User's Guide
11 Creation And Use Of Encryption Keys
7signal Ltd, Panuntie 6, FI-00620 HELSINKI, FINLAND, +358 40 777 7611, info@7signal.com, www.7signal.com
7signal Sapphire Carat Carat User Guide Release 3.0
11.5 Multiple Certificates Per Eye
There is no limit on the number of certificates per Eye or per Wireless Network. If only
one certificate is bound to a Wireless Network, that certificate is used every time an Eye
associates with that particular SSID. In addition, each Eye unit may be bound to a special
certificate (right-click on the Eye in the topology).
The rationale is to support environments where the certificate itself determines both access
to the access point in general and the level of access to the network services beyond the
access point.
11.5.1 Microsoft PKI Infrastructure
One commonplace certificate-based environment is implemented by Microsoft. Typically each
appliance has its own account (“machine-account”). It would be very challenging to
make the Linux-based Eye present the proper certificate to a Windows infrastructure. An
applicable option is to create one user-account to be used by all Eye units.
When a user-account is in place, the authentication may be defined as follows:
1. Select “Dynamic WEP with EAP key” to get the dialog above
2. Select WPA key type, either 1 or 2, according to the local environment
3. EAP method must be set to “EAP_MSCHAP_V2”
4. Fill in the account user name to the field “Identity”
5. Enter and confirm the account password.
6. Enter the Windows infrastructure CA certificate.
7. One may enter the same certificate as “Client Certificate” as well.
The Eye is now properly authenticated in the Windows PKI environment.
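The settings from steps 2 to 6, written as a wpa_supplicant network block for a generic Linux test client, which can be used to confirm that the shared account and the CA certificate work before they are entered in the dialog. This is an added example, not 7signal's configuration format or code from this guide. It assumes the Windows side offers PEAP with MSCHAPv2 as the inner method; the SSID, account name, password, file path and server name are placeholders.

```conf
# Added example: wpa_supplicant equivalent of steps 2-6 on a generic Linux client.
# All values below are placeholders, not taken from the guide.
network={
    # The Wireless Network (SSID) the account is used on
    ssid="EXAMPLE-CORP-WLAN"

    # Step 2: WPA key type. proto=RSN is WPA2; use proto=WPA for WPA1.
    key_mgmt=WPA-EAP
    proto=RSN

    # Step 3: MSCHAPv2 carried inside a PEAP (TLS) tunnel (assumption about
    # what the Windows RADIUS server offers)
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # Steps 4-5: the single user-account shared by all Eye units
    identity="eye-monitor@corp.example"
    password="REPLACE_WITH_ACCOUNT_PASSWORD"

    # Step 6: CA certificate of the Windows infrastructure. With this set, the
    # client validates the RADIUS server's certificate before the MSCHAPv2
    # exchange starts; without it, any access point advertising the SSID can
    # collect the shared account's challenge/response.
    ca_cert="/etc/ssl/certs/example-corp-root-ca.pem"

    # Optional hardening: accept only a server certificate issued for this
    # name, not just any certificate signed by the same CA.
    domain_suffix_match="radius.corp.example"
}
```

Because one account serves every Eye unit, the account is best limited on the Windows side to wireless authentication only, so a disclosed password does not grant other access.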