
7.5. Windows/XP with built-in Supplicant

In this example Windows/XP with Service Pack 2 is used as the supplicant.

The authentication methods listed below are documented in these Windows/XP examples:

7.5.1. Import Certificates

There is no easy way of automating these steps. Follow each step carefully, because it is easy to make a mistake.

  1. From the start menu run mmc

  2. From the console menu click on the File menu, followed by Add/Remove Snap-in.

    1. Click Add

      1. Select the Certificates snap-in

        1. Click Add

        2. Manage certificates for User Account or Computer Account. See description above.

        3. Click Next

        4. Manage Local Computer

        5. Click Finish

    2. Click Close

  3. Install the Root CA certificate.

    1. Under Certificates, right-click on Trusted Root Certification Authorities. From All Tasks choose Import.

    2. Click Next

    3. Display files of type Personal Information Exchange (*.p12).

    4. Browse to the location where the CAcert.p12 certificate is stored, and select it.

    5. Click Next

    6. Mark this key as exportable, and enter the password for the private key

    7. Click Next

    8. Place all certificates in Personal Certificates Store

    9. Click Next; Click Finish

    10. Verify that the certificate is listed under the Root Certification Authorities

  4. When EAP-TLS authentication is used, the user certificate must also be installed.

    1. Under Certificates, right-click on Personal. From All Tasks choose Import.

    2. Click Next

    3. Display files of type Personal Information Exchange (*.p12).

    4. Browse to the location where the user certificate is stored, and select it.

    5. Click Next

    6. Mark this key as exportable, and enter the password for the private key

    7. Click Next

    8. Place all certificates in Personal Store

    9. Click Next; Click Finish

    10. Verify that the certificate shows the intended usage as "proves your identity to a remote computer" and the Root CA is known.

  5. To allow the computer to connect to the wireless network even before the user logs in, also import the user certificate to the computer account.

    1. Add the Certificates snap-in (see above), but this time to manage the computer account

    2. Import the certificate to the personal store for this computer account using this snap-in.
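
The two properties verified at the end of step 4 (the intended usage and a known Root CA) can also be checked on the .p12 file before it is imported. The script below is an added example, not part of the original HOWTO. It assumes the OpenSSL command-line tool and a copy of the Root CA certificate in PEM form; the function name and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the HOWTO): check a user .p12 before importing it.
# Assumes the OpenSSL command-line tool; all names below are placeholders.
#
# check_eap_tls_p12 <user.p12> <password-file> <rootca.pem>
# returns 0 = ready to import, 1 = a check failed, 2 = bundle unreadable
check_eap_tls_p12() {
    p12=$1 passfile=$2 rootca=$3
    cert=$(mktemp) || return 2

    # Extract the client certificate only. -nokeys keeps the private key
    # inside the password-protected bundle; it is never written out.
    if ! openssl pkcs12 -in "$p12" -clcerts -nokeys \
            -passin "file:$passfile" -out "$cert" 2>/dev/null; then
        rm -f "$cert"
        echo "ERROR: cannot open $p12 (wrong password or not PKCS#12)"
        return 2
    fi

    rc=0
    # "The Root CA is known": the certificate must verify against the Root CA
    # that is installed under Trusted Root Certification Authorities.
    if ! openssl verify -CAfile "$rootca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: does not verify against the given Root CA (wrong issuer or expired)"
        rc=1
    fi

    # "Proves your identity to a remote computer" is how Windows displays
    # the Client Authentication extended key usage (OID 1.3.6.1.5.5.7.3.2).
    if ! openssl x509 -in "$cert" -noout -text |
            grep -q 'TLS Web Client Authentication'; then
        echo "FAIL: no Client Authentication extended key usage"
        rc=1
    fi

    # On success, show whose certificate this is and when it expires.
    if [ "$rc" -eq 0 ]; then
        openssl x509 -in "$cert" -noout -subject -enddate
    fi
    rm -f "$cert"
    return "$rc"
}
```

The password is read from a file so that it does not appear in the process list or the shell history.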

7.5.2. Authenticate using certificates (EAP-TLS)

  1. Bring up the Wireless Network Connection Properties dialog.

    1. Control Panel -> Network Connections -> (Network and Internet Connections) -> Wireless Network Connection

    2. Right-click on Wireless Networks, and select Properties

    3. Select the Wireless Networks tab

  2. Select Use Windows to configure my wireless network settings to enable the wireless configuration service.

  3. Configure the wireless network connection

    1. Click on the Add... button.

    2. In the Association tab

      • Network name (SSID) = Fabeltjesland

      • Configure the key mechanism

        • Network Authentication = WPA

        • Data encryption = AES

    3. In the Authentication tab

      • EAP type = Smart Card or other Certificate (TLS)

      • Enter the properties for EAP

        • Click Properties

        • Configure client certificate

          • Use a certificate on this computer, and use simple certificate selection

        • Configure server certificate validation

          • Check validate server certificate

          • Uncheck connect to these servers

          • In the list of trusted root certification authorities mark your own CA.

7.5.3. Authenticate using username/password (EAP-PEAP)

  1. Bring up the Wireless Network Connection Properties dialog.

  2. Select Use Windows to configure my wireless network settings to enable the wireless configuration service.

  3. Configure the wireless network connection

    1. Click on the Add... button.

    2. In the Association tab

    3. In the Authentication tab

      • EAP type = Protected EAP (PEAP)

      • Enter the properties for EAP

        • Click Properties

        • Configure server certificate validation

          • Check validate server certificate

          • Uncheck connect to these servers

          • In the list of trusted root certification authorities mark your own CA.

        • Configure Authentication Method

          • Secured password (EAP-MSCHAP v2)

          • Mark Enable Fast Reconnect. When the session expires, it automatically re-authenticates. This is also useful when roaming among different access points.