User's Manual

Set Up Profile Security
Use Intel(R) PROSet/Wireless Software
Personal Security
Personal Security Settings
Set up Data Encryption and Authentication
Set up a Client with Open Authentication and No Data Encryption (None)
Set up a Client with WEP 64-bit or WEP 128-bit Data Encryption
Set up a Client with WPA-Personal (TKIP) or WPA2-Personal (TKIP) Security Settings
Set up a Client with WPA-Personal (AES-CCMP) or WPA2-Personal (AES-CCMP) Security Settings
Enterprise Security
Enterprise Security Settings
Configure Profiles for Infrastructure Networks
Network Authentication
Set up a Client with Shared Network Authentication
Set up a Client with WPA-Personal or WPA2 Personal Network Authentication
Set up a Client with WPA-Enterprise or WPA2-Enterprise Network Authentication
802.1x Authentication Types
Set up a Client with WEP Data Encryption and EAP-SIM Network Authentication
Set up a Client with TLS Network Authentication
Set up a Client with TTLS Network Authentication
Set up a Client with PEAP Network Authentication
Set up a Client with LEAP Network Authentication
Set up a Client with EAP-FAST Network Authentication
Use Intel(R) PROSet/Wireless Software
The following sections describe how to use Intel(R) PROSet/Wireless to set up the required security settings for
your wireless adapter. Refer to Personal Security.
They also provide information about how to configure advanced security settings for your wireless adapter. This
requires information from a systems administrator (corporate environment) or advanced security settings on
your access point (for home users). Refer to Enterprise Security.
For general information about security settings, refer to Security Overview.
Personal Security
Use Personal Security if you are a home or small business user who can use a variety of simple security
procedures to protect your wireless connection. Select from the list of security settings that do not require
extensive infrastructure setup for your wireless network. A RADIUS or AAA server is not required.
Review the Set up Data Encryption and Authentication information to learn about the different security
types.
To add or change the required security settings, click Security Settings for information to set security for
the selected wireless network.
See Profile Management for a description of when to use the Create Wireless Profile manager.
See Security Overview for more information about the different security options for wireless networks.
If you want to verify the security settings, select a wireless network in the Wireless Networks list. Click
Network Properties to review the operating mode, authentication level and data encryption.
See Enterprise Security to set 802.1x authentication security.
Personal Security Settings
Personal Security Settings Description
Name Setting
Personal Security
Select to open the Personal Security settings. The security settings that are
available are dependent on the Operating Mode selected in the
Create Wireless
Profile Security Settings.
Device to Device (ad hoc): In device to device mode, also called ad hoc mode,
wireless computers send information directly to other wireless computers. You can
use ad hoc mode to network multiple computers in a home or small office, or to set
up a temporary wireless network for a meeting.
NOTE: Device to Device (ad hoc) networks are identified with a
notebook image in the Wireless Networks and Profiles list.
Network (Infrastructure): A Network (Infrastructure) network consists of one
or more access points and one or more computers with wireless adapters installed.
At least one access point should also have a wired connection. For home users, this
is usually a broadband or cable network.
NOTE: Network (Infrastructure) networks are identified with an access
point image in the Wireless Networks and Profiles list.
Security Settings
If you configure a profile for a Device to Device (ad hoc) network, select one of the
following data encryption settings:
None: No authentication required.
WEP-64 bit or WEP-128 bit: A network key or password is used for encryption.
If you configure a profile for an Infrastructure network, select:
None: No authentication required.
WEP-64 bit or WEP-128 bit: A network key or password is used for encryption.
WPA-Personal (TKIP) or WPA2-Personal (TKIP): WPA-Personal utilizes the
Temporal Key Integrity Protocol (TKIP) for data encryption.
WPA-Personal (AES-CCMP) or WPA2-Personal (AES-CCMP): WPA-Personal
utilizes a new method for privacy protection of wireless transmissions
specified in the IEEE 802.11i standard, AES-CCMP.
Advanced
Select to access the Advanced Settings to configure the following options:
Auto Connect: Select to automatically or manually connect to a profile.
Auto Import: Network administrator can export a profile on another
computer.
Password Protection: Select to password protect a profile.
Mandatory Access Point: Select to associate the wireless adapter with a
specific access point.
Start Application: Specify a program to be started when a wireless connection
is made.
Back
View the prior page in the Create Wireless Profile manager.
OK
Closes the Create Wireless Profile manager and saves the profile.
Cancel
Closes the Create Wireless Profile manager and cancels any changes made.
Help?
Provides the help information for the current page.
Set up Data Encryption and Authentication
In a home wireless network, you can use a variety of simple security procedures to protect your wireless
connection. These include:
Enable Wi-Fi Protected Access (WPA)
Change your password
Change the network name (SSID)
Wi-Fi Protected Access (WPA) encryption provides protection for your data on the network. WPA uses an
encryption key called a Pre-Shared Key (PSK) to encrypt data before transmission. Enter the same password in
all of the computers and access points in your home or small business network. Only devices that use the same
encryption key can access the network or decrypt the encrypted data transmitted by other computers. The
password automatically initiates the Temporal Key Integrity Protocol (TKIP) for the data encryption process.
Network Keys
WEP encryption provides two levels of security:
64-bit key (sometimes referred to as 40-bit)
128-bit key (also known as 104-bit)
For improved security, use a 128-bit key. If you use encryption, all wireless devices on your wireless network
must use the same encryption keys.
You can create the key yourself and specify the key length (64- or 128-bit) and key index (the location that a
specific key is stored). The greater the key length, the more secure the key.
Key Length: 64-bit
Pass phrase (64-bit): Enter five (5) alphanumeric characters, 0-9, a-z or A-Z.
Hex key (64-bit): Enter 10 hexadecimal characters, 0-9, A-F.
Key Length: 128-bit
Pass phrase (128-bit): Enter 13 alphanumeric characters, 0-9, a-z or A-Z.
Hex key (128-bit): Enter 26 hexadecimal characters, 0-9, A-F.
With 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and
4). When an access point or a wireless station transmits an encrypted message that uses a key stored in a
specific key index, the transmitted message indicates the key index that was used to encrypt the message
body. The receiving access point or wireless station can then retrieve the key that is stored at the key index
and use it to decode the encrypted message body.
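The key formats and key-index lookup described above, as an added example (not part of the original manual or of the Intel PROSet/Wireless software). The function names, the KeyTable class and the sample keys are constructed for illustration; the example goes slightly beyond the text by computing how many distinct keys each entry format can express.

```python
import math
import string

ALNUM = set(string.ascii_letters + string.digits)   # 0-9, a-z, A-Z
HEXDIGITS = set(string.hexdigits)                   # 0-9, A-F (lower case accepted too)

# (characters typed, entry kind) -> nominal key length in bits, per the manual
WEP_FORMATS = {
    (5, "pass phrase"): 64,
    (10, "hex key"): 64,
    (13, "pass phrase"): 128,
    (26, "hex key"): 128,
}


def classify_wep_key(text):
    """Return (nominal_bits, kind) or raise ValueError for a malformed entry."""
    n = len(text)
    if n in (5, 13) and set(text) <= ALNUM:
        kind = "pass phrase"
    elif n in (10, 26) and set(text) <= HEXDIGITS:
        kind = "hex key"
    else:
        raise ValueError("not a 5/13-character pass phrase or 10/26-digit hex key")
    return WEP_FORMATS[(n, kind)], kind


def keyspace_bits(text):
    """log2 of how many distinct keys this entry format can express.

    A 10-digit hex key covers the full 40 secret bits of a "64-bit" key (the
    other 24 bits are the per-frame initialization vector); a 5-character
    alphanumeric pass phrase covers fewer.
    """
    _, kind = classify_wep_key(text)
    alphabet = len(ALNUM) if kind == "pass phrase" else 16
    return len(text) * math.log2(alphabet)


class KeyTable:
    """The four key slots (key index 1-4) held by one station or access point."""

    def __init__(self):
        self._slots = {}

    def set_key(self, index, text):
        if index not in (1, 2, 3, 4):
            raise ValueError("key index must be 1, 2, 3 or 4")
        _, kind = classify_wep_key(text)            # reject malformed keys
        # Hex digits are case-insensitive; pass phrases are not.
        self._slots[index] = text.lower() if kind == "hex key" else text

    def key_at(self, index):
        return self._slots.get(index)               # None when the slot is empty


def receiver_can_decode(sender, key_index, receiver):
    """The message names key_index; the receiver must hold the same key there."""
    key = sender.key_at(key_index)
    return key is not None and receiver.key_at(key_index) == key


if __name__ == "__main__":
    # Constructed sample keys, one per format in the manual's table.
    for sample in ("a1B2c", "0123456789", "Abc123Def456G", "0123456789ABCDEF0123456789"):
        bits, kind = classify_wep_key(sample)
        print(f"{sample!r}: WEP {bits}-bit {kind}, keyspace 2^{keyspace_bits(sample):.1f}")

    ap, laptop = KeyTable(), KeyTable()
    ap.set_key(1, "0123456789")
    laptop.set_key(2, "0123456789")                 # same key, different key index
    print("laptop decodes key-index-1 traffic:", receiver_can_decode(ap, 1, laptop))
```

The last check shows why the key index matters as much as the key: a station that stores the correct key under a different index cannot decode the message.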
Set up a Client with Open Authentication and No Data Encryption (None)
In device to device mode, also called ad hoc mode, wireless computers send information directly to other
wireless computers. You can use ad hoc mode to network multiple computers in a home or small office, or to
set up a temporary wireless network for a meeting.
On the Intel(R) PROSet/Wireless main window, select one of the following methods to connect to a device to
device network:
Double-click an ad hoc network in the Wireless Networks list.
Select a network in the Wireless Networks list. Click Connect. The Intel PROSet/Wireless software
automatically detects the security settings for the wireless adapter.
Create a device to device (ad hoc) network profile as described below.
To create a profile for a wireless network connection with no encryption:
1. Click Profiles on the Intel PROSet/Wireless main window.
2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
3. Profile Name: Enter a descriptive profile name.
4. Wireless Network Name (SSID): Enter the network identifier.
5. Operating Mode: Click Device to Device (ad hoc).
6. Click Next.
7. Click Personal Security to open the Security Settings.
Data Encryption: The default setting is None, which indicates that there is no security on this wireless
network.
8. Click OK. The profile is added to the Profiles list and connects to the wireless network.
Set up a Client with WEP 64-bit or WEP 128-bit Data Encryption
When WEP data encryption is enabled, a network key or password is used for encryption.
You must enter the key and specify the length (64- or 128-bit) and key index (the location that a specific key
is stored). The more complex the key (mixed letters and numbers), the more secure the key.
To add a network key to a device to device network connection:
1. On the Intel PROSet/Wireless main window, double-click a Device to Device (ad hoc) network in the
Wireless Networks list or select the network and click Connect. When connected, a profile is added to
the Profiles list.
2. Click Profiles to access the Profiles list. Select the network that you connected to in Step 1.
3. Click Properties to open the Wireless Profile Properties' General Settings. The Profile name and Wireless
Network Name (SSID) display. Device to Device (ad hoc) should be selected as the Operating Mode.
4. Click Next to access the Security Settings.
5. Click Personal Security.
6. Security Settings: The default setting is None, which indicates that there is no security on this wireless
network.
To add a password or network key:
1. Security Settings: Select either WEP 64-bit or WEP 128-bit to configure WEP data encryption with a
64- or 128-bit key.
When WEP encryption is enabled on a device, the WEP key is used to verify access to the network.
If the wireless device does not have the correct WEP key, even though authentication is
successful, the device is unable to transmit data.
2. Password: Enter the Wireless Security Password (Encryption Key).
Password: Enter the Wireless Security Password (Pass phrase) or Encryption Key (WEP key).
Pass phrase (64-bit): Enter five (5) alphanumeric characters, 0-9, a-z or A-Z.
WEP key (64-bit): Enter 10 hexadecimal characters, 0-9, A-F.
Pass phrase (128-bit): Enter 13 alphanumeric characters, 0-9, a-z or A-Z.
WEP key (128-bit): Enter 26 hexadecimal characters, 0-9, A-F.
3. To add more than one password:
Select the Key Index number: 1, 2, 3, or 4.
Enter the Wireless Security Password.
Select another Key Index number.
Enter another Wireless Security Password.
4. Click OK to return to the Profiles list.
Set up a Client with WPA-Personal (TKIP) or WPA2-Personal (TKIP) Security Settings
WPA Personal Mode requires manual configuration of a pre-shared key (PSK) on the access point and clients.
This PSK authenticates a user's password or identifying code, on both the client station and the access point.
An authentication server is not needed. WPA Personal Mode is targeted to home and small business
environments.
WPA2 is the second generation of WPA security that provides enterprise and consumer wireless users with a
high level of assurance that only authorized users can access their wireless networks. WPA2 provides a
stronger encryption mechanism through Advanced Encryption Standard (AES), which is a requirement for some
corporate and government users.
To configure a profile with WPA-Personal network authentication and TKIP data encryption:
1. On the Intel PROSet/Wireless main window, double-click an Infrastructure network in the Wireless
Networks list or select the network and click Connect.
2. Click Profiles to access the Profiles list.
3. Click Properties to open the Wireless Profile Properties' General Settings. The Profile name and Wireless
Network Name (SSID) display. Network (Infrastructure) should be selected as the Operating Mode.
4. Click Next to access the Security Settings.
5. Security Settings: Select WPA-Personal (TKIP) to provide security to a small business network or
home environment. A password, called a pre-shared key (PSK), is used. The longer the password, the
stronger the security of the wireless network.
If your wireless access point or router supports WPA2-Personal then you should enable it on the
access point and provide a long, strong password. The longer the password, the stronger the
security of the wireless network. The same password entered in the access point needs to be used
on this computer and all other wireless devices that access the wireless network.
NOTE: WPA-Personal and WPA2-Personal are not interoperable.
6. Wireless Security Password (Encryption Key): Enter a text phrase with eight to 63 characters.
Verify that the network key matches the password in the wireless access point.
7. Click OK to return to the Profiles list.
Set up a Client with WPA-Personal (AES-CCMP) or WPA2-Personal (AES-CCMP) Security Settings
Wi-Fi Protected Access (WPA) is a security enhancement that strongly increases the level of data protection
and access control to a wireless network. WPA enforces 802.1x authentication and key-exchange and only
works with dynamic encryption keys. For a home user or small business, WPA-Personal utilizes either Advanced
Encryption Standard - Counter CBC-MAC Protocol (AES-CCMP) or Temporal Key Integrity Protocol (TKIP).
To configure a profile with WPA2-Personal network authentication and AES-CCMP data encryption:
1. On the Profile page, select a profile.
2. Click Properties to open the Wireless Profile Properties' General Settings. The Profile name and Wireless
Network Name (SSID) display. Network (Infrastructure) should be selected as the Operating Mode.
3. Click Next. The Security Settings page opens.
4. Security Settings: Select WPA-Personal (AES-CCMP) to provide this level of security in the small
network or home environment. It uses a password also called a pre-shared key (PSK). The longer the
password, the stronger the security of the wireless network.
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is the new method for
privacy protection of wireless transmissions specified in the IEEE 802.11i standard. AES-CCMP
provides a stronger encryption method than TKIP. Choose AES-CCMP as the data encryption
method whenever strong data protection is important.
If your wireless access point or router supports WPA2-Personal then you should enable it on the
access point and provide a long, strong password. The same password entered into the access point
needs to be used on this computer and all other wireless devices that access the wireless network.
NOTE: WPA-Personal and WPA2-Personal are not interoperable.
Some security solutions may not be supported by your computer's operating system. You may
require additional software or hardware as well as wireless LAN infrastructure support. Contact
your computer manufacturer for details.
Set Password:
1. Wireless Security Password (Encryption Key). Enter a text phrase (length is between eight and 63
characters). Verify that the network key used matches the wireless access point key.
2. Click OK to return to the Profiles list.
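Why the password on this computer must match the access point character for character, in both the TKIP and AES-CCMP procedures above, as an added example (not part of the original manual or of the Intel software). It goes beyond the text by using the pass-phrase-to-key mapping defined in IEEE 802.11i (PBKDF2-HMAC-SHA1 over the password and the SSID), which the manual does not describe; the network name, passwords and device names are constructed.

```python
import hashlib
import hmac


def check_passphrase(passphrase):
    """Apply the manual's length rule: a text phrase of eight to 63 characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("password must be 8 to 63 characters long")
    # IEEE 802.11i limits pass-phrase characters to printable ASCII (32-126).
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("password must be printable ASCII")
    return passphrase


def derive_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1(password, SSID, 4096 rounds)."""
    check_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def mismatched_clients(ap, clients):
    """Names of clients whose profile derives a different key than the access point.

    ap is (ssid, password); clients maps a device name to (ssid, password).
    A client whose password breaks the length rule is reported as well.
    """
    ap_key = derive_psk(ap[1], ap[0])
    bad = []
    for name, (ssid, password) in clients.items():
        try:
            ok = hmac.compare_digest(ap_key, derive_psk(password, ssid))
        except ValueError:
            ok = False
        if not ok:
            bad.append(name)
    return bad


# Constructed sample configuration: one access point and three client profiles.
AP = ("HomeNet", "correct horse battery staple")
CLIENTS = {
    "laptop": ("HomeNet", "correct horse battery staple"),
    "tablet": ("HomeNet", "Correct horse battery staple"),   # one letter differs in case
    "printer": ("homenet", "correct horse battery staple"),  # SSID differs in case
}

if __name__ == "__main__":
    print("PSK on the access point:", derive_psk(AP[1], AP[0]).hex())
    print("profiles that will not connect:", mismatched_clients(AP, CLIENTS))
```

Because the SSID is an input to the key, a profile with the right password but a differently spelled network name also fails to derive the access point's key.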
Enterprise Security
From the Security Settings page you can enter the required security settings for the selected wireless network.
Use Enterprise Security if your network environment requires 802.1x authentication.
802.1x authentication methods include passwords, certificates and smart cards.
802.1x authentication types are: EAP-SIM, LEAP, TLS, TTLS, PEAP, EAP-FAST.
See Profile Management for a description of when the Create Wireless Profile manager is launched.
See Security Overview for more information on the different security options for wireless networks.
See Personal Security to set basic WEP or WPA security in a non-enterprise environment (home, small
business).
Enterprise Security Settings
Enterprise Security Settings Description
Name Setting
Enterprise Security
Select to open the Enterprise Security settings. The security
settings that are available are dependent on the Operating Mode
selected:
Device to Device (ad hoc) or Network (Infrastructure).
Network Authentication
If you configure a Device to Device (ad hoc) profile, the default is
Open authentication.
If you configure an Infrastructure profile, select:
Open authentication: Any wireless station can request
authentication.
Shared authentication: Uses an encryption key known only
to the receiver and sender of data.
WPA-Personal or WPA2 Personal: Uses a password also called
a pre-shared key (PSK).
WPA-Enterprise or WPA2-Enterprise: Use on enterprise
networks with an 802.1x RADIUS server.
Data Encryption
Click to open the following data encryption types:
None: No encryption.
WEP
CKIP
TKIP
AES-CCMP
Enable 802.1x (Authentication Type)
Click to open the following 802.1x authentication types:
EAP-SIM
TLS
TTLS
PEAP
LEAP
EAP-FAST
Cisco Options
Click to view the Cisco Compatible Extensions.
NOTE: Cisco Compatible Extensions are automatically enabled for
CKIP and LEAP profiles.
Advanced button
Select to access the
Advanced Settings to configure the following
options:
Auto Connect: Select to automatically or manually connect to
a profile.
Auto Import: Network administrator can export a profile on
another computer.
Mandatory Access Point: Select to associate the wireless
adapter with a specific access point.
Password Protection: Select to password protect a profile.
Start Application: Specify a program to be started when a
wireless connection is made.
Maintain Connection: Select to maintain the wireless
connection with a user profile after log off.
User Credentials
A profile configured for TTLS, PEAP, or EAP-FAST authentication
requires one of the following log on authentication methods:
Use Windows logon: The 802.1x credentials match your Windows
user name and password. Before connection, you are prompted for
your Windows logon credentials.
NOTE: This option is unavailable if Pre-logon/Common Connect is
not selected during installation of the Intel PROSet/Wireless
software. Refer to
Install or Uninstall the Single Sign On Feature.
NOTE: For LEAP profiles, this option is listed as Use Windows
logon user name and password.
Prompt each time I connect: Prompt for your user name and
password every time you log onto the wireless network.
NOTE: For LEAP profiles, this option is listed as Prompt for the
user name and password.
Use the following: Use your saved credentials to log onto the
network.
User Name: This user name must match the user name that
is set in the authentication server by the administrator prior
to client authentication. The user name is case-sensitive.
This name specifies the identity supplied to the authenticator
by the authentication protocol operating over the TLS tunnel.
This identity is securely transmitted to the server only after
an encrypted channel has been established.
Domain: Name of the domain on the authentication server.
The server name identifies a domain or one of its
subdomains (for example, zeelans.com, where the server is
blueberry.zeelans.com).
Password: Specifies the user password. The password
characters appear as asterisks. This password must match
the password that is set in the authentication server.
Confirm Password: Reenter the user password.
NOTE: Contact your administrator to obtain the domain name.
NOTE: For LEAP profiles, this option is listed as Use the following
user name and password.
Server Options
Select one of the following credential retrieval methods:
Validate Server Certificate: Select to verify the server
certificate.
Certificate Issuer: The server certificate received during TLS
message exchange must be issued by this certificate authority
(CA). Trusted intermediate certificate authorities and root
authorities whose certificates exist in the system store are
available for selection. If Any Trusted CA is selected, any CA in
the list is acceptable. Click Any Trusted CA as the default or select
a certificate issuer from the list.
Specify Server or Certificate Name: Enter the server name.
Whether this is the server name or the domain to which the server
belongs depends on which of the two options below has been selected.
Server name must match the specified entry exactly:
When selected, the server name must match exactly the
server name found on the certificate. The server name
should include the complete domain name (for example,
Servername.Domain name).
Domain name must end with the specified entry: When
selected, the server name identifies a domain, and the
certificate must have a server name that belongs to this
domain or to one of its subdomains (for example,
zeelans.com, where the server is blueberry.zeelans.com).
NOTE: These parameters should be obtained from the
administrator.
Certificate Options
To obtain a certificate for TLS authentication, select one of the
following:
Use my smart card: Select if the certificate resides on a smart
card.
Use the certificate issued to this computer: Selects a
certificate that resides in the machine store.
Use a user certificate on this computer: Click Select to choose
a certificate that resides on this computer.
NOTE: Intel PROSet/Wireless supports machine certificates.
However, they are not displayed in the certificate listings.
Notes about Certificates: The specified identity should match the
Issued to identity in the certificate and should be registered on
the authentication server (for example, RADIUS server) that is
used by the authenticator. Your certificate must be valid with
respect to the authentication server. This requirement depends on
the authentication server and generally means that the
authentication server must know the issuer of your certificate as a
Certificate Authority. Use the same user name you used to log in
when the certificate was installed.
Back
View the prior page in the Create Wireless Profile manager.
Next
View the next page in the Create Wireless Profile manager. If more
security information is required then the next Step of the Security
page is displayed.
OK
Closes the Create Wireless Profile manager and saves the profile.
Cancel
Closes the Create Wireless Profile manager and cancels any
changes made.
Help?
Provides the help information for the current page.
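How the Server Options in the table above combine when a server certificate is checked, as an added example (not the Intel PROSet/Wireless implementation, whose matching code the manual does not show). ServerOptions, accept_server and the CA names are constructed; treating host names as case-insensitive, and accepting any server when Validate Server Certificate is cleared, are assumptions.

```python
from dataclasses import dataclass

ANY_TRUSTED_CA = "Any Trusted CA"


@dataclass
class ServerOptions:
    validate_server_certificate: bool = True
    certificate_issuer: str = ANY_TRUSTED_CA
    server_name: str = ""        # empty: no server or certificate name entered
    name_mode: str = "exact"     # "exact": must match the entry exactly
                                 # "domain": must end with the entry


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring one trailing dot."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def name_matches(cert_name, entry, mode):
    cert, want = _labels(cert_name), _labels(entry)
    if "" in cert or "" in want:
        return False                                  # empty label: malformed name
    if mode == "exact":
        return cert == want
    if mode == "domain":
        # Compare whole labels, so "notzeelans.com" is not taken for "zeelans.com".
        return len(cert) >= len(want) and cert[-len(want):] == want
    raise ValueError("mode must be 'exact' or 'domain'")


def naive_suffix_match(cert_name, entry):
    """Plain string suffix test, shown only to contrast with name_matches()."""
    return cert_name.lower().endswith(entry.lower())


def accept_server(opts, cert_name, cert_issuer, trusted_cas):
    """Return (accepted, reason) for the certificate received during the TLS exchange."""
    if not opts.validate_server_certificate:
        # Assumption: with validation cleared, nothing about the server is checked.
        return True, "certificate not validated: any server is accepted"
    if cert_issuer not in trusted_cas:
        return False, "issuer is not a trusted CA"
    if opts.certificate_issuer != ANY_TRUSTED_CA and cert_issuer != opts.certificate_issuer:
        return False, "issuer differs from the selected Certificate Issuer"
    if opts.server_name and not name_matches(cert_name, opts.server_name, opts.name_mode):
        return False, "server name does not match the profile"
    return True, "ok"


if __name__ == "__main__":
    trusted = {"Example Corp Root CA", "Example Public CA"}     # constructed CA names
    profile = ServerOptions(certificate_issuer="Example Corp Root CA",
                            server_name="zeelans.com", name_mode="domain")
    # Constructed certificates: (server name, issuer)
    for cert_name, issuer in [("blueberry.zeelans.com", "Example Corp Root CA"),
                              ("notzeelans.com", "Example Corp Root CA"),
                              ("blueberry.zeelans.com", "Example Public CA")]:
        print(cert_name, issuer, accept_server(profile, cert_name, issuer, trusted))
```

Pinning both the Certificate Issuer and the server name gives the narrowest acceptance; Any Trusted CA with no name entered accepts a certificate for any name from any CA in the system store.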
Enterprise Security
Configure Profiles for Infrastructure Networks
An infrastructure network consists of one or more access points and one or more computers with wireless
adapters installed. Each access point must have a wired connection to a wireless network.
Set up a Client with WPA-Enterprise or WPA2-Enterprise Network Authentication
WPA2-Enterprise requires an authentication server.
WPA-Enterprise: A wireless security method that provides strong data protection for multiple users and
large managed networks. It uses the 802.1X authentication framework with TKIP encryption and
prevents unauthorized network access by verifying network users through an authentication server.
WPA2-Enterprise: The follow-on wireless security method to WPA that provides stronger data
protection for multiple users and large managed networks. It prevents unauthorized network access by
verifying network users through an authentication server.
NOTE: WPA-Enterprise and WPA2-Enterprise are not interoperable.
To add a profile that uses WPA-Enterprise or WPA2-Enterprise authentication:
1. Obtain a user name and password on the RADIUS server from your administrator.
2. Certain Authentication Types require that you obtain and install a client certificate. Refer to
Setting up the Client for TLS authentication or consult your administrator.
3. Click Profiles on the Intel PROSet/Wireless main window.
4. On the Profile page, click Add to open the Create Wireless Profile General Settings.
5. Profile Name: Enter a descriptive profile name.
6. Wireless Network Name (SSID): Enter the network identifier.
7. Operating Mode: Click Network (Infrastructure).
8. Click Next.
9. Select Enterprise Security.
10. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
11. Data Encryption: Select one of the following:
TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data
encryption method whenever strong data protection is important.
AES-CCMP is recommended.
12. Enable 802.1x: Selected.
13. Authentication Type: Select one of the following:
EAP-SIM, LEAP, TLS, TTLS, PEAP, EAP-FAST.
Set up a Client with WEP Data Encryption and EAP-SIM Network Authentication
EAP-SIM uses a dynamic session-based WEP key, which is derived from the client adapter and RADIUS server,
to encrypt data. EAP-SIM requires you to enter a user verification code, or Personal Identification Number
(PIN), for communication with the Subscriber Identity Module (SIM) card. A SIM card is a special smart card
that is used by Global System for Mobile Communications (GSM) based digital cellular networks. To add a
profile with EAP-SIM authentication:
1. On the Profile page, click Add to open the Create Wireless Profile General Settings.
2. Profile Name: Enter a profile name.
3. Wireless Network Name (SSID): Enter the network identifier.
4. Operating Mode: Click Network (Infrastructure).
5. Click Next to access the Security Settings.
6. Select Enterprise Security.
7. Network Authentication: Select Open (Recommended).
8. Data Encryption: Select WEP.
9. Click Enable 802.1x.
10. Authentication type: Select EAP-SIM.
EAP-SIM authentication can be used with:
Network Authentication types: Open, Shared, WPA-Enterprise and WPA2-Enterprise
Data Encryption types: None, WEP, TKIP, AES-CCMP and CKIP
EAP-SIM User (optional)
1. Specify user name (identity): Click to specify the user name.
User Name: Enter the user name assigned to the SIM card.
2. Click OK.
Set up a Client with TLS Network Authentication
These settings define the protocol and the credentials used to authenticate a user. Transport Layer Security
(TLS) authentication is a two-way authentication method that exclusively uses digital certificates to verify the
identity of a client and a server.
To add a profile with TLS authentication:
1. Click Profiles on the Intel PROSet/Wireless main window.
2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
3. Profile Name: Enter a descriptive profile name.
4. Wireless Network Name (SSID): Type the network identifier.
5. Operating Mode: Click Network (Infrastructure).
6. Click Next to access the Security Settings.
7. Select Enterprise Security.
8. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
9. Data Encryption: Select AES-CCMP (Recommended).
10. Enable 802.1x: Selected.
11. Authentication Type: Select TLS to be used with this connection.
Step 1 of 2: TLS User
1. Obtain and install a client certificate. Refer to Set up the Client for TLS authentication or consult your
system administrator.
2. Select one of the following to obtain a certificate: Use my smart card, Use the certificate issued to this
computer, or Use a user certificate on this computer.
3. Click Next to open the TLS Server settings.
Step 2 of 2: TLS Server
Select one of the following:
1. Select one of the following credential retrieval methods:
Validate Server Certificate or Specify Server or
Certificate Name.
2. Click OK. The profile is added to the Profiles list.
3. Click the new profile at the end of the Profiles list. Use the up and down arrows to change the priority of
the new profile.
4. Click Connect to connect to the selected wireless network.
5. Click OK to close Intel PROSet/Wireless.
Set up a Client with TTLS Network Authentication
TTLS authentication: These settings define the protocol and credentials used to authenticate a user. The
client uses EAP-TLS to validate the server and create a TLS-encrypted channel between the client and server.
The client can use another authentication protocol, typically a password-based protocol (for example, MD5
Challenge), over this encrypted channel to enable server validation. The challenge and response packets are
sent over a non-exposed TLS encrypted channel. The following example describes how to use WPA with
AES-CCMP encryption with TTLS authentication.
To set up a client with TTLS Network Authentication:
1. Click Profiles on the Intel PROSet/Wireless main window.
2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
3. Profile Name: Enter a descriptive profile name.
4. Wireless Network Name (SSID): Enter the network identifier.
5. Operating Mode: Click Network (Infrastructure).
6. Click Next to access the Security Settings.
7. Select Enterprise Security.
8. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
9. Data Encryption: Select one of the following:
TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data
encryption method whenever strong data protection is important.
AES-CCMP is recommended.
10. Enable 802.1x: Selected.
11. Authentication Type: Select TTLS to be used with this connection.
Step 1 of 2: TTLS User
1. Authentication Protocol: This parameter specifies the authentication protocol operating over the TTLS
tunnel. The protocols are:
PAP (Default), CHAP, MD5, MS-CHAP and MS-CHAP-V2. See Security Overview
for more information.
2. User Credentials: For PAP, CHAP, MD5, MS-CHAP, and MS-CHAP-V2 protocols,
select one of these authentication methods: Use Windows logon, Prompt each time I connect, or Use the
following.
3. Roaming Identity: A Roaming Identity may be populated in this field or you can use
%domain%\%username% as the default format for entering a roaming identity.
When 802.1x Microsoft IAS RADIUS is used as an authentication server, the server authenticates
the device using the Roaming Identity from Intel PROSet/Wireless software, and ignores the
Authentication Protocol MS-CHAP-V2 user name. Microsoft IAS RADIUS accepts only a valid
user name (dotNet user) for the Roaming Identity. For all other authentication servers, the
Roaming Identity is optional. Therefore, it is recommended to use the desired realm (for example,
anonymous@myrealm) for the Roaming Identity rather than a true identity.
4. Click Next to access the TTLS Server settings.
Step 2 of 2: TTLS Server
1. Select one of the following credential retrieval methods:
Validate Server Certificate or Specify Server or
Certificate Name.
2. Click OK to save the setting and close the page.
Set up a Client with PEAP Network Authentication
PEAP authentication: PEAP settings are required for the authentication of the client to the authentication
server. The client uses EAP-TLS to validate the server and create a TLS-encrypted channel between client and
server. The client can use another EAP mechanism (for example, Microsoft Challenge Authentication Protocol
(MS-CHAP) Version 2) over this encrypted channel to enable server validation. The challenge and response
packets are sent over a non-exposed TLS encrypted channel. The following example describes how to use WPA
with AES-CCMP or TKIP encryption with PEAP authentication.
To set up a client with PEAP Authentication:
Obtain and install a client certificate. Refer to
Set up the Client for TLS authentication or consult your
administrator.
1. Click Profiles on the Intel PROSet/Wireless main window.
2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
3. Profile Name: Enter a descriptive profile name.
4. Wireless Network Name (SSID): Enter the network identifier.
5. Operating Mode: Click Network (Infrastructure).
6. Click Next to access the Security Settings.
7. Select Enterprise Security.
8. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
9. Data Encryption: Select one of the following:
TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data
encryption method whenever strong data protection is important.
AES-CCMP is recommended.
10. Enable 802.1x: Selected.
11. Authentication Type: Select PEAP to be used with this connection.
Step 1 of 2: PEAP User
PEAP relies on Transport Layer Security (TLS) to allow unencrypted authentication types (for example,
EAP-Generic Token Card (GTC) and One-Time Password (OTP) support).
1. Authentication Protocol: Select either
GTC, MS-CHAP-V2 (Default), or TLS. Refer to Authentication
Protocols.
2. User Credentials: Select one of the following: Use Windows logon, Prompt each
time I connect, or Use the following.
3. Roaming Identity: A Roaming Identity may be populated in this field or you can use
%domain%\%username% as the default format for entering a roaming identity.
When 802.1x Microsoft IAS RADIUS is used as an authentication server, the server authenticates
the device using the Roaming Identity from Intel PROSet/Wireless software, and ignores the
Authentication Protocol MS-CHAP-V2 user name. Microsoft IAS RADIUS accepts only a valid
user name (dotNet user) for the Roaming Identity. For all other authentication servers, the
Roaming Identity is optional. Therefore, it is recommended to use the desired realm (for example,
anonymous@myrealm) for the Roaming Identity rather than a true identity.
Configure Roaming Identity to support multiple users:
If you use a Pre-logon/Common profile that requires the roaming identity to be based on the
Windows logon credentials, the creator of the profile can add a roaming identity that uses
%username% and %domain%. The roaming identity is parsed and the appropriate log on
information is substituted for the keywords. This allows maximum flexibility in configuring the
roaming identity while allowing multiple users to share the profile.
Please refer to your authentication server user guide for directions about how to format a suitable
roaming identity. Possible formats are:
%domain%\%username%
%username%@%domain%
%username%@%domain%.com
%username%@mynetwork.com
If Roaming Identity is cleared, %domain%\%username% is the default.
Notes about the credentials: This user name and domain must match the user name that is set
in the authentication server by the administrator prior to client authentication. The user name is
case-sensitive. This name specifies the identity supplied to the authenticator by the authentication
protocol operating over the TLS tunnel. This user identity is securely transmitted to the server only
after an encrypted channel has been verified and established.
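The roaming identity substitution described in the TTLS and PEAP user steps above, as an added example (not Intel's parser; the function names, user names and domain are constructed). It expands one shared profile for several Windows logons and flags the formats that place the real user name in the roaming identity, which the text recommends against where the authentication server allows it.

```python
import re

DEFAULT_TEMPLATE = "%domain%\\%username%"     # used when Roaming Identity is cleared
_KEYWORD = re.compile(r"%(username|domain)%")


def expand_roaming_identity(template, username, domain):
    """Substitute the logon values for the %username% and %domain% keywords."""
    if not template or not template.strip():
        template = DEFAULT_TEMPLATE
    values = {"username": username, "domain": domain}
    # One regex pass: substituted values are never re-scanned for keywords.
    return _KEYWORD.sub(lambda m: values[m.group(1)], template)


def user_part(identity):
    """The user portion of DOMAIN\\user or user@realm (whole string otherwise)."""
    if "\\" in identity:
        return identity.split("\\", 1)[1]
    if "@" in identity:
        return identity.rsplit("@", 1)[0]
    return identity


def review_profile(template, logons):
    """Expand one shared profile for each (username, domain) logon.

    Returns a list of (roaming_identity, discloses_user_name) tuples.
    """
    report = []
    for username, domain in logons:
        identity = expand_roaming_identity(template, username, domain)
        discloses = user_part(identity).lower() == username.lower()
        report.append((identity, discloses))
    return report


if __name__ == "__main__":
    logons = [("alice", "CORP"), ("bob", "CORP")]           # constructed logons
    templates = [
        "",                                # cleared: default format applies
        "%username%@%domain%",
        "%username%@%domain%.com",
        "%username%@mynetwork.com",
        "anonymous@myrealm",               # realm only, as the text recommends
    ]
    for template in templates:
        for identity, discloses in review_profile(template, logons):
            note = "sends the real user name" if discloses else "realm only"
            print(f"{template or '(cleared)':28} -> {identity:24} {note}")
```

With Microsoft IAS RADIUS the manual states that only a valid user name is accepted as the Roaming Identity, so the realm-only form applies to the other authentication servers.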
Authentication Protocols: This parameter specifies the authentication protocols that can operate over the
TTLS tunnel. Below are instructions on how to configure a profile that uses PEAP authentication with
GTC, MS-CHAP-V2 (Default), or TLS authentication protocols.
Generic Token Card (GTC)