Advanced Configuration
5-1
August 2003
Chapter 5
Advanced Configuration
This chapter describes how to configure the advanced features of your ME103 802.11b ProSafe
Wireless Access Point. These features can be found under the Advanced heading in the main
menu.
Configuring Advanced Security 802.1x Options
For an overview of 802.1x, see “Understanding 802.1x Port Based Network Access Control” on
page B-9. The ME103 802.11b ProSafe Wireless Access Point supports these 802.1x options:
Key Exchange. Key exchange (PEAP, EAP-TLS, EAP-TTLS) provides strong security
through mutual authentication and automatic key exchange between the two endpoints.
Periodic updates are performed using public-key cryptography through a certificate server and
a Remote Authentication Dial-In User Service (RADIUS) server.
The ME103 configuration procedures for these options are presented below.
Basic Requirements for 802.1x
802.1x requires these parts:
1. Authenticator: ME103
2. Authentication Server - a RADIUS server.
   Microsoft Internet Authentication Server (IAS) provides RADIUS functionality. Other
   vendors also support RADIUS for 802.1x.
3. Supplicant - Windows 2000 with the 802.1x client patch applied (SP4 802.1x client) or
   Windows XP.
4. Optionally, the Key Exchange options (PEAP, EAP-TLS, and EAP-TTLS) can take advantage
   of a Certificate Authority (CA) such as Windows 2000 server provides. To use
   certificate-based authentication, both the RADIUS server and the client need to have a
   certificate from a certificate server such as Windows 2000 or a public service such as Verisign.
Reference Manual for the ME103 802.11b ProSafe Wireless Access Point
With the above basic requirements, 802.1x security can be implemented with the ME103. Refer to
“Understanding 802.1x Port Based Network Access Control” on page B-9 for a description of
basic 802.1x functionality.
How to Configure the 802.1x Key Exchange Option
Follow this procedure to configure the ME103 for 802.1x Key Exchange security. The sample
configuration worksheet below is filled in with the parameters used in this procedure. To configure
your ME103, print and fill out the blank worksheet found at the end of this section and record your
network configuration. A blank worksheet is provided below.
1. Configure the RADIUS server to use the 802.1x settings in the worksheet above.
   a. Add the ME103 to the RADIUS server using either its IP address or the NetBIOS name.
   b. Set the shared key. Both the ME103 and the RADIUS entries should use the same shared
      key so that the RADIUS server allows the ME103 to log in to the RADIUS server.
2. Configure the ME103 802.1x Key Exchange parameters.
   a. Log in to the ME103 using the NetBIOS name printed on the bottom of the unit, or at its
      default address of
      or at whatever IP address the unit is currently
      configured with. Use the default user name of admin and password of password. Click
      the Security Settings link in the main menu Advanced section to display the Advanced
      Security Settings menu.
Key Exchange Configuration Worksheet

802.1x Key Exchange Security Settings
   WEP Encryption Key Length:   128/64-bit
      Note: Be sure your wireless adapter has the WEP 128/64-bit
      encryption feature enabled.
   RADIUS Port:                 1812
   RADIUS Shared Key:           r>T(h4&3@#kB

Network   LAN IP Network Address   Subnet Mask     Gateway IP (LAN IP Address)
ME103     192.168.0.2              255.255.255.0   192.168.0.1
      Note: Perform this procedure from a LAN-connected computer rather than over a wireless
      link. This procedure will change the ME103’s data encryption settings, so all wireless
      connections will be disconnected when you apply the settings.
   b. Fill in the settings from the worksheet as illustrated above.
      Data Encryption (WEP) features are not functional in this mode. Key Exchange mode
      automatically supplies the encryption keys and changes the keys regularly at short
      intervals.
   c. Click Apply.
3. Configure the PCs on the network to use the 802.1x and WEP settings you just applied to the
   ME103.
   Note: At this time, only Windows XP includes built-in support for 802.1x. Windows 2000 can
   support 802.1x with the appropriate SP4 patch. There are also third-party client software
   packages which will provide 802.1x support for a variety of Windows, Macintosh, Unix, and
   Linux clients. The information below is an example of one of many possible scenarios you
   may encounter when deploying 802.1x. NETGEAR does not provide support for Windows or
   third-party software.
   a. Using a computer connected via the Ethernet LAN, obtain and install a certificate.
      Note: In this example, you must perform this operation from a wired connection to the
      Windows 2000 certificate server. A wireless connection through the ME103 will not be
      available until after the certificate is already recorded by the client Windows operating
      system.
      Note: The idle timeout on the ME103 is 10 minutes. If there is no traffic for 10 minutes,
      the 802.1x supplicant (wireless client) will be automatically disconnected.
      Figure 5-1: Request a certificate
      Note: The procedure for obtaining certificates differs between a CA like Verisign and a
      CA such as a Windows 2000 certificate server. Organizations operate Windows 2000
      certificate servers to provide certificates for their members. For example, an administrator of
      a Windows 2000 certificate server might provide a certificate to you via e-mail rather than
      connecting directly as shown in this example.
      Obtain the certificate which includes the public key from a Certificate Authority (CA).
      Install this certificate in the Windows Root Certificate Store.
      After installing the certificate on the Windows client, switch from the wired Ethernet
      connection to the wireless adapter.
   b. Verify that the “Use Windows to configure my wireless network settings” check box is
      selected in the Windows XP Network Connections wireless adapter properties dialog box
      Wireless Networks tab page.
      Figure 5-2: Windows XP wireless adapter configuration utility
   c. Select the wireless network to which you will connect (NETGEAR in the screen above),
      and click the Configure button to display the Wireless network properties dialog box
      shown below.
      Figure 5-3: Configure a Windows XP wireless adapter association
   d. Select only the “Data encryption (WEP enabled)” check box.
   e. Click the Authentication tab to display the screen below.
      Figure 5-4: Configure a Windows XP wireless adapter for EAP-TLS
   f. Configure the wireless adapter to enable 802.1x authentication by selecting the “Enable
      IEEE 802.1x authentication for this network” check box.
   g. Click OK to apply the settings to your wireless adapter.
   h. The first time you establish the EAP-TLS wireless session from a client workstation,
      Windows will prompt you to verify that the certificate it found is the correct one.
4. View the ME103 log and check the connection.
   To check the connection, you can initiate a request from a wireless device to the network.
   Use the ME103 Activity Log to monitor the initiation of the 802.1x wireless session.
   Note: During the authentication processes, there is a session timeout. If either the
   authenticator or the client does not respond with the proper data to the other side in 30
   seconds, the authentication fails. If this happens, you should physically remove the
   wireless adapter from your computer, and re-insert it to start the authentication again. In
   addition, if the ME103 is rebooted, you should physically remove the wireless adapter
   from your computer and re-insert it to start the authentication again.
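
Step 1b requires the ME103 and the RADIUS server to hold the same shared key. The following is an added example, not taken from the NETGEAR manual or the ME103 firmware, of how that key authenticates an EAP-carrying Access-Request through the Message-Authenticator attribute as RFC 3579 defines it, and why a mistyped key makes the server reject the access point. The function names and the user "alice" are made up for illustration; the key and IP address are the worksheet's sample values.

```python
import hashlib, hmac, os, socket, struct

USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, ident, user, nas_ip, eap):
    """Access point side: wrap the supplicant's EAP packet and sign it."""
    attrs = (attr(USER_NAME, user) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16) + attrs
    # HMAC-MD5 over the whole packet, keyed with the shared key, computed
    # while the Message-Authenticator value is still 16 zero bytes.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the attribute was appended last

def verify_access_request(secret, packet):
    """RADIUS server side: recompute the HMAC with its own copy of the key."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos, mac_at = 20, None
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or mac_at is not None:
                return False
            mac_at = pos + 2
        pos += attr_len
    if pos != length or mac_at is None:
        return False  # an EAP request without the attribute is rejected
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, packet[mac_at:mac_at + 16])

# Constructed sample: EAP-Response/Identity for a made-up user "alice".
EAP_IDENTITY = struct.pack("!BBHB", 2, 1, 10, 1) + b"alice"
WORKSHEET_KEY = b"r>T(h4&3@#kB"  # sample shared key from the worksheet

if __name__ == "__main__":
    req = build_access_request(WORKSHEET_KEY, 7, b"alice", "192.168.0.2", EAP_IDENTITY)
    print("same key on both sides:", verify_access_request(WORKSHEET_KEY, req))
    print("mistyped key on server:", verify_access_request(b"r>T(h4&3@#kb", req))
```

The shared key itself never crosses the network; only the keyed digest does, so a one-character mismatch between the two entries shows up as failed authentication rather than as a readable error about the key.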
