Advanced Configuration

5-1

August 2003

Chapter 5

Advanced Configuration

This chapter describes how to configure the advanced features of your ME103 802.11b ProSafe

Wireless Access Point. These features can be found under the Advanced heading in the main

menu.

Configuring Advanced Security 802.1x Options

For an overview of 802.1x, see

“Understanding 802.1x Port Based Network Access Control” on

page B-9

. The ME103 802.11b ProSafe Wireless Access Point supports these 802.1x options:

•

Key Exchange

. Key exchange (PEAP, EAP-TLS, EAP-TTLS) provides strong security

through mutual authentication and automatic key exchange between the two endpoints.

Periodic updates are performed using public-key cryptography through a certificate server and

a Remote Authentication Dial-In User Service (RADIUS) server.

The ME103 configuration procedures for these options are presented below.

Basic Requirements for 802.1x

802.1x requires these parts:

1.

Authenticator: ME103

2.

Authentication Server - a RADIUS server.

Microsoft Internet Authentication Server (IAS) provides RADIUS functionality. Other

vendors also support RADIUS for 802.1x.

3.

Supplicant - Windows 2000 with the 802.1x client patch applied (SP4 802.1x client) or

Windows XP.

4.

Optionally, the Key Exchange options (PEAP, EAP-TLS, and EAP-TTLS) can take advantage

of a Certificate Authority (CA) such as Windows 2000 server provides. To use

certificate-based authentication, both the RADIUS server and the client need to have a

certificate from a certificate server such as Windows 2000 or a public service such as Verisign.

Reference Manual for the ME103 802.11b ProSafe Wireless Access Point

5-2

Advanced Configuration

August 2003

With the above basic requirements, 802.1x security can be implemented with the ME103. Refer to

“Understanding 802.1x Port Based Network Access Control” on page B-9

for a description of

basic 802.1x functionality.

How to Configure the 802.1x Key Exchange Option

Follow this procedure to configure the ME103 for 802.1x Key Exchange security. The sample

configuration worksheet below is filled in with the parameters used in this procedure. To configure

your ME103, print and fill out the blank worksheet found at the end of this section and record your

network configuration. A blank worksheet is provided below.

1.

Configure the RADIUS server to use the 802.1x settings in the worksheet above.

a.

Add the ME103 to the RADIUS server using either its IP address or the NetBIOS name.

b.

Set the shared key. Both the ME103 and the RADIUS entries should use the same shared

key so that the RADIUS server allows the ME103 to log in to the RADIUS server.

2.

Configure the ME103 802.1x Key Exchange parameters.

a.

Log in to the ME103 using the NetBIOS name printed on the bottom of the unit, or at its

default address of

or at whatever IP address the unit is currently

configured with. Use the default user name of

admin

and password of

password

. Click

the Security Settings link in the main menu Advanced section to display the Advanced

Security Settings menu.

Key Exchange Configuration Worksheet

802.1x Key Exchange Security Settings

WEP Encryption Key Length:

128/64-bit

Note:

Be sure your wireless adapter has the WEP 128/64-bit

encryption feature enabled.

RADIUS Port:

1812

RADIUS Shared Key:

r>T(h4&3@#kB

Network

LAN IP Network Address

Subnet Mask

Gateway IP (LAN IP Address)

ME103

192.168.0.2

255.255.255.0

192.168.0.1

Reference Manual for the ME103 802.11b ProSafe Wireless Access Point

Advanced Configuration

5-3

August 2003

Note:

Perform this procedure from a LAN connected computer rather than over a wireless

link. This procedure will change the ME103’s data encryption settings, so all wireless

connections will be disconnected when you apply the settings.

b.

Fill in the settings from the worksheet as illustrated above.

Data Encryption (WEP) features are not functional in this mode. Key Exchange mode

automatically supplies the encryption keys and changes the keys regularly at short

intervals.

c.

Click Apply.

3.

Configure the PCs on network to use the 802.1x and WEP settings you just applied to the

ME103.

Note:

At this time, only Windows XP includes built-in support for 802.1x. Windows 2000 can

support 802.1x with the appropriate SP4 patch. There are also third party client software

packages which will provide 802.1x support for a variety of Windows, Macintosh, Unix, and

Linux clients. The information below is an example of one of many possible scenarios you

may encounter when deploying 802.1x. NETGEAR does not provide support for Windows or

third party software.

a.

Using a computer connected via the Ethernet LAN, obtain and install a certificate.

Note:

In this example, you must perform this operation from a wired connection to the

Windows 2000 certificate server. A wireless connection through the ME103 will not be

available until after the certificate is already recorded by the client Windows operating

system.

Note:

The idle timeout on the ME103 is 10 minutes. If there is no traffic for 10 minutes,

the 802.1x supplicant (wireless client) will be automatically disconnected.

Reference Manual for the ME103 802.11b ProSafe Wireless Access Point

5-4

Advanced Configuration

August 2003

Figure 5-1:

Request a certificate

Note:

The procedure for obtaining certificates differs between a CA like Verisign and a

CA such as a Windows 2000 certificate server. Organizations operate Windows 2000

certificate servers to provide certificates for its members. For example, an administrator of

a Windows 2000 certificate server might provide a certificate to you via e-mail rather than

connecting directly as shown in this example.

–

Obtain the certificate which includes the public key from a Certificate Authority (CA).

–

Install this certificate in the Windows Root Certificate Store.

–

After installing the certificate on the Windows client, switch from the wired Ethernet

connection to the wireless adapter.

b.

Verify that the “Use Windows to configure my wireless network settings” check box is

selected in the Windows XP Network Connections wireless adapter properties dialog box

Wireless Networks tab page.

Figure 5-2:

Windows XP wireless adapter configuration utility

Reference Manual for the ME103 802.11b ProSafe Wireless Access Point

Advanced Configuration

5-5

August 2003

c.

Select the wireless network to which you will connect (NETGEAR in the screen above),

and click the Configure button to display the Wireless network properties dialog box

shown below.

Figure 5-3:

Configure a Windows XP wireless adapter association

d.

Select only the “Data encryption (WEP enabled)” check box.

e.

Click the Authentication tab to display the screen below.

Figure 5-4:

Configure a Windows XP wireless adapter for EAP-TLS

f.

Configure the wireless adapter to enable 802.1x authentication by selecting the “Enable

IEEE 802.1x authentication for this network” check box.

g.

Click OK to apply the settings to your wireless adapter.

h.

The first time you establish the EAP-TLS wireless session from a client workstation,

Windows will prompt you to verify that the certificate it found is the correct one.

4.

View the ME103 log and check the connection

To check the connection, you can initiate a request from a wireless device to the network.

Use the ME103 Activity Log to monitor the initiation of the 802.1x wireless session.

Note:

During the authentication processes, there is a session timeout. If either the

authenticator or the client does not respond with the proper data to the other side in 30

seconds, the authentication fails. If this happens, you should physically remove the

wireless adapter from your computer, and re-insert it to start the authentication again. In

addition, if the ME103 is rebooted, you should physically remove the wireless adapter

from your computer and re-insert it to start the authentication again.