Deploying Secure 802.11 Wireless Networks with Microsoft Windows
Windows XP (SP1 and Later) and Windows Server 2003
Windows XP (SP1 and later) and Windows Server 2003 include all the wireless support provided with Windows XP, with the following enhancements:
Additional support for Protected EAP (PEAP), with PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and PEAP-TLS authentication (for more information, see Chapter 5).
Improvements for the Smart Card Or Other Certificate dialog box for TLS authentication (for more information, see Chapter 5).
Additional support for smart cards for EAP-TLS-based wireless authentication.
Improved user interface for managing wireless networks.
NOTE Support for EAP-MD5-CHAP authentication (the MD5-Challenge EAP type) has been removed for wireless networks.
Changes to the Wireless Network Configuration User Interface
The changes to the wireless network configuration user interface include the following, which are described in the following sections:
Connect to Wireless Networks dialog box
Properties of a wireless network connection
Connect to Wireless Networks Dialog Box
The dialog box used to connect to an available wireless network has the following changes:
The title of the dialog box is the name of the wireless connection. For example, if the wireless connection is named Wireless, the dialog box is titled Wireless.
There is a new Confirm Network Key text box, in which you can retype the manually configured WEP key. The Confirm Network Key text box becomes available only after you type a key in Network Key.
There is a new Enable 802.1x Authentication For This Network check box.
Figure 3-7 shows the new dialog box to connect to an available network.
Figure 3-7. The new dialog box to connect to an available network.
Properties of a Wireless Network Connection
The most significant changes are for the configuration of the properties of a wireless connection, which include the following:
The Authentication tab has been removed.
From the properties of a wireless network on the Wireless Networks tab, there is now an Association tab and an Authentication tab. The Association tab contains the settings that define the properties of the wireless network and how to associate with it. The Association tab is essentially the same as the properties of a wireless network with Windows XP (prior to SP1), with some minor changes. The Authentication tab has been moved from the properties of the wireless network adapter to the properties of each wireless network.
Figure 3-8 shows the new properties for a wireless network connection.
Figure 3-8. The new properties for a wireless network connection.
Association Tab
The following are the changes to the settings of a wireless network on the new Association tab:
There is a new Confirm Network Key text box that provides a space to retype the manually configured WEP key.
The Key Format and Key Length text boxes have been removed. The key format and length are automatically determined from the typed key.
The Key Index (Advanced) field has been changed to allow encryption key index values only from 1 to 4. This change was done so that the Windows wireless client encryption key index values match the encryption key index values used by many wireless APs.
Figure 3-9 shows the new Association tab for a wireless network.
Figure 3-9. The new Association tab for a wireless network.
Authentication Tab
The new Authentication tab for a wireless network is functionally the same as the Authentication tab for a wireless network adapter. The only change is in the title of the first check box: Enable Network Access Control Using IEEE 802.1X has been changed to Enable IEEE 802.1x Authentication For This Network. The title change better reflects the change from 802.1X settings for all the wireless networks of the wireless network adapter (as in Windows XP prior to SP1) to 802.1X settings for each individual wireless network of a wireless network adapter.
Figure 3-10 shows the new Authentication tab for a wireless network.
Figure 3-10. The new Authentication tab for a wireless network.
Changes to WPA Wireless Security Update
To use the new Wi-Fi Protected Access (WPA) standard for wireless clients running Windows XP (SP1 and later) and Windows Server 2003 that are using a wireless network adapter that supports the WZC service, you must obtain and install the WPA Wireless Security Update in Windows XP a free download that is available from http://support.microsoft.com/?kbid=815485. It updates the wireless network configuration dialog boxes to support new WPA options. WPA is described in the Wi-Fi Protected Access section in Chapter 2.
Installing the WPA Wireless Security Update changes the Association tab, as Figure 3-11 shows.
The Wireless Network Key (WEP) section is now named Wireless Network Key, and the Data Encryption (WEP Enabled) and Network Authentication (Shared Mode) check boxes previously described are replaced with drop-down boxes.
Figure 3-11. The new Association tab for the WPA Wireless Security Update.
The Data Encryption (WEP Enabled) check box is replaced with a Data Encryption drop-down box that provides the following selections:
- Disabled
Encryption of 802.11 frames is disabled.
- WEP
802.11 WEP is used as the encryption algorithm.
- TKIP
Temporal Key Integrity Protocol (TKIP) is used as the encryption algorithm.
- AES
Advanced Encryption Standard (AES) is used as the encryption algorithm. This selection is available only if the wireless network adapter and its driver support the optional AES encryption algorithm.
NOTE If the wireless network adapter and its driver do not support WPA, you do not see the TKIP and AES options.
The Network Authentication (Shared Mode) check box is replaced with a Network Authentication drop-down box that provides the following selections:
- Open
The open system authentication method is used.
- Shared
The shared key authentication method is used, and the key is typed in Network Key and Confirm Network Key.
- WPA
WPA authentication is used with an EAP type configured on the Authentication tab.
- WPA-PSK
WPA authentication is used with a pre-shared key, and the key is typed in Network Key and Confirm Network Key.
NOTE If the wireless network adapter and its driver do not support WPA, you will not see the WPA and WPA-PSK options.