
Windows Vista Client Configuration

This chapter describes how to manually configure a Windows Vista machine to access a WPA Enterprise-secured wireless network. If you administer an Active Directory domain, you can also use Active Directory Group Policy to automatically configure the computers in your domain.

Automatic Discovery

Windows Vista includes the ability to identify wireless networks using WPA Enterprise and to prompt users for authentication credentials to connect to them.

To begin, open the Start menu and select "Connect To." Find your wireless network in the list of nearby networks (it should be identified as a "Security-enabled network"):

Connect to a network

If you have never connected to this wireless network before or set up the network connection using manual configuration (see below), Windows Vista will recognize that the network requires a username and password for access, and you will be prompted with the "Additional log on information" dialog:

Additional Log On Information

Click "Enter/select additional log on information" to enter your username and password:

Enter Credentials

One new feature in Windows Vista is that users can accept server certificates the machine does not yet recognize. In Windows XP, each wireless network had to be pre-configured to accept the server certificate. Windows Vista will automatically prompt you to validate any certificate it has not seen before:

Enter Credentials

If you are willing to accept the server's certificate, click OK, and you will be connected to your network. In the future, you will not be prompted to verify the server certificate.

If you have trouble with automatic configuration, follow the instructions below to manually configure the connection to your wireless network.

Manual Configuration

If you have trouble using automatic discovery, you may be able to manually configure Windows Vista to connect to your network.

Selecting Start Menu->Control Panel->View network status and tasks (under "Network and Internet") will bring up the Network and Sharing Center. From the Tasks pane, select "Manage Wireless Networks."

Manage Wireless Networks

If your network already appears in the list, double-click its list entry to configure it; otherwise, click the "Add" button to create an entry for your network.

If you are creating a new entry, the "Manually connect to a wireless network" dialog appears. Otherwise, to configure your existing network entry, skip down to the Wireless Network Properties section.

From the "Manually connect to a wireless network" dialog, select the "Manually create a network profile" option.

Manually create a network

You'll need the following information:

  • Network Name: This is the SSID of your wireless network. Enter it exactly as it appears on your network. SSIDs are case sensitive.
  • Security Type: This will be either WPA-Enterprise or WPA2-Enterprise. WPA-Enterprise is more compatible, but if all of your network devices support it, you may select WPA2-Enterprise. In any event, this value needs to be selected to match the configuration of the other devices on your network.
  • Encryption Type: For WPA-Enterprise, this is usually TKIP; for WPA2-Enterprise, AES.
  • Security Key/Passphrase: This option is not used with Enterprise security.
  • Start This Connection Automatically: With this option selected, Windows Vista will automatically connect to the network when in range.
  • Connect Even if the Network is Not Broadcasting: If your access points are configured to not broadcast their SSIDs (i.e., you have a "private" wireless network), you will need to select this option. Otherwise, leave it unselected.

Manually Connect

After filling in the required information, click "Next." You should see the "Successfully Added" dialog. Click the "Change connection settings" option.

Successfully Added

Wireless Network Properties

The Wireless Network Properties dialog allows you to configure the details of your network connection.

Wireless Network Properties

The Security page contains the options most important to your Elektron connection.

Wireless Network Properties

Some of the options were initially configured when you created the network. The available options are:

  • Security Type: This will be either WPA-Enterprise or WPA2-Enterprise. WPA-Enterprise is more compatible, but if all of your network devices support it, you may select WPA2-Enterprise. In any event, this value needs to be selected to match the configuration of the other devices on your network.
  • Encryption Type: For WPA-Enterprise, this is usually TKIP; for WPA2-Enterprise, AES.
  • Authentication Method: Select "Protected EAP (PEAP)."
  • Cache User Information: With this option, Windows Vista will store the username and password so that the user will not be prompted to enter them at each login. Enable or disable this feature based on your own network security policy.

Before clicking "OK" on the Security page, click the PEAP Settings button to configure authentication options.

Protected EAP Properties

The options for PEAP are:

  • Validate Server Certificate: Determines whether Windows Vista will attempt to verify the identity of your Elektron server. You will need to add the certificate authority that signed your Elektron server certificate. If you are having trouble with your wireless connection, begin your troubleshooting by disabling this option. In our experience, most Windows Vista connection issues are caused by server certificate configuration problems. We do, however, recommend that for normal operation you leave this option enabled.
  • Authentication Method: Select "Secured Password (EAP-MSCHAPv2)."
  • Enable Fast Reconnect: This option allows a user to re-authenticate using TLS session resumption, lightening the load on your server.
  • Enable Quarantine Checks: Disable this option.
  • Disconnect if the server does not present cryptobinding TLV: Disable this option. Elektron communicates with Vista clients using PEAP version 0, which does not include cryptobinding TLVs.
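
An added example, not part of the Elektron documentation: a Python check that a profile exported with `netsh wlan export profile` still carries the settings chosen in this chapter, in particular that server certificate validation was turned back on after troubleshooting. The sample profile is constructed and trimmed; the element names follow the Windows WLAN profile and PEAP schemas, and the rule for deciding that validation is enabled is an assumption marked in the code.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the audit reads. A real export
# (netsh wlan export profile) has more elements and per-element namespaces.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>ExampleNet</name>
 <MSM><security>
  <authEncryption>
   <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
  </authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
   <Eap><Type>25</Type><EapType>
    <ServerValidation><TrustedRootCA>00 11 22 33</TrustedRootCA></ServerValidation>
    <Eap><Type>26</Type></Eap>
    <EnableQuarantineChecks>false</EnableQuarantineChecks>
    <RequireCryptoBinding>false</RequireCryptoBinding>
   </EapType></Eap>
  </EAPConfig></OneX>
 </security></MSM>
</WLANProfile>"""

# Security type / encryption pairs the chapter lists for Enterprise networks.
ALLOWED_PAIRS = {("WPA", "TKIP"), ("WPA2", "AES")}
# Settings the chapter fixes to one value (element name -> required text).
REQUIRED = {"useOneX": "true", "EnableQuarantineChecks": "false",
            "RequireCryptoBinding": "false"}

def audit(profile_xml):
    """Return a list of findings; an empty list means the profile matches."""
    vals = {}
    for el in ET.fromstring(profile_xml).iter():
        # Match on the local element name so namespace prefixes do not matter.
        vals.setdefault(el.tag.rsplit("}", 1)[-1], []).append((el.text or "").strip())
    first = lambda name: (vals.get(name) or [None])[0]
    findings = []
    if (first("authentication"), first("encryption")) not in ALLOWED_PAIRS:
        findings.append("security/encryption type is not WPA+TKIP or WPA2+AES")
    types = vals.get("Type", [])
    if types[:1] != ["25"] or "26" not in types:
        findings.append("EAP method is not PEAP (25) with inner EAP-MSCHAPv2 (26)")
    # Assumption: validation is on only when a trusted root hash is listed and
    # no PerformServerValidation element turns it off.
    if not any(vals.get("TrustedRootCA", [])) or first("PerformServerValidation") == "false":
        findings.append("server certificate validation is off or has no trusted root CA")
    for name, want in REQUIRED.items():
        if first(name) != want:
            findings.append(f"{name} should be {want}, found {first(name)}")
    return findings
```

Run `audit()` over each exported profile file's text; any returned finding names the setting that has drifted from the values above.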