Description:

This document describes how to set up a certificate-based WLAN connection (802.1x) in which the WLAN client authenticates to the LANCOM access point with the Extensible Authentication Protocol (EAP), using the Protected Extensible Authentication Protocol (PEAP) as the authentication method.

For EAP-based authentication, a RADIUS server is always required to act as an authentication server. Since all LANCOM access points and WLAN routers have an integrated RADIUS server, this document assumes that the RADIUS server in the LANCOM access point is used as the authentication server. Consequently, the access point is both the authenticator and the authentication server.

WPA/802.1x is often referred to as WPA Enterprise.


Requirements:
  • The latest LCOS firmware
  • The latest LANtools
  • A valid X.509 server certificate and the root certificate of the CA that issued it.


Scenario:




Example certificates:

This configuration example uses an X.509 certificate for the RADIUS module of the access point (LANCOM_Router.p12). On the client, the root certificate of the CA (CA-LANCOM.cer) is required. Both certificates are valid for 10 years.

The password used in the sample certificate and in the root certificate of the CA is lancom.





Configuration steps for a LANCOM access point:

1) Open the LANCOM access point configuration in LANconfig and select Configuration -> Wireless LAN -> Physical WLAN settings.

2) Enable the WLAN interface on the Operation tab.

Information:
In this example all other settings for the physical WLAN interface are left on the default settings. However, you can change these to match your requirements.

3) Click on the OK button to accept your settings.



4) Switch to the menu Configuration -> Wireless LAN -> Logical WLAN settings -> WLAN network 1.

5) Enable logical WLAN network 1 and enter a unique name for the WLAN network in the Network name (SSID) field. This example uses the name EAP-PEAP-Test.

6) Click on the OK button to accept your settings.



7) Switch to the menu Configuration -> Wireless LAN -> 802.11i/WEP -> WPA or Private WEP settings...

8) Open the entry for Wireless network 1.

9) Set the value of field Method/Key 1 length to 802.11i(WPA)-802.1x.

10) The Key1/passphrase field must be left blank.

11) Click on the OK button to accept your settings.



12) Switch to the menu Configuration -> Wireless LAN -> 802.1x -> RADIUS server...

13) Click on the Default server button.

14) In the subsequent dialog enter into the Server IP address field the internal host address (127.0.0.1) of the LANCOM access point that acts as the RADIUS server. The Server port field must contain the authentication port of the internal RADIUS server (1812).

If you use the internal host address of the RADIUS server as the server IP address, the sender address must be left empty (see screenshot).


15) Click on the OK button to accept your settings.



16) Go to the following menu: Configuration-> RADIUS server.

17) Enter the value for the Authentication port of the internal RADIUS server (1812).



18) Click on the User table button and add one or more users to the list. In this example, a user with the User name lancom and the Password lancom is created.

19) In Protocol restriction for authentication, select MSCHAPv2 and EAP.



20) Go to the EAP tab.

21) In the Default method selection box select the value PEAP.

22) In the selection box for PEAP default, set the value to MSCHAPv2.



23) Click on OK to accept the settings and to save them to the LANCOM access point.

24) In LANconfig, right-click on the LANCOM access point and select the option Configuration management -> Upload a certificate from file...



25) In the following dialog, select the certificate file for the LANCOM access point. This example uses the name LANCOM_Router.p12.

26) In the Certificate type box, select the setting EAP/TLS - container as a PKCS#12 file.

27) In the Password field, enter the certificate password. The password in this example is lancom.

28) Click on Open to load the certificate into the LANCOM access point.



29) This concludes the configuration of the LANCOM access point.
Information:
You can view the certificate that you loaded into the LANCOM access point by starting a Telnet or SSH session on the LANCOM access point and entering show eap at the command prompt.





Configuration steps on the WLAN client:

Importing the client certificate into Windows:

1) Double click on the Root certificate of the CA. This example uses the CA-LANCOM.cer file.

2) Click on Install certificate.



3) Click on Next.



4) Leave the setting on Automatically select the certificate store, and click on Next.



5) Click on Finish to conclude the import of the certificate.



6) Confirm the subsequent security warning with Yes.



7) A message is displayed to indicate that the certificate has been successfully imported.




Setting up the WLAN connection in Windows:

1) Open the Manage Wireless Networks dialog and click on Add.



2) In the subsequent window select the Manually create a network profile option.



3) In the network name field, you have to enter the name EAP-PEAP-Test. The values for Security type and Encryption type must be set to WPA2-Enterprise and AES, respectively. To continue, click on Next.



4) You must click on Change connection settings in the subsequent window.



5) On the Security tab, the EAP type Microsoft: Protected EAP (PEAP) must be set. Now click on the Settings button.



6) Check the Validate server certificate option and then select the relevant Trusted Root Certification Authority for the certificate from the list in the box below. In our example this is CA-LANCOM. For the Authentication method select Secure password (EAP-MSCHAPv2).



7) Now click on the Configure button.



8) Disable the option Automatically use own Windows logon name and password.



9) Click on the Advanced settings button.

10) Enable the Specify authentication mode option and choose User or computer authentication.



11) Click on the OK button to accept your settings.

12) In the network list, click on Connect.

13) In the following dialog, enter the user credentials created in step 18 of the LANCOM configuration. In this example the user name lancom and the password lancom must be used.



14) Click on the OK button. The WLAN connection is established now. This concludes the configuration process.
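The server-validation step the client performs in step 6 (accept only a RADIUS server certificate that chains to the trusted root CA-LANCOM), as an added Go example that is not part of this LANCOM document: it builds a constructed root CA and server certificate in memory as stand-ins for CA-LANCOM.cer and LANCOM_Router.p12 (not those files), and shows that the supplicant-style check accepts the certificate the CA issued and rejects a self-signed certificate carrying the same name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with parent and parentKey; with parentKey == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ServerCertTrusted is the check behind "Validate server certificate" with CA-LANCOM ticked: chain to that root, usable for TLS server auth.
func ServerCertTrusted(server, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Demo builds a constructed root CA, a server cert it issued and a self-signed look-alike; returns (issued trusted?, self-signed trusted?).
func Demo() (bool, bool) {
	now := time.Now() // both constructed certificates are valid for 10 years, like the page's example certificates
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CA-LANCOM (constructed)"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "LANCOM_Router (constructed)"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	ca, caKey := issue(caTmpl, caTmpl, nil)
	issued, _ := issue(srvTmpl, ca, caKey)
	selfSigned, _ := issue(srvTmpl, srvTmpl, nil) // same name, not issued by the trusted root: must be refused
	return ServerCertTrusted(issued, ca), ServerCertTrusted(selfSigned, ca)
}
```

With Validate server certificate unticked the client would skip exactly this check and hand its MSCHAPv2 credentials to whatever server answers, which is why the option stays enabled and CA-LANCOM is the only root ticked.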