Continuing from part 1, it is now time to configure the wireless client on the
computers to connect to the wireless network. Using Windows XP, this is best
done by allowing Windows to do most of the work. Bring up the Network Connection
Properties window (as seen on the right), and switch to the Wireless Networks
tab. It should look similar to what is shown here. Since I'm not broadcasting my
SSID, it doesn't show up in the "Available Networks" section, but rather in the
"Preferred networks" section. If you are not broadcasting the SSID, you'll have
to manually add the information by clicking on the "Add" button. Your SSID
should definitely show up in the "Preferred networks" section. Also, click the
"Advanced" button and un-check the box that says "automatically connect to
non-preferred networks". Having this enabled may disconnect you from your WLAN
and connect you to your neighbor's if his signal suddenly becomes stronger than
yours.
Select your SSID, and click "Properties" or "Configure", depending on where you selected your SSID. That will bring up another window which allows you to select the Network Authentication mode and the Data encryption algorithm. Since we set it up for WPA and AES earlier (see part 1), that's what we'll select here too. The key that is shown (grayed out) in the graphic to the right is left over from the static AES key used prior to changing from shared key (WPA-PSK).
Next, click the Authentication tab to bring up the next set of options. There really isn't a whole lot here either, only the "EAP type" and a couple of check-boxes. Make sure that the "EAP type" is set to "Protected EAP (PEAP)" to match the provider we set up in part 1, and that the "Authenticate as computer when computer information is available" check-box is checked.
Then, hit the "Properties" button to bring up the "Protected EAP Properties"
window. Again, not a whole lot to do. Check that "Validate server certificate"
is checked, and move on to "Authentication Method", which should be set to
"Secured Password (EAP-MSCHAP v2)". Pick it from the dropdown box, and click
the "Configure" button to bring up the last window. In the last window, simply
make sure that the box is checked so that your login credentials are passed
along for authentication.
Click "OK" to get back to the "Protected EAP Properties" window, and make sure
the "Enable Fast Reconnect" box is checked. Once this is done, click "OK" to
close out of all the property windows, and you'll be all set. If you open the
"Network Connections" window, you'll notice that (assuming everything is
working) it'll say "Authentication succeeded" below your wireless connection,
rather than simply "enabled" as it would with regular shared key connections.
Congratulations, that's "all" there is to it. Enjoy your secure WLAN...
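An added example, not part of the original article: on Windows versions that can export a wireless profile to XML with `netsh wlan export profile`, a short Python script can confirm that a client still carries the settings chosen in this walkthrough. The profile below is constructed and simplified, and its element names are assumptions modelled on that export format.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified profile (namespaces omitted). Element names are modelled
# on `netsh wlan export profile` output: assumptions to verify against a real export.
SAMPLE_PROFILE = """<WLANProfile><name>example-wlan</name><MSM><security>
  <authEncryption>
    <authentication>WPA</authentication><encryption>AES</encryption>
    <useOneX>true</useOneX>
  </authEncryption>
  <OneX><EAPConfig><EapHostConfig>
    <EapMethod><Type>25</Type></EapMethod>
    <Config><Eap><Type>25</Type><EapType>
      <FastReconnect>true</FastReconnect>
      <Eap><Type>26</Type><EapType>
        <UseWinLogonCredentials>true</UseWinLogonCredentials>
      </EapType></Eap>
      <PeapExtensions><PerformServerValidation>false</PerformServerValidation></PeapExtensions>
    </EapType></Eap></Config>
  </EapHostConfig></EAPConfig></OneX>
</security></MSM></WLANProfile>"""

# (setting as named in the walkthrough, element to read, required value)
CHECKS = [
    ("Network Authentication: WPA", "authentication", "WPA"),
    ("Data encryption: AES", "encryption", "AES"),
    ("802.1X authentication enabled", "useOneX", "true"),
    ("EAP type: Protected EAP (PEAP)", "Type", "25"),        # EAP method number 25
    ("Authentication Method: EAP-MSCHAP v2", "Type", "26"),  # EAP method number 26
    ("Validate server certificate", "PerformServerValidation", "true"),
    ("Enable Fast Reconnect", "FastReconnect", "true"),
    ("Pass logon credentials", "UseWinLogonCredentials", "true"),
]

def values(root, name):
    """Text of every element called `name`, ignoring any XML namespace."""
    return [(e.text or "").strip() for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == name]

def audit(profile_xml):
    """Return one finding per setting that differs from the walkthrough."""
    root = ET.fromstring(profile_xml)
    return [f"{label} (found: {values(root, element) or 'missing'})"
            for label, element, wanted in CHECKS
            if wanted not in values(root, element)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE):
        print("MISMATCH:", finding)
```

The sample deliberately has server certificate validation switched off, so the audit reports exactly that one mismatch; an empty result means the profile matches every setting above.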
And this is where I promised we'll look at EAP-TLS next. Unfortunately, that
might not happen any time soon. My experimental wireless network has turned into
"production", and I cannot easily take it down to experiment with other types of
authentication. What I can promise though, is that by the end of January (2005),
I'll have another article on better tuning your settings to simplify the
management of your wireless users and implement a few more restrictions.
© 1999 - 2005 Lars M. Hansen