WPA-Enterprise for Small Business (Part 5)

By Eric Geier

October 30, 2008

In the fifth and final installment of our series on WPA-Enterprise for small businesses, Eric Geier offers step-by-step guidance for configuring computers on your network with WPA and 802.1x settings.

In the fifth and final installment of our series on WPA-Enterprise for small businesses, Eric Geier offers step-by-step guidance for configuring computers on your wireless network with WPA and 802.1x settings. (Suggested reading: Part 3 to learn how to set up an Elektron RADIUS server; Part 4, to learn how to configure a wireless router and/or access points (APs) and install a digital certificate.)

Configuring Windows for WPA and 802.1x

Unlike when using WEP for encryption, a network profile or preferred network entry must be configured with the appropriate WPA and 802.1x settings before Windows will connect to a WPA Enterprise network. Once initially configured, users can connect to the network just like any other using the list of available wireless networks.

Follow these steps to configure Windows XP with the appropriate settings:

  1. Double-click the wireless network icon in the system tray. If the icon isn’t visible, click Start, Network Connections, right-click the wireless connection, and select Properties.
  2. On the Local Area Connection Status window, click the Properties button.
  3. On the Local Area Connection Properties window, select the Wireless Networks tab.
  4. If an entry already exists for the network name or SSID of your WPA-enabled wireless network, select it and click Properties. If no entry exists, click Add.
  5. On the Association tab of the Wireless Network Properties window, enter the desired SSID or network name, if adding a new entry. For the Network Authentication field, select WPA or WPA2, based upon what version is set up on the RADIUS server. If selecting WPA, choose TKIP for the Data Encryption field, or AES if using WPA2.
  6. Choose the Authentication tab, ensure Protected EAP (PEAP) is chosen for the EAP Type, and deselect both checkboxes, unless the RADIUS server is specifically set up to accommodate these situations. See Figure 1 for an example.

Tutorial - Geier E - 1064 - Figure 1.jpg

Figure 1

  1. On the Authentication tab, click the Properties button, check the first checkbox, Validate server certificate, and uncheck the second checkbox. Connect to these servers. If the RADIUS server is configured with a self-signed certificate, select the certificate (organization name followed by Elektron CA) in the Trusted Root Certification Authorities list box. If a certificate was purchased from a third-party CA, such as VeriSign, select the appropriate CA from the list. For the Select Authentication Method field, make sure Secured password (EAP-MSCHAP v2) is selected and click Configure. On the dialog box that appears, uncheck the option labeled “Automatically use my Windows logon name and password” (and domain if any), and click OK. See Figure 2 for an example of both windows.

Tutorial - Geier E - 1064 - Figure 2.jpg

Figure 2

  1. Click OK on each of the windows to save the network settings.

Similar guidelines apply in Windows Vista when configuring WPA Enterprise; however, the exact steps differ. Follow these steps to set up the WPA and 802.1x network in Vista:

  1. Right-click the network icon in the system tray and select Network and Sharing Center.
  2. On the Network and Sharing Center window, click the Manage wireless networks link on the left task pane.
  3. If an entry already exists for the network name or SSID of your WPA-enabled wireless network, double-click it and skip to Step 6. If no entry exists, click Add and proceed with the steps as usual.
  4. If adding a new entry, click “Manually create a network profile” on the window that appears, enter the settings for the network, and click Next.
  5. On the Successfully Added window, click Change connection settings.
  6. On the Wireless Network Properties window, select the Security tab. Ensure the security and encryption types are set correctly, based upon what version is set up on the RADIUS server. Uncheck or check the checkbox option as desired to save the user name and password when connecting.
  7. Ensure Protected EAP (PEAP) is chosen for the network authentication method and click the Settings button. On the Protected EAP Properties window, check the first checkbox, Validate server certificate, and uncheck the second checkbox, Connect to these servers. Select the certificate (organization name followed by Elektron CA) in the Trusted Root Certification Authorities list box. If a certificate was purchased from a third-party CA, such as VeriSign, select the appropriate CA from the list. For the Select Authentication Method field, make sure Secured password (EAP-MSCHAP v2) is selected and click Configure. On the dialog box that appears, uncheck the option labeled Automatically use my Windows logon name and password (and domain if any), and click OK.
  8. Click OK on each of the windows to save the network settings, and then proceed with the next section to connect.

Connecting to WPA Enterprise networks in Windows

After configuring the network settings in Windows, right-click on the wireless icon in the system tray, select View Available Wireless Networks (in XP) or Connect to (in Vista), and then double-click the network from the list. Click the notification in the lower right corner of Windows.

On the Enter Credentials dialog box that appears, enter the user name and password of an account set up on the RADIUS server, leaving the Logon Domain field blank (unless Domains are specifically set up on the network and the server), and then press Enter. The client should successfully connect within a few seconds.

Connecting to WPA Enterprise networks in Mac OS X

Connecting to 802.1x networks in Mac OS X is much easier than in Windows. To get started, connect to the network as normal; choose the desired network from the wireless icon in the upper right corner of the desktop. In the password dialog box, enter a user name and password that’s set up on the RADIUS server and click OK.

If a self-signed certificate is loaded on the RADIUS server, or if the certificate wasn’t obtained from a third-party CA, like VeriSign, that Mac OS X automatically trusts, the Verify Certificate dialog box appears. If this is the case, click the Show Certificate button and verify it’s the legitimate certificate by reviewing the details. To prevent the certificate verification on further connections to the network, select the always trust checkbox. When finished, click Continue to connect to the network.

A job well done

We started this tutorial series with a basic overview of WPA Enterprise. We discussed why WPA Enterprise encryption provides better protection than its easier-to-setup cousin, WPA Personal or Pre-Shared Key (PSK), and explored methods to obtain the required RADIUS server to make WPA Enterprise and 802.1x possible. In addition to mentioning hosted services and APs with built-in RADIUS servers, we discussed the main steps of setting up an actual RADIUS server. Lastly, we configured a particular server, the Elektron RADIUS server, and setup the computers.

If you’ve followed the steps correctly, you should now have a fully functional WPA Enterprise wireless network, providing bulletproof encryption for your small business. Wireless eavesdroppers should not be able to connect or decrypt network communications.

Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi hotspot network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft® Windows Vista (Que 2007).



Comment and Contribute
(Maximum characters: 1200). You have
characters left.