1. Log configuration
All SecureW2 EAP methods have a logging capability. It is controlled through the Microsoft Tracing functionality, which is configured in the Windows registry.
To access the log configuration open the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\[EAP method]
For example: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EAP-TTLS
The following registry entries control the logging:
| Registry Entry | Description |
| --- | --- |
| EnableFileTracing | 1 enables the logging, 0 disables it. The entry is a DWORD. |
| MaxFileSize | The size of the log file at which it is rotated. The entry is a DWORD. For example, hex 0x100000 is a size of 1048576 bytes. |
| FileDirectory | The directory for the log file. The log file is named after the EAP method, for example c:\windows\tracing\EAP-TTLS.LOG (EAP-TTLS.OLD for a rotated file). |
| FileTracingMask | Selects one of the 4 basic log levels SecureW2 offers (see below). The entry is a DWORD. |

| Type | Flag (Hex) | Description |
| --- | --- | --- |
| Error | 0x10000 | Logs only error messages. |
| Warning | 0x30000 | Additionally logs warnings. |
| Info | 0x70000 | Additionally logs information about the current state of the EAP method. |
| Debug | 0xf0000 | Additionally logs debugging information such as packet dumps. |

NOTE: Defining a level means you will receive the information defined by that level and all the levels below it. For example, defining Info instructs SecureW2 to log Error, Warning and Info messages.
NOTE: FileTracingMask is available from EapSuite 1.1.0 onwards.
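As an added example (not SecureW2's own tooling), the following Python builds a .reg file for the Tracing key described above so the same logging settings can be pushed to many clients and switched off again afterwards; the function names and the input validation are mine. Debug level captures packet dumps, so the FileDirectory should be readable by administrators only.

```python
import re

# Added example, not SecureW2 tooling: writes a .reg file for the Tracing
# key described above. Key path and value names come from this guide.
TRACING_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing"

# FileTracingMask values from the table above. Each level's bits include
# the bits of every level below it, which is why a level implies the rest.
LEVEL_MASKS = {"Error": 0x10000, "Warning": 0x30000,
               "Info": 0x70000, "Debug": 0xF0000}


def enabled_levels(mask):
    """Levels a given FileTracingMask turns on, lowest first."""
    return [name for name, bits in LEVEL_MASKS.items() if mask & bits == bits]


def build_tracing_reg(method, level, directory, max_file_size=0x100000):
    """Return .reg text that enables tracing for one EAP method.

    method: registry subkey name, e.g. "EAP-TTLS"; level: one of LEVEL_MASKS;
    directory: where <method>.LOG is written; max_file_size: rotation size in
    bytes (0x100000 = 1048576 as in the guide).
    """
    if level not in LEVEL_MASKS:
        raise ValueError(f"unknown level {level!r}")
    if not re.fullmatch(r"[A-Za-z0-9-]+", method):
        raise ValueError(f"unexpected EAP method name {method!r}")
    if not 0 < max_file_size <= 0xFFFFFFFF:
        raise ValueError("MaxFileSize must fit in a DWORD")
    # .reg syntax: DWORDs are 8 hex digits, backslashes in strings are doubled.
    reg_dir = directory.replace("\\", "\\\\")
    return "\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{TRACING_KEY}\\{method}]",
        '"EnableFileTracing"=dword:00000001',
        f'"MaxFileSize"=dword:{max_file_size:08x}',
        f'"FileTracingMask"=dword:{LEVEL_MASKS[level]:08x}',
        f'"FileDirectory"="{reg_dir}"',
        "",
    ])


def build_disable_reg(method):
    """Return .reg text that switches tracing off again (EnableFileTracing=0)."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", method):
        raise ValueError(f"unexpected EAP method name {method!r}")
    return "\n".join(["Windows Registry Editor Version 5.00", "",
                      f"[{TRACING_KEY}\\{method}]",
                      '"EnableFileTracing"=dword:00000000', ""])


if __name__ == "__main__":
    # Debug traces contain packet dumps, so keep the log directory
    # restricted to administrators and turn tracing off when done.
    print(build_tracing_reg("EAP-TTLS", "Debug", r"c:\windows\tracing"))
```

Import the output on the client with reg import, and use enabled_levels() to decode a FileTracingMask found on a machine.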
2. Pre-Configuration
The SecureW2 installer searches for a pre-configuration file, SecureW2.inf, during installation. If the file is found, the installer executes the script; if not, it continues as usual. SecureW2 searches for SecureW2.inf in the current directory from which the installer was executed.
This is the configuration guide for version 3.3.0 and EapSuite 1.0.0 and higher.
For 3.2.0 and lower see:
http://www.securew2.org/wiki/AdminGuide320
Changes in EapSuite 2.0.0:
- (NEW) [WZCSVC]/[DOT3SVC] Startup can now be any of the following: START/STOP/AUTO/DISABLED
Changes in EapSuite 1.1.3:
- [SSID.n] Name -> SSID
- (NEW) [SSID.n] Name is used to define multiple profiles for an SSID
- (NEW) EAPType can be used to specify the EAP type to be configured for the SSID (EAP-TTLS, EAP-PEAP)
Changes in EapSuite 1.1.2:
- (NEW) UseComputerCredentials
- (NEW) UseGuestCredentials
Changes in EapSuite 1.0.0:
- (NEW) AltProfileStr
Changes in 3.3.0:
- EnableSessionResumption -> UseSessionResumption
- UseAlternateIdentity -> UseAlternateOuterIdentity
- UseAnonymousIdentity -> UseAnonymousOuterIdentity
- VerifyServerName -> ServerName (used together with the Boolean VerifyServerName)
- (NEW) UseEmptyOuterIdentity
- Certificate configuration no longer requires subordinate CAs to be installed
- ConnectionMode and ConnectionType are now also available on Windows XP SP2
2.1. Building your own setup
Organizations that want to distribute SecureW2 internally with their own SecureW2.inf can package the SecureW2.inf, SecureW2_xxx.exe and certificates in an installation program that unpacks the files to a temporary directory and then runs the installer.
An example of such an installation program is NSIS, a free open source installer from NULLSoft. The following link is an NSIS installer example script for SecureW2 that allows you to create your own SecureW2 installer: http://www.securew2.com/resources/SecureW2_example.NSI
2.1.1. Silent Install
SecureW2 supports a silent install via the command line. Calling the installer with the "/S" option will instruct SecureW2 to not show any screens. The restart required for setting up the EAP methods on Windows XP SP3 and Vista SP0 has to be done manually.
2.2. Basic INF File
The SecureW2 pre-configuration file is based on a Microsoft INF file. It consists of different sections, each describing one part of how SecureW2 is to be configured.
Each INF file must contain the following section; otherwise SecureW2 will not be able to read the file:
[Version]
Signature = "$Windows NT$"
Provider = "SecureW2"
Config = 7
Comments can be added in the INF file using a semicolon. A semicolon is also used to disable lines. Attributes that are not defined will be set to their default value.
Example of a comment in the INF file:
; This is a comment
Example of an enabled and a disabled line in the INF file:
attribute1 = I am not disabled
; attribute2 = I am disabled
2.3. Global Configuration
2.3.1. [WZCSVC]
Use this section to set the state of the Wireless Zero Configuration Service of Microsoft.
| Option | Description | Type | Default value |
| --- | --- | --- | --- |
| Startup | Sets the state of the WZCSVC service. AUTO: the service startup type is changed to automatic and the service is started. START: the startup type is not changed and the service is started. STOP: the startup type is not changed and the service is stopped. DISABLED: the service is disabled and stopped. | String | AUTO |
| Restart | true indicates the service will be restarted before installation; false does not restart it. | Boolean | false |
Both options will start the WZCSVC before installation.
Example:
[WZCSVC]
Startup = AUTO
Restart = TRUE
2.3.2. [DOT3SVC]
Use this section to set the state of the Wired Zero Configuration Service of Microsoft.
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| Startup | Sets the state of the DOT3SVC service. AUTO: the service startup type is changed to automatic and the service is started. START: the startup type is not changed and the service is started. STOP: the startup type is not changed and the service is stopped. DISABLED: the service is disabled and stopped. | String | AUTO |
| Restart | true indicates the service will be restarted before installation; false does not restart it. | Boolean | false |
Both options will start the DOT3SVC before installation.
Example:
[DOT3SVC]
Startup = AUTO
Restart = TRUE
2.3.3. Certificates
In the Certificates section you must define your certificate chain.
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| Certificate.n | The location of the certificate relative to the SecureW2.inf file. The value "n" should start at 0 or 1 and be incremented with each new certificate. Currently only DER encoded X.509 certificates are supported. | String | empty |
Certificate.0 is optional but, if defined, must always refer to the TTLS server certificate. The rest of the chain (Certificate.n) should refer to certificates that are either Subordinate CAs or Root CAs.
The following example shows a certificate chain containing a TTLS certificate, a Subordinate CA certificate and the Root CA certificate:
[Certificates]

Certificate.0 = ttls.cer
Certificate.1 = subca.cer
Certificate.2 = rootca.cer
2.3.3.1. Retrieving/Converting Certificates
To retrieve your CA and TTLS certificates and convert them to DER encoding you can use one of the following options:
1. On your RADIUS server, use the following openssl command to convert your CA and TTLS PEM certificates to DER encoding:
openssl x509 -inform PEM -outform DER -in ttls.pem -out ttls.der
2. On a Windows computer running SecureW2 that already trusts your TTLS server, the certificates are already installed in the local certificate store of that computer. To retrieve them you can use the "Microsoft Management Console" with the "Certificates" snap-in:
To use the MMC do the following:
- Click on the "Start" menu.
- Click on the "Run" option.
- Enter the following command: mmc (this starts a new Microsoft Management Console in which you can add snap-ins that let you control the different aspects of your computer).
- Select "File" in the top menu.
- Select "Add/Remove snap-in". You are presented with the "Add/Remove snap-in" window in which you can select the snap-ins you wish to use.
- In the "Standalone" tab click on the "Add" button. You are now presented with the "Add snap-in" window showing the different snap-ins that are available.
- Select the "Certificates" snap-in and click on the "Add" button.
- When asked which certificates are to be managed, select "Computer account".
- When asked for which computer the certificates are to be managed, select "Local computer" and click on "Finish".
- Click on "Close" to return to the "Add/Remove snap-in" window, which now shows the "Certificates" snap-in.
- Click on "Ok" to return to the main MMC window.
To find the CA certificate installed by SecureW2, expand the Certificates snap-in so you can view the certificates under "Trusted Root Certification Authorities".
- Look for your CA certificates, right-click on the certificate and select "All Tasks" and then "Export...".
- You are now presented with the "Certificate Export Wizard". Run through the wizard and export the certificates using DER encoding to a location of your choosing.
2.4. SSID Configuration
The following describes how to configure the different SSIDs you want to use and enable for SecureW2.
2.4.1. [SSID.n]
Each [SSID.n] section describes a different SSID configuration where n is the number of the SSID section. This number must start at 1 and be incremented with each new SSID section.
Per SSID section you MUST define the following options:
| Option | Description | Type |
| --- | --- | --- |
| SSID | The name of the SSID. | String |
| Name | The name of the SSID profile in Windows. This allows multiple profiles to be defined for the same SSID. This only works in Vista; in Windows 2K and Windows XP the last defined profile is used. | String |
| Profile | The SecureW2 TTLS Client Profile that is to be used for this SSID. | String |
IMPORTANT: Do not use spaces in the profile string; this can cause problems when two profiles such as "Eduroam Wireless" and "Eduroam" exist.
Per SSID section you MAY define the following optional options (options that are not defined in an SSID section are set to their default value):
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| AuthenticationMode | The authentication mode for this SSID. | String | Open |
| EncryptionType | The encryption type for this SSID. | String | WEP |
| NonBroadcast | Indicates whether the SSID is broadcast by the Access Point or not. | Boolean | false |
| ConnectionMode | Whether the SSID is connected to automatically or manually. Valid options are auto and manual. | String | auto |
| ConnectionType | The operating mode of the network. Valid options are ESS (infrastructure network) and BSS (ad-hoc network). | String | ESS |
| UseComputerCredentials | Controls the "Use computer credentials if available" option. Setting this to TRUE tells Windows to use computer credentials, if available, to authenticate (during startup). | Boolean | true |
| UseGuestCredentials | Controls the "Use guest credentials if available" option. Setting this to TRUE tells Windows to use guest credentials, if available, to authenticate. | Boolean | false |
The following options are only available in Windows Vista:
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| AutoSwitch | Determines the roaming behaviour of an auto-connected network when a more preferred network is in range. | Boolean | false |
| EAPType | Determines which EAP type to use. Possible values are 21 = TTLS, 25 = PEAP. | Numeric | 21 |
NOTE: The options described above are case sensitive. Best practice is to use the case shown in this document.
In Windows Vista and XP the description of the security configuration items is slightly different. The following table shows which security configurations are available in Windows Vista and XP and their corresponding SecureW2 configuration items:
| Windows Option | SecureW2 Configuration |
| --- | --- |
| WPA-Enterprise | AuthenticationMode = "WPA", EncryptionType = "TKIP" or EncryptionType = "AES" |
| WPA2-Enterprise | AuthenticationMode = "WPA2", EncryptionType = "TKIP" or EncryptionType = "AES" |
| 802.1X | AuthenticationMode = "Open", EncryptionType = "WEP" |
| Not used with SecureW2 (without 802.1X/EAP): | |
| WPA-Personal | AuthenticationMode = "WPA", EncryptionType = "TKIP" or EncryptionType = "AES" |
| WPA2-Personal | AuthenticationMode = "WPA2", EncryptionType = "TKIP" or EncryptionType = "AES" |
Example:
[SSID.1]
Name = INSECURESSID
Profile = "Default"
AuthenticationMode = "Open"
EncryptionType = "WEP"
ConnectionMode = "auto"
ConnectionType = "ESS"
NonBroadcast = "false"
AutoSwitch = "false"

[SSID.2]
Name = SECURESSID
Profile = "SW2"
AuthenticationMode = "WPA2"
EncryptionType = "TKIP"
ConnectionMode = "auto"
ConnectionType = "ESS"
NonBroadcast = "true"
AutoSwitch = "false"
2.5. Profile Configuration
The following describes how to configure the different SecureW2 Client Profiles you want to use.
2.5.1. [Profile.n]
Each [Profile.n] section describes a different Profile configuration where n is the number of the Profile section. This number must start at 1 and be incremented with each new Profile section.
Per Profile section you MUST define the following options:
| Option | Description | Type |
| --- | --- | --- |
| Name | The name of the Profile. | String |
Per Profile section you MAY define the following optional options (options that are not defined in a Profile section are set to their default value):
General:
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| Description | A description of the Profile. | String | empty |
Localization:
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| AltUsernameStr | Overrides the Username label in the user interface. | String | empty |
| AltPasswordStr | Overrides the Password label in the user interface. | String | empty |
| AltRePasswordStr | Overrides the Second Password label in the user interface. | String | empty |
| AltDomainStr | Overrides the Domain label in the user interface. | String | empty |
| AltCredsTitle | Overrides the title of the window in the user interface. | String | empty |
| AltProfileStr | Overrides the Profile label in the user interface. | String | empty |
Connection:
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| UseAlternateOuterIdentity | Instructs SecureW2 to use an alternate outer identity. | Boolean | true |
| UseAnonymousOuterIdentity | Controls which alternate outer identity SecureW2 uses. true indicates the outer identity will be anonymous@domain. false instructs SecureW2 to use the value defined in AlternateOuterIdentity. | Boolean | true |
| AlternateOuterIdentity | The value used as the outer identity. This option is only valid if UseAnonymousOuterIdentity is false. | String | empty |
| UseSessionResumption | Enabling this option instructs SecureW2 to use session resumption (quick connect). | Boolean | false |
Certificates:
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| VerifyServerCertificate | Enabling this option instructs SecureW2 to verify the TTLS server certificate. | Boolean | true |
| TrustedRootCA.n | Each TrustedRootCA.n option defines a root certificate that will be trusted by SecureW2, where "n" is the number of the TrustedRootCA option. This number must start at 0 and be incremented with each new TrustedRootCA option. This option often coincides with the global certificate configuration. The value of this option is the hexadecimal string of the SHA1 hash of the Trusted Root CA certificate; SecureW2 uses it to find the correct Root CA certificate installed on the local computer. To retrieve the hexadecimal SHA1 value of a certificate in Windows, double-click on the certificate, select the Details tab in the Certificate window and read the value listed as Thumbprint. With openssl use the following command: openssl sha1 < ttls.cer (the file must be DER encoded; hashing a PEM file gives a different value). The hexadecimal string must not contain spaces. | String | empty |
| VerifyServerName | Indicates that you want to verify the ServerName. Use together with the option ServerName. | Boolean | FALSE |
| ServerName | The value used to verify the common name in the certificate of the TTLS server. | String | empty |
Authentication:
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| AuthenticationMethod | The inner authentication method used by SecureW2 to authenticate the user. Currently this can be one of two values: 'PAP' or 'EAP'. | String | PAP |
| EAPType | If EAP has been selected as the AuthenticationMethod, this is the EAP type to be used. The following EAP methods are available (depending on the EAP methods installed on the local computer): '4' (EAP-MD5), '26' (EAP-MSCHAP v2). | Numeric | 0 |
User account:
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| PromptUserForCredentials | Instructs SecureW2 to prompt the user for credentials during authentication. | Boolean | true |
| UserName | If the option PromptUserForCredentials is set to false, setting this value to PROMPTUSER instructs the SecureW2 installer to prompt the user for credentials during installation. | String | empty |
| UserDomain | The pre-configured domain name to use during installation. | String | empty |
| UseUserCredentialsForComputer | Enabling this option instructs SecureW2 to use the user credentials to log on the computer. | Boolean | false |
| AllowCachePW | Setting this to FALSE disables the "Save credentials" option in the popup. | Boolean | TRUE |
Advanced:
| Option | Description | Type | Default Value |
| --- | --- | --- | --- |
| UseAlternateComputerCredentials | Enabling this option instructs SecureW2 to use the following three credentials for a computer logon. | Boolean | false |
| ComputerName | The user name to use during a computer logon. | String | empty |
| ComputerPassword | The password to use during a computer logon. | String | empty |
| ComputerDomain | The domain to use during a computer logon. | String | empty |
| ServerCertificateOnLocalComputer | Enabling this option instructs SecureW2 to verify that the TTLS certificate is installed on the local computer. | Boolean | false |
| CheckForMicrosoftExtension | Enabling this option instructs SecureW2 to verify that the TTLS certificate contains the correct Microsoft Extended Key Usage. | Boolean | false |
| AllowNewConnections | Enabling this option instructs SecureW2 to allow users to set up new connections. | Boolean | false |
| UseMicrosoftCachedUserData | Enabling this option instructs SecureW2 to use the cached user data provided by Microsoft Windows. | Boolean | false |
| UseEmptyOuterIdentity | Instructs SecureW2 to use an empty outer anonymous identity that is compliant with RFC 4282. Requires UseAlternateOuterIdentity and UseAnonymousOuterIdentity to be enabled. | Boolean | false |
| RenewIPAddress | Enabling this option instructs SecureW2 to renew the DHCP IP address of the authenticating adapter. | Boolean | false |
3. Example SecureW2.inf
The following example can also be found here:
http://www.securew2.org/resources/SecureW2.inf
;
; SecureW2.inf -- SecureW2 Pre-Configuration File
;
; Manufacturer: SecureW2 B.V.
;
[Version]
Signature = "$Windows NT$"
Provider = "SecureW2"
Config = 7
;
; Global configuration
;
; Startup wired zero config before installing
; values: AUTO|DISABLED|START|STOP
;[DOT3SVC]
;Startup = AUTO
; Startup wireless zero config before installing
; values: AUTO|DISABLED|START|STOP
[WZCSVC]
Startup = AUTO

;
; Install certificates
;
[Certificates]
;
; Certificate.0 points to the server certificate, will be installed in the local "MY" store
; Certificate.n points to a sub or root CA, will be installed in the local "ROOT" store
;
;Certificate.0 = ext2.cer
Certificate.1 = CA.der
;
; SSID configuration
; The SSID configuration must start with SSID.1 and then continue with SSID.2,
; SSID.3 and so forth
;
; The following sets WPA for the RIXOM-SECURE SSID
;
[SSID.1]
SSID = "RIXOM-SECURE"
Name = "WITHWPA"
Profile = "RIXOM"
; Configuration options for connection, if not defined it will default to:
; AuthenticationMode = "Open"
; EncryptionType = "WEP"
; ConnectionMode = "auto"
; ConnectionType = "ESS"
; NonBroadcast = "false"
; AutoSwitch = "false"
;
; For more info on the connection values please see the following link:
;
; http://msdn2.microsoft.com/en-us/library/ms706965.aspx
;
; The following example sets WPA/TKIP
AuthenticationMode = "WPA"
EncryptionType = "TKIP"

;
; The following example sets another SSID profile for the "RIXOM-SECURE" SSID
; This time WPA2/AES
; This only works on VISTA!, Windows 2K and Windows XP use the last defined profile
; In this case the WPA2/AES is used
;
[SSID.2]
SSID = "RIXOM-SECURE"
Name = "WITHWPA2"
Profile = "RIXOM"
AuthenticationMode = "WPA2"
EncryptionType = "AES"

;
; The following example sets WEP
;
; NOTE: This is case sensitive!
;
; AuthenticationMode = "Open"
; EncryptionType = "WEP"
[SSID.3]
Name = "RIXOM-INSECURE"
Profile = "RIXOM"
AuthenticationMode = "Open"
EncryptionType = "WEP"
;
; Profile configuration
;
; The Profile configuration must start with Profile.1 and then continue with
; Profile.2, Profile.3 and so forth
;
[Profile.1]
Name = "RIXOM"
Description = "Enter the username and password of your serviceaccount:"
;
; Connection
;
;UseAlternateOuterIdentity = FALSE
;UseAnonymousOuterIdentity = TRUE
;AlternateOuterIdentity = user@somedomain.com
;UseSessionResumption = TRUE
;
; Certificates
;
VerifyServerCertificate = TRUE
VerifyServerName = TRUE
ServerName = somedomain.com
TrustedRootCA.0 = 3cdaba08113d934207b91d1c525683cc09bbc829
;
; Authentication
;
AuthenticationMethod = PAP
;AuthenticationMethod = EAP
;EAPType = 4 ; MD5-Challenge (EAP-MD5)
;EAPType = 13 ; Smart Card or other Certificate (EAP-TLS)
;EAPType = 21 ; SecureW2 (EAP-TTLS)
;EAPType = 25 ; Protected EAP (EAP-PEAP)
;EAPType = 26 ; Secured password (EAP-MSCHAP v2)
;EAPType = 42 ; Mob@c (EAP-MOBAC)
;
; Use the following to alter the user credentials popup during authentication
;
;AltUsernameStr = "Who are you:"
;AltPasswordStr = "Enter your secret:"
;AltRePasswordStr = "Re-Enter your secret:"
;AltDomainStr = "Where are you from:"
;AltCredsTitle = "Welcome to ..."
;AltProfileStr = "Your profile is:"
;
; The following disables the "Save credentials" option in the popup
;AllowCachePW = FALSE
;
; User Account
;
; To ask the user for credentials during startup use the following example:
PromptUserForCredentials = FALSE
UserName = PROMPTUSER
;UserPassword = xxx
;UserDomain = alfa-ariss.com
;
; The following saves the user credentials as computer credentials
; allowing 802.1X authentication during startup
; UseUserCredentialsForComputer = TRUE
;
; Advanced
;
;UseAlternateComputerCredentials = TRUE
;ComputerName = admin
;ComputerPassword = xxx
;ComputerDomain = somedomain.com
;ServerCertificateOnLocalComputer = TRUE
;CheckForMicrosoftExtension = TRUE
;AllowNewConnections = TRUE
;UseMicrosoftCachedUserData = TRUE
;UseEmptyOuterIdentity = FALSE
;RenewIPAddress = TRUE
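To check a SecureW2.inf like the one above before distributing it, here is an added Python lint (not part of SecureW2) that parses the INF layout described in sections 2.2 to 2.5 and flags the mistakes this guide warns about: a missing [Version] signature, duplicate or non-consecutive SSID.n/Profile.n sections, spaces in a Profile name, SSIDs that reference an undefined Profile, the Open/WEP default, profiles that skip server certificate or ServerName verification, and TrustedRootCA.n thumbprints that are not 40 hex digits. The sample INF inside it is constructed and intentionally wrong; the function names are mine.

```python
import re

# Added lint for SecureW2.inf, not SecureW2's own tooling; the INF below is constructed.
SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"
[SSID.1]
SSID = "EXAMPLE-SECURE"
Profile = "EXAMPLE"
AuthenticationMode = "WPA2"
[SSID.3]                     ; SSID.2 was skipped
SSID = "EXAMPLE-LEGACY"
Profile = "Example Legacy"   ; space in the name, and no such profile exists
[Profile.1]
Name = "EXAMPLE"
VerifyServerCertificate = TRUE
VerifyServerName = FALSE     ; ServerName is set but never checked
ServerName = radius.example.com
TrustedRootCA.0 = 3c da ba 08   ; constructed: must be 40 hex digits, no spaces
"""

def parse_inf(text):
    """Return ({section: {key: value}}, [duplicated section names])."""
    sections, dupes, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current in sections:
                dupes.append(current)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value.strip('"')  # quotes are optional
    return sections, dupes

def missing_numbers(sections, prefix):
    """Report gaps in the prefix.1, prefix.2, ... numbering."""
    nums = {int(m.group(1)) for s in sections
            if (m := re.fullmatch(re.escape(prefix) + r"\.(\d+)", s))}
    return [f"{prefix}.{n} missing"
            for n in range(1, max(nums, default=0) + 1) if n not in nums]

def lint(text):
    """Return the problems found; an empty list means the file passed."""
    sections, dupes = parse_inf(text)
    problems = [f"duplicate section [{s}]" for s in dupes]
    if sections.get("Version", {}).get("Signature") != "$Windows NT$":
        problems.append('[Version] with Signature = "$Windows NT$" is required')
    problems += missing_numbers(sections, "SSID") + missing_numbers(sections, "Profile")
    profiles = {v["Name"]: v for k, v in sections.items()
                if k.startswith("Profile.") and "Name" in v}
    for name, sec in [(k, v) for k, v in sections.items() if k.startswith("SSID.")]:
        prof = sec.get("Profile", "")
        if " " in prof:
            problems.append(f"[{name}] Profile {prof!r} contains a space")
        if prof not in profiles:
            problems.append(f"[{name}] references undefined Profile {prof!r}")
        if sec.get("AuthenticationMode", "Open") == "Open":     # Open/WEP is the default
            problems.append(f"[{name}] is Open/WEP; prefer WPA2-Enterprise")
    for name, sec in profiles.items():
        if sec.get("VerifyServerCertificate", "TRUE").upper() != "TRUE":
            problems.append(f"Profile {name}: server certificate not verified")
        if sec.get("VerifyServerName", "FALSE").upper() != "TRUE":
            problems.append(f"Profile {name}: ServerName not verified")
        for key, val in sec.items():
            if key.startswith("TrustedRootCA.") and not re.fullmatch(r"[0-9a-fA-F]{40}", val):
                problems.append(f"Profile {name}: {key} is not a 40-digit SHA1 thumbprint")
    return problems
```

Run lint(open("SecureW2.inf").read()) on a real file; the sample yields six findings, one per deliberate mistake.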
