User's Manual

To configure a one-time password:
1. Authentication Protocol: Select GTC (Generic Token Card).
2. User Credentials: Select Prompt each time I connect.
3. On connection prompt for: Select one of the following:
Name: Description
Static Password: On connection, enter the user credentials.
One-time password (OTP): Obtain the password from a hardware token device.
PIN (Soft Token): Obtain the password from a soft token program.
5. Click OK.
6. Select the profile on the Wireless Networks list.
7. Click Connect. When prompted, enter the user name, domain and one-time password (OTP).
8. Click OK. You are asked to verify your log in information.
NOTE: The Prompt each time I connect option is unavailable if an Administrator has cleared
the Cache Credentials setting in the Administrator Tool. Refer to Administrator Settings for
more information.
MS-CHAP-V2. This parameter specifies the authentication protocol operating over the PEAP tunnel.
1. User Credentials: Select one of the following options: Use Windows logon, Prompt each time I connect,
or Use the following.
2. Click Next to open the PEAP Server settings.
TLS: Transport Layer Security authentication is a two-way authentication method that exclusively uses digital
certificates to verify the identity of a client and a server.
1. Obtain and install a client certificate. Refer to Set up the Client for TLS authentication or consult your
system administrator.
2. Select one of the following to obtain a certificate: Use my smart card, Use the certificate issued to this
computer, or Use a user certificate on this computer.
3. Click Next to open the PEAP Server settings.
Step 2 of 2: PEAP Server
1. Select one of the following credential retrieval methods: Validate Server Certificate or Specify Server or
Certificate Name.
2. Click OK. The profile is added to the Profiles list.
3. Click the new profile at the end of the Profiles list. Use the up and down arrows to change the priority of
the new profile.
4. Click Connect to connect to the selected wireless network.
If you did not select Use Windows logon on the Security Settings page and also did not
configure user credentials, no credentials are saved for this profile. Please enter your credentials
to authenticate to the network.
5. Click OK to close Intel PROSet/Wireless.
PEAP-TLS Certificate Auto Enrollment
In the Application Settings, select Intel(R) PROSet/Wireless TLS Certificate Rejected Warning if you
want a warning issued when a PEAP-TLS certificate is rejected. When a certificate has an invalid expiration
date field, you are notified that you must take one of the following actions: A potential authentication problem
for profile <profile name> has been detected. The expiration date in the associated certificate may
be invalid. Choose one of the following options:
Control: Description
Continue with current parameters: Continue with the current certificate.
Update certificate manually: The Select Certificate page opens for you to choose another certificate.
Update certificate automatically based on the certificates in the local store: This option is enabled only
when the local store holds one or more certificates for which the "issued to" and "issued by" fields match
the current certificate and for which the "expiration date" has not expired. If you choose this option, the
application selects the first valid certificate.
Log off to obtain certificate during logon process (this does not update the profile and only applies to
certificates configured for auto enrollment): Logs off the user, who must obtain a proper certificate during
the next logon process. The profile must be updated to select the new certificate.
Auto enrollment: You are notified to: Please wait while the system is trying to obtain the certificate
automatically. Click Cancel to end the certificate retrieval.
Do not show this message again: A user is able to avoid this step in subsequent sessions. The choice
selected is remembered for future sessions.
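The eligibility rule for "Update certificate automatically" can be modelled to see why the option is disabled or why a particular certificate gets picked. This is an added example, not Intel PROSet/Wireless code; the Cert record, the exact string comparison, the store order and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    label: str           # constructed name used in the report, not a real thumbprint
    issued_to: str
    issued_by: str
    not_after: datetime  # the "expiration date" field


def evaluate_store(current, store, now):
    """Apply the manual's rule to every certificate in the local store.

    Returns (selected, report). selected is the first eligible certificate
    in store order, or None, in which case the automatic option is disabled.
    """
    selected, report = None, []
    for cert in store:
        if cert.issued_to != current.issued_to:
            reason = '"issued to" differs'
        elif cert.issued_by != current.issued_by:
            reason = '"issued by" differs'
        elif cert.not_after <= now:
            reason = "expired"
        else:
            reason = "eligible"
            if selected is None:  # "the application selects the first valid certificate"
                selected = cert
        report.append((cert.label, reason))
    return selected, report


def sample_store():
    """Constructed sample data: the rejected certificate plus four others."""
    utc = timezone.utc
    current = Cert("current", "alice", "Example Corp CA", datetime(2024, 5, 1, tzinfo=utc))
    store = [
        current,
        Cert("other-user", "bob", "Example Corp CA", datetime(2025, 1, 1, tzinfo=utc)),
        Cert("other-ca", "alice", "Example Lab CA", datetime(2025, 1, 1, tzinfo=utc)),
        Cert("renewed-short", "alice", "Example Corp CA", datetime(2024, 7, 1, tzinfo=utc)),
        Cert("renewed-long", "alice", "Example Corp CA", datetime(2025, 6, 1, tzinfo=utc)),
    ]
    return current, store, datetime(2024, 6, 1, tzinfo=utc)


if __name__ == "__main__":
    current, store, now = sample_store()
    selected, report = evaluate_store(current, store, now)
    for label, reason in report:
        print(f"{label}: {reason}")
    print("selected:", selected.label if selected else "none (option disabled)")
```

In this model the first eligible certificate wins even though a longer-lived one sits later in the store, so the certificate chosen is worth checking after an automatic update.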
Set up a Client with LEAP Network Authentication
Cisco LEAP (Light Extensible Authentication Protocol) is an 802.1X authentication type that supports strong
mutual authentication between the client and a RADIUS server. The LEAP profile settings include LEAP and CKIP
with Rogue AP detection integration. To set up a client with LEAP Authentication:
1. Click Profiles on the Intel PROSet/Wireless main window.
2. On the Profile page, click Add. The Create Wireless Profile General Settings opens.
3. Profile Name: Enter a descriptive profile name.
4. Wireless Network Name (SSID): Enter the network identifier.
5. Operating Mode: Click Network (Infrastructure).
6. Click Next to access the Security Settings.
7. Select Enterprise Security.
8. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
9. Data Encryption: Select one of the following:
TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data
encryption method whenever strong data protection is important.
AES-CCMP is recommended.
10. Enable 802.1x: Selected.
11. Authentication Type: Select LEAP to be used with this connection.
12. Click Cisco Options.
13. Click Enable Cisco Compatible Extensions to enable Cisco Compatible Extensions (CCX) security (Allow
Fast Roaming (CCKM), Enable Radio Management Support, Enable Mixed Cells Mode).
14. Click Enable Radio Management Support. Use Radio Management to detect rogue access points.
15. Click OK to return to the Security Settings.
LEAP User:
1. Select one of the following authentication methods: Use Windows logon user name and password,
Prompt for the user name and password, or Use the following user name and password.
2. Click OK to save the setting and close the page.
Cisco Compatible Extensions Options
Cisco Options: Use to enable or disable Radio Management and Mixed Cells Mode or Allow Fast Roaming
(CCKM).
NOTE: Cisco Compatible Extensions are automatically enabled for CKIP, LEAP or EAP-FAST
profiles. To override this behavior, select or clear options on this page.
Allow Fast Roaming (CCKM): Select to enable the client wireless adapter for fast-secure roaming.
When a wireless LAN is configured for fast reconnection, an EAP-FAST, EAP-TLS, PEAP-GTC,
PEAP-MSCHAPv2 or LEAP-enabled client device can roam from one access point to another without involving
the main server. Use Cisco Centralized Key Management (CCKM), an access point configured to provide
Wireless Domain Services (WDS), to take the place of the RADIUS server and authenticate the client
without perceptible delay in voice or other time-sensitive applications.
Enable Cisco Compatible Options: Select to enable Cisco Compatible Extensions for this wireless connection
profile.
Enable Radio Management Support: Select to have your wireless adapter provide radio management
to the Cisco infrastructure. If the Cisco Radio Management utility is used on the infrastructure, it
configures radio parameters, detects interference and rogue access points. Default setting is selected.
Enable Mixed Cells Mode: Select to allow the wireless adapter to communicate with mixed cells. A
mixed cell is a wireless network in which there are both devices that use WEP and devices that do not.
Refer to Mixed Cells Mode for more information. The default setting is cleared.
Set up a Client with EAP-FAST Network Authentication
In Cisco Compatible Extensions, Version 3 (CCXv3), Cisco added support for EAP-FAST (Extensible
Authentication Protocol-Flexible Authentication via Secure Tunneling), which uses protected access credentials
(PACs) to establish an authenticated tunnel between a client and a server.
Cisco Compatible Extensions, Version 4 (CCXv4) improves the provisioning methods for enhanced security and
provides innovations for enhanced security, mobility, quality of service, and network management.
Cisco Compatible Extensions, Version 3 (CCXv3)
To set up a client with EAP-FAST authentication with Cisco Compatible Extensions, version 3 (CCXv3):
1. Click Profiles on the Intel PROSet/Wireless main window.
2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
3. Wireless Network Name (SSID): Enter the network identifier.
4. Profile Name: Enter a descriptive profile name.
5. Operating Mode: Click Network (Infrastructure).
6. Click Next to open the Security Settings.
7. Select Enterprise Security.
8. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
9. Data Encryption: Select one of the following:
TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data
encryption method whenever strong data protection is important.
AES-CCMP is recommended.
10. Enable 802.1x: Selected.
11. Authentication Type: Select EAP-FAST to be used with this connection.
NOTE: If CCXv4 Application Setting was not installed through an Administrator Package, only
EAP-FAST User Settings are available for configuration. Refer to EAP-FAST User Settings.
Step 1 of 2: EAP-FAST Provisioning
1. Click Disable EAP-FAST Enhancements (CCXv4) to allow provisioning inside a
server-unauthenticated TLS tunnel (Unauthenticated-TLS-Server Provisioning Mode).
2. Click Select server to view any unauthenticated PACs that have already been provisioned and reside on
this computer.
NOTE: If the provisioned PAC is valid, Intel(R) PROSet/Wireless does not prompt the user for
acceptance of the PAC. If the PAC is invalid, Intel PROSet/Wireless fails the provisioning
automatically. A status message is displayed in the Wireless Event Viewer that an administrator
can review on the user's computer.
To import a PAC:
Click Select server to open the Protected Access Credentials (PAC) list.
Click Import to import a PAC that resides on this computer or a server.
Select the PAC and click Open.
Enter the PAC password (optional).
Click OK to close this page. The selected PAC is added to the PAC list.
3. Click Next to select the credential retrieval method or click OK to save the EAP-FAST settings and return
to the Profiles list. The PAC is used for this wireless profile.
Step 2 of 2: EAP-FAST Additional Information
To perform client authentication in the established tunnel, a client sends a user name and password to
authenticate and establish client authorization policy.
1. Click User Credentials to select one of the following credential retrieval methods:
Use Windows logon, Prompt each time I connect, or Use the following.
2. Click OK to save the settings and close the page. Server verification is not required.
Cisco Compatible Extensions, Version 4 (CCXv4)
To set up a client with EAP-FAST authentication with Cisco Compatible Extensions, version 4 (CCXv4):
1. Click Profiles on the Intel PROSet/Wireless main window.
2. On the Profile page, click Add to open the Create Wireless Profile Wizard's General Settings.
3. Wireless Network Name (SSID): Enter the network identifier.
4. Profile Name: Enter a descriptive profile name.
5. Operating Mode: Click Network (Infrastructure).
6. Click Next to open the Security Settings.
7. Select Enterprise Security.
8. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
9. Data Encryption: Select one of the following:
TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data
encryption method whenever strong data protection is important.
AES-CCMP is recommended.
10. Data Encryption: Select AES-CCMP.
11. Enable 802.1x: Selected.
12. Authentication Type: Select EAP-FAST to be used with this connection.
Step 1 of 3: EAP-FAST Provisioning
With CCXv4, EAP-FAST supports two modes for provisioning:
Server-Authenticated Mode: Provisioning inside a server authenticated TLS tunnel.
Server-Unauthenticated Mode: Provisioning inside an unauthenticated TLS tunnel.
NOTE: Server-Authenticated Mode provides significant security advantages over
Server-Unauthenticated Mode even when EAP-MSCHAPv2 is being used as an inner method. This mode
protects the EAP-MSCHAPv2 exchanges from potential Man-in-the-Middle attacks by verifying the
server’s authenticity before exchanging MSCHAPv2. Therefore, Server-Authenticated Mode is
preferred whenever it is possible. An EAP-FAST peer must use Server-Authenticated Mode whenever a
certificate or public key is available to authenticate the server, to ensure the best security
practices.
Provisioning of Protected Access Credentials (PAC):
EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST authenticators are
identified by an authority identity (A-ID). The local authenticator sends its A-ID to an authenticating client, and
the client checks its database for a matching A-ID. If the client does not recognize the A-ID, it requests a new
PAC.
NOTE: If the provisioned Protected Access Credential (PAC) is valid, Intel(R) PROSet/Wireless
does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel PROSet/Wireless
fails the provisioning automatically. A status message is displayed in the Wireless Event Viewer
that an administrator can review on the user's computer.
1. Verify that Disable EAP-FAST Enhancements (CCXv4) is not selected. Allow unauthenticated
provisioning and Allow authenticated provisioning are selected by default. Once a PAC is selected
from the Default Server, you can deselect any of these provisioning methods.
2. Default Server: None is selected as the default. Click Select Server to select a PAC from the default
PAC authority server or select a server from the Server group list. The EAP-FAST Default Server (PAC
Authority) selection page opens.
NOTE: Server groups are only listed if you have installed an Administrator Package that contains
EAP-FAST Authority ID (A-ID) Group settings.
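The A-ID lookup and the two provisioning modes described above can be read as one client-side decision. The following model is an added example, not Intel PROSet/Wireless code; the Profile fields, the decide function and the A-ID strings are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    USE_EXISTING_PAC = "authenticate with the stored PAC"
    PROVISION_AUTHENTICATED = "provision in Server-Authenticated Mode"
    PROVISION_UNAUTHENTICATED = "provision in Server-Unauthenticated Mode"
    FAIL = "no matching PAC and no permitted provisioning mode"


@dataclass
class Profile:
    # Hypothetical fields mirroring the two provisioning check boxes and the PAC list.
    allow_authenticated: bool = True          # "Allow authenticated provisioning"
    allow_unauthenticated: bool = True        # "Allow unauthenticated provisioning"
    pacs: dict = field(default_factory=dict)  # A-ID -> PAC key


def decide(profile, server_a_id, server_trust_available):
    """Return (Action, findings) for one connection attempt.

    server_trust_available: a certificate or public key exists that can
    authenticate the server before the inner method runs.
    """
    findings = []
    if server_a_id in profile.pacs:
        return Action.USE_EXISTING_PAC, findings
    # A-ID not recognized: the client has to request a new PAC.
    if server_trust_available and profile.allow_authenticated:
        return Action.PROVISION_AUTHENTICATED, findings
    if server_trust_available:
        findings.append("server can be authenticated, but authenticated provisioning is disabled")
    if profile.allow_unauthenticated:
        findings.append("MSCHAPv2 is exchanged before the server is verified")
        return Action.PROVISION_UNAUTHENTICATED, findings
    return Action.FAIL, findings


def run_scenarios():
    """Constructed scenarios; the A-ID strings are sample values."""
    known = {"a-id-corp-acs": b"constructed-pac-key"}
    fresh = Profile()
    defaults = Profile(pacs=dict(known))
    locked = Profile(allow_authenticated=False, allow_unauthenticated=False, pacs=dict(known))
    return {
        "known A-ID": decide(defaults, "a-id-corp-acs", True),
        "new client, server cert available": decide(fresh, "a-id-corp-acs", True),
        "new client, no server cert": decide(fresh, "a-id-corp-acs", False),
        "unknown A-ID, defaults left on": decide(defaults, "a-id-unknown", False),
        "unknown A-ID, provisioning cleared": decide(locked, "a-id-unknown", False),
    }


if __name__ == "__main__":
    for name, (action, findings) in run_scenarios().items():
        print(f"{name}: {action.value} {findings}")
```

The last two scenarios show the effect of deselecting the provisioning methods once a PAC is in place: an unrecognized A-ID then fails instead of starting a new provisioning exchange.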
PAC distribution can also be completed manually (out-of-band). Manual provisioning enables you to create a
PAC for a user on an ACS server and then import it into a user's computer. A PAC file can be protected with a
password, which the user needs to enter during a PAC import.
To import a PAC:
1. Click Import to import a PAC from the PAC server.
2. Click Open.
3. Enter the PAC password. (Optional)
4. Click OK to close this page. The selected PAC is used for this wireless profile.
EAP-FAST CCXv4 enables support for the provisioning of other credentials beyond the PAC currently
provisioned for tunnel establishment. The credential types supported include trusted CA certificate, machine
credentials for machine authentication, and temporary user credentials used to bypass user authentication.
Use a certificate (TLS Authentication)
1. Click Use a certificate (TLS Authentication)
2. Click Identity Protection when the tunnel is protected.
3. Select one of the following:
Use a user certificate on this computer. Click Select to choose the user certificate. Click OK.
Proceed to Step 4.
Use the certificate issued to this computer. Proceed to Step 5.
Use my smart card. Select if the certificate resides on a smart card. Proceed to Step 5.
4. User Name: Enter the user name assigned to the user certificate.
5. Click Next.
Step 2 of 3: EAP-FAST Additional Information
If you selected Use a certificate (TLS Authentication) and Use a user certificate on this computer, click
Next (no roaming identity is required) and proceed to Step 3 to configure EAP-FAST Server certificate settings.
If you do not need to configure EAP-FAST server settings, click OK to save your settings and return to the
Profiles page.
If you selected to use a smart card, add the roaming identity, if required. Click OK to save your settings and
return to the Profiles page.
If you did not select Use a certificate (TLS Authentication), click Next to select an Authentication Protocol.
CCXv4 permits additional credentials or TLS cipher suites to establish the tunnel.
Authentication Protocol: Select either GTC or MS-CHAP-V2 (Default).
Generic Token Card (GTC)
GTC may be used with Server-Authenticated Mode. This enables peers using other user databases, such as
Lightweight Directory Access Protocol (LDAP) and one-time password (OTP) technology, to be provisioned
in-band. However, the replacement may only be achieved when used with the TLS cipher suites that ensure
server authentication.
To configure a one-time password:
1. Authentication Protocol: Select GTC (Generic Token Card).
2. User Credentials: Select Prompt each time I connect.
3. On connection prompt for: Select one of the following:
Name: Description
Static Password: On connection, enter the user credentials.
One-time password (OTP): Obtain the password from a hardware token device.
PIN (Soft Token): Obtain the password from a soft token program.
1. Click OK.
2. Select the profile on the Wireless Networks list.
3. Click Connect. When prompted, enter the user name, domain and one-time password (OTP).
4. Click OK.
MS-CHAP-V2. This parameter specifies the authentication protocol operating over the PEAP tunnel.
1. Select the user credentials: Use Windows logon, Prompt each time I connect, or Use the following.
2. Roaming Identity: A Roaming Identity may be populated in this field or you can use
%domain%\%username% as the default format for entering a roaming identity.
When 802.1x Microsoft IAS RADIUS is used as an authentication server, the server authenticates
the device using the Roaming Identity from Intel PROSet/Wireless software, and ignores the
Authentication Protocol MS-CHAP-V2 user name. Microsoft IAS RADIUS accepts only a valid
user name (dotNet user) for the Roaming Identity. For all other authentication servers, the
Roaming Identity is optional. Therefore, it is recommended to use the desired realm (for example,
anonymous@myrealm) for the Roaming Identity rather than a true identity.
Step 3 of 3: EAP-FAST Server
Authenticated-TLS-Server Provisioning Mode is supported using a trusted CA certificate, a self-signed server
certificate, or server public keys and GTC as the inner EAP method.
1. Select one of the following credential retrieval methods: Validate Server Certificate or Specify Server or
Certificate Name.
2. Click OK to close the security settings.
EAP-FAST User Settings
NOTE: If an Administrator Package was installed on a user's computer that did not apply the Cisco
Compatible Extensions, Version 4 Application Setting, only EAP-FAST User settings are available
for configuration.
To set up a client with EAP-FAST authentication:
1. Click Profiles on the Intel PROSet/Wireless main window.
2. On the Profile page, click Add to open the Create Wireless Profile General Settings.
3. Wireless Network Name (SSID): Enter the network identifier.
4. Profile Name: Enter a descriptive profile name.
5. Operating Mode: Click Network (Infrastructure).
6. Click Next to open the Security Settings.
7. Click Enterprise Security.
8. Network Authentication: Select WPA-Enterprise or WPA2-Enterprise.
9. Data Encryption: Select one of the following:
TKIP provides per-packet key mixing, a message integrity check and a rekeying mechanism.
AES-CCMP (Advanced Encryption Standard - Counter CBC-MAC Protocol) is used as the data
encryption method whenever strong data protection is important.
AES-CCMP is recommended.
10. Enable 802.1x: Selected.
11. Authentication Type: Select EAP-FAST to be used with this connection.
12. Click Cisco Options to select Allow Fast Roaming (CCKM) which enables the client wireless adapter for
fast secure roaming.
EAP-FAST User:
Select the credential retrieval method:
1. Select the user credentials: Use Windows logon, Prompt each time I connect, or Use the following.
2. Allow automatic provisioning of Protected Access Credentials (PAC):
EAP-FAST uses a PAC key to protect the user credentials that are exchanged. All EAP-FAST
authenticators are identified by an authority identity (A-ID). The local authenticator sends its A-ID
to an authenticating client, and the client checks its database for a matching A-ID. If the client
does not recognize the A-ID, it requests a new PAC.
Click PACs to view any PACs that have already been provisioned and reside on this computer. A
PAC must have already been obtained to clear Allow automatic provisioning on the Security
Settings.
NOTE: If the provisioned Protected Access Credential (PAC) is valid, Intel(R) PROSet/Wireless
does not prompt the user for acceptance of the PAC. If the PAC is invalid, Intel PROSet/Wireless
fails the provisioning automatically. A status message is displayed in the Wireless Event Viewer
that an administrator can review on the user's computer.
PAC distribution can also be completed manually (out-of-band). Manual provisioning enables you
to create a PAC for a user on an ACS server and then import it into a user's computer. A PAC file
can be protected with a password, which the user needs to enter during a PAC import.
To import a PAC:
1. Click PACs to open the Protected Access Credentials (PAC) list.
2. Click Import to import a PAC that resides on this computer or a server.
3. Select the PAC and click Open.
4. Enter the PAC password (optional).
5. Click OK to close this page. The selected PAC is added to the PAC list.
6. Click OK to save the EAP-FAST settings and return to the Profiles list. The PAC is used for this wireless
profile.