![D-Link DWL-2200AP [158/192] Obtaining a tls eap certificate for a client](/img/pdf.png)
D-Link DWL-2200AP [158/192] Obtaining a tls eap certificate for a client
![D-Link DWL-2200AP [158/192] Obtaining a tls eap certificate for a client](/views2/1044822/page158/bg9e.png)
158
Appendix A: Configuring Security Settings on Wireless Clients
Obtaining a TLS-EAP Certificate for a Client
If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and
authorization of clients, you must have an external RADIUS server and a Public Key
Authority Infrastructure (PKI), including a Certificate Authority (CA), server configured on
your network. It is beyond the scope of this document to describe these configuration of
the RADIUS server, PKI, and CA server. Consult the documentation for those products.
Some good starting points available on the Web for the Microsoft Windows PKI software
are: “How to Install/Uninstall a Public Key Certificate Authority for Windows 2000” at
http://support.microsoft.com/default.aspx?scid=kb;EN-US;231881 and How to Configure
a Certificate Server at http://support.microsoft.com/default.aspx?scid=kb;en-
us;318710#3.
Wireless clients configured to use either “WPA with RADIUS” or” IEEE 802.1x”
security modes with an external RADIUS server that supports TLS-EAP certificates
must obtain a TLS certificate from the RADIUS server.
This is an initial onetime step that must be completed on each client that uses either
of these modes with certificates. In this procedure, we use the Microsoft Certificate
Server as an example.
To obtain a certificate for a client, follow these steps.
1. Go to the following URL in a Web browser:
https://IPAddressOfServer/certsrv/
Where IPAddressOfServer is the IP address of your external RADIUS server, or of the
Certificate Authority (CA), depending on the configuration of your infrastructure.
2. Click “Yes” to proceed to the secure Web page for the server.
Содержание
- Contents 2
- Contents of package 3
- Package contents 3
- System requirements for configuration 3
- Connections 4
- Overview of the d link dwl 2210ap 5
- Features and benefits 6
- Ieee standards support and wi fi compliance 6
- Wireless features 6
- Clustering and auto management 7
- Features and benefits continued 7
- Out of the box guest interface 7
- Security features 7
- Clustering and auto management continued 8
- Features and benefits continued 8
- Maintainability 8
- Networking 8
- What s next 8
- D link dwl 2210ap 9
- Default settings and supported administrator client platforms 9
- Prelaunch checklist 9
- Default settings 10
- Option default settings related information 10
- Default settings continued 11
- Option default settings related information 11
- Default settings continued 12
- Option default settings related information 12
- The d link dwl 2210ap is not designed to function as a gateway to the internet to connect your wireless lan wlan to other lan s or to the internet you need a gateway device 12
- What the access point does not provide 12
- Administrator s computer 13
- Configuration and administration of the d link dwl 2210ap is accomplished with the kickstart utility which you run from the cd and through a web based user interface the dwl 2210ap must be installed into a dhcp enabled network in order to use the kickstart utility for configuration the following table describes the minimum requirements for the administrator s computer 13
- Required software or component description 13
- Administrator s computer continued 14
- Required software or component description 14
- In order to connect to the access point wireless clients need the following software and hardware 15
- Multiple client operating systems are supported clients can be laptops or desktops personal digital assistants pdas or any other hand held portable or stationary device equipped with a wi fi adapter and supporting drivers 15
- Required software or component description 15
- The d link dwl 2210ap provides wireless access to any client with a properly configured wi fi client adapter for the 802 1b and 802 1g modes in which the access point is running 15
- Wireless client computers 15
- Required software or component description 16
- Wireless client computers continued 16
- Dynamic ip addressing 17
- How does the access point obtain an ip address at startup 17
- Understanding dynamic and static ip addressing on the d link dwl 2210ap 17
- Configuring the ip address of the dwl 2210ap in a network with no dhcp server 18
- Recovering an ip address 18
- Static ip addressing 18
- Understanding dynamic and static ip addressing 18
- Access point hardware and ports 19
- Quick steps for the setup and launch of your wireless network 19
- Step 1 unpack the access point 19
- Step 1 unpack the access point continued 20
- Step 2 connect the access point to network and power 20
- What s inside the box 20
- Step 2 connect the access point continued 21
- Step 3 run kickstart wizard on the cd rom to find access points on a dhcp network 22
- Step 3 run kickstart wizard continued 23
- Enter the username and password and click ok 24
- Go to the access point administration web pages by taking the link provided on the kickstart page 24
- Step 3 run kickstart wizard continued 24
- Step 4a log on to the administration web pages when using kickstart in a dhcp network 24
- When you follow the link from kickstart to the d link dwl 2210ap administration web pages you are prompted for a user name and password 24
- Step 4b log on to the administration web pages without kickstart in a non dhcp network 25
- Viewing basic settings for access points 25
- Step 5 configure basic settings 26
- Make sure the access point is connected to the lan 27
- Secure and fine tune the access point using advanced features 27
- Test lan connectivity with wireless clients 27
- What s next 27
- Configuring basic settings 28
- Navigating to basic settings 29
- Field description 30
- Review describe the access point 30
- Field description 31
- Provide administrator password and wireless network name 31
- Field description 32
- Set configuration policy for new access points 32
- Summary of settings 33
- Update basic settings 33
- All the cluster settings tabs on the administration web pages include visual indicator icons showing current network activity 34
- Basic settings for a standalone access point 34
- For more information see standalone mode and adding an access point to a cluster in this manual 34
- Icon description 34
- The basic settings tab for a standalone access point indicates only that the current mode is standalone and provides a button for adding the access point to a cluster group if you click on any of the cluster tabs on the administration pages for an access point in standalone mode you will be redirected to the basic settings page because cluster settings do not apply to standalone aps 34
- Your network at a glance understanding indicator icons 34
- Managing access points and clusters 35
- How many aps can a cluster support 36
- Navigating to access points management 36
- Understanding clustering 36
- What is a cluster 36
- What kinds of aps can cluster together 37
- Which settings are shared as part of the cluster configuration and which are not 37
- Cluster mode 38
- Standalone mode 38
- Auto synch of cluster configuration 39
- Cluster formation 39
- Cluster size and membership 39
- Intra cluster security 39
- Field description 40
- From this tab you can view location descriptions ip addresses enable activate or disable deactivate clustered access points and remove access points from the cluster you can also modify the location description for an access point 40
- Note that auto synchronization always occurs during configuration updates that affect the cluster but the processing time is usually negligible the auto synch progress bar is displayed only for longer than usual wait times 40
- Standalone access points those which are not members of the cluster are not shown on this page 40
- The access points tab provides information about all access points in the cluster 40
- The ip address links provide a way to navigate to configuration settings and data on an access point 40
- The progress bar indicates that the system is busy performing an auto synch of the updated configuration to all aps in the cluster the administration web pages are not editable during the auto synch 40
- Understanding access point settings 40
- Adding an access point to a cluster 41
- Modifying the location description 41
- Removing an access point from the cluster 41
- Navigating to an ap by using its ip address in a url 42
- Navigating to configuration information for a specific ap and managing standalone aps 42
- Managing user accounts 43
- Adding a user 44
- Fields description 44
- Navigating to user management for clustered access points 44
- Viewing user accounts 44
- Editing a user account 45
- Enabling and disabling user accounts 45
- Fields description 45
- Disabling a user account 46
- Enabling a user account 46
- Removing a user account 46
- Navigating to session monitoring 47
- Session monitoring 47
- A session in this context is the period of time in which a user on a client device station with a unique mac address maintains a connection with the wireless network the session begins when the client logs on to the network and the session ends when the client either logs off intentionally or loses the connection for some other reason 48
- Details about the session information shown is described below 48
- Field description 48
- The sessions page shows information on client stations associated with access points in the cluster each client is identified by user name and user mac address along with the ap location to which it is currently connected 48
- To view a particular statistic for client sessions select an item from the display drop down list and click go you can view information on idle time data rate signal utilization and so on all of which are described in detail in the table below 48
- Understanding session monitoring information 48
- Field description 49
- Refreshing session information 49
- Sorting session information 49
- To order sort the information shown in the tables by a particular indicator click on the column label by which you want to order things for example if you want to see the table rows ordered by utilization rate click on the utilization column label the entries will be sorted by utilization rate 49
- To view information on all access points select the show all access points radio button at the top of the page 49
- To view session information on a particular access point select the show only this access point radio button and choose the access point name from the drop down menu 49
- Viewing session information for access points 49
- You can force an update of the information displayed on the session monitoring page by clicking the refresh button 49
- You can view session information for all access points on the network at the same time or set the display to show session information for a specified access point chosen from the drop down menu at the top of the screen 49
- Setting the ethernet wired interface 50
- Navigating to ethernet 51
- Configuring an internal lan and a guest network 52
- Enabling or disabling guest access 52
- Setting the dns name 52
- Enabling guest access will enable the vlan settings where you must provide a vlan id see also configuring guest interface ethernet settings in this manual 53
- Field description 53
- If you enable guest access two virtual lans vlan s will be used one for the internal network and one for the guest network to use vlans the lan port on the access point must be connected to a tagged port on a vlan capable switch and then you must define two different virtual lans on this administration page for more information see setting up guest access in this manual 53
- Using vlans for the guest network 53
- Configuring internal interface ethernet settings 54
- Field description 54
- To configure ethernet wired settings for the internal lan fill in the fields as described below 54
- Configuring guest interface ethernet settings 55
- Field description 55
- To apply your changes click update 55
- To configure ethernet settings for the guest interface fill in the fields as described below 55
- Updating settings 55
- Setting the wireless interface 56
- Navigating to wireless settings 57
- Configuring the radio interface 58
- Field description 58
- The radio interface allows you to set the radio channel and 802 1 mode as described below 58
- Configuring internal lan wireless settings 59
- Field description 59
- The internal settings describe the mac address read only and network name also known as the ssid for the internal wireless lan wlan as described below 59
- Configuring guest network wireless settings 60
- Field description 60
- The guest settings describe the mac address read only and wireless network name ssid for the guest network as described below configuring an access point with two different network names ssids allows you to leverage the guest interface feature on the d link dwl 2210ap for more information see setting up guest access in this manual 60
- To apply your changes click update 60
- Updating settings 60
- Enabling the network time protocol server 61
- Navigating to time protocol settings 62
- Enabling or disabling a network time protocol ntp server 63
- Field description 63
- To apply your changes click update 63
- To configure your access point to use a network time protocol ntp server first enable the use of ntp and then select the ntp server you want to use to shut down ntp service on the network disable ntp on the access point 63
- Updating settings 63
- Configuring security 64
- Understanding security issues on wireless networks 64
- Comparison of security modes for key management authentication and encryption algorithms 65
- How do i know which security mode to use 65
- For information on how to configure static wep security mode see static wep under configuring security settings in this manual 67
- Ieee 802 x is the standard for passing the extensible authentication protocol eap over an 802 1 wireless network using a protocol called eap encapsulation over lans eapol this is a newer more secure standard than static wep 67
- Key management encryption algorithm user authentication 67
- Recommendations 67
- See also 67
- Static wep was designed to provide the security equivalent of sending unencrypted data through an ethernet connection however it has major flaws and it does not provide even this intended level of security 67
- Therefore static wep is not recommended as a secure mode the only time to use static wep is when interoperability issues make it the only option available to you and you are not concerned with the potential of exposing the data on your network 67
- When to use ieee 802 x 67
- Does prohibiting the broadcast ssid enhance security 71
- Broadcast ssid and security mode 72
- Configuring security settings 72
- Navigating to security settings 72
- Field description 73
- Guest network 73
- Plain text means any data transferred to and from the d link dwl 2210ap is not encrypted 73
- Plain text mode can be useful during initial network configuration or for problem solving but it is not recommended for regular use on the internal network because it is not secure 73
- Plain text mode is the only mode in which you can run the guest network which is by definition an easily accessible unsecure lan always virtually or physically separated from any sensitive information on the internal lan for example the guest network might simply provide internet and printer access for day visitors 73
- Plaintext 73
- There are no further options for plaintext mode 73
- Static wep 74
- Field description 75
- Field description 76
- Ieee 802 x 79
- Field description 80
- If you selected ieee 802 x security mode provide the following 80
- Wpa with radius 81
- Field description 82
- Field description 83
- Field description 84
- Wi fi protected access wpa with pre shared key psk is a wi fi alliance subset of ieee 802 1i which includes temporal key integrity protocol tkip advanced encryption algorithm aes and counter mode cbc mac protocol ccmp mechanisms psk employs a pre shared key this is used for an initial check of credentials only if you selected wpa psk security mode provide the following 84
- Wpa psk 84
- Configuring radio settings 85
- Understanding radio settings 85
- Updating settings 85
- Navigating to radio settings 86
- Configuring radio settings 87
- Field description 87
- Field description 88
- Field description 89
- To apply your changes click update 89
- Updating settings 89
- Controlling access by mac address filtering 90
- Navigating to mac filtering settings 91
- Updating settings 92
- Using mac filtering 92
- Identifying the imbalance overworked or under utilized access points 93
- Load balancing 93
- Understanding load balancing 93
- Load balancing and qos 94
- Navigating to load balancing settings 94
- Specifying limits for utilization and client associations 94
- Configuring load balancing 95
- Field description 95
- To configure load balancing enable load balancing and set limits and behavior to be triggered by a specified utilization rate of the access point 95
- Configuring queues for quality of service qos 96
- Field description 96
- Quality of service qos provides you with the ability to specify parameters on multiple queues for increased throughput and better performance of differentiated wireless traffic like voice over ip voip video and streaming media as well as traditional ip data over the d link dwl 2210ap 96
- To apply your changes click update settings 96
- Updating settings 96
- 1e and wme standards support 97
- Qos and load balancing 97
- Understanding qos 97
- Qos queues and parameters to coordinate traffic flow 98
- Configuring qos queues 102
- Navigating to qos settings 102
- Field description 103
- Field description 104
- To apply your changes click update settings 104
- Updating settings 104
- Configuring the wireless distribution system wds 105
- Understanding the wireless distribution system 105
- Using wds to bridge distant wired lans 106
- Using wds to extend the network beyond the wired coverage area 106
- Backup links and unwanted loops in wds bridges 107
- Security considerations related to wds bridges 107
- Navigating to wds settings 108
- Configuring wds settings 109
- Field description 110
- Example of configuring a wds link 111
- Field description 111
- When using wds be sure to configure wds settings on both access points on the wds link for example to create a wds link between a pair of access points myap1 and myap2 do the following 111
- Updating settings 112
- Configuring the guest interface 113
- Setting up guest access 113
- Understanding the guest interface 113
- Configuring internal and guest vlans 114
- Configuring the welcome screen captive portal 115
- Using the guest network as a client 115
- Deployment example 116
- Maintenance and monitoring 117
- Ethernet wired settings 118
- Interfaces 118
- Event log 119
- Wireless settings 119
- Statistics 120
- Field description 121
- This page provides some basic information about the current access point and a real time display of the transmit and receive statistics for this access point as described in the following table all transmit and receive statistics shown are totals since the access point was last started if the ap is rebooted these figures indicate transmit receive totals since the reboot 121
- Associated wireless clients 122
- Link integrity monitoring 122
- What is the difference between an association and a session 122
- Rebooting the access point 123
- Resetting the configuration 124
- Upgrading the firmware 125
- Click ok to confirm the upgrade and start the process 126
- Click update to apply the new firmware image 126
- Update 126
- Upgrade tab and also on the basic settings tab if the upgrade was successful the updated version name or number will be indicated 126
- Upon clicking update for the firmware upgrade a popup confirmation window is displayed that describes the upgrade process 126
- Verifying the firmware upgrade 126
- Neighbors 127
- Field description 128
- Field description 129
- Appendix a configuring security settings on wireless clients 130
- Network infrastructure and choosing between built in or external authentication server 131
- Accessing the microsoft windows wireless client security settings 132
- Make sure the wireless client software is up to date 132
- Configuring a client to access an unsecure network plain text mode 134
- Configuring static wep security on a client 135
- Association tab 136
- Then configure wep security on each client as follows 136
- Connecting to the wireless network with a static wep client 137
- Configuring ieee 802 x security on a client 138
- Ieee 802 x client using eap peap 138
- Association tab 140
- Authentication tab 140
- Click configure to bring up the eap mschap v2 properties dialog 140
- Click ok on all dialogs starting with the eap mschap v2 properties dialog to close and save your changes 140
- Click properties to bring up the protected eap properties dialog and configure the following settings 140
- Configure the following settings on the association tab on the network properties dialog 140
- Configure this setting on the authentication tab 140
- Ieee 802 x peap clients should now be able to associate with the access point client users will be prompted for a user name and password to authenticate with the network 140
- Logging on to the wireless network with an ieee 802 x peap client 140
- On this dialog disable click to uncheck the option to automatically use my windows login name etc 140
- Protected eap properties dialog 140
- Ieee 802 x client using eap tls certificate 141
- If you configured the d link dwl 2210ap to use ieee 802 x security mode with an external radius server 142
- Then configure ieee 802 x security with certificate authentication on each client as follows 142
- Association tab 143
- Authentication tab 143
- Configure the following settings on the association tab on the network properties dialog 143
- Configure these settings on the authentication tab 143
- Configuring wpa with radius security on a client 145
- Wpa with radius client using eap peap 145
- Association tab 148
- Authentication tab 148
- Click configure to bring up the eap mschap v2 properties dialog 148
- Click ok on all dialogs starting with the eap mschap v2 properties dialog to close and save your changes 148
- Click properties to bring up the protected eap properties dialog and configure the following settings 148
- Configure the following settings on the association and authentication tabs on the network properties dialog 148
- Configure this setting on the authentication tab 148
- Logging on to the wireless network with a wpa peap client 148
- On this dialog disable click to uncheck the option to automatically use my windows login name etc so that upon login you will be prompted for user name and password 148
- Protected eap properties dialog 148
- Wpa with radius peap clients should now be able to associate with the access point client users will be prompted for a user name and password to authenticate with the network 148
- Wpa with radius client using eap tls certificate 149
- Association tab 151
- Authentication tab 151
- Click ok on all dialogs to close and save your changes 151
- Click properties to bring up the smart card or other certificate properties dialog and enable the validate server certificate option 151
- Configure the following settings on the association tab on the network properties dialog 151
- Configure these settings on the authentication tab 151
- Logging on to the wireless network with a wpa client using a certificate 151
- Smart card or other certificate properties dialog 151
- To complete the client configuration you must now obtain a certificate from the radius server and install it on this client for information on how to do this see obtaining a tls eap certificate for a client in this manual 151
- Wpa clients should now be able to connect to the access point using their tls certificates the certificate you installed is used when you connect so you will not be prompted for login information the certificate is automatically sent to the radius server for authentication and authorization 151
- Configuring wpa psk security on a client 152
- Association tab 153
- Authentication tab 153
- Click ok on the wireless network properties dialog to close it and save your changes 153
- Connecting to the wireless network with a wpa psk client 153
- Wpa psk clients should now be able to associate and authenticate with the access point as a client you will not be prompted for a key the tkip or aes key you configured on the client security settings is automatically used when you connect 153
- Configuring an external radius server to recognize the d link dwl 2210ap 154
- Click yes to proceed to the secure web page for the server 158
- Go to the following url in a web browser 158
- Https ipaddressofserver certsrv 158
- Obtaining a tls eap certificate for a client 158
- This is an initial onetime step that must be completed on each client that uses either of these modes with certificates in this procedure we use the microsoft certificate server as an example 158
- To obtain a certificate for a client follow these steps 158
- Where ipaddressofserver is the ip address of your external radius server or of the certificate authority ca depending on the configuration of your infrastructure 158
- Wireless clients configured to use either wpa with radius or ieee 802 x security modes with an external radius server that supports tls eap certificates must obtain a tls certificate from the radius server 158
- Click request a certificate to get the login prompt for the radius server 159
- Click user certificate on the next page displayed 159
- Provide a valid user name and password to access the radius server 159
- The welcome screen for the certificate server is displayed in the browser 159
- Appendix b troubleshooting 162
- Cluster recovery 162
- Reboot or reset access point 162
- Stop clustering and reset each access point in the cluster 162
- Table 1 163
- Table 2 164
- Glossary 166
- Access point 167
- Ad hoc mode 168
- Basic rate set 168
- Beacon 168
- Bridge 168
- Broadcast 169
- Broadcast address 169
- Channel 169
- Csma ca 170
- Dynamic ip address 171
- Ethernet 171
- Gateway 172
- Infrastructure mode 173
- Intrusion detection 173
- Ip address 173
- Jitter 174
- Latency 174
- Lease time 175
- Mdi and mdi x 175
- Mschap v2 175
- Multicast 176
- Network address 176
- Packet 177
- Packet loss 177
- Port forwarding 177
- Public key 178
- Radius 178
- Router 179
- Rts threshold 179
- Shared key 179
- Tcp ip 181
- Unicast 181
- Wireless networking framework 183
- Technical specifications 184
- Technical specifications continued 185
- Technical specifications continued 186
- Technical specifications continued 187
- Tech support for customers within canada 188
- Tech support for customers within the united states 188
- Technical support 188
- Tttttechni echni echni echni echnical support cal support cal support cal support cal support 188
- Warranty 189
- By d link corporation d link systems inc all rights reserved 191
- Copyright statement no part of this publication or documentation accompanying this product may be reproduced in any form or by any means or used to make any derivative such as translation transformation or adaptation without permission from d link corporation d link systems inc as stipulated by the united states copyright act of 1976 contents are subject to change without prior notice copyrigh 191
- For detailed warranty outside the united states please contact corresponding local d link office 191
- Registration 192
Похожие устройства
- Viewsonic VPC190 Инструкция по эксплуатации
- LG LH-D6230 Инструкция по эксплуатации
- D-Link DWL-2210AP Инструкция по эксплуатации
- Viewsonic VNB101 Инструкция по эксплуатации
- Texet T-347 Инструкция по эксплуатации
- D-Link DWL-3260AP Инструкция по эксплуатации
- Viewsonic VNB106 Инструкция по эксплуатации
- Hyundai H-TV2506PF Инструкция по эксплуатации
- D-Link DWL-8200AP Инструкция по эксплуатации
- Viewsonic VNB107 Инструкция по эксплуатации
- Tefal 1390 Инструкция по эксплуатации
- Speed-Link SL-4922-SBK Black Инструкция по эксплуатации
- D-Link DWL-8500AP Инструкция по эксплуатации
- Viewsonic ViewBook 109 Инструкция по эксплуатации
- Samsung RT41E Инструкция по эксплуатации
- D-Link DWL-8600AP Инструкция по эксплуатации
- LG KD250KZ Инструкция по эксплуатации
- D-Link DWL-G550 Инструкция по эксплуатации
- Speed-Link SL-4923-SBR Инструкция по эксплуатации
- Texet T-338 Инструкция по эксплуатации