
This chapter describes how to manually configure a Windows XP machine to access a WPA Enterprise-secured wireless network. If you administer an Active Directory domain, you can also use Active Directory Group Policy to automatically configure the computers in your domain.

There are two functions that must be performed on the Windows XP machine in order to connect it to your wireless network: installing the Elektron certificate, and configuring the wireless network connection. If you are using a certificate that was issued by a third party certificate authority such as Verisign, you can skip the certificate installation step. However, you need to ensure that your certificate includes an appropriate "extended key usage" extension. Windows XP requires this extension to perform wireless authentication. Contact your certificate provider to determine if your certificate has such an extension.

If you are using the certificate that was created by Elektron when you first installed the server, the appropriate extended key usage extension is included.
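For a third-party certificate, the check described above can be run before any client is configured. The script below is an added example, not part of the Elektron documentation. It assumes PowerShell is installed on the machine, that the required purpose is Server Authentication (OID 1.3.6.1.5.5.7.3.1, the purpose Microsoft documents for PEAP server certificates; this page does not name the OID), and that `server-cert.crt` is a placeholder for your own server certificate file.

```powershell
# Added example (not Elektron code): report whether a server certificate
# carries the Server Authentication extended key usage.
param(
    [string]$Path = 'server-cert.crt'   # placeholder file name, replace with your own
)
$ErrorActionPreference = 'Stop'

# Assumption: Server Authentication (id-kp-serverAuth) is the required purpose.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-EkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect the OID of every purpose listed in the EKU extension, if one exists.
    $oids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oids += $oid.Value }
        }
    }
    return ,$oids
}

# Load the certificate from disk (DER or Base64-encoded .crt/.cer).
$full = (Resolve-Path -LiteralPath $Path).ProviderPath
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
$ekus = Get-EkuOids $cert

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'Certificate has expired.'
}

if ($ekus.Count -eq 0) {
    Write-Warning 'No extended key usage extension is present.'
} elseif ($ekus -contains $ServerAuthOid) {
    "EKU        : Server Authentication ($ServerAuthOid) present"
} else {
    Write-Warning "EKU extension present but lacks $ServerAuthOid; found: $($ekus -join ', ')"
}
```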

Elektron Certificate Installation

Windows XP client configuration starts on your Elektron server. To begin, launch the Elektron Settings application, navigate to the Server Certificate pane and click the "Export Text File" button. Save your certificate (by default, called "Certificate.crt") to a USB thumbdrive or some other form of removable media that can be used to transport the file to your Windows XP client machine. Once you've exported the certificate, you can use it to configure any number of client machines.

On your Windows XP client machine, insert the USB thumbdrive (or other media) containing your certificate and find the certificate file. Double-clicking the file will open the Certificate Properties dialog (if it does not, make sure that the file suffix on the certificate file is ".crt" — Windows normally treats .crt files as digital certificates).

Certificate Properties

Click the "Install Certificate..." button to launch the Certificate Import Wizard. By default the Certificate Import Wizard will place the certificate in your personal certificate store. Instead, tell the Wizard to place the certificate in the "Trusted Root Certification Authorities" store. On the second page of the Wizard, select the "Place all certificates in the following store" option, click "Browse", and select "Trusted Root Certification Authorities".

Certificate Wizard

When you complete the wizard, it will display a warning "You are about to install a certificate from certificate authority (CA) claiming to represent:" followed by "<Your Company> Elektron CA". Make a note of this name; you will need it when configuring your wireless network.

After completing the wizard, your Elektron certificate is installed and ready to use.

Wireless Network Configuration

To configure your wireless network, open the "View Available Wireless Networks" dialog (accessible from several places, including the Network Connections Control Panel applet and the wireless adapter's icon in the system tray). Click the "Change advanced settings" link. This brings up the Wireless Network Connection Properties dialog.

Wireless Network Connection Properties

Click on the Wireless Networks tab. Find your wireless network in the list of Preferred Networks and double-click it to start configuring it. If your network is not in the list, click the "Add..." button to add it.

Wireless Networks Tab

The Wireless Network Properties dialog is where you will tell Windows XP how to connect to your network. On the Association tab, you'll need to configure:

  • Network Name: This is the SSID of your wireless network. Enter it exactly as it appears on your network. SSIDs are case sensitive.
  • Network Authentication: This will be either WPA.
  • Data Encryption: This is usually TKIP; if your equipment supports it, you may choose AES.
  • This is a computer-to-computer network: Leave this option unchecked.

Wireless Networks Tab

With the Association tab options configured, switch over to the Authentication tab. There you will find these options:

  • EAP Type: Set this to "Protected EAP (PEAP)".
  • Authenticate as computer when computer information is available: If the Windows XP machine is a member of an Active Directory domain, Elektron is configured to authenticate users against the Active Directory, and the Elektron "Enable machine authentication" option is set, you can enable this option to allow the Windows XP machine to automatically connect to the network. If not, disable this option.
  • Authenticate as guest when user or computer information is unavailable: Disable this option.

Wireless Networks Tab

Click on the Properties button to configure PEAP Properties, and configure these settings:

  • Validate Server Certificate: Determines if Windows XP will attempt to verify the identity of your Elektron server. You will need to add the certificate authority that signed your Elektron server certificate. If you are having trouble with your wireless connection, begin your troubleshooting by disabling this option. In our experience, most Windows Vista connection issues are caused by server certificate configuration problems. We do, however, recommend that for normal operation you leave this option enabled.
  • Connect to these servers: Leave this option unchecked.
  • Trusted Root Certificate Authorities: In this list, locate the Elektron certificate you previously installed. If you followed the certificate installation instructions above, it will be called "<Your Company> Elektron CA".
  • Do not prompt user to authorize new servers or trusted certification authorities: Leave this option unchecked.
  • Select Authentication Method: Select "Secured password EAP-MSCHAPv2".
  • Enable Fast Reconnect: Disable this option.

PEAP Properties

Click OK several times to close the various property dialogs that have been opened, and your wireless network is configured.

Troubleshooting

We have found that in most cases, when the Windows XP machine fails to connect to the network it is because it is misconfigured in one of two ways:

  • Certificate Issue: If the connection is silently failing, and you have verified that the Windows XP machine is able to communicate with Elektron (to check if the communication is occurring, use Elektron Settings to enable debug-level logging on Elektron, and check the Elektron error log — it will display all packets sent back and forth), it is usually because the Windows XP machine is unsatisfied with the Elektron certificate. You can test this by unchecking the "Validate server certificate" option in the PEAP properties dialog. See above for information on finding the PEAP Properties dialog.

  • PEAP Not Configured: If, when attempting to connect to your wireless network, you receive an alert stating that "A certificate could not be found to log in to the wireless network", it is the result of Windows XP being configured to use EAP-TLS (called "Smart card or other certificate" by Windows XP) rather than PEAP to log in. On the Authentication tab, make sure that "EAP Type" is set to "Protected EAP". See above for information on finding the Authentication tab.