802.1X Authentication Configuration Supplement
This Help topic provides supplemental instructions for users who are configuring their network for 802.1X authentication. It is recommended that you begin by following the instructions in the Policy Manager Authentication Configuration Guide. Then, read this configuration supplement for specific information related to configuring 802.1X end users. For more detailed information regarding client setup, consult the documentation for your particular client(s).
EAP MD5-Challenge End User (Supplicant) Setup
Windows XP and Windows 2000 End User (Supplicant) Setup
Use the following instructions to set up a Windows XP or Windows 2000 end user for 802.1X authentication:
- On the end user's machine, open Network Connections (Start menu > Settings > Network Connections).
- Right click on the connection and select Properties.
- In the General tab, verify that the Show icon in notification area when connected option is selected.
- In the Authentication tab, select the Enable network access control using IEEE 802.1X check box. Then, select MD5-Challenge as the EAP type. Note that MD5-Challenge authenticates only the user: it does not authenticate the server and it derives no session keys, so it is appropriate for wired ports in a trusted infrastructure rather than for wireless links.
NOTE: Depending on your network's needs, you can select "Authenticate as computer when computer information is available" and/or "Authenticate as guest when user or computer information is unavailable".
The authentication process is as follows:
- Press Ctrl-Alt-Delete and log on to the end user's machine.
- Allow up to a couple of minutes for the EAP authentication to initialize and be established between the local machine and the 802.1X-enabled device.
- After establishing the EAP authentication, notice that a bubble (balloon) appears in the notification area.
- Click on the bubble to open the network logon window.
- Provide the end user's username and password, and the domain, if appropriate.
NOTES: If a user enters incorrect credentials twice, the Windows XP client does not offer the logon prompt again. To retry, the user can toggle link on the port, or log out and log back in.
After the network logon window has been opened by clicking the bubble, a second bubble may appear in the notification area before the user logs in. In this case, the user must close the logon window opened previously and click the second bubble to re-launch the network logon window.
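The exchange behind the steps above, written out as an added example that is not part of this help topic or of Policy Manager: the EAP packets of RFC 3748 (Request/Identity, Response/Identity, Request/MD5-Challenge, Response/MD5-Challenge, Success/Failure) and the MD5-Challenge response, which RFC 1994 defines as MD5 over Identifier || password || Challenge. The account (jdoe / Winter2003), the fixed challenge bytes and the authenticator name radius1 are constructed for the example.

```python
"""EAP MD5-Challenge exchange (RFC 3748 section 5.4, RFC 1994).

Added worked example; not code from the help topic or from Policy Manager.
User names, passwords, the challenge and the server name are constructed.
"""
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eap_packet(code, identifier, eap_type=None, type_data=b""):
    """EAP header (Code, Identifier, Length) plus optional Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Return (code, identifier, eap_type, type_data); Success/Failure carry no Type."""
    if len(packet) < 4:
        raise ValueError("short EAP packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, identifier, None, b""
    if length < 5:
        raise ValueError("Request/Response without Type octet")
    return code, identifier, packet[4], packet[5:]


def md5_challenge_value(identifier, password, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_request(identifier, challenge, server_name=b""):
    # Type-Data = Value-Size, Value (the challenge), optional Name
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(challenge)]) + challenge + server_name)


def build_md5_response(request_packet, password, user_name):
    """Supplicant side: answer the request, reusing its Identifier."""
    code, identifier, eap_type, data = parse_eap(request_packet)
    if code != EAP_REQUEST or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a Request/MD5-Challenge")
    challenge = data[1:1 + data[0]]
    value = md5_challenge_value(identifier, password, challenge)
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_MD5_CHALLENGE,
                      bytes([len(value)]) + value + user_name)


def verify_md5_response(response_packet, expected_identifier, challenge, user_db):
    """Authenticator/RADIUS side: recompute the hash for the named user and compare."""
    code, identifier, eap_type, data = parse_eap(response_packet)
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_MD5_CHALLENGE:
        return False
    if identifier != expected_identifier:  # must answer the outstanding request
        return False
    value_size = data[0]
    value, name = data[1:1 + value_size], data[1 + value_size:]
    password = user_db.get(name)
    if password is None or value_size != 16:
        return False
    return hmac.compare_digest(value, md5_challenge_value(identifier, password, challenge))


def dictionary_attack(identifier, challenge, value, wordlist):
    """Offline guessing from one captured Request/Response pair; no network access needed."""
    for guess in wordlist:
        if md5_challenge_value(identifier, guess, challenge) == value:
            return guess
    return None


def run_exchange(user_name, password, user_db, challenge, identifier=1):
    """Complete flow; returns (final EAP code, MD5 value as seen on the wire)."""
    resp_id = eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, user_name)
    _, _, _, identity = parse_eap(resp_id)        # Identity travels in the clear
    req_md5 = build_md5_request(identifier + 1, challenge, b"radius1")
    resp_md5 = build_md5_response(req_md5, password, identity)
    ok = verify_md5_response(resp_md5, identifier + 1, challenge, user_db)
    final = eap_packet(EAP_SUCCESS if ok else EAP_FAILURE, identifier + 1)
    captured_value = parse_eap(resp_md5)[3][1:17]
    return parse_eap(final)[0], captured_value


if __name__ == "__main__":
    # Constructed sample data: one account and a fixed 16-byte challenge.
    USERS = {b"jdoe": b"Winter2003"}
    CHALLENGE = bytes(range(0x10, 0x20))
    code, value = run_exchange(b"jdoe", b"Winter2003", USERS, CHALLENGE)
    print("EAP result:", "Success" if code == EAP_SUCCESS else "Failure")
    print("offline guess:", dictionary_attack(2, CHALLENGE, value, [b"password", b"Winter2003"]))
```

The last function is the reason for the caveats in this topic: the Identifier, Challenge and Value all cross the wire unprotected, so anyone who can observe the port (or the air, for the wireless setup later in this topic) can test password guesses offline, and nothing in the exchange proves to the supplicant who the authenticator is.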
How to Speed up MD5 Prompt on XP Client
By default, the MD5 prompt can take up to two minutes to appear after you log into the machine or plug into an 802.1X enabled device. It is possible to speed up this process by making the following changes to the XP client and the 802.1X-enabled device.
Modify the XP client's Registry:
- Run regedit.exe from the Run box.
- Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global.
- Right-click on Global and select New > DWORD Value.
- Name it SupplicantMode.
- After it is created, double-click it and set its value to 3.
- You must reboot the PC before the new registry value takes effect.
On the 802.1X-enabled device, use Policy Manager to change the Authentication Request Period on the supplicant port to a shorter interval:
- Launch Policy Manager.
- In the left panel, select the Network Elements tab.
- Open the Devices folder and select the 802.1X-enabled device on which the port is located.
- Select the port in the left panel.
- In the right panel, select the Authentication Configuration tab.
- In the Login Settings area, set the Authentication Request Period to a short interval, for example, 5 seconds.
- Click Apply.
Linux SecureSupplicant Setup
You can download the open-source 802.1X client (Open1X / Xsupplicant) from http://www.open1x.org at no cost, or you can purchase the Meetinghouse 802.1X supplicant called AEGIS Client from http://www.mtghouse.com. Refer to the instructions included in the download to install and set up your Linux SecureSupplicant.
EAP-TLS Certificate Setup
Windows 2000 AS Certificate Server Configuration
Use the following instructions to set up Windows 2000 Advanced Server (AS) as a Certification Authority (CA). These instructions are only an example; refer to Microsoft documentation before installing a CA on a production network.
- Install Windows 2000 Advanced Server with Active Directory, DNS service, and IAS.
- If you did not install Internet Information Services (IIS) with the Windows 2000 AS installation, do so now.
- Select the Start menu > Settings > Control Panel, and click on Add/Remove Programs.
- On the left panel, select Add/Remove Windows Components.
- When the Windows Components window opens, select Internet Information Services (IIS), and click Next. This installs the IIS service. You can now install Certificate Services.
- Launch the Windows Components Wizard by opening Add/Remove Programs in Control Panel and clicking on Add/Remove Windows Components.
- When the Wizard opens, select Certificate Services from the component list. The installer will warn you that once the CA software is installed, you can't change the name of the server or move it out of an Active Directory Domain.
- The Certification Authority Type Selection screen will appear, giving you a choice of the different CA types. Select Enterprise root CA. Do not select Advanced Options.
- On the CA Identifying Information screen, enter a unique name for the CA Name, then fill out the rest of the form with whatever applies to your setup environment.
- The next screen prompts you for the location of the Data Storage files. Select the defaults.
- If you are running IIS WWW service, the installer will tell you that it must stop the service to complete the installation.
- When the wizard finishes, you'll be prompted to restart your server. After rebooting, the CA service will start automatically.
Windows XP Client Certificate Setup
Install a certificate on a Windows XP client:
- Connect the client PC to the Domain on which the CA resides.
- Open your browser and go to http://<CA server>/certsrv. This brings up the Certificate Services page for the CA server.
- Select Request a Certificate.
- Select User Certificate.
- Select Submit. This prompts the client to request a certificate from the CA.
- When the "Certificate Issued" response is presented, select "Install this Certificate". This results in "Certificate Installed".
View the installed certificate on the client:
- Select the Start menu > Run.
- Type mmc.
- When the Console starts, select File > Add/Remove Snap-in.
- From the Standalone tab, select Add.
- Select Certificates, then Add.
- The Certificates Snap-in window prompts for what type of account the certificate will manage.
- Select My user account, then Finish.
- Close the Add Standalone Snap-in window.
- On the Add/Remove Snap-in window, click OK.
- In the Console, expand Certificates, expand Personal, and select Certificates.
- You will see your certificate(s) in the right pane.
- Double-click on the certificate to view the certificate properties.
- Upon initial authentication (within a few minutes of attempting), the client is prompted to accept the authentication server's certificate as valid. Accept it only after confirming that it was issued by the CA you set up above; for a production deployment, configure the EAP-TLS properties on the client to validate the server certificate against that CA rather than relying on the user to judge the prompt.
802.11 Wireless Setup
RoamAbout R2 802.1X Configuration
Use the following instructions to set up and configure 802.1X authentication for the RoamAbout R2.
RoamAbout R2 firmware and boot images should be upgraded to the latest versions, which are available at https://extranet.extremenetworks.com/downloads/Pages/RoamAbout4102.aspx.
System requirements:
- RoamAbout R2 with RoamAbout card
- PC with Windows XP or Windows 2000 installed
- A null modem cable to connect the console port on the PC to the console port of the RoamAbout R2. (See http://www.lammertbies.nl/comm/cable/RS-232.html#null.)
- AP Manager installed on the PC
- A RADIUS Server with 802.1X support (Steel-Belted RADIUS Administrator Service Provider Edition) or Windows 2000 IAS
Configure the RoamAbout R2:
- Connect a null modem cable from the PC to the RoamAbout R2.
- Using a terminal emulator like Microsoft® HyperTerminal, log in to the RoamAbout R2.
- Select Network Configuration, assign an IP address, subnet mask and gateway, and save the configuration.
- On the PC, launch AP Manager.
- In AP Manager, select the Add button to add a new AP.
- Upgrade the RoamAbout boot image to the latest version. To load the boot image onto the AP:
- In the AP Manager Main menu select Reload. The Reload window opens.
- In the Options area, select the Use This Computer option.
- In the Firmware Image area, select the Operational BootROM option.
- Enter the path to the boot image or use the Browse button to navigate to the boot image.
- Click Reload Now.
- Upgrade the RoamAbout firmware image to the latest version. To load the firmware image onto the AP:
- In the Main menu select Reload.
- In the Options area, select the Use This Computer option.
- In the Firmware Image area, select the Operational Firmware option.
- Enter the path to the firmware image or use the Browse button to navigate to the firmware image.
- Click Reload Now.
- When the images have finished downloading, at the prompt, reboot the RoamAbout R2 device.
- In the AP Manager Main menu, select Wireless Parameters.
- In the Wireless Parameters window, enter the Wireless Network Name.
- Use Policy Manager to configure the RoamAbout R2 as a RADIUS client, following the instructions in the Authentication Configuration Guide.
- On the RoamAbout R2, you must enable 802.1X on each port by setting the port's Authentication Behavior to Active.
- In Policy Manager, select the Network Elements tab in the left panel.
- Expand the RoamAbout R2 device to see its ports.
- Select a port in the left panel.
- In the right panel, select the Authentication Configuration tab.
- In the Port Mode area, set the port's Authentication Behavior to Active.
- Click Apply.
Set up the Windows XP Client:
Requirements:
- A PC that meets Windows XP requirements.
- A wireless interface card on the XP PC.
- Select Start menu > Settings > Network Connections and then right-click on the wireless adapter icon.
- From the drop-down menu select Properties.
- Select the Authentication tab, and check Enable network access control using IEEE 802.1X.
- Set the EAP type to MD5-Challenge. This matches the RADIUS configuration below and is adequate for testing the setup; MD5-Challenge does not authenticate the access point to the client and derives no keying material, so it cannot provide per-session wireless encryption keys. For a production wireless network, use EAP-TLS with the certificate setup described earlier in this topic.
Set up the Funk RADIUS Server:
Requirements:
- RADIUS Server with 802.1X support (Steel-Belted RADIUS Administrator Service Provider Edition)
- Install application.
- Go to the eap.ini file in the RADIUS Services folder, and uncomment the EAP-Type = MD5-Challenge entry for the native, domain, and domain user groups.
- Go to the RADIUS.ini file and set LogLevel = 2 and TraceLevel = 2. This raises the log file verbosity for troubleshooting; return both settings to their defaults afterwards, because trace output records the details of every authentication attempt.
- Start RADIUS Server Service.