Setting Up Enterprise Wireless Security

Home > Setting Up Wireless Security > Setting Up Enterprise Wireless Security

Setting Up Wireless Security for Large Enterprises

Overview

Enterprise security is different from home user security in that an authentication server is used, and encryption keys are dynamically changed, making it more difficult for unauthorized users to access and read data on the network.

To make your wireless connection more secure, apply the strongest security settings supported by the AP or wireless router to which you are connected. For large enterprise networks, CCKM, 802.1X, WPA, and WPA2 are common security methods, and WAPI-CA is a possible alternative.

Supported Security Methods

The following table shows the enterprise security methods supported by the Mediatek Utility.

Security Protocol	Encryption Method	Comments
WPA (Wi-Fi Protected Access) WPA2 (Wi-Fi Protected Access 2)	TKIP(MFP)* (Temporal Key Integrity Protocol (Management Frame Protection)) AES(MFP)* (Advanced Encryption Standard (Management Frame Protection)) AES (Advanced Encryption Standard) TKIP (Temporal Key Integrity Protocol)	WPA and WPA2 are designed for large enterprises. They both require an authentication server. WPA2 is a faster, more recent standard than WPA. AES is a stronger, more recent standard than TKIP. MFP (management frame protection) offers more security than no MFP.
CCKM (Cisco Centralized Key Management) (not supported by Windows XP)	WEP (Wireless Encrypted Privacy) AES TKIP	CCKM allows roaming between APs with WDS (wireless domain services) enabled and access to the same RADIUS server.
802.1X	WEP	802.1X is designed for large enterprises and requires an authentication server. WEP is an older standard and is easily decrypted.

* Management frame protection (MFP) available for WPA2 only.

Note: The Utility also supports WAPI-CA authentication with SMS4 encryption, but at the time of writing, it is a new Chinese standard and has yet to be made an ISO standard.

Supported Authentication and Tunnel Methods

Enterprise security typically comprises an authentication method to ensure clients have authorization to access the network, and a tunnel method to encrypt data transmitted on the network. The following table describes the authentication and tunnel methods supported by the Mediatek Utility.

Authentication Method	Tunnel Authentication Method	Comments
TLS/Smart Card	n/a	Mutual authentication of client and server using client and server-side certificates make TLS (Transport Layer Security) very secure but also complex. Widely implemented.
PEAP	EAP-TLS/Smart Card EAP-MS-CHAP v2 Generic Token Card	PEAP (Protect Extensible Authentication Protocol) uses server-side certificates for less complex support requirements than TLS, while still providing strong security. All PEAP methods described, and particularly PEAP-EAP-MS-CHAP v2 (commonly known as PEAP) are widely implemented.
TTLS	MS-CHAP v2 MS-CHAP CHAP PAP EAP-MD5	TTLS (Tunneled Transport Layer Security) provides mutual authentication of client and server through an encrypted channel using server-side certificates. It has less complex support requirements than TLS, while still providing strong security. Often used in combination with a traditional network server without EAP capability. Less widely implemented. Note: PAP and MD5 are not secure methods. MS-CHAP v2 is more secure than other authentication methods listed.
FAST	TLS/Smart Card Generic Token Card EAP-MS-CHAP v2	FAST (Flexible Authentication via Secure Tunneling) uses PAC (Protected Access Credential) instead of certificates for mutual authentication of client and server. PACs, like certificates, can be manually installed or distributed by the server. Suitable for large enterprises as investment in Cisco infrastructure is required.
MD5-Challenge	n/a	No server authentication. MD5 is easily decrypted. Not widely implemented.
LEAP	n/a	LEAP (Light Extensible Authentication Protocol) provides mutual authentication of server and client and offers dynamic WEP key based encryption. However, it requires strong passwords for strong security. Suitable for large enterprises as investment in Cisco infrastructure is required.
WAI	WPI	Part of the WAPI-CA protocol, as yet unagreed upon level of security and not widely implemented outside China.

Instructions

Follow these instructions to set up WPA/WPA2, 802.1X, or WAPI-CA wireless security on the Mediatek Adapter.

Click the Profile Settings button to display the Profile List screen.
To configure a wireless security profile, click the Add button to add a new profile, or click the Edit button to edit an existing profile.
In the screen that appears, enter the following settings.
- For 'Profile Name', type a name for the profile, or leave at its default value.
- In the SSID field type the name of the network to which you are connecting, or select an existing network name from the drop-down list provided.
- For 'Network Type', select whether your network is an infrastructure or ad hoc network. If uncertain, leave at its default setting (Infrastructure).
- - Select 'Infrastructure - Connect to AP' if you are connecting to a typical wireless network maintained by an AP or wireless router.
  - Alternatively, select 'Ad Hoc - Connect to other computers' if you are connecting to a distributed network with no AP or router.
In the Profile Settings screen, click the right arrow to save your settings. For instructions on setting up a security method, click on the corresponding link.
- WAPI-CA
- CCKM, 802.1X, WPA or WPA2
- Setting Up WAPI-CA
  1. To set up WAPI-CA security, for Authentication select WAPI-CA, and for Encryption select SMS4. Click the right arrow to save your settings.
  2. WAPI-CA requires user, issuer and authentication server unit (ASU) certificates. To install these certificates on your system, click the certificate installation button and follow the steps in the next screen. If these certificates are already installed on your system, skip the certificate installation procedure and go to the final step in these instructions on WAPI certificate installation.
  3. To install WAPI certificates, first, in the certificate installation screen, in the 'User Certificate' field, click on the folder icon to browse to and select a WAPI user certificate. Then, in the 'Issuer Certificate' field, click on the folder icon to browse to and select a WAPI issuer certificate. Next, click the first install button to verify the user and issuer certificate, and install the authentication server unit (ASU) certificate.
  4. The ASU certificate and its details appear in the screen.
    - If the authentication server on your network is installed on your network's AP, you have completed certificate installation. Close this screen and go to the final step in this set of instructions.
    - If the authentication server on your network is external to your network's AP, click the second install button to install the ASU.
  5. Click the 'Browse' button to browse to and select a ASU, and click 'Install'. The ASU appears in the list in this window. Click OK to close this screen.
  6. The ASU appears in the certificate list. Close this window to complete the certificate installation procedure.
  7. Select 'Auto' to let the Utility automatically detect a valid certificate for your connection, or select 'Manual' and from the drop-down list, select the name of the certificate to be used in your connection. Click the right arrow to complete setting up WAPI-CA security.
  Setting Up CCKM, 802.1X, WPA or WPA2
  1. In the Profile Settings security screen, select an authentication and encryption method.
    - To set up WPA or WPA2 authentication, for Authentication select WPA or WPA2, and for Encryption select TKIP or AES. If WPA2 is selected, TKIP and AES are available with the added security of management frame protection (TKIP(MFP), AES(MFP)). Click the right arrow to save your settings.
    - To set up CCKM authentication, for Authentication select CCKM, and for Encryption select WEP, TKIP, or AES. Click the right arrow to save your settings.
    - To set up 802.1X authentication, for Authentication select 802.1X, and for Encryption select WEP. Click the right arrow to save your settings.
  2. Select the EAP method (Extensible Authentication Protocol) supported by your network from the list below and follow the instructions given.
    - PEAP
    - TLS/Smart Card
    - TTLS (Windows XP only)
    - EAP-FAST
    - MD5-Challenge (Windows XP, 802.1X only)
    - LEAP
    PEAP
    1. If you select PEAP, for Tunnel Authentication select either EAP-MSCHAP v2, EAP-TLS/Smart Card, or Generic Token Card.
      - If you select EAP-MSCHAP v2, in the Tunnel ID field type the name assigned to the user, and in the Tunnel Password field, type the password associated with the user name.
      - If you select EAP-TLS/Smart Card, in the Tunnel ID field, select Authentication ID or Machine ID depending on whether user credentials are provided by a smart card or by the computer from which they are accessing the network. If Authentication ID is selected, in the adjacent field, type your user name.
      - If you select Generic Token Card, in Tunnel Password/Mode, you can select Static Password or Soft Token and for Vista/Windows 7 users, Windows Logon or Prompt User, depending on the method used to supply user credentials.
        
        If you select the Static Password option, then in the Tunnel ID field, type your user name, and in the Tunnel Password field, type the password associated with your user name.
        
        If you select Soft Token, your user credentials are supplied by software.
        
        If you select Windows Logon, your user credentials are based on those of your Windows user account.
        
        If you select Prompt User, when connecting to a network, a popup window appears, asking for your user name and password.
      Click the right arrow to save your settings.
    2. If you have selected PEAP > EAP-MSCHAP v2 or PEAP > Generic Token Card, then optionally select Use Server Certification, and from the drop-down box, select the certificate authority. Click the right arrow to save your settings.
    3. If you have selected PEAP > EAP-TLS/Smart Card, from the drop-down list, select the client certificate on your computer to be used by this security method, or for Vista and Windows 7 users, select "Use my smart card" to set up smart card-based user authentication. Click the right arrow to save your settings.
    4. You have completed setup of PEAP authentication.
    TLS/Smart Card
    1. If you select TLS/Smart Card, select Authentication ID or Machine ID depending on whether user credentials are provided by a smart card or by the computer from which they are accessing the network. If Authentication ID is selected, in the adjacent field, type your user name. Click the right arrow to save your settings.
    2. From the drop-down list, select the client certificate on your computer to be used by this security method, or for Vista and Windows 7 users, select "Use my smart card" to set up smart card-based user authentication. Click the right arrow to save your settings.
    3. Optionally select Use Server Certification, and from the drop-down box, select the certificate authority. Click the right arrow to save your settings.
    4. You have completed setup of TLS/Smart Card authentication.
    TTLS
    1. For Windows XP users only. To apply TTLS, select a Tunnel Authentication method from the drop-down list. Options include CHAP, MS-CHAP, MS-CHAP v2, PAP, and EAP-MD5. For Tunnel ID, select Authentication ID or Machine ID depending on whether user credentials are provided by the user or by the computer from which they are accessing the network. If Authentication ID is selected, in the adjacent field, type your user name. For either Authentication ID or Machine ID, in the Tunnel Password field, type a password. Click the right arrow to save your settings.
    2. From the drop-down list, optionally select the client certificate on your computer to be used by this security method, and click the right arrow to save your settings.
    3. Next, optionally select 'Use Server Certification'. From the drop-down box, select the certificate authority. Click the right arrow to save your settings.
    4. You have completed setup of TTLS authentication.
    EAP-FAST
    1. If you are applying EAP-FAST authentication using Vista or Windows 7, click the right arrow to finish setting up EAP-FAST.
    2. Otherwise, for Windows XP users only, select a Tunnel Authentication method from the drop-down list. Options include EAP-MS-CHAP v2, EAP-TLS/Smart Card, and Generic Token Card.
      - If you select EAP-MSCHAP v2, for 'Tunnel ID', select Authentication ID or Machine ID depending on whether user credentials are provided by users or by the computer from which they are accessing the network. If Authentication ID is selected, in the adjacent field, type your user name. If either Authentication ID or Machine ID are selected, for Tunnel Password, type the associated password.
      - If you select EAP-TLS/Smart Card, for 'Tunnel ID', select Authentication ID or Machine ID depending on whether user credentials are provided by a smart card or by the computer from which they are accessing the network. If Authentication ID is selected, in the adjacent field, type your user name.
      - If you select Generic Token Card, for 'Tunnel ID', field requirements depend on the tunnel mode and identification method selected.
        
        If 'Static Password' is selected for Tunnel Mode, and either Authentication ID or Machine ID are selected, type a password. For Authentication ID a user name is also required in the adjacent field.
        
        If 'Soft Token' is selected for Tunnel Mode, no further settings are required.
      - Click the right arrow to save your settings.
    3. For Windows XP users only, select 'Allow unauthenticated provision mode' to allow the allocation of PAC (protected authentication credentials) from the authentication server without authentication by users. Select 'Use protected authentication credential' to manually import a PAC. Click the right arrow to save your settings.
    4. For Windows XP users only, if you selected EAP-TLS/Smart Card as the tunnel authentication method, from the drop-down list select a security certificate on your computer. Click the right arrow to save your settings.
    5. For Windows XP, Vista and Windows 7, the Utility supports automatic login using your EAP-FAST settings on Windows startup. Select 'Use Pre-logon Connection' to enable this function. Click the right arrow to save your settings.
    6. You have completed setup of EAP-FAST authentication.
    MD5-Challenge
    1. MD5-Challenge is available in Windows XP only. To apply MD5-Challenge, you need to have selected 802.1X as the security method. Type the Tunnel ID and Tunnel Password, and click the right arrow to save your settings.
    2. In the screen that appears select a Key and Key Format setting supported by the wireless router or AP to which you are connecting.
      - If you select 'Hex(10 or 26 hex digits)', in the WEP Key field type a security key 10 or 26 characters long made up of digits '0'-'9' and letters 'A'-'F'.
      - If you select 'ASCII(5 or 13 ASCII characters)' in the WEP Key field, type a security key 5 or 13 characters long made up of digits '0'-'9' and letters 'a'-'z' and 'A'-'Z'.
    3. Click the right arrow to save your settings and finish setting up MD5-Challenge authentication.
    LEAP
    1. For Windows XP users, to apply LEAP, in the Tunnel ID field, select Authentication ID or Machine ID depending on whether user credentials are provided by users or by the computer from which they are accessing the network. If Authentication ID is selected, in the adjacent field, type the user name. For both Authentication ID and Machine ID, type a password for the user.
    2. For Windows Vista and 7 users, for Tunnel Mode, you can select Static Password, Windows Logon or Prompt User, depending on the method used to supply user credentials.
      - If you select the Static Password option, then in the Tunnel ID field, type your user name, and in the Tunnel Password field, type the password associated with your user name.
      - If you select Windows Logon, your user credentials are based on those of your Windows user account.
      - If you select Prompt User, when connecting to a network, a popup window appears, asking for your user name and password.
    3. Click the right arrow to save your settings.
    4. The Utility supports automatic login using your LEAP settings on Windows startup. Select 'Use Pre-logon Connection' to enable this function. Click the right arrow to save your settings.
    5. You have completed setup of LEAP authentication.
After you have set up security settings, a profile configured with your security settings appears in the Profile screen. To edit settings, click the Edit button , or to delete settings, click the delete button .