click Add. Give the Group a name - WPA Test. Select the PEAP-TEST and TLS-TEST ESSIDs from the Available WLANs list and click on the Add arrow button. Click OK.
Step 4: Click on the Users tab (under Radius Server) and click Add. Add the user name demo and password demo. Select the WPA Test group from the available groups list and click the Add arrow. Click OK.
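The shared secret entered in Step 2 of the WLAN setup and again in Step 1 of the Radius server setup is what ties the two sides together. As an added example (not code from the WS5100 documentation or firmware), the following Python shows what that secret does on the wire for an 802.1x exchange: it keys the Message-Authenticator (HMAC-MD5, RFC 3579) carried by every EAP Access-Request and its reply, and it is mixed into the Response Authenticator (RFC 2865) that lets the switch reject a reply not produced by its server. The secret "symbol", the user "demo", the fixed Request Authenticator and the EAP payloads are constructed values; a real switch randomizes the Identifier and Request Authenticator per request.

```python
"""Added example: what the RADIUS shared secret protects in an 802.1X (EAP) exchange.
Not code from the WS5100 documentation; the secret "symbol", the user "demo" and the
EAP payloads used in __main__ are constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, counting this header) Value."""
    if len(value) > 253:
        raise ValueError("value too long; split EAP-Message across several attributes")
    return bytes([atype, len(value) + 2]) + value

def _find_message_authenticator(pkt: bytes):
    """Return the offset of the Message-Authenticator value, or None if absent/malformed."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2:
            return None                       # malformed length: refuse rather than loop
        if atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            return pos + 2
        pos += alen
    return None

def _message_authenticator(pkt: bytes, secret: bytes, authenticator: bytes, off: int) -> bytes:
    """RFC 3579: HMAC-MD5 keyed with the shared secret over the packet, with the header
    Authenticator set to the Request Authenticator and the attribute value zeroed."""
    zeroed = pkt[:4] + authenticator + pkt[20:off] + bytes(16) + pkt[off + 16:]
    return hmac.new(secret, zeroed, hashlib.md5).digest()

def build_access_request(ident: int, secret: bytes, username: bytes, eap: bytes,
                         request_auth: bytes = None) -> bytes:
    """Switch -> server: Access-Request carrying EAP-Message plus Message-Authenticator."""
    if request_auth is None:
        request_auth = os.urandom(16)         # fresh random Request Authenticator per request
    attrs = (attr(ATTR_USER_NAME, username) + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    off = _find_message_authenticator(pkt)
    mac = _message_authenticator(pkt, secret, request_auth, off)
    return pkt[:off] + mac + pkt[off + 16:]

def verify_access_request(pkt: bytes, secret: bytes) -> bool:
    """Server side: an EAP request without a valid Message-Authenticator is discarded."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or HEADER.unpack(pkt[:4])[2] != len(pkt):
        return False
    off = _find_message_authenticator(pkt)
    if off is None:
        return False
    expected = _message_authenticator(pkt, secret, pkt[4:20], off)
    return hmac.compare_digest(pkt[off:off + 16], expected)

def build_reply(code: int, ident: int, secret: bytes, request_auth: bytes, eap: bytes) -> bytes:
    """Server -> switch: Access-Challenge/Accept/Reject. Message-Authenticator is computed
    with the Request Authenticator in the header; the header then gets the RFC 2865
    Response Authenticator MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    attrs = attr(ATTR_EAP_MESSAGE, eap) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    head = HEADER.pack(code, ident, 20 + len(attrs))
    draft = head + request_auth + attrs
    off = _find_message_authenticator(draft)
    mac = _message_authenticator(draft, secret, request_auth, off)
    attrs = attrs[:off - 20] + mac + attrs[off - 20 + 16:]
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def verify_reply(pkt: bytes, secret: bytes, request_auth: bytes) -> bool:
    """Switch side: both authenticators must match the outstanding request and the secret,
    so a spoofed or replayed Access-Accept from another source is dropped."""
    if len(pkt) < 20 or HEADER.unpack(pkt[:4])[2] != len(pkt):
        return False
    head, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(head + request_auth + attrs + secret).digest()):
        return False
    off = _find_message_authenticator(pkt)
    if off is None:
        return False
    return hmac.compare_digest(pkt[off:off + 16],
                               _message_authenticator(pkt, secret, request_auth, off))

if __name__ == "__main__":
    secret, ra = b"symbol", bytes(range(16))      # constructed; a real switch randomizes ra
    req = build_access_request(1, secret, b"demo", b"\x02\x01\x00\x09\x01demo", ra)
    print("request ok:", verify_access_request(req, secret))
    chal = build_reply(ACCESS_CHALLENGE, 1, secret, ra, b"\x01\x02\x00\x06\x19\x20")
    print("challenge ok:", verify_reply(chal, secret, ra),
          "with wrong secret:", verify_reply(chal, b"wrong", ra))
```

Two things follow from this that matter for the configuration above: a secret as short as "symbol" is the only key in these MACs, so anyone on the path between the switch and the server who can guess it can forge an Access-Accept; and because the WS5100 talks to its own onboard server here, the traffic never leaves the switch, which is the one case where a weak test secret is tolerable.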
In this example we will configure a Windows XP laptop to connect to the PEAP-TEST ESSID. Remember we are using the WS5100 onboard Radius server with its built-in database (where we created the user demo in the previous step).
PEAP only requires a Server Certificate. The WS5100 3.0 ships with a default-trustpoint already set up. This default-trustpoint includes a self-signed server certificate for the onboard Radius Server, so no additional certificate generation steps are required. However, because the Server Certificate in the default-trustpoint is self-signed, there is no separate CA Root Certificate available under the default-trustpoint.
An important part of the PEAP authentication process is the mobile device authenticating the network. This is done by the WS5100/server presenting its Server Certificate to the mobile device, and the device validating this Server Certificate against the Root Certificate of the CA that signed it. Since the Server Certificate we are using is self-signed, you will need to import the CA Root Certificate into the certificate store of the mobile device for this to work.
Since there is no separate CA Root Certificate and the Server Certificate is self-signed, you can import the Server Certificate itself into the mobile device as the CA Root Certificate (a self-signed certificate is its own issuer, so the "root" and the server certificate are one and the same and carry the same public key). In order to import the Server Certificate into the mobile device you will first need to export it from the WS5100. You can export the Server Certificate by clicking on Server Certificates -> Transfer Trustpoints (bottom right). Select From -> Wireless Switch, specify the IP address of an FTP/TFTP server, give the path etc. and click Transfer.
Doing this will export 2 files, default-trustpoint.crt and default-trustpoint.prv, to that FTP/TFTP server's folder. Note that default-trustpoint.prv is the trustpoint's private key: anyone who obtains it can impersonate your Radius server to every client that trusts this certificate. Export over TFTP/FTP only on a trusted network, copy only the .crt file onward, and delete the .prv file from the server folder once the export is done. Copy the default-trustpoint.crt file and transfer it to the mobile device using ActiveSync. Once on the mobile device, this certificate can be installed by double clicking it.
Although it is not recommended, you can configure many supplicants (including WinXP and Fusion 2.x) to bypass this Server Certificate validation. Bypassing validation saves the steps of exporting the CA Root Certificate and importing it on the mobile device, but it also means the device will complete the PEAP exchange with any access point and Radius server that presents a certificate, so a rogue network can capture the inner credential exchange.
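Before installing the exported default-trustpoint.crt as a root on the mobile device, it is worth confirming that the file really is the switch's self-signed certificate and recording its fingerprint so it can be compared on the device. The following Python is an added example, not code from the WS5100 documentation: it accepts the exported file in PEM or DER form, walks just enough of the X.509 structure to compare issuer and subject, and computes SHA-1 and SHA-256 fingerprints over the DER encoding. The certificate produced by make_cert() is constructed for the example (dummy key and signature, so the block runs offline); replace it with the bytes of the exported file.

```python
"""Added example: check an exported trustpoint certificate before trusting it as a root.
Not code from the WS5100 documentation. make_cert() builds a constructed, structurally
valid certificate with a dummy key and signature so the example runs without the switch."""
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def load_der(data: bytes) -> bytes:
    """Accept PEM or DER and return the DER bytes of the first certificate."""
    m = PEM_RE.search(data)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER element at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: N length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content: bytes):
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_tlv(content, pos)
        out.append((tag, body))
    return out

def cert_names(raw: bytes):
    """Return (issuer, subject) as raw DER Name encodings of an X.509 certificate."""
    _, cert, _ = der_tlv(raw)                      # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                      # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs)
    off = 1 if fields[0][0] == 0xA0 else 0         # optional [0] EXPLICIT version shifts fields
    return fields[2 + off][1], fields[4 + off][1]  # issuer, subject

def inspect_cert(cert_file: bytes) -> dict:
    """Self-signed check (issuer == subject) plus fingerprints to compare on the device."""
    raw = load_der(cert_file)
    issuer, subject = cert_names(raw)
    return {
        "self_signed": issuer == subject,
        "sha1": hashlib.sha1(raw).hexdigest().upper(),
        "sha256": hashlib.sha256(raw).hexdigest().upper(),
    }

# --- constructed sample input: structure only, no real key or signature ---------
def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def name(cn: bytes) -> bytes:
    """Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (commonName), PrintableString } } }"""
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn))))

def make_cert(issuer_cn: bytes, subject_cn: bytes) -> bytes:
    """Constructed v3 certificate; sha1WithRSAEncryption OID, dummy RSA key and signature."""
    sha1_rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + der(0x05, b""))
    rsa_key = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    spki = der(0x30, rsa_key + der(0x03, b"\x00" + der(0x30, der(0x02, b"\x00\xc3")
                                                        + der(0x02, b"\x01\x00\x01"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha1_rsa
              + name(issuer_cn)
              + der(0x30, der(0x17, b"070101000000Z") + der(0x17, b"170101000000Z"))
              + name(subject_cn) + spki)
    return der(0x30, tbs + sha1_rsa + der(0x03, b"\x00" + bytes(64)))

def to_pem(raw: bytes) -> bytes:
    """Wrap DER bytes in a PEM CERTIFICATE block, as the .crt export may be stored."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    sample = to_pem(make_cert(b"ws5100-radius", b"ws5100-radius"))   # stand-in for the export
    print(inspect_cert(sample))
```

For the real file, read default-trustpoint.crt into bytes and pass it to inspect_cert(); if self_signed is False, the .crt you are holding is not the self-signed server certificate the text describes and should not be installed as a root. The fingerprint is what you compare, character by character, against what the device shows during installation.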
Step 1: Double click on the
Wireless Network Connection. Find the essid PEAP-TEST. Click on Change Advanced Settings on the
Right.
Step 2: Click on the Wireless
Network tab, select the essid PEAP-TEST and click Configure
Step 3: Click on the Association tab. Under Network Authentication select Open, and under Data Encryption select WEP. Select the option "The key is provided for me automatically".
Step 4: Click on the
Authentication tab. Select Protected EAP (PEAP). Click on Properties.
Step 5: Unselect “Validate Server
Certificate” (this is not recommended for a real deployment – its being done to
avoid importing the CA Root
Certificate). Click Ok.
Step 6: Optional: Integrated
Windows Authentication: If you need to use the Windows domain login credentials
for PEAP authentication, click on Configure at the bottom instead of Ok. Select
the “Automatically use my Windows logon name…” and click Ok. Click Ok again to
complete the PEAP profile setup.
Step 7: Wait a few seconds and then click on the message next to the Wireless Network Connection icon in the system tray (bottom right) to get the PEAP credentials pop-up. Enter User name = demo, Password = demo. Click OK.
Step 8: Verify the laptop’s
wireless connection to the PEAP-TEST ESSID.