Home » Netgear Manuals » Wireless » Netgear ME103 » Manual Viewer

Netgear ME103 ME103 Reference Manual - Page 59

How to Con the 802.1x EAP-TLS Option

UPC - 606449026375

Add to My Manuals
Save this manual to your list of manuals

Page 59 highlights

User's Guide for the ME103 802.11b ProSafe Wireless Access Point How to Configure the 802.1x EAP-TLS Option Follow this procedure to configure a ME103 for 802.1x EAP-TLS security. The sample configuration worksheet below is filled in with the parameters used in this procedure. To configure your ME103, print and fill out the blank worksheet found at the end of this section and record your network configuration. A blank worksheet is provided below. EAP-TLS Configuration Worksheet EAP-TLS 802.1x Security Settings WEP Encryption Key Length: (128-bit only in EAP-TLS) Note: Be sure your wireless adapter has the WEP 128-bit encryption feature enabled. RADIUS Port: RADIUS Shared Key: 128-bit 1812 r>T(h4&3@#kB Network ME103 LAN IP Network Address Subnet Mask 192.168.0.2 255.255.255.0 Gateway IP (LAN IP Address) 192.168.0.1 1. Configure the RADIUS server to use the 802.1x settings in the worksheet above. Configure a RADIUS server to use 802.1x with the ME103. a. Add the ME103 to the RADIUS server with either its IP address or the NetBIOS name. b. Set the shared key. Both ME103 and the RADIUS entry should use the same shared key so that the RADIUS server allows the ME103 to login to the RADIUS server. 2. Configure the ME103 802.1x EAP-TLS parameters. a. Log in to the ME103 using the NetBIOS name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at whatever IP address the unit is currently configured with. Use the default user name of admin and password of password. Click the Security Settings link in the main menu Advanced section to display the Advanced Security Settings menu shown below. Advanced Configuration 4-7

Section	Page
User’s Guide for the ME103 802.11b ProSafe Wireless Access Point	1
Trademarks	2
Statement of Conditions	2
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice	3
RF Exposure Requirements	3
Radio Frequency Interference Requirements	4
Regulatory Compliance Information	4
Canadian Department of Communications Compliance Statement	4
EN 55 022 Declaration of Conformance	4
CE Declaration of Conformity	5
Contents	7
Preface About This Guide	7
Chapter 1 Introduction	7
Chapter 2 Basic Installation and Configuration	7
Chapter 3 Management	8
Chapter 4 Advanced Configuration	8
Chapter 5 Troubleshooting	8
Appendix A Specifications	9
Appendix B Wireless Networking Basics	9
Appendix C Network, Routing, Firewall, and Cabling Basics	9
Appendix D Preparing Your PCs for Network Access	10
Glossary	10
Index	10
Preface About This Guide	11
Typographical Conventions	11
Table 1. Typographical conventions	11
Special Message Formats	11
Chapter 1 Introduction	13
About the ME103 802.11b ProSafe Wireless Access Point	13
Key Features	14
802.11b Standards-based Wireless Networking	15
Autosensing Ethernet Connections with Auto Uplink	15
Compatible and Related NETGEAR Products	15
System Requirements	16
What’s In the Box?	16
Hardware Description	17
ME103 Wireless Access Point Front Panel	17
Figure 11: ME103 front panel	17
ME103 Wireless Access Point Rear Panel	19
Figure 12: ME103 rear panel	19
Left Side Primary and Right Side Secondary Detachable Antenna	19
Restore to Factory Default Button	20
RJ-45 Ethernet Port	20
Power Socket	20
Chapter 2 Basic Installation and Configuration	22
Observe Placement and Range Guidelines	22
Cabling Requirements	23
Default Factory Settings	24
Understanding ME103 Wireless Security Options	25
Figure 21: ME103 wireless data security options	25
Install the ME103 802.11b ProSafe Wireless Access Point	26
a. Unpack the box and verify the contents.	26
b. Identify a flat surface where you will put the wireless access point. For best results, follow the “Observe Placement and Range Guidelines” on page 2-1. The best location is elevated, such as wall mounted or on the top of a cubicle, at the...	26
c. Lift the antenna on either side so that they are vertical.	26
d. Connect the Ethernet cable (A) from your ME103 Access Point to a LAN port on your Cable/DSL router.	26
Figure 22: Connecting the Ethernet cable to a router, hub, or switch	27
e. Connect the power adapter to the wireless access point and plug the power adapter in to a power outlet. The Power Light and Wireless Activity lights should light up.	27
Figure 23: Configuring wireless access	27
How to Log In to the ME103	29
1. Determine the name of your access point (MDI/MDIX name).	29
2. Open a web browser such as Internet Explorer or Netscape Navigator.	29
3. Log in to the ME103 using the NetBIOS name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at whatever IP address the unit is currently configured with its default user name of admin and default passw...	29
Figure 24: ME103 NetBIOS name in browser address bar	29
Figure 25: Login window	29
4. Enter the default user name of admin and default password of password, or using whatever password you have set up.	30
Figure 26: Main menu	30
Understanding Basic Wireless Settings	31
Figure 27: Basic Wireless Settings menu	31
Understanding WEP Authentication and Data Encryption	33
Authentication Scheme Selection	33
Data Encryption Choices	34
Before You Change the SSID and WEP Settings	35
How to Set Up and Test Basic Wireless Connectivity	36
1. Log in to the ME103 using the MDI/MDIX name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at whatever IP address the unit is currently configured with its default user name of admin and default pass...	36
2. Click the Wireless Settings link in the main menu of the ME103 firewall.	36
3. Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box, enter a value of up to 32 alphanumeric characters. The default SSID is NETGEAR.	36
4. Set the Country Domain. Select the Country Domain in which the wireless interface will operate.	36
5. Set the Channel. It should not be necessary to change the wireless channel unless you notice interference problems or are near another wireless access point. Select a channel that is not being used by any other wireless networks within sev...	36
6. For initial configuration and test, leave the Wireless Card Access List set to “Everyone” and the Encryption Strength set to “Disabled.”	36
7. Click Apply to save your changes.	36
8. Configure and test your PCs for wireless connectivity.	36
How to Restrict Wireless Access by MAC Address	37
1. Log in to the ME103 using the MDI/MDIX name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at whatever IP address the unit is currently configured with its default user name of admin and default pass...	37
2. From the Wireless Settings menu, click the Setup Access List button to display the Wireless Access menu shown below.	37
Figure 28: Wireless Card Access List Setup	37
3. Click Add to add a wireless device to the wireless access control list. The Wireless Adapter Access Setup menu displays.	37
4. Click the Turn Access Control On check box.	38
5. Then, either select from the list of available wireless cards the ME103 has found in your area, or enter the MAC address and device name for a device you plan to use. You can usually find the MAC address printed on the wireless adapter.	38
6. Click Add to add this wireless device to the access list. Repeat these steps for each additional device you wish to add to the list.	38
7. Be sure to click Apply to save your wireless access control list settings.	38
How to Configure WEP	38
1. Log in to the ME103 using the NetBIOS name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at whatever IP address the unit is currently configured with its default user name of admin and default passw...	38
2. Click the Wireless Settings link in the Basic section of the main menu of the ME103.	38
3. From the Wireless Settings menu drop-down list, select 64- or 128-bit encryption.	38
4. You can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.	38
5. Click Apply to save your settings.	39
Using the Basic IP Settings Options	39
Figure 29: Basic IP Settings Menu	39
Chapter 3 Management	43
Viewing General, Log, Station, and Statistical Information	43
Figure 31: Wireless Access Point Status screen	43
Table 31. General Information Fields	44
Statistics	45
Figure 32: Wireless Access Point Status screen	45
Table 31. Statistics Fields	46
Activity Log	47
Figure 33: Activity Log screen	47
Viewing a List of Attached Devices	48
Figure 34: Information Station List of associated devices	48
Upgrading the Wireless Access Point Software	49
1. Download the new software file from NETGEAR, save it to your hard disk, and unzip it.	49
Figure 35: ME103 Upgrade menu	49
2. From the main menu Management section, click the Upgrade Firmware link to display the screen above.	49
3. In the Upgrade Firmware menu, click the Browse button and browse to the location of the image (.IMG) upgrade file.	49
4. Click Upload.	50
Configuration File Management	50
Figure 36: Settings Backup menu	50
Saving and Restoring the Configuration	51
Resetting the ME103 802.11b ProSafe Wireless Access Point	51
Using the Reset Button to Restore Factory Default Settings	51
1. Power Off the router	51
2. Hold the Reset Button down while you Power On the router.	51
3. Continue holding the Reset Button until the Status (Red) LED blinks TWICE.	51
4. Release the Reset Button.	51
Changing the Administrator Password	52
Figure 37: Set Password menu	52
Chapter 4 Advanced Configuration	53
Configuring Advanced Security 802.1x Options	53
Basic Requirements for 802.1x	53
1. Authenticator: ME103	53
2. Authentication Server: a RADIUS server.	53
3. Supplicant: Windows 2000 with the 802.1x client patch applied (SP4 802.1x client) or Windows XP.	53
4. For the EAP-TLS option, you will also need a Certificate Authority such as Windows 2000 server. Both the RADIUS server and the client need to have a certificate from a Certification Authority (CA) such as a Windows 2000 certificate server ...	54
How to Configure the 802.1x EAP-MD5 Option	54
EAP-MD5 Configuration Worksheet	54
1. Configure the RADIUS server to use the 802.1x settings in the worksheet above.	55
a. Add the ME103 to the RADIUS server with either its IP address or the NetBIOS name.	55
b. Configure the shared key so that the RADIUS server allows the ME103 to log in.	55
2. Configure the ME103 802.1x EAP-MD5 parameters.	55
a. Log in to the ME103 using the NetBIOS name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at the current IP address of the unit. Use the default user name of admin and password of password. Click the...	55
Figure 41: Advanced Security Settings EAP-MD5 Menu	55
b. Fill in the settings from the worksheet as illustrated above.	56
c. Click Apply.	56
3. Configure the PCs on network to use the 802.1x and WEP settings you just applied to the ME103.	56
a. Verify that the “Use Windows to configure my wireless network settings” check box is checked in the Windows XP Network Connections wireless adapter properties dialog box Wireless Networks tab page.	56
Figure 42: Windows XP wireless adapter configuration utility	56
b. Select the wireless network to which you will connect (NETGEAR in the screen above), and click the Configure button to display the dialog box shown below.	57
Figure 43: Configure a Windows XP wireless adapter association	57
c. Check the Data encryption (WEP enabled) and Network Authentication (Shared mode) check boxes and enter key # 1 from the ME103 Advanced Wireless Security generate keys from Passphrase Key 1 results field in the Network key and Confirm netwo...	57
d. Click the Authentication tab to display the screen below.	57
Figure 44: Configure a Windows XP wireless adapter for MD5-Challenge	57
e. Click the Enable IEEE 802.1x authentication for this network check box.	57
f. Select MD5-Challenge from the EAP drop down list.	57
g. Click OK to save your settings	57
4. Check the connection	57
a. Using our example, from a wireless PC, on the Windows taskbar click the Start button, and then click Run.	57
b. Type ping -t 192.168.0.1 , and then click OK.	57
Figure 45: Running a Ping test from Windows	58
c. This will cause a continuous ping to be sent to the router. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”	58
Figure 46: Ping test results	58
How to Configure the 802.1x EAP-TLS Option	59
EAP-TLS Configuration Worksheet	59
1. Configure the RADIUS server to use the 802.1x settings in the worksheet above.	59
a. Add the ME103 to the RADIUS server with either its IP address or the NetBIOS name.	59
b. Set the shared key. Both ME103 and the RADIUS entry should use the same shared key so that the RADIUS server allows the ME103 to login to the RADIUS server.	59
2. Configure the ME103 802.1x EAP-TLS parameters.	59
a. Log in to the ME103 using the NetBIOS name printed on the bottom of the unit or at its default address of http://192.168.0.224 or at whatever IP address the unit is currently configured with. Use the default user name of admin and password...	59
Figure 47: Advanced Security Settings EAP-TLS Menu	60
b. Fill in the settings from the worksheet as illustrated above.	60
c. Click Apply.	60
3. Configure the PCs on network to use the 802.1x and WEP settings you just applied to the ME103.	61
a. Using a computer connected via the Ethernet LAN, obtain and install a certificate.	61
Figure 48: Request a certificate	61
b. Verify that the “Use Windows to configure my wireless network settings” check box is checked in the Windows XP Network Connections wireless adapter properties dialog box Wireless Networks tab page.	62
Figure 49: Windows XP wireless adapter configuration utility	62
c. Select the wireless network to which you will connect (NETGEAR in the screen above), and click the Configure button to display the Wireless network properties dialog box shown below.	62
Figure 410: Configure a Windows XP wireless adapter association	62
d. Check only the “Data encryption (WEP enabled)” check box.	62
e. Click the Authentication tab to display the screen below.	62
Figure 411: Configure a Windows XP wireless adapter for EAP-TLS	62
f. Configure the wireless adapter to enable 802.1x authentication by selecting the “Enable IEEE 802.1x authentication for this network” check box.	62
g. Click OK to apply the settings to your wireless adapter.	62
h. The first time you establish the EAP-TLS wireless session from a client workstation, Windows will prompt you to verify that the certificate it found is the correct one.	63
4. View the ME103 log and check the connection	63
Figure 412: Information Activity Log for starting a 802.1x wireless connection	63
a. Using our example, from a wireless PC, on the Windows taskbar click the Start button, and then click Run.	63
b. Type ping -t 192.168.0.1 , and then click OK.	63
Figure 413: Running a Ping test from Windows	64
c. This will cause a continuous ping to be sent to the router. After between several seconds and two minutes, the ping response should change from “timed out” to “reply.”	64
Figure 414: Ping test results	64
Understanding Advanced Wireless Settings	64
Figure 415: Advanced Wireless Settings screen	65
Table 41. Advanced Wireless Settings Fields	65
Antenna Installation	67
Chapter 5 Troubleshooting	69
No lights are lit on the access point.	69
The Wireless LAN activity light does not light up.	70
The LAN light is not lit.	70
I cannot access the Internet or the LAN with a wireless capable computer.	70
I am using EAP-TLS security but get disconnected.	71
Can't connect to the ME103 to configure it.	71
When I enter a URL or IP address I get a time out error.	71
Using the Reset Button to Restore Factory Default Settings	72
1. Power Off the router	72
2. Hold the Reset Button down while you Power On the router.	72
3. Continue holding the Reset Button until the Status (Red) LED blinks TWICE.	72
4. Release the Reset Button.	72
Appendix A Specifications	73
Specifications for the ME103	73
Appendix B Wireless Networking Basics	75
Wireless Networking Overview	75
Infrastructure Mode	75
Ad Hoc Mode (Peer-to-Peer Workgroup)	76
Network Name: Extended Service Set Identification (ESSID)	76
Authentication and WEP	76
802.11 Authentication	77
1. Turn on the wireless station.	77
2. The station listens for messages from any access points that are in range.	77
3. The station finds a message from an access point that has a matching SSID.	77
4. The station sends an authentication request to the access point.	77
5. The access point authenticates the station.	77
6. The station sends an association request to the access point.	77
7. The access point associates with the station.	77
8. The station can now communicate with the Ethernet network through the access point.	77
Open System Authentication	77
1. The station sends an authentication request to the access point.	77
2. The access point authenticates the station.	77
3. The station associates with the access point and joins the network.	77
Figure 51: 802.11 open system authentication	78
Shared Key Authentication	78
1. The station sends an authentication request to the access point.	78
2. The access point sends challenge text to the station.	78
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.	78
4. The access point decrypts the encrypted text using its configured WEP Key that corresponds to the station’s default key. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the origi...	78
5. The station connects to the network.	78
Figure 52: 802.11 shared key authentication	79
Overview of WEP Parameters	79
Key Size	80
WEP Configuration Options	80
Wireless Channels	81
Table B1. 802.11b Radio Frequency Channels	82
Understanding 802.1x Port Based Network Access Control	83
1. The client sends an EAP-start message. This begins a series of message exchanges to authenticate the client.	84
2. The access point replies with an EAP-request identity message.	84
3. The client sends an EAP-response packet containing the identity to the authentication server.	84
4. The authentication server uses a specific authentication algorithm to verify the client's identity. This could be through the use of digital certificates or other EAP authentication type.	84
5. The authentication server will either send an accept or reject message to the access point.	84
6. The access point sends an EAP-success packet (or reject packet) to the client.	84
7. If the authentication server accepts the client, then the access point will transition the client's port to an authorized state and forward additional traffic.	84
Appendix C Network, Routing, Firewall, and Cabling Basics	87
Basic Router Concepts	87
What is a Router?	88
IP Addresses and the Internet	88
Figure 53: Three Main Address Classes	89
Netmask	90
Subnet Addressing	90
Figure 54: Example of Subnetting a Class B Address	91
Table 51. Netmask Notation Translation Table for One Octet	92
Table 52. Netmask Formats	92
Private IP Addresses	93
Single IP Address Operation Using NAT	93
Figure 55: Single IP Address Operation Using NAT	94
IP Configuration by DHCP	94
Domain Name Server	95
Routing Protocols	95
RIP	95
MAC Addresses and ARP	96
Internet Security and Firewalls	96
What is a Firewall?	97
Stateful Packet Inspection	97
Denial of Service Attack	97
Ethernet Cabling	98
Table 51. UTP Ethernet cable wiring, straight-through	98
Uplink Switches, Crossover Cables, and MDI/MDIX Switching	98
Cable Quality	99
Appendix D Preparing Your PCs for Network Access	101
Preparing Your Computers for TCP/IP Networking	101
Configuring Windows 98 and Me for TCP/IP Networking	101
Install or Verify Windows Networking Components	101
1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.	102
2. Double-click the Network icon.	102
a. Click the Add button.	102
b. Select Protocol, and then click Add.	102
c. Select Microsoft.	102
d. Select TCP/IP, and then click OK.	102
a. Click the Add button.	102
b. Select Client, and then click Add.	102
c. Select Microsoft.	102
d. Select Client for Microsoft Networks, and then click OK.	102
a. Click the Add button.	103
b. Select Client, and then click Add.	103
c. Select Microsoft.	103
d. Select File and Print Sharing for Microsoft Networks, and then click OK.	103
3. Restart your PC for the changes to take effect.	103
Enabling DHCP to Automatically Configure TCP/IP Settings	103
Selecting Windows’ Internet Access Method	105
1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.	105
2. Double-click the Internet Options icon.	105
3. Select “I want to set up my Internet connection manually” or “I want to connect through a Local Area Network” and click Next.	105
4. Select “I want to connect through a Local Area Network” and click Next.	105
5. Uncheck all boxes in the LAN Internet Configuration screen and click Next.	105
6. Proceed to the end of the Wizard.	105
Verifying TCP/IP Properties	105
1. On the Windows taskbar, click the Start button, and then click Run.	105
2. Type winipcfg, and then click OK.	106
3. From the drop-down box, select your Ethernet adapter.	106
Configuring Windows 2000 or XP for TCP/IP Networking	106
Install or Verify Windows Networking Components	106
1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.	106
2. Double-click the Network and Dialup Connections icon.	106
3. If an Ethernet adapter is present in your PC, you should see an entry for Local Area Connection. Double-click that entry.	106
4. Select Properties.	106
5. Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If not, select Install and add them.	106
6. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address automatically is selected.	106
7. Click OK and close all Network and Dialup Connections windows.	106
8. Then, restart your PC.	106
DHCP Configuration of TCP/IP in Windows XP	107
DHCP Configuration of TCP/IP in Windows 2000	109
Verifying TCP/IP Properties for Windows XP or 2000	111
1. On the Windows taskbar, click the Start button, and then click Run.	111
2. Type cmd and then click OK.	111
3. Type ipconfig /all	111
4. Type exit	111
Glossary	113