
WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication

#1  ChrisB  (16 April 2009, 09:56 PM)

MS send you off to Verisign:

Wireless LAN Server Certificates - Product Description - WLAN Certificate from VeriSign, Inc.

but 350USD is a bit steep.

Anyone know of any cheaper alternatives (outside generating your own certificate)?

Last edited by ChrisB; 16 April 2009 at 09:58 PM.

#2  Hanley  (16 April 2009, 10:45 PM)

I would go down the self sign route.

#3  Kieran_Burns  (17 April 2009, 07:12 AM)

Chris - it depends: is this for internal use only, or will you have clients / customers / great unwashed accessing the device?

#4  ChrisB  (17 April 2009, 10:31 AM)

At the moment I'm running it as a test lab with self signed, but there's future potential to roll it out for proper use on customer sites.

I've got one laptop (XP SP3) working fine, but two other laptops are giving me grief authenticating (XP SP3 using the MS WiFi client and XP SP2 using Intel ProSet).

#5  hodgy0_2  (17 April 2009, 01:57 PM)

Not sure if this helps, but I produced the document below for a customer. It was a few years ago, when I designed and installed an enterprise wireless solution (3Com WX4400 Wireless Management switches, Win2k3 AD and IAS - Radius server) for a customer.

Intel Proset Wireless Configuration
802.1x profile


1. The client machine needs to trust the Enterprise Root Authority in order to trust the Radius server for authentication. Obtain a copy of the Enterprise root certificate in .crt file format.

2. Open a new MMC console. (Start > Run > MMC > Enter), go to File > Add / Remove Snap-in > click Add > select Certificates > click Add > select Computer Account > click Next > leave Local Computer Account selected > click Finish > select Close and then OK.

3. Expand certificates node > Expand Trusted Root Certification Authorities > right click on Certificates and select All Tasks > select Import > click Next > browse for the .crt certificate file > click Next > click Next then Finish. A message will appear to confirm the import was successful. Verify that the certificate now appears in the certificate list.

4. Close the MMC console.

5. Download latest Intel Proset/Wireless software - version 10.5
(Wireless - Get software/drivers & technical support information for Intel wireless products)

6. Run installation program > accept defaults for file extraction > click Install software (if not already running) > on the software features install page ensure that all the options are selected including: - ‘Single Sign On’, ‘Pre-Logon Connect’ and ‘Administrator Toolkit’ > Continue the install accepting defaults.

7. Launch the Intel Proset wireless software > click on Tools > Administrator tool > the first time this option runs it will ask you to enter a password to be used in future to secure the wireless profiles > enter a memorable password twice.

8. Select Create a new package > OK. To create a domain logon profile, select the Profiles tab > select the Pre-logon/Common sub tab > click add > enter a profile name i.e. secure > enter an SSID name i.e. secure > ensure that the Pre-logon/Common profile tick box is selected > click Next.

9. On the Security Settings page select Enterprise Security > under Network Authentication select WPA – Enterprise > ensure TKIP is selected under Data Encryption > enable 802.1x should be selected > under Authentication Type select PEAP > under PEAP user section ensure that Authentication Protocol is MS-CHAP-V2 > select ‘Use Windows Logon’ under User Credentials > leave the Roaming Identity as %domain%\%username% > click Next.

10. Under PEAP Server selection ensure Validate Server Certificate is selected > now select the certificate that you imported earlier under the Certificate issuer section > Click Finish.

11. On the Adapter Settings page > check the Include Adapter Settings in this Package checkbox > under ‘Roaming Aggressiveness’ change the value to 1 > click Close.

12. You will be prompted to save the changes > click Yes > select a location to store the saved .exe profile. i.e. c:\wirelessprofile.exe > accept the XML format select > click Close > click Finish.

Important – You will now be presented with a Package Save dialog > on the bottom of this window is an ‘Apply this package to this computer’ checkbox – ensure this is ticked before selecting OK.

13. The profile stored in the .exe file i.e. c:\wirelessprofile.exe can now be easily copied to further machines. Once inside the admin tool area (step 7 above) select ‘Open an existing package’ rather than creating a new one each time. Ensure that the ‘Apply this package to this computer’ is also selected.

14. The profile is now created and applied to the machine. The software will now try to connect to the wireless network with the given profile. Provided the user account that is currently logged on i.e. domain\administrator is allowed wireless logon through the security group that is linked to the Radius server profile, connection will be successful.


or maybe use smart cards

#6  ChrisB  (17 April 2009, 04:36 PM)

Excellent, cheers for that.

I managed to crack the other two laptops - they were missing part of the certificate chain for my self generated. For the one that worked though, I don't know how the 2nd cert got onto that though... Ah well.
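
The failure described in post #6, a client holding only part of the certificate chain, reproduced as an added example that is not part of the thread. It assumes a two-tier hierarchy (root CA, issuing CA, RADIUS server certificate) and the `openssl` CLI; every name and file in it is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed lab PKI (all names made up): root CA -> issuing CA -> RADIUS cert.
set -eu

build_lab_pki() {   # $1 = empty working directory
  d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # Self-signed root: the certificate a client imports into its trusted roots.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/lab.cnf" \
    -extensions ca -subj "/CN=Lab Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Issuing CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
    -subj "/CN=Lab Issuing CA" -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/lab.cnf" -extensions ca \
    -out "$d/issuing.crt" 2>/dev/null
  # RADIUS server certificate, signed by the issuing CA (not by the root).
  openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
    -subj "/CN=radius.lab.example" -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
    -set_serial 3 -days 30 -extfile "$d/lab.cnf" -extensions server \
    -out "$d/server.crt" 2>/dev/null
}

# True only if cert $2 chains to a root in $1, using intermediates in $3 if given.
chain_ok() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d); build_lab_pki "$tmp"
  chain_ok "$tmp/root.crt" "$tmp/server.crt" \
    && echo "root only: verified" || echo "root only: FAILED (issuing CA missing)"
  chain_ok "$tmp/root.crt" "$tmp/server.crt" "$tmp/issuing.crt" \
    && echo "root + issuing CA: verified" || echo "root + issuing CA: FAILED"
  rm -rf "$tmp"
}
demo
```

On a client, the first result means the issuing CA certificate has to be installed alongside the root, or sent by the RADIUS server as part of its chain.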

#7  Sonic'  (17 April 2009, 06:28 PM)

I've always used digicert (I think that is their name) 99 USD for 12 months cert, or 399 USD for Wild Card certs