
Enterprise Security


The Security Settings window is shown when creating or editing a profile. At the Security Settings page, you can enter the required security settings for the selected WiFi network. See Personal Security to set basic WEP or WPA security in a non-enterprise environment (home, small business). See Enterprise Security Settings to set up 802.1X security authentication options.


Enterprise Security Settings

Name Setting

Enterprise Security

Select to open the Enterprise Security settings. The available security settings depend on the Operating Mode selected: Device to Device (ad hoc) or Network (Infrastructure).

Network Authentication

If you configure a profile for Device to Device (ad hoc) networking, the default setting is Open authentication.

If you configure a profile for an infrastructure network, select:

NOTE: WPA-Enterprise and WPA2-Enterprise are interoperable.

Data Encryption

Click to open the following data encryption types:

  • None: No encryption.
  • WEP: WEP encryption provides two levels of security that use a 64-bit key (sometimes referred to as 40-bit) or a 128-bit key (also known as 104-bit). If you use encryption, all wireless devices on your wireless network must use the same encryption keys.
  • CKIP: Cisco Key Integrity Protocol is a Cisco proprietary security protocol for encryption in 802.11 media. CKIP uses Key Permutation (KP) and Message Sequence Number to improve 802.11 security in infrastructure mode.
  • TKIP: Provides per-packet key mixing, a message integrity check and a rekeying mechanism.
  • AES-CCMP: (Advanced Encryption Standard - Counter CBC-MAC Protocol) Used as the data encryption method whenever strong data protection is important.

Enable 802.1X (Authentication Type)

Click to open the following 802.1X authentication types:

  • TLS
  • TTLS
  • PEAP
  • LEAP
  • EAP-FAST
  • EAP-SIM: If in administrator mode, this is only available for Pre-logon/Common profiles, not Persistent.
  • EAP-AKA: If in administrator mode, this is only available for Pre-logon/Common profiles, not Persistent.

Certain Authentication Types require that you obtain and install a client certificate. See Set up a Client with TLS authentication or consult your administrator.

Authentication Protocols

Authentication Protocols apply only when Network Authentication is set to WPA-Enterprise or WPA2-Enterprise and Authentication Type is set to TTLS or PEAP.

Cisco Options

Click to view the Cisco Compatible Extensions Options.

NOTE: Cisco Compatible Extensions are automatically enabled for CKIP and LEAP profiles.

Advanced

Click to access the Advanced Settings and configure the options listed below.

  • Auto Connect: Select to automatically or manually connect to a profile.
  • Auto Import: Allows a network administrator to move this profile to other computers. (Visible on user profiles only.)
  • Band Selection: Select the band to use for this connection profile.
  • Mandatory Access Point: Select to associate the WiFi adapter with a specific access point.
  • Password Protection: Select to password protect a profile.
  • Application Auto Launch: Specify a program to be started when a wireless connection is made.
  • Maintain Connection: Select to remain connected to a user profile after log off. (Visible on user profiles only.)
  • User Name Format: Select the user name format for the authentication server. (Visible on administrator profiles only.)
  • PLC Domain Check: Select to verify the domain server's presence before the user login process is finished. (Visible on administrator profiles only.)

User Credentials

A profile configured for TTLS, PEAP, or EAP-FAST authentication requires one of the following log on authentication methods:

  • Use Windows logon: The 802.1X credentials match your Windows user name and password. Before connection, you are prompted for your Windows logon credentials.

NOTE: For LEAP profiles, this option is listed as Use Windows logon user name and password.

  • Prompt each time I connect: Prompt for your user name and password every time you log onto the wireless network.

NOTE: For LEAP profiles, this option is listed as Prompt for the user name and password.

  • Use the following: Use your saved credentials to log onto the network.
    • User Name: This user name must match the user name that is set in the authentication server by the administrator prior to client authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol operating over the TLS tunnel. This identity is securely transmitted to the server only after an encrypted channel has been established.
    • Domain: Name of the domain on the authentication server. The server name identifies a domain or one of its sub-domains (for example, zeelans.com, where the server is blueberry.zeelans.com).
    • Password: Specifies the user password. The password characters appear as asterisks. This password must match the password that is set in the authentication server.
    • Confirm Password: Reenter the user password.
    • Roaming Identity: A Roaming Identity may be populated in this field or you can use %domain%\%username% as the default format for entering a roaming identity. When 802.1X Microsoft IAS RADIUS is used as an authentication server, the server authenticates the device using the Roaming Identity from Intel® PROSet/Wireless WiFi Software, and ignores the Authentication Protocol MS-CHAP-V2 user name. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for the Roaming Identity. For all other authentication servers, the Roaming Identity is optional. Therefore, it is recommended to use the desired realm (for example, anonymous@myrealm) for the Roaming Identity rather than a true identity.

NOTE: Contact your administrator to obtain the domain name.

NOTE: For LEAP profiles, this option is listed as Use the following user name and password.

Server Options

Select one of the following credential retrieval methods:

  • Validate Server Certificate: Select to verify the server certificate.

Certificate Issuer: The server certificate received during TLS message exchange must be issued by this certificate authority (CA). Trusted intermediate certificate authorities and root authorities whose certificates exist in the system store are available for selection. If Any Trusted CA is selected, any CA in the list is acceptable. Click Any Trusted CA as the default or select a certificate issuer from the list.

  • Specify Server or Certificate Name: Enter the server name.

The server name, or the domain to which the server belongs, depends on which of the following options has been selected.

  • Server name must match the specified entry exactly: When selected, the server name must match exactly the server name found on the certificate. The server name should include the complete domain name (for example, Servername.Domain name). The server name can include all characters, including special characters.
  • Domain name must end with the specified entry: When selected, the server name identifies a domain, and the certificate must have a server name that belongs to this domain or to one of its subdomains (for example, zeelans.com, where the server is blueberry.zeelans.com).

NOTE: These parameters should be obtained from the administrator.
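
The difference between the two server-name options above, as an added example that is not code from the Intel utility: it models exact matching and whole-label domain-suffix matching on names taken from a server certificate. The function names, mode constants and sample names are hypothetical, and case-insensitive DNS comparison is an assumption, since the page does not state how the utility compares names.

```python
# Added example: models the two "Specify Server or Certificate Name" modes.
# All names here are hypothetical; this is not the Intel utility's own code.

EXACT = "exact"            # "Server name must match the specified entry exactly"
DOMAIN_SUFFIX = "suffix"   # "Domain name must end with the specified entry"


def _labels(name: str) -> list:
    """Lower-case a DNS name (assumption), drop a trailing dot, split into labels."""
    return name.strip().rstrip(".").lower().split(".")


def server_name_ok(cert_name: str, entry: str, mode: str) -> bool:
    """Return True if the name from the server certificate satisfies the entry."""
    cert, want = _labels(cert_name), _labels(entry)
    if "" in cert or "" in want:      # empty label: empty or malformed name
        return False
    if mode == EXACT:
        return cert == want
    if mode == DOMAIN_SUFFIX:
        # Compare whole labels from the right, so the domain and its
        # subdomains match but a name that merely ends with the same
        # characters (for example "notzeelans.com") does not.
        return len(cert) >= len(want) and cert[-len(want):] == want
    raise ValueError(f"unknown mode: {mode!r}")


# Constructed sample names, built around the domain in the page's example.
SAMPLES = [
    "blueberry.zeelans.com",      # the server from the page's example
    "zeelans.com",
    "radius.corp.zeelans.com",
    "notzeelans.com",             # shares only the trailing characters
    "zeelans.com.example.net",    # the domain is a prefix, not a suffix
]


def evaluate(entry: str, mode: str) -> dict:
    """Map each sample name to accept (True) or reject (False)."""
    return {name: server_name_ok(name, entry, mode) for name in SAMPLES}


if __name__ == "__main__":
    for mode, entry in ((EXACT, "blueberry.zeelans.com"),
                        (DOMAIN_SUFFIX, "zeelans.com")):
        for name, ok in evaluate(entry, mode).items():
            print(f"{mode:6} {entry:22} {name:26} {'accept' if ok else 'reject'}")
```

A plain character-level "ends with" test would accept the fourth sample; comparing whole labels is what restricts the match to the domain and its subdomains.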

Certificate Options

To obtain a certificate for TLS authentication, select one of the following:

  • Use my smart card: Select if the certificate resides on a smart card.
  • Use the certificate issued to this computer: Selects a certificate that resides in the machine store.
  • Use a user certificate on this computer: Click Select to choose a certificate that resides on this computer.

NOTE: The Intel® PROSet/Wireless WiFi Connection Utility supports machine certificates. However, they are not displayed in the certificate listings.

Notes about Certificates: The specified identity should match the Issued to identity in the certificate and should be registered on the authentication server (for example, RADIUS server) that is used by the authenticator. Your certificate must be valid with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. Use the same user name you used to log in when the certificate was installed.

Back

View the prior page in the Profile Wizard.

Next

View the next page in the Profile Wizard. If more security information is required, the next step of the Security Settings is displayed.

OK

Closes the Profile Wizard and saves the profile.

Cancel

Closes the Profile Wizard and cancels any changes made.

Help?

Provides the help information for the current page.

