In Part 3 of our five-part series on setting up a WPA-Enterprise wireless network in a small business environment, Eric Geier explained how to install and configure an Elektron RADIUS server. In Part 4, he introduces readers to setting up the computers (wireless clients) on the network and configuring the wireless router and/or access points (APs).
Installing the server’s self-signed digital certificate on the wireless clients is first on the list, so the certificate can be distributed using the existing network, if desired. Then it’s time to set up the wireless router and/or APs with the WPA and RADIUS server settings. Finally, we’ll leave with an overview of the client configuration process. (In the final installment in this series, we’ll cover the step-by-step directions.)
Distributing the Digital Certificate to Clients
When using PEAP with WPA (which our Part 1 tutorial series covers), a digital certificate must be installed on the RADIUS server, which was discussed in Part 3 of this series. Additionally, each Windows computer intending to use the wireless connection should have the same digital certificate installed, if using a self-signed certificate. If a certificate was purchased from a certificate authority (CA), such as VeriSign, that Windows automatically recognizes, this isn’t necessary. In addition, installing the certificate on Mac OS X machines isn’t necessary, whether self-signed or not.
If using a self-signed certificate, it’s best to install it on all the Windows computers before flipping the switch to WPA. This way the certificate can be distributed using the network, in case there isn’t an accessible USB thumb drive or floppy disc laying around.
To get started, bring up the Elektron Settings program, and under the Server Options folder, click Server Certificate. Under the Export Certificate section (see Figure 1), there are many ways to get the certificate in an installable form. For simplicity, click the Text File button and choose a location to save it to, such as a shared folder that all the computers can access or a USB flash drive.
Now, from each Windows PC that will be using the wireless network, open the certificate file (.crt) by double-clicking it. On the dialog box that appears, click the Install Certificate button. If Notepad opens instead, close it, right-click the file and choose Install Certificate. On the Certificate Import Wizard that appears, click Next. Then select the Place all certificates in the following store option, click Browse, choose the Trusted Root Certification Authorities store, and click OK (see Figure 2). Then click Next to move to the next screen and click Finish from there.
The self-signed digital certificate is now loaded on Windows, so the computer can verify the identity of the RADIUS server before trusting it and proceeding to connect.
Setting Up the Wireless Router and/or APs
While connected to the wireless router or AP, or on the same network, log in to the Web-based configuration utility of the device by entering its IP address into a Web browser. Next, find the spot where the wireless security settings are located (see Figure 3 for an example), typically on a main or sub tab labeled Wireless Security.
Select WPA Enterprise or WPA2 Enterprise (sometimes just called WPA or WPA2) for the encryption method, depending upon which version is supported by the wireless adapters that will be using the network. Some wireless routers and APs support both WPA and WPA2 simultaneously, usually referred to as WPA-Mixed. Just stay away from WPA-Personal or WPA-Pre Shared Key (PSK), which is the type of WPA encryption that is vulnerable to cracking by eavesdroppers.
After selecting the WPA encryption method, more settings should appear, such as shown in Figure 3. For the algorithm or cipher type, select TKIP if using WPA, AES if using WPA2, or both (or Auto) if using WPA-mixed mode. For the RADIUS server IP address, enter the address of the server PC that was set up back in Part 2 of this tutorial series. If the port of the RADIUS server isn’t set to the default value (1812), change the port field. Last, but not least, enter the shared secret for the particular wireless router or AP. This was created when configuring the RADIUS server in Part 3 of this series. That is it for the wireless router or APs; they’re ready for clients.
Configuring the Clients
The last step is to enable WPA-Enterprise on all the wireless clients and configure them with the 802.1x/RADIUS server settings. In addition to computers, it is necessary to configure other wireless devices, such as Wi-Fi cameras, network attached storage devices, phones, and media players; anything wirelessly connecting to the WPA encrypted network. Some computers and devices may need an update in order to support WPA/WPA2 Enterprise, such as Service Pack 2 for Windows XP. Also remember to always keep the wireless clients and APs up-to-date with the latest drivers and firmware.
In most cases, the encryption and 802.1x settings for the WPA network have to be set on the computer or device before trying to connect. In other situations, such as when using WEP or WPA-PSK (Personal), you can bring up the available wireless network list and choose the network you want to connect to and when prompted enter the encryption key or passphrase. However, with Wi-Fi networks protected with WPA-Enterprise, the process is more involved. You must create (or edit) a profile or preferred network entry and select the appropriate settings before trying to connect.
In the fifth and final part of our series, we’ll cover exactly how to configure the computers.
Eric Geier is the Founder and President of Sky-Nets, Ltd., a Wi-Fi hotspot network. He is also the author of many networking and computing books, including Home Networking All-in-One Desk Reference For Dummies (Wiley 2008) and 100 Things You Need to Know about Microsoft® Windows Vista (Que 2007).