Setting up Data Encryption and Authentication
Security and Encryption: PRO/Wireless LAN Mini PCI Adapter User's Guide

Security and Encryption
- Encryption Overview
- How to Enable WEP Encryption
- System Administrator Tasks
- Setting up the Client for WEP and MD5 authentication
- Setting up the Client for WPA-PSK using WEP or TKIP authentication
- Setting up the Client for WPA using TKIP encryption and TLS authentication
- Setting up the Client for WPA using TKIP encryption and TTLS or PEAP authentication
- Setting up the Client for CCX using CKIP encryption and LEAP authentication
Wired Equivalent Privacy (WEP) encryption and shared authentication help provide protection for your data on the network. WEP uses an encryption key to encrypt data before transmitting it. Only computers using the same encryption key can access the network or decrypt the encrypted data transmitted by other computers. Authentication provides an additional validation process from the adapter to the access point. The WEP encryption algorithm is vulnerable to passive and active network attacks.
Open and Shared Key authentication
802.11 supports two types of network authentication methods: Open System and Shared Key. Supported authentication schemes are Open and Shared-Key authentication:
When Data Encryption (WEP, CKIP or TKIP) is enabled, a network key is used for encryption. A network key can be provided for you automatically (for example, it might be provided on your wireless network adapter), or you can enter it yourself and specify the key length (64-bit or 128-bit), key format (ASCII characters or hexadecimal digits), and key index (the location where a specific key is stored). The longer the key length, the more secure the key. Every time the length of a key is increased by one bit, the number of possible keys doubles.
Under 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message using a key that is stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving access point or wireless station can then retrieve the key that is stored at the key index and use it to decode the encrypted message body.
802.1x uses two types of encryption keys, static and dynamic. Static encryption keys are changed manually and are more vulnerable. MD5 authentication only uses static encryption keys. Dynamic encryption keys are renewed automatically on a periodic basis. This makes the encryption key(s) more secure. To enable dynamic encryption keys, you must use 802.1x authentication methods, such as TLS, TTLS, PEAP or LEAP.
Security in the WLAN can be supplemented by enabling data encryption using WEP (Wireless Encryption Protocol). You can choose 64-bit or 128-bit encryption. The data is then encrypted with a key. Another parameter, called the key index, provides the option to create multiple keys for that profile. However, only one key can be used at a time. You can also choose to password protect the profile to ensure privacy.
The pass phrase is used to generate a WEP key automatically. You have the option of either using a pass phrase or entering a WEP key manually. Using 64-bit encryption, the pass phrase is 5 characters long and you can choose to enter any arbitrary and easy-to-remember phrase like Acme1, or enter 10 hexadecimal numbers for the WEP key corresponding to the network the user wants to connect to. For 128-bit encryption, the pass phrase is 13 characters long, or you can enter 26 hexadecimal numbers for the WEP key to get connected to the appropriate network.
Note: You must use the same encryption type, key index number, and WEP key as other devices on your wireless network. Also, if 802.1x authentication is being used, WEP encryption must be disabled.
The following example describes how to edit an existing profile and apply WEP encryption.
To enable WEP encryption:
- Use pass phrase: Click Use Pass Phrase to enable. Enter a text phrase, up to five (using 64-bit) or 13 (using 128-bit) alphanumeric characters (0-9, a-z or A-Z), in the pass phrase field.
- Use hex Key: Click Use hex Key to enable. Enter up to ten (using 64-bit) alphanumeric characters, 0-9, A-F, or twenty-six (using 128-bit) alphanumeric characters, 0-9, A-F, in the hex key field.
- Pass phrase: Click Use Pass Phrase to enable it. Enter a text phrase, up to five (using 64-bit) or 13 (using 128-bit) alphanumeric characters (0-9, a-z or A-Z), in the pass phrase field.
NOTE: You must use the same encryption type, index number, and WEP key as other devices on your wireless network.
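The key-entry rules above can be checked in code. The following is an added example, not part of the original guide or of Intel PROSet: it validates a pass phrase or hex key for each encryption level and compares how many distinct keys each entry mode can express. It assumes pass-phrase characters are used directly as key bytes (consistent with 5 characters matching 10 hex digits) and that the remaining 24 bits of the "64-bit" and "128-bit" labels are the WEP initialization vector; the function names are hypothetical.

```python
import math
import string

# Secret key sizes behind the guide's "64-bit" and "128-bit" labels: the
# remaining 24 bits are the per-frame IV, which is not part of the secret.
WEP_SECRET_BYTES = {64: 5, 128: 13}
ALNUM = string.ascii_letters + string.digits  # 0-9, a-z, A-Z (62 symbols)


def parse_wep_key(entry: str, level: int, use_hex: bool) -> bytes:
    """Validate a pass phrase or hex key entry and return the secret bytes.

    Assumption: pass-phrase characters are used directly as key bytes.
    """
    if level not in WEP_SECRET_BYTES:
        raise ValueError("level must be 64 or 128")
    n = WEP_SECRET_BYTES[level]
    if use_hex:
        if len(entry) != 2 * n or any(c not in string.hexdigits for c in entry):
            raise ValueError(f"need exactly {2 * n} hex digits (0-9, A-F)")
        return bytes.fromhex(entry)
    if len(entry) != n or any(c not in ALNUM for c in entry):
        raise ValueError(f"need exactly {n} characters from 0-9, a-z, A-Z")
    return entry.encode("ascii")


def keyspace_bits(level: int, use_hex: bool) -> float:
    """log2 of the number of distinct keys the chosen entry mode can express."""
    n = WEP_SECRET_BYTES[level]
    return 8.0 * n if use_hex else n * math.log2(len(ALNUM))


if __name__ == "__main__":
    # "Acme1" is the sample phrase from the guide; both entry modes below
    # must be configured identically on every device sharing the key.
    print(parse_wep_key("Acme1", 64, use_hex=False).hex())
    for level in (64, 128):
        for use_hex in (True, False):
            mode = "hex key" if use_hex else "pass phrase"
            print(f"{level}-bit {mode}: {keyspace_bits(level, use_hex):.1f} bits")
```

An alphanumeric pass phrase covers far fewer keys than a hex key of the same length, so the hex entry is the stronger choice when a static key must be used.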
NOTE: The following information is intended for system administrators.
If you do not have any certificates for EAP-TLS or EAP-TTLS, you must get a client certificate to allow authentication. Typically you need to consult with your system network administrator for instructions on how to obtain a certificate on your network. Certificates can be managed from “Internet Settings”, accessed from either Internet Explorer or the Windows Control Panel applet. Use the “Content” page of “Internet Settings”.
Windows XP and 2000: When obtaining a client certificate, do not enable strong private key protection. If you enable strong private key protection for a certificate, you will need to enter an access password for the certificate each time this certificate is used. You must disable strong private key protection for the certificate if you are configuring the service for TLS/TTLS authentication. Otherwise the 802.1x service will fail authentication because there is no logged in user to whom it can display the prompt dialog.
Notes about Smart Cards
After installing a Smart Card, the certificate is automatically installed on your computer and can be selected from the personal certificate store and root certificate store.
Step 1: Getting a certificate
To allow TLS authentication, you need a valid client (user) certificate in the local repository for the logged-in user’s account. You also need a trusted CA certificate in the root store.
The following information provides two methods for getting a certificate:
- from a corporate certification authority implemented on a Windows 2000 Server
- using Internet Explorer’s certificate import wizard to import a certificate from a file
Note: If this is the first certificate you have obtained, the CA will first ask you if it should install a trusted CA certificate in the root store. The dialog will not say this is a trusted CA certificate, but the name on the certificate shown will be that of the host of the CA. Click Yes; you need this certificate for both TLS and TTLS.
The following example describes how to use WPA with TKIP encryption using TTLS or PEAP authentication.
Step 2: Specifying the certificate used by Intel(R) PROSet
Obtain and install a client certificate; refer to Step 1 or consult your system administrator.
From the General page, click the Networks tab.
Click the Add button.
Enter the profile and network (SSID) name.
Select Infrastructure for the operating mode.
Click Next.
Select Open for the Network Authentication. You can also select any other available authentication mode.
Select WEP as the Data Encryption. You can also select any other available encryption type.
Click the 802.1x Enabled checkbox.
Set the authentication type to TLS to be used with this connection.
Click the Configure button to open the settings dialog.
Enter your user name in the User Name field.
Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.
Click the “allow intermediate certificates” checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.
Enter the Server name.
If you know the server name, enter this name.
Select the appropriate option to match the server name exactly or specify the domain name.
Under the "Client certificate" option, click the Select button to open a list of installed certificates.
Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.
Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
Click Close.
Click the Finish button to save the security settings for the profile.
To add WEP and MD5 authentication to a new profile:
Note: Before starting, obtain a username and password on the RADIUS server from your system administrator.
Use Wi-Fi Protected Access - Pre Shared Key (WPA-PSK) mode if there is no authentication server being used. This mode does not use any 802.1x authentication protocol. It can be used with the data encryption types WEP or TKIP. WPA-PSK requires configuration of a pre-shared key (PSK). You must enter a pass phrase or 64 hex characters for a Pre-Shared Key of length 256 bits. The data encryption key is derived from the PSK.
To configure a profile using WPA-PSK:
From the General page, click the Networks tab.
Click the Add button.
Enter the profile and network (SSID) name.
Select Infrastructure for the operating mode.
Click Next.
Select WPA-PSK for the Network Authentication. You can also select authentication mode.
Select WEP as the Data Encryption.
Select either of the following:
Use pass phrase: Click Use Pass Phrase to enable. Enter a text phrase, up to five (using 64-bit) or 13 (using 128-bit) alphanumeric characters (0-9, a-z or A-Z), in the pass phrase field.
Use hex Key: Click Use hex Key to enable. Enter up to ten (using 64-bit) alphanumeric characters, 0-9, A-F, or twenty-six (using 128-bit) alphanumeric characters, 0-9, A-F in the hex key field.
Click the 802.1x Enabled checkbox.
Set the authentication type to TLS to be used with this connection.
Click the Finish button to save the security settings for the profile.
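How a WPA-PSK entry becomes the 256-bit pre-shared key, as an added example that is not part of the original guide or of Intel PROSet. The guide does not describe the conversion; the pass-phrase mapping used here (PBKDF2 with HMAC-SHA1, the SSID as salt, 4096 iterations, 8 to 63 printable ASCII characters) is the one defined in IEEE 802.11i, and the function name and the sample SSIDs are constructed for illustration.

```python
import hashlib
import string


def wpa_psk(entry: str, ssid: str) -> bytes:
    """Return the 256-bit PSK for a pass phrase or a 64-hex-character entry.

    Pass-phrase mapping per IEEE 802.11i (not stated in the guide):
    PSK = PBKDF2-HMAC-SHA1(pass phrase, SSID, 4096 iterations, 32 bytes).
    """
    # Exactly 64 characters can only be the raw hex form of the key, because
    # a pass phrase is limited to 63 characters.
    if len(entry) == 64:
        if any(c not in string.hexdigits for c in entry):
            raise ValueError("a 64-character entry must be hex digits only")
        return bytes.fromhex(entry)
    if not 8 <= len(entry) <= 63:
        raise ValueError("pass phrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in entry):
        raise ValueError("pass phrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", entry.encode("ascii"), salt, 4096, 32)


if __name__ == "__main__":
    # Constructed sample values. The SSID is the salt, so the same pass phrase
    # yields a different PSK on each network name, and renaming the network
    # changes the key even if the pass phrase stays the same.
    for ssid in ("IEEE", "office-wlan"):
        print(ssid, wpa_psk("password", ssid).hex())
    # The hex form is used as-is and does not depend on the SSID.
    raw = "00" * 32
    print(wpa_psk(raw, "IEEE") == wpa_psk(raw, "office-wlan"))
```

Because the derivation is deterministic and the SSID is public, the strength of a pass-phrase PSK rests entirely on the pass phrase; a randomly generated 64-hex-character key avoids that dependency.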
Setting up the Client for WPA using TKIP encryption and TLS authentication
Wi-Fi Protected Access (WPA) mode can be used with TLS, TTLS, or PEAP. This 802.1x authentication protocol uses the data encryption options WEP or TKIP. Wi-Fi Protected Access (WPA) mode binds with 802.1x authentication. The data encryption key is received from the 802.1x key exchange. To improve data encryption, Wi-Fi Protected Access utilizes its Temporal Key Integrity Protocol (TKIP). TKIP provides important data encryption enhancements including a re-keying method.
Obtain and install a client certificate; refer to Setting up the Client for TLS authentication or consult your system administrator.
From the General page, click the Networks tab.
Click the Add button.
Enter the profile and network (SSID) name.
Select Infrastructure for the operating mode.
Click Next.
Select WPA for the Network Authentication.
Select TKIP as the Data Encryption.
Set the authentication type to TLS to be used with this connection.
Click the Configure button to open the settings dialog.
Enter your user name in the User Name field.
Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.
Click the “allow intermediate certificates” checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.
Enter the Server name.
If you know the server name, enter this name.
Select the appropriate option to match the server name exactly or specify the domain name.
Use Client Certificate: This option selects a client certificate from the Personal certificate store of the Windows logged-in user. This certificate will be used for client authentication. Click the Select button to open a list of installed certificates.
Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.
Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
Click Close.
Click the Finish button to save the security settings for the profile.
Using TTLS authentication: These settings define the protocol and the credentials used to authenticate a user. In TTLS, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server. The client can use another authentication protocol, typically password-based protocols, such as MD5 Challenge over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel.
Using PEAP authentication: PEAP settings are required for the authentication of the client to the authentication server. In PEAP, the client uses EAP-TLS to validate the server and create a TLS-encrypted channel between client and server. The client can use another EAP mechanism, such as Microsoft Challenge Authentication Protocol (MSCHAP) Version 2, over this encrypted channel to enable server validation. The challenge and response packets are sent over a non-exposed TLS encrypted channel.
The following example describes how to use WPA with TKIP encryption using TTLS or PEAP authentication.
Obtain and install a client certificate; refer to Setting up the Client for TLS authentication or consult your system administrator.
From the General page, click the Networks tab.
Click the Add button.
Enter the profile and network (SSID) name.
Select Infrastructure for the operating mode.
Click Next.
Select WPA for the Network Authentication.
Select TKIP as the Data Encryption.
Set the authentication type to TTLS or PEAP to be used with this connection.
Click the Configure button to open the settings dialog.
Enter the roaming identity name in the Roaming Identity field. This optional feature is the 802.1X identity supplied to the authenticator. It is recommended that this field not contain a true identity, but instead the desired realm (e.g. anonymous@myrealm).
Select the "Certificate Issuer" from the list. Select Any Trusted CA as the default.
Click the “allow intermediate certificates” checkbox to allow a number of unspecified certificates to be in the server certificate chain between the server certificate and the specified CA. If unchecked, then the specified CA must have directly issued the server certificate.
Enter the Server name.
If you know the server name, enter this name.
Select the appropriate option to match the server name exactly or specify the domain name.
Authentication Protocol:
PEAP: Select MS-CHAP-V2. This parameter specifies the authentication protocol operating over the PEAP tunnel. The protocols are: MS-CHAP-V2 (Default), GTC, and TLS.
TTLS: Select PAP. This parameter specifies the authentication protocol operating over the TTLS tunnel. The protocols are: PAP (Default), CHAP, MD5, MS-CHAP and MS-CHAP-V2.
Enter the user name. This username must match the user name that is set in the authentication server by the IT administrator prior to client's authentication. The user name is case-sensitive. This name specifies the identity supplied to the authenticator by the authentication protocol operating over the TLS tunnel. This user’s identity is securely transmitted to the server only after an encrypted channel has been verified and established.
Enter the user password. Specifies the user password. This password must match the password that is set in the authentication server.
Re-enter the user password. If confirmed, displays the same password characters entered in the Password field.
Use Client Certificate: This option selects a client certificate from the Personal certificate store of the Windows logged-in user. This certificate will be used for client authentication. Click the Select button to open a list of installed certificates.
Note about Certificates: The specified identity should match the field "Issued to" in the certificate and should be registered on the authentication server (i.e., RADIUS server) that is used by the authenticator. Your certificate must be "valid" with respect to the authentication server. This requirement depends on the authentication server and generally means that the authentication server must know the issuer of your certificate as a Certificate Authority. You should be logged in using the same username you used when the certificate was installed.
Select the certificate from the list and click OK. The client certificate information displays under "Client Certificate".
Click Close.
Click the Finish button to save the security settings for the profile.