Description:
This document describes how to set up a certificate-based WLAN connection (802.1x) where the authentication between the WLAN client and the LANCOM access point is performed using the Extensible Authentication Protocol (EAP) with the Protected Extensible Authentication Protocol (PEAP) method of authentication.
For EAP-based authentication, a RADIUS server is always required to act as the authentication server. Since all LANCOM access points and WLAN routers have an integrated RADIUS server, this document assumes that the RADIUS server in the LANCOM access point is used as the authentication server. Consequently, the access point is both the authenticator and the authentication server.
WPA/802.1x is often referred to as WPA Enterprise.
Requirements:
- The latest LCOS firmware (download)
- The latest LANtools (download)
- A valid X.509 server certificate and the root certificate of the CA.
Scenario:
Example certificates:
This configuration example uses an X.509 certificate for the RADIUS module of the access point (LANCOM_Router.p12). On the client, the root certificate of the CA (CA-LANCOM.cer) is required. Both certificates are valid for 10 years.
The password used for the sample certificate and for the root certificate of the CA is lancom.
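Before the PKCS#12 container is uploaded to the access point and the CA root certificate is distributed to the clients, it is worth confirming that the server certificate inside LANCOM_Router.p12 is actually issued by the CA in CA-LANCOM.cer and is not close to expiry, because a client that validates the server certificate will refuse the connection otherwise. The following script is an added example using the openssl command line and is not part of the LANCOM article; it assumes the file names and the password lancom from this example and the script name check_certs.sh.

```shell
#!/bin/sh
# Added example (not from the LANCOM article): check the server certificate in the
# PKCS#12 container against the CA root certificate with the openssl CLI.
# Assumed inputs follow the article: LANCOM_Router.p12 (password "lancom"), CA-LANCOM.cer.

# Convert a certificate file to PEM, accepting PEM or DER (.cer) input.
to_pem() {
    openssl x509 -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# Extract only the server certificate (no private key) from the PKCS#12 file.
extract_server_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3" 2>/dev/null
}

# Return 0 only if the server certificate chains to the given CA, i.e. the CA
# whose root certificate the WLAN clients mark as trusted in the PEAP settings.
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Return 0 if the certificate stays valid for at least the given number of days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Print subject, issuer and validity period for a manual look.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Usage: sh check_certs.sh LANCOM_Router.p12 lancom CA-LANCOM.cer
main() {
    tmp=$(mktemp -d)
    extract_server_cert "$1" "$2" "$tmp/server.pem" \
        || { echo "cannot open PKCS#12 (wrong password or file?)"; return 1; }
    to_pem "$3" "$tmp/ca.pem" || { echo "cannot read CA certificate"; return 1; }
    cert_summary "$tmp/server.pem"
    check_chain "$tmp/server.pem" "$tmp/ca.pem" \
        || { echo "FAIL: server certificate is not issued by this CA"; return 1; }
    valid_for_days "$tmp/server.pem" 30 \
        || { echo "FAIL: server certificate expires within 30 days"; return 1; }
    echo "OK: clients trusting $(openssl x509 -in "$tmp/ca.pem" -noout -subject) will accept it"
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```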
Configuration steps for a LANCOM access point:
1) Open the LANCOM access point configuration in LANconfig and select Configuration -> Wireless LAN -> Physical WLAN settings.
2) Enable the WLAN interface on the Operation tab.
Information: In this example all other settings for the physical WLAN interface are left at their default values. You can change these to match your requirements.
3) Click on the OK button to accept your settings.
4) Switch to the menu Configuration -> Wireless LAN -> Logical WLAN settings -> WLAN network 1.
5) Enable logical WLAN network 1 and enter a unique name for the WLAN network in the Network name (SSID) field. This example uses the name EAP-PEAP-Test.
6) Click on the OK button to accept your settings.
7) Switch to the menu Configuration -> Wireless LAN -> 802.11i/WEP -> WPA or Private WEP settings...
8) Open the entry for Wireless network 1.
9) Set the value of the field Method/Key 1 length to 802.11i(WPA)-802.1x.
10) The Key1/passphrase field must be left blank.
11) Click on the OK button to accept your settings.
12) Switch to the menu Configuration -> Wireless LAN -> 802.1x -> RADIUS server...
13) Click on the Default server button.
14) In the subsequent dialog, enter into the Server IP address field the internal host address (127.0.0.1) of the LANCOM access point that acts as the RADIUS server. The Server port field must contain the authentication port of the internal RADIUS server (1812).
15) Click on the OK button to accept your settings.
16) Go to the following menu: Configuration -> RADIUS server.
17) Enter the value for the Authentication port of the internal RADIUS server (1812).
18) Click on the User table button and add one or more users to the list. In this example, a user with the User name lancom and the Password lancom is created.
19) In Protocol restriction for authentication, select MSCHAPv2 and EAP.
20) Go to the EAP tab.
21) In the Default method selection box, select the value PEAP.
22) In the selection box for PEAP default, set the value to MSCHAPv2.
23) Click on OK to accept the settings and to save them to the LANCOM access point.
24) In LANconfig, right-click on the LANCOM access point and select the option Configuration management -> Upload a certificate from file...
25) In the following dialog, select the certificate file for the LANCOM access point. This example uses the name LANCOM_Router.p12.
26) In the Certificate type box, select the setting EAP/TLS - container as a PKCS#12 file.
27) In the Password field, enter the certificate password. The password in this example is lancom.
28) Click on Open to load the certificate into the LANCOM access point.
29) This concludes the configuration of the LANCOM access point.
Information: You can view the certificate that you loaded into the LANCOM access point by starting a Telnet or SSH session on the LANCOM access point and entering show eap.
Configuration steps on the WLAN client:
Importing the client certificate into Windows:
1) Double-click on the root certificate of the CA. This example uses the CA-LANCOM.cer file.
2) Click on Install certificate.
3) Click on Next.
4) Leave the setting on Automatically select the certificate store, and click on Next.
5) Click on Finish to conclude the import of the certificate.
6) Confirm the subsequent security warning with Yes.
7) A message is displayed to indicate that the certificate has been successfully imported.
Setting up the WLAN connection in Windows:
1) Open the Manage Wireless Networks dialog and click on Add.
2) In the subsequent window, select the Manually create a network profile option.
3) In the Network name field, enter the name EAP-PEAP-Test. The values for Security type and Encryption type must be set to WPA2-Enterprise and AES, respectively. To continue, click on Next.
4) Click on Change connection settings in the subsequent window.
5) On the Security tab, the EAP type Microsoft: Protected EAP (PEAP) must be set. Now click on the Settings button.
6) Check the Validate server certificate option and then select the relevant Trusted Root Certification Authority for the certificate from the list in the box below. In our example this is CA-LANCOM. For the Authentication method, select Secure password (EAP-MSCHAPv2).
7) Now click on the Configure button.
8) Disable the option Automatically use own Windows logon name and password.
9) Click on the Advanced settings button.
10) Enable Specify authentication mode and choose User or computer authentication.
11) Click on the OK button to accept your settings.
12) In the network list, click on Connect.
13) In the following dialog, enter the user data created in step 18 of the LANCOM configuration. In this example the user name lancom and the password lancom must be used.
14) Click on the OK button. The WLAN connection is now established. This concludes the configuration process.