Using EAP-FAST Security
To use EAP security in the Atheros Client Utility, access the Security tab in the Profile Management window.
- On the Security tab, choose the WPA/WPA2 radio button.
OR: On the Security tab, choose the 802.1x radio button.
- Choose EAP-FAST from the drop-down menu.
Enabling EAP-FAST security:
To use EAP-FAST security, the machine must already support EAP-FAST. Check with the IT manager.
- Click the Security tab from the Profile Editor window.
- Click Configure. The Define EAP-FAST window appears.
- Choose an EAP-FAST authentication method from the EAP-FAST Authentication Method drop-down list.
- Click Configure.
- If you chose GTC Token/Password from the EAP-FAST Authentication Method drop-down list and clicked Configure, the Define PEAP (EAP-GTC) Configuration window appears. To learn more about this option, refer to Using PEAP (EAP-GTC) security.
- If you chose MSCHAPv2 Username and Password from the EAP-FAST Authentication Method drop-down list and clicked Configure, the Configure Username and Password window appears. To learn more about this option, refer to Using PEAP-MSCHAP V2 security.
- If you chose TLS Client Certificate from the EAP-FAST Authentication Method drop-down list and clicked Configure, the Define Certificate window appears. When configuring EAP-TLS for EAP-FAST, you can check the Authenticate Server Identity check box to force the system to authenticate the identity of the server as an added level of security. This option is available only when configuring EAP-FAST. To learn more about this option, refer to Using EAP-TLS security.
- If you want to force the client adapter to disassociate after you log off so that another user cannot gain access to the wireless network using your credentials, check the No Network Connection Unless User is Logged In check box. The default setting is checked.
- Perform one of the following:
- If you want to enable automatic PAC provisioning, make sure the Allow Automatic PAC Provisioning for this Profile check box is checked. A protected access credentials (PAC) file is obtained automatically as needed (for instance, when a PAC expires, when the client adapter accesses a different server, when the EAP-FAST username cannot be matched to a previously provisioned PAC, etc.). This is the default setting.
- If you want to enable manual PAC provisioning, uncheck the Allow Automatic PAC Provisioning for this Profile check box. This option requires you to choose a PAC authority or manually import a PAC file.
- From the Select one or more PAC Authority to use with this Profile list, highlight the PAC authorities associated with the network defined by the profile's SSID. The list contains the names of all the authentication servers from which you have previously provisioned a PAC.
- Click Manage. The Select EAP-FAST PAC window appears.
This window lets you group PAC authorities to facilitate authentication while roaming. For example, if there are three PAC authorities at a certain site covering different areas of the site, you can create a group containing these authorities and select one of them in the PAC list. In this way, if you're roaming around the site, the other authorities in the group will allow you access to the network.
A group consists of one or more authorities. Each authority may have one or more PAC files. A PAC authority can belong to only one group.
- To create a new group, click New Group. A group consists of one or more authority servers that the user trusts. To rename the group, right-click the group and choose Rename. You can also rename the group by clicking it and typing the new name.
When you create a new group, you can either import a PAC file into it using the Import button or you can move a PAC from another group to the new group.
- To import a PAC, click Import. The PAC Import window appears. Do the following:
- Click Browse and select a PAC file to import. The default location is C:/Program Files/Atheros.
- Click the PAC file (*.pac) so that it appears in the File name box at the bottom of the window.
- Click Open.
- If the Enter Password window appears, enter the PAC file password, which can be obtained from your system administrator, and click OK.
Note: PAC file passwords are optional. The PAC authority determines whether to issue PAC files that require user-supplied passwords. Nevertheless, all PAC files (even those without passwords) are encrypted and protected. PAC file passwords are different from EAP-FAST passwords and need to be entered only once, at the time a PAC is imported.
- If you try to import a PAC file with the same PAC ID as a previously imported PAC file, you are asked to update the existing PAC. If you click Yes, the existing PAC is replaced by the new one from the imported file.
- If the PAC file was imported successfully, the following message appears: "EAP-FAST PAC file was imported and is ready for use." Click OK to return to the PAC Import window.
- Click one of these PAC store options to determine where the imported PAC file will be stored and by whom it will be accessible:
Global - PACs that are stored in the global PAC store can be accessed and used by any user at any logon stage. Global PACs are available before or during logon or after the user is logged off if the profile is not configured with the No Network Connection Unless User is Logged In option.
Private - PACs that are stored in the private store can be accessed and used only by the user who provisioned them or the system administrator. They are not accessible until the user is logged onto the local system. This is the default option.
- Click Import. The PAC file appears under the selected group.
- To delete a group, select the group and click Delete. You can also delete the group by right-clicking the group and choosing Delete.
- To close the Select EAP-FAST PAC window, click Close.
- To automatically use PACs belonging to the same PAC authority group, check the Use Any PAC Belonging to the Same Group check box.
- Check the Use Machine PAC for Domain Logon check box if you want the client to attempt to log into a domain using machine authentication with user credentials rather than user authentication. Doing so enables your computer to connect to the network prior to user logon. The default setting is unchecked.
- Click OK when done configuring EAP-FAST.
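The PAC group, PAC ID and PAC store rules described above can be checked with a small model. This is an added example, not code from the Atheros Client Utility; the class and function names, and the authority, group and user names in the sample data, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Pac:
    pac_id: str
    authority: str   # PAC authority (authentication server) that issued it
    store: str       # "global" or "private"
    owner: str       # user who provisioned or imported the PAC

@dataclass
class PacManager:
    group_of: dict = field(default_factory=dict)  # authority -> group name
    pacs: dict = field(default_factory=dict)      # PAC ID -> Pac

    def import_pac(self, group, pac, update_existing=False):
        # A PAC authority can belong to only one group.
        current = self.group_of.get(pac.authority)
        if current is not None and current != group:
            raise ValueError(f"{pac.authority} already belongs to {current}")
        if pac.pac_id in self.pacs and not update_existing:
            return False  # same PAC ID and the user answered No: keep the old PAC
        self.group_of[pac.authority] = group
        self.pacs[pac.pac_id] = pac
        return True

    def usable(self, authority, use_group, user=None, is_admin=False,
               require_logon=True):
        """PAC IDs the profile can use; user=None means nobody is logged on."""
        if user is None and require_logon:
            return []  # No Network Connection Unless User is Logged In
        allowed = {authority}
        group = self.group_of.get(authority)
        if use_group and group is not None:
            # Use Any PAC Belonging to the Same Group
            allowed = {a for a, g in self.group_of.items() if g == group}
        return sorted(
            p.pac_id for p in self.pacs.values()
            if p.authority in allowed
            and (p.store == "global"
                 or (user is not None and (p.owner == user or is_admin))))

def build_demo():
    # Constructed sample data: authority, group and user names are made up.
    m = PacManager()
    m.import_pac("campus", Pac("pac-1", "acs-north", "global", "alice"))
    m.import_pac("campus", Pac("pac-2", "acs-south", "private", "alice"))
    m.import_pac("lab", Pac("pac-3", "acs-lab", "private", "bob"))
    return m
```

With require_logon=False and no user logged on, only the global PAC is returned, which is the case to review when deciding between the Global and Private stores.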