Administrator Tool


Set Administrator Password
Administrator Tool Settings
Administrator Packages for Windows XP*
Administrator Profiles

Application Settings
Adapter Settings (Administrator)
EAP-FAST A-ID Groups
Administrator Tasks

NOTE: Throughout this Help, the terms "wireless" and "WiFi" are used interchangeably.


The Administrator Tool is used by the person who has administrator privileges on this computer. This tool is used to configure Pre-logon/Common profiles, and Persistent Connection profiles. The Administrator Tool can be used by an Information Technology department to configure user settings and to create custom install packages to export to other systems.

The Administrator Tool is located on the Tools menu. The Administrator Tool must be selected during a Custom installation of the Intel(R) PROSet/Wireless WiFi Connection Utility or the feature is not displayed.


Administrator Packages for Windows XP*

An Administrator Package is a self-extracting executable file that generally contains the WiFi connection utility, administrative profiles, and other settings. You can copy or send an administrative package to clients on your network. When the executable runs, the contents are installed and configured on the destination computer. If a profile is part of the package, the profile governs how the destination computer connects to a specific WiFi network.

NOTE: To create and export a package for a computer running on Microsoft Windows Vista*, you need to create the package on a computer running Windows Vista. You cannot create a package for Windows Vista on a computer running Microsoft Windows XP*.

Create a New Package

  1. Enter the Administrator Tool password.
  2. Open Administrator Package: Click Create a Windows XP package, or Open an existing package.
    • Create a Windows XP package: Create a package that can be exported to a user's computer running Microsoft Windows XP* operating system. This package allows export of all 802.1X authentication EAP-type Pre-logon/Common and Persistent profiles.
    • Create a Windows Vista package: Not Available. To create and export a package for a computer running on Microsoft Windows Vista*, you need to create the package on a computer running Windows Vista. You cannot create a package for Windows Vista on a computer running Microsoft Windows XP*.
    • Open an existing package: Select to browse for and open an existing package.

  3. Click OK.
  4. Configure the following options to be included in the package:
    • Profiles: Click Include Profiles in this package. Profiles can be shared with other users.
    • Application Settings: Click Include Application Settings in this package. Specify application settings to be enabled.
    • Adapter Settings: Click Include Adapter Settings in this package. Specify initial values for adapter settings used on this computer.
    • EAP-FAST A-ID Groups: Click Include A-ID Groups. Add A-ID Group to support multiple PACs from multiple A-IDs.

  5. Click Close.
  6. You are notified: The current package is changed. Would you like to save the changes?
  7. Click Yes. Save the executable file to a directory on the local disk drive.
  8. Click Save. The file is created. This may take several minutes.
  9. Click Finished to view the package contents.
  10. Click OK.

NOTE: You can also select Save Package on the File menu to save the package.

Edit a Package

  1. Access the Administrator Tool.
  2. On the Open Administrator Package page, click Open an existing package to edit an existing package.
  3. Click Browse. Locate the package's executable file.
  4. Click Open. Make your updates to the package settings.
  5. Click Close.
  6. You are notified: The current package is changed. Would you like to save the changes?
  7. Click Yes. Save the executable file to a directory on the local disk drive.

NOTE: You can also select Open Package on the File menu to edit an Administrator Package.


Administrator Profiles

Administrator Profiles are managed by the network administrator. These profiles can be exported to other computers.

These profiles are common or shared by all users on this computer. However, end users cannot modify these profiles. They can only be modified from the Administrator Tool, which is password protected.

However, you can create Voice over IP (VoIP) profiles for export to a soft-phone application, and you can add pre-existing Common profiles, existing VoIP profiles, or VoIP profiles that you create to a package. There are two types of Administrator Profiles: Persistent and Pre-logon/Common.

Persistent Profiles

Persistent profiles are applied at boot time or whenever no one is logged on to the computer. After a user logs off, a Persistent profile maintains a wireless connection either until the computer is turned off or a different user logs on.

Persistent profile key points:

NOTE: The WiFi connection utility supports machine certificates. However, they are not displayed in the certificate listings.

To create a Persistent profile:

  1. Click Include Profiles in this package.
  2. Click Persistent.
  3. Click Add to open the General Settings.
  4. Profile Name: Enter a descriptive profile name.
  5. WiFi Network Name (SSID): Enter the name of your WiFi network.
  6. Operating Mode: Network (Infrastructure) is selected by default.
  7. Administrator Profile Type: Persistent: Active when no users are logged on is selected.
  8. Click Next.
  9. Click Enterprise Security to open the Security Settings. See TLS, TTLS, PEAP, LEAP, or EAP-FAST for 802.1X security configuration information.
  10. Click OK.

Pre-logon/Common

Pre-logon/Common profiles are applied before a user logs on. If Single Sign On support is installed, the connection is made prior to the Windows log-on sequence (Pre-logon/Common).

If Single Sign On support is not installed, the profile is applied once the user session is active. Pre-logon/Common profiles always appear at the top of the Profiles list. Users can still prioritize profiles that they have created but they cannot reprioritize Pre-logon/Common profiles. Because these profiles appear at the top of the Profiles list, the WiFi connection utility automatically attempts to connect to the Administrator profiles first before any user-created profiles.

NOTE: Only administrators can create or export Pre-logon/Common profiles.

Pre-logon Connect key points are:

Pre-logon/Common Connection Status

Pre-logon/Common profiles support is installed during a Custom install of the WiFi connection utility. See Install or Uninstall the Single Sign On Feature for more information.

NOTE: If the Single Sign On or Pre-logon Connect features are not installed, an administrator is still able to create Pre-logon/Common profiles for export to a user's computer.

The following describes how the Pre-logon Connect feature functions from system power-up. The assumption is that a saved profile exists. This saved profile has valid security settings marked with "Use Windows Logon user name and password" that are applied at the time of Windows log on.

  1. After a system power-up, enter your Windows log on domain, user name, and password.
  2. Click OK. The Pre-logon/Common profile status page displays the progress of the network connection. After the WiFi adapter is connected to the network access point, the Status page closes and the Windows user logs on.
    • If the corresponding access point rejects your credentials during the Pre-logon/Common connection, you will be prompted for your user credentials.
    • Enter your credentials.
    • Click OK. The profile is applied and the Status page displays the progress of the connection status until you are logged onto Windows.
    • Click Cancel on the Credentials page to select another profile.

NOTE: A user certificate can only be accessed by a user that has been authenticated on the computer. Therefore, a user should log onto the computer once (using either a wired connection, alternate profile or local log in) before using a Pre-logon/Common profile that authenticates with a user certificate.

When you log off, any wireless connection is disconnected and a persistent profile (if one is available) is applied. Under certain circumstances, it is desirable to maintain the current connection (for example, if user-specific data needs to be uploaded to the server post-log off or when roaming profiles are used).

Create a profile that is marked as both Pre-logon/Common and persistent to achieve this functionality. If such a profile is active when the user logs off, the connection is maintained.

To create a Pre-logon/Common Profile:

  1. Click Include Profiles in this package.
  2. Click Pre-logon/Common.
  3. Click Add to open the General Settings.
  4. Profile Name: Enter a descriptive profile name.
  5. WiFi Network Name (SSID): Enter the network identifier.
  6. Operating Mode: Network (Infrastructure) is selected by default.
  7. Administrator Profile Type: Pre-logon/Common: Active when a user is logged on. This profile is shared by all users. This profile type is already selected.
  8. Click Next.
  9. Click Advanced to open and configure the Advanced Settings. See Advanced Settings.
  10. Click OK to close the Advanced Settings.
  11. Click Enterprise Security to open the Security Settings. See EAP-SIM, TLS, TTLS, PEAP, LEAP, or EAP-FAST for 802.1X security configuration information.
  12. Click OK to save the profile and add it to the Administrator profiles list.

NOTE: If a Persistent connection was already established, a Pre-logon/Common profile is ignored unless the profile is configured with both Pre-logon/Common and Persistent connection options.


Exclude Networks

Administrators can designate WiFi networks to be excluded from connection. Once a network is excluded, only an administrator can remove the network from the Exclude list. The excluded network is displayed in the Exclude List Management and is indicated by this icon:

To exclude a WiFi network:

  1. Click Include Profiles in this package.
  2. Click Exclude.
  3. Click Add to open the Exclude Network (SSID).
  4. Network Name: Enter the network name of the network that you want to exclude.
  5. Click OK to add the network name to the list.

To remove a WiFi network from exclusion:

  1. Select the network name in the Exclude list.
  2. Click Remove. The network is deleted from the list.

Voice over IP (VoIP) Connection

The WiFi connection utility supports VoIP third-party soft-phone applications. Third-party VoIP applications support voice codecs. Codecs generally provide a compression capability to save network bandwidth. The WiFi connection utility supports the following International Telecommunications Union (ITU) codec standards:

Codec: Algorithm

  • ITU G.711: PCM (Pulse Code Modulation)
  • ITU G.722: SBADPCM (Sub-Band Adaptive Differential Pulse Code Modulation)
  • ITU G.723: Multi-rate Coder
  • ITU G.726: ADPCM (Adaptive Differential Pulse Code Modulation)
  • ITU G.727: Variable-Rate ADPCM
  • ITU G.728: LD-CELP (Low-Delay Code Excited Linear Prediction)
  • ITU G.729: CS-ACELP (Conjugate Structure Algebraic-Code Excited Linear Prediction)

An administrator can export VoIP settings to configure various codec data rates and frame rates to improve voice quality in VoIP transmissions.

To configure VoIP settings:

NOTE: Ensure Voice over IP is not disabled in the Administrator Tool Application Settings. It is enabled by default.

  1. Click Include Profiles in this package.
  2. Click VoIP.
  3. Click Add to open the Create VoIP Profiles page.
  4. Select the Codec bandwidth, application usage, and frame rate. For Voice Data:

G711 has 10ms frame rate with 64kbps bit rate
G722 has 10ms frame rate with 64kbps bit rate
G723 has 30ms frame rate with either 5.3kbps or 6.4kbps bit rate
G726-32 has 10ms frame rate with 32kbps bit rate
G728 has 2.5ms frame rate with 16kbps bit rate
G729 has 10ms frame rate with 10kbps bit rate

Select parameters from the drop down menus.

Codec:
  • G711_64kbps
  • G722_64kbps
  • G722_56kbps
  • G722_48kbps
  • G722_1_32kbps
  • G722_1_24kbps
  • G722_1_16kbps
  • G726_16kbps
  • G726_24kbps
  • G726_32kbps
  • G726_40kbps
  • G728_16kbps
  • G729a_8kbps
  • G729e_11_8kbps
  • GIPS_iPCM_VARIABLE
  • G722_2_VARIABLE

Usage:
  • Interactive Voice
  • Audio Conference
  • Voice Data
  • Video
  • Streaming Audio

Frame Rate:
  • 20
  • 30

  5. Click OK to return to the Profiles list.
  6. Click Close to save the profile settings to a package.

EAP-FAST A-ID Groups

NOTE: This feature is unavailable if CCXv4 is not selected in the Administrator Tool Application Settings.

An Authority Identifier (A-ID) is the RADIUS server that provisions Protected Access Credentials (PACs). A-ID groups are shared by all users of the computer and allow EAP-FAST profiles to support multiple PACs from multiple A-IDs.

The A-ID groups can be pre-configured by the administrator and set up through an Administrator Package on a user's computer. When a WiFi network profile encounters a server with an A-ID in the same group as the A-ID specified in the wireless network profile, it uses this PAC without a prompt to the user.

To add an A-ID Group:

  1. Select Include A-ID Groups.
  2. Click Add.
  3. Enter a new A-ID group name.
  4. Click OK. The A-ID group is added to the A-ID Group list.

If the A-ID group is locked, then additional A-IDs cannot be added to the group.

To add an A-ID to an A-ID group:

  1. Select a group from the A-ID Groups list.
  2. Click Add in the A-IDs section.
  3. Select an A-ID.
  4. Click OK. The A-ID is added to the list.

Once an A-ID group has been selected, the A-IDs are extracted from the PACs on the A-ID group server. The list of A-IDs is automatically populated.


Administrator Tasks

How to Obtain a Client Certificate

If you do not have any certificates for EAP-TLS (TLS) or EAP-TTLS (TTLS) you must obtain a client certificate to allow authentication.

Certificates are managed from either Internet Explorer or the Microsoft Windows Control Panel.

Windows XP: When a client certificate is obtained, do not enable strong private key protection. If you enable strong private key protection for a certificate, you need to enter an access password for the certificate every time this certificate is used. You must disable strong private key protection for the certificate if you configure the service for TLS or TTLS authentication. Otherwise, the 802.1X service fails authentication because there is no logged in user to provide the required password.

Notes about Smart Cards

After a Smart Card is installed, the certificate is automatically installed on your computer and is chosen from the personal certificate store and root certificate store.

Set up a Client with TLS Network Authentication

Step 1: Obtain a certificate

To allow TLS authentication, you need a valid client certificate in the local repository for the logged-in user's account. You also need a trusted CA certificate in the root store.

The following information provides two methods for obtaining a certificate:

If you do not know how to obtain a user certificate from the CA, consult your administrator for the procedure.

To install the CA on the local machine:

  1. Obtain the CA and store it on your local drive.
  2. Click Import. The Certificate Import Wizard opens.
  3. Click Next.
  4. Click Browse to locate the certificate on your local drive.
  5. Click the exported certificate.
  6. Click Open.
  7. Click Next.
  8. Click Place all certificates in the following store.
  9. Click Browse to open the Select Certificate Store.
  10. Click Show physical stores.
  11. Click OK.
  12. From the list of stores, scroll up and expand Trusted Root Certificate Authorities.
  13. Click Local Computer.
  14. Click OK.
  15. Click Next.
  16. Click Finish to complete the process.
  17. Reboot after a certificate is installed.

Use Microsoft Management Console (MMC) to verify that the CA is installed in the machine store.

  1. In the Start menu, click Run.
  2. Enter MMC.
  3. Click OK to open the Microsoft Management Console.
  4. Click File.
  5. Click Add/Remove Snap-in.
  6. Click Add to open the Add Standalone Snap-in page.
  7. Click Certificates.
  8. Click Add.
  9. Click Computer account.
  10. Click Next.
  11. Click Finish.
  12. Click Close.
  13. Click OK.
  14. In the console, click Certificates (Local Computer).
  15. Click Trusted Root Certificate Authorities.
  16. Click Certificates.
  17. Verify that the CA you just installed is listed.
  18. Click File.
  19. Click Exit to close the console.

Obtain a certificate from a Microsoft Windows 2000* CA:

  1. Start Internet Explorer and browse to the Certificate Authority HTTP Service. Use a URL, for example, http://yourdomainserver.yourdomain/certsrv, with certsrv being the command that brings you to the certificate authority. You can also use the IP address of the server machine, for example, "192.0.2.12/certsrv".
  2. Log on to the CA with the name and password of the user account you created on the authentication server. The name and password do not have to be the same as the Windows log on name and password of the current user.
  3. On the Welcome page of the CA, select Request a certificate task and submit the form.
  4. Choose Request Type: Select Advanced request.
  5. Click Next.
  6. Advanced Certificate Requests: Select Submit a certificate request to this CA using a form.
  7. Click Submit.
  8. Advanced Certificate Request: Select User certificate template.
  9. Click Mark keys as exportable.
  10. Click Next. Use the provided defaults.
  11. Certificate Issued: Click Install this certificate.

NOTE: If this is the first certificate you have obtained, the CA first asks you if it should install a trusted CA certificate in the root store. This is not a trusted CA certificate. The name on the certificate is that of the host of the CA. Click Yes. You need this certificate for both TLS and TTLS.

  12. If your certificate was successfully installed, you see the message, "Your new certificate has been successfully installed."
  13. To verify the installation, click Internet Explorer > Tools > Internet Options > Content > Certificates. The new certificate should be installed in the Personal folder.

Import a Certificate from a File

  1. Open Internet Properties: right-click the Internet Explorer icon on the desktop.
  2. Select Properties.
  3. Content: Click Certificates. The list of installed certificates appears.
  4. Click Import to open the Certificate Import Wizard.
  5. Select the file.
  6. Specify your access password for the file. Clear Enable strong private key protection.
  7. Certificate store: Click Automatically select certificate store based on the type of certificate (the certificate must be in the user account's personal store to be accessible).
  8. Proceed to Completing the Certificate Import and click Finish.
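
A scripted equivalent of the Step 1 verification, added here as an example and not part of the original Help: it confirms the CA is in the Local Computer root store and lists each client certificate in the current user's Personal store with the properties TLS authentication depends on. The CA subject string is a placeholder assumption; replace it with your CA's name.

```powershell
# Added example, not from the original Help. $CaSubjectMatch is a placeholder.
param([string]$CaSubjectMatch = 'Example Corp Root CA')

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# 1. The trusted CA must be in the Local Computer root store
#    (same check as the MMC procedure above).
$machineRoots = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaSubjectMatch*" })
if ($machineRoots.Count -eq 0) {
    Write-Warning "No CA matching '$CaSubjectMatch' found in LocalMachine\Root"
}
$machineRoots | Format-List Subject, Thumbprint, NotAfter

# 2. Client certificates in the logged-on user's Personal store.
$now = Get-Date
Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs; a certificate with no EKU extension is all-purpose.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $clientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuthOid)

    # Build the chain without revocation lookups so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # The chain must end in a root that is present in the machine store,
    # not only in the user's own root store.
    $rootInMachine = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"

    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        # HasPrivateKey only shows that a key is associated with the certificate;
        # it does not show whether strong private key protection is enabled.
        HasPrivateKey      = $cert.HasPrivateKey
        InValidityPeriod   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        ClientAuthAllowed  = $clientAuth
        ChainBuilds        = $chainOk
        RootInMachineStore = $rootInMachine
    }
} | Format-List Subject, Thumbprint, HasPrivateKey, InValidityPeriod,
                ClientAuthAllowed, ChainBuilds, RootInMachineStore
```

A certificate is a usable candidate for the TLS profile only when every boolean column is True; run the script as the user whose Personal store holds the certificate.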

To configure a profile with WPA authentication with WEP or TKIP encryption that uses TLS authentication:

NOTE: Obtain and install a client certificate. See Step 1 or consult your administrator.

Specify the certificate used by the WiFi connection utility.

  1. On the Profile page, click Add to open General Settings.
  2. Profile Name: Enter a profile name.
  3. WiFi Network Name (SSID): Enter the network identifier.
  4. Operating Mode: Network (Infrastructure) is selected by default.
  5. Click Next to open the Security Settings.
  6. Click Enterprise Security.
  7. Network Authentication: Select Open (Recommended).
  8. Data Encryption: Select WEP.
  9. Enable 802.1X: Selected.
  10. Authentication Type: Select TLS.

Step 1 of 2: TLS User

  1. Obtain and install a client certificate.
  2. Select one of the following to obtain a certificate:
    • Static Password: On connection, enter the user credentials.
    • One-time password (OTP): Obtain the password from a hardware token device.
    • PIN (Soft Token): Obtain the password from a soft token program.
  3. Click Next.

Step 2 of 2: TLS Server

  1. Select one of the following credential retrieval methods: Validate Server Certificate or Specify Server or Certificate Name.
  2. Click OK. The profile is added to the Profiles list.
  3. Click the new profile at the end of the Profiles list. Use the up and down arrows to change the priority of the new profile.
  4. Click Connect to connect to the selected WiFi network.
  5. Click OK to close the application.
