1. Pre-Configuration

The SecureW2 installer searches for a pre-configuration file: SecureW2.inf file during installation. If found it executes the script. If not found it will continue as usual. SecureW2 uses the current directory in which it was executed to search for the SecureW2.inf file.

This is the configuration guide for version 3.3.0 and EapSuite 1.0.0 and higher.

For 3.2.0 and lower see:

http://www.securew2.org/wiki/AdminGuide320

Changes in 3.3.0:

EnableSessionResumption -> UseSessionResumption
UseAlternateIdentity -> UseAlternateOuterIdentity
UseAnonymousIdentity -> UseAnonymousOuterIdentity
VerifyServerName -> ServerName
(NEW) UseEmptyOuterIdentity
Certificate configuration no longer requires subordinate CA's to be installed
ConnectionMode and ConnectionType now also available for Windows XP SP2

Changes in EapSuite 1.0.0:

(NEW) AltProfileStr

1.1. Building your own setup

For organizations willing to distribute SecureW2 within their organization with their own SecureW2.inf it is possible to package the SecureW2.inf, SecureW2_xxx.exe and certificates in an installation program that unpacks the file to a temporary directory and then runs the installer.

NOTE: it is important that the SecureW2 installation program is visible to the user due to the license agreement.

An example of such an installation program is NSIS, a free open source installer from NULLSoft. The following link is an NSIS installer example script for SecureW2 that allows you to create your own SecureW2 installer: http://www.securew2.com/resources/SecureW2_example.NSI

1.2. Basic INF File

The SecureW2 pre-configuration file is based on a Microsoft INF File. There are different sections each depicting how SecureW2 is to be configured.

Each INF file must contain the following section, if not SecureW2 will not be able to read the file:

   1 [Version] 
   2 Signature  = "$Windows NT$" 
   3 Provider   = "SecureW2" 
   4 Config     = 7

Comments can be added in the INF file using a semicolon. A semicolon is also used to disable lines. Attributes that are not defined will be set to their Default value.

Example of a comment in the INF file:

   1 ; This is a comment

Example of a disabled line in the INF file:

   1 ; attribute1 = I am disabled attribute2 = I am not disabled

1.3. Global Configuration

1.3.1. [WZCSVC]

Use this section to set the state of the Wireless Zero Configuration Service of Microsoft.

Option	Description	Type	Default value
Startup	AUTO indicates the service startup type will be changed to automatic. NORMAL indicates the service startup type will not be changed.	String	NORMAL
Restart	true indicates the service will be re-started before installation. false	Boolean	false
Both options will start the WZCSVC before installation.

Example:

   1 [WZCSVC]
   2 Startup = AUTO
   3 Restart = TRUE

1.3.2. [DOTSVC]

Use this tag to set the state of the Wired Zero Configuration Service of Microsoft.

Option	Description	Type	Default Value
Startup	AUTO indicates the service startup type will be changed to automatic. NORMAL indicates the service startup type will not be changed.	String	NORMAL
Restart	true indicates the service will be re-started before installation. false	Boolean	false
Both options will start the DOTSVC before installation.

Example:

   1 [DOTSVC]
   2 Startup = AUTO
   3 Restart = TRUE

1.3.3. Certificates

In the Certificates section you must define your certificate chain.

Option	Description	Type	Default Value
Certificate.n	Set the location of the certificate relative to the SecureW2.inf file. The value “n” should start at 0 or 1 and be incremented with each new certificate. Currently only DER encoded X.509 certificates are supported.	String	empty
Certificate.0 is optional but if defined must always refer to the TTLS Server certificate. The rest of the chain (“Certificate.n”) should refer to certificates that are either Subordinate CA’s or Root CA’s.

The following example shows a certificate chain containing a TTLS certificate, a Subordinate CA certificate and the Root CA certificate:

   1 [Certificates] 
   2 
   3 Certificate.0 = ttls.cer 
   4 Certificate.1 = subca.cer 
   5 Certificate.2 = rootca.cer

1.3.3.1. Retrieving/Converting Certificates

To retrieve your CA and TTLS certificates and convert them to DER encoding you can use the following options:

1. On your radius server simply use the following openssl command to convert your CA and TTLS PEM certificates to DER encoding:

openssl x509 -inform PEM -outform DER -in ttls.pem –out ttls.der

2. On a computer (Windows) running SecureW2 that already trusts your TTLS server the certificates have already been installed in the local certificate store of that computer. To retrieve the certificates you can use the “Microsoft Management Console” and the “Certificates” snap-in:

To use the MMC do the following:

Click on the “Start” menu
Click on the “Run” option
Enter the following command: mmc (This will start-up a new Microsoft Management Console in which you can add snap-ins allowing you to control the different aspects of your computer.)
Select “File” in the top menu
Select “Add/Remove snap-in” You are presented with the “Add/Remove snap-in” window in which you can select the snap-in’s you wish to use.
In “Standalone” tab click on the “Add” button You are now presented with the “Add snap-in” window showing the different snap-in’s that are available.
Select the “Certificates” snap-in and click on the “Add” button.
When asked which certificates are to be managed select “Computer account”.
When asked for which computer the certificates are to be managed select “Local computer” and click on “Finish”.
Click on “Close” to return to the “Add/Remove snap-in” window that now shows the “Certificates” snap-in.
Click on “Ok” to return to the main MMC window.
To find the CA certificate installed by SecureW2 expand the certificates snap-in so you can view the certificates in the “Trusted Root Certification Authorities”.
Look for your CA certificates and right click on the certificate and select “All Tasks” and then ”Export…”.
You are now presented with the “Certificate Export Wizard”. Run through the wizard and export the certificates using DER encoding to a location of your choosing.

1.4. SSID Configuration

The following describes how to configure the different SSID ytou want to use and enable for SecureW2.

1.4.1. [SSID.n]

Each [SSID.n] section describes a different SSID configuration where n is the number of the SSID section. This number must start at 1 and be incremented with each new SSID section.

Per SSID section you MUST define the following options:

Option	Description	Type
Name	Use this to set the name of the SSID.	String
Profile	The SecureW2 TTLS Client Profile that is to be used for this SSID	String

Per SSID section you MAY define the following optional options (Options that are not defined in a SSID section will be set to their Default value):

Option	Description	Type	Default Value
AuthenticationMode	Use this to set the type of authentication mode for this SSID.	String	Open
EncryptionType	Use this to set the type of encryption for this SSID.	String	WEP
NonBroadcast	Use this to indicate if the SSID is broadcasted by the Access Point or not.	Boolean	false
ConnectionMode	Use this to if the SSID should be connected to automatically or by manually. Valid options are auto and manual	String	auto
ConnectionType	Use this to set the operating mode of the network. Valid options are ESS (infrastructure network) and BSS (ad-hoc network).	String	ESS
The following is only available in Windows Vista
AutoSwitch	This option determines the roaming behaviour of an auto-connected network when a more preferred network is in range.	Boolean	false

'NOTE: The options described above are case sensitive. Best practise is to use the case shown in this document'

In Windows Vista and XP description of the security configuration items is slightly different. The following table shows which security configurations are available in Windows Vista and XP and their corresponding SecureW2 configuration items:

Windows Option	SecureW2 Configuration
WPA-Enterprise	AuthenticationMode = "WPA", EncryptionType = "TKIP" or EncryptionType = "AES"
WPA2-Enterprise	AuthenticationMode = "WPA2", EncryptionType = "TKIP" or EncryptionType = "AES"
802.1X	AuthenticationMode = "Open", EncryptionType = "WEP"
Not used with SecureW2 (without 802.1X/EAP)
WPA-Personal	AuthenticationMode = "WPA", EncryptionType = "TKIP" or EncryptionType = "AES"
WPA2-Personal	AuthenticationMode = "WPA2", EncryptionType = "TKIP" or EncryptionType = "AES"

   1 [SSID.1]
   2 Name = INSECURESSID 
   3 Profile = "Default"
   4 AuthenticationMode = "Open"
   5 EncryptionType = "WEP"
   6 ConnectionMode = "auto"
   7 ConnectionType = "ESS"
   8 NonBroadcast = "false"
   9 AutoSwitch = "false"
  10 
  11 [SSID.2] 
  12 Name = SECURESSID 
  13 Profile = "SW2"
  14 EncryptionType = "WPA2"
  15 ConnectionMode = "TKIP"
  16 ConnectionType = "ESS"
  17 NonBroadcast = "true"
  18 AutoSwitch = "false"

1.5. Profile Configuration

The following describes how to configure the different SecureW2 Client Profiles you want to use.

1.5.1. [Profile.n]

Each [Profile.n] section describes a different Profile configuration where n is the number of the Profile section. This number must start at 1 and be incremented with each new Profile section.

Per Profile section you MUST define the following options:

Option	Description	Type
Name	Use this to set the name of the Profile.	String

Per Profile section you MAY define the following optional options (Options that are not defined in a Profile section will be set to their Default value):

Option	Description	Type	Default Value
General
Description	The SecureW2 TTLS Client Profile that is to be used for this SSID.	String	empty
Localization
AltUsernameString	Allows you to overide the Username label in the user interface	String	empty
AltPasswordStr	Allows you to overide the Password label in the user interface	String	empty
AltRePasswordStr	Allows you to overide the Second Password label in the user interface	String	empty
AltDomainStr	Allows you to overide the Domain label in the user interface	String	empty
AltCredsTitle	Allows you to overide the titel of the windows in the user interface	String	empty
AltProfileStr	Allows you to overide the Profile label in the user interface	String	empty
Connection
UseAlternateOuterIdentity	This option instructs SecureW2 to use an alternate outer identity.	Boolean	true
UseAnonymousOuterIdentity	This option controls which alternate outer identity SecureW2 uses. true indicates the outer identity will be anonymous@domain. false instructs SecureW2 to use the value defined in AlternateOuterIdentity	Boolean	true
AlternateOuterIdentity	The value defined by this attribute is used as the outer identity. This option is only valid if UseAnonymousIdentity is false	String	empty
UseSessionResumption	Enabling this option instructs SecureW2 to use session resumption (quick connect)	Boolean	false
Certificates
VerifyServerCertificate	Enabling this option instructs SecureW2 verify the TTLS server certificate	Boolean	true
TrustedRootCA.n	Each TrustedRootCA.n option defines a root certificate that will be trusted by SecureW2 where "n" is the number of the TrustedRootCA option. This number must start at 0 and be incremented with each new TrustedRootCA option. This option often coincides with the global certificate configuration. The value of this option is the hexadecimal string of the SHA1 hash of the Trusted Root CA certificate. SecureW2 uses this to find the correct Root CA certificate installed on the local computer. To retrieve the hexadecimal SHA1 value of a certificate in Windows, double-click on the certificate. In the Certificate window select the Details tab. The SHA1 value is listed as the Thumbprint. Using openssl use the following command: openssl sha1 < ttls.cer. The hexadecimal string should not contain spaces.	String	empty
ServerName	Use this option to define value that will be used to verify the common name in the certificate of the TTLS server.	String	empty
Authentication
AuthenticationMethod	Use this option to define the inner authentication method used by SecureW2 to authenticate the user. Currently this can be two values: 'PAP' or 'EAP'.	String	PAP
EAPType	If EAP has been selected as the AuthenticationMethod the value defined by this option is the EAP-Type that is to be used. The following EAP methods are available (depending on the EAP methods installed on the local computer): '4' (EAP-MD5) , '26' = EAP-MSCHAP v2	Numeric	0
User account
PromptUserForCredentials	Set this option to instruct SecureW2 to prompt the user for credentials during authentication.	Boolean	true
UserName	If the option PromptUserForCredentials is set to false then setting this value to PROMPTUSER instructs the SecureW2 installer to prompt the user for credentials during installation.	String	empty
UserDomain	Set this option to the pre-configured domain name to use during installation.	String	empty
UseUserCredentialsForComputer	Enabling this option instructs SecureW2 to use the user credentials to logon the computer.	Boolean	false
AllowCachePW	Setting this to FALSE disables the "Save credentials" option in the popup	Boolean	TRUE
Advanced
ServerCertificateOnLocalComputer	Enabling this option instructs SecureW2 to verify if the TTLS certificate is installed on the local computer.	Boolean	false
CheckForMicrosoftExtension	Enabling this option instructs SecureW2 to verify if the TTLS certificate contains the correct Microsoft Extended Key Usage.	Boolean	false
AllowNewConnections	Enabling this option instructs SecureW2 to allow users to setup new connections.	Boolean	false
UseEmptyOuterIdentity	This option instructs SecureW2 to use an empty outer anonymous identity that is compliant with RFC 4282. Requires UseAlternateOuterIdentity and UseAnonymousOuterIdenity to be enabled.	Boolean	true
!RenewIPAddress	Enabling this option instructs SecureW2 renew the DHCP IP Address of the authenticating adapter.	Boolean	false

2. Example SecureW2.inf

The following example can also be found here:

http://www.securew2.org/resources/SecureW2.inf

   1 ;
   2 ; SecureW2.inf -- SecureW2 Pre-Configuration File
   3 ;
   4 ; Manufacturer: SecureW2 B.V.
   5 ;
   6 [Version]
   7 Signature = "$Windows NT$"
   8 Provider = "SecureW2"
   9 Config = 7
  10 ;
  11 ; Global configuration
  12 ;
  13 ; Startup wired zero config before installing
  14 ; values: AUTO|NORMAL
  15 ; AUTO: will start the device and change the startup type to automatic
  16 ; NORMAL: will start the service, but will not change the startup type
  17 ;[DOT3SVC]
  18 ;Startup = AUTO
  19 ; Startup wireless zero config before installing
  20 ; values: AUTO|NORMAL
  21 ; AUTO: will start the device and change the startup type to automatic
  22 ; NORMAL: will start the service, but will not change the startup type
  23 [WZCSVC]
  24 Startup = AUTO
  25 
  26 ;
  27 ; Install certificates
  28 ;
  29 [Certificates]
  30 ;
  31 ; Certificate.0 points server certificate, will be installed in local "MY" store
  32 ; Certificate.n points to a sub or root ca, will be installed in local "ROOT" store
  33 ;
  34 ;Certificate.0 = ext2.cer
  35 Certificate.1 = CA.der
  36 ;
  37 ; SSID configuration
  38 ; The SSID configuration must start with SSID.1 and then continue with SSID.2,
  39 ; SSID.3 and so forth
  40 ;
  41 [SSID.1]
  42 Name = "RIXOM-SECURE"
  43 Profile = "RIXOM"
  44 ; Configuration options for connection, if not defined it will default to:
  45 ; AuthenticationMode = "Open"
  46 ; EncryptionType = "WEP"
  47 ; ConnectionMode = "auto"
  48 ; ConnectionType = "ESS"
  49 ; NonBroadcast = "false"
  50 ; AutoSwitch = "false"
  51 ;
  52 ;  For more info on the connection values please see the following link:
  53 ;
  54 ;  http://msdn2.microsoft.com/en-us/library/ms706965.aspx
  55 ;
  56 ; The following example sets WPA/TKIP
  57 AuthenticationMode = "WPA"
  58 EncryptionType = "TKIP"
  59 ;
  60 ; The following example sets WEP
  61 ;
  62 ; NOTE: This is case sensitive!
  63 ;
  64 ; AuthenticationMode = "Open"
  65 ; EncryptionType = "WEP"
  66 [SSID.2]
  67 Name = "RIXOM-INSECURE"
  68 Profile = "RIXOM"
  69 AuthenticationMode = "Open"
  70 EncryptionType = "WEP"
  71 ;
  72 ; Profile configuration
  73 ;
  74 ; The Profile configuration must start with Profile.1 and then continue with
  75 ; Profile.2, Profile.3 and so forth
  76 ;
  77 [Profile.1]
  78 Name = "RIXOM"
  79 Description = "Enter the username and password of your serviceaccount:"
  80 ;
  81 ; Connection
  82 ;
  83 ;UseAlternateOuterIdentity= FALSE
  84 ;UseAnonymousOuterIdentity = TRUE
  85 ;AlternateOuterIdentity = user@somedomain.com
  86 ;UseSessionResumption = TRUE
  87 ;
  88 ; Certificates
  89 ;
  90 VerifyServerCertificate = TRUE
  91 ServerName = somedomain.com
  92 TrustedRootCA.0 = 3cdaba08113d934207b91d1c525683cc09bbc829
  93 ;
  94 ; Authentication
  95 ;
  96 AuthenticationMethod = PAP
  97 ;AuthenticationMethod = EAP
  98 ;EAPType = 4 ; MD5-Challenge (EAP-MD5)
  99 ;EAPType = 13 ; Smart Card or other Certificate (EAP-TLS)
 100 ;EAPType = 21 ; SecureW2 (EAP-TTLS)
 101 ;EAPType = 25 ; Protected EAP (EAP-PEAP)
 102 ;EAPType = 26 ; Secured password (EAP-MSCHAP v2)
 103 ;EAPType = 42 ; Mob@c (EAP-MOBAC)
 104 ;
 105 ; Use the following to alter the user credentials popup during authentication
 106 ;
 107 ;AltUsernameString = "Who are you:"
 108 ;AltPasswordStr = "Enter your secret:"
 109 ;AltRePasswordStr = "Re-Enter your secret:"
 110 ;AltDomainStr = "Where are you from:"
 111 ;AltCredsTitle = "Welcome to ..."
 112 ;AltProfileStr = "Your profile is:"
 113 ;
 114 ; The following disables the "Save credentials" option in the popup
 115 ;AllowCachePW = FALSE
 116 ;
 117 ; User Account
 118 ;
 119 ; To ask the user for credentials during startup use the following example:
 120 PromptUserForCredentials = FALSE
 121 UserName = PROMPTUSER
 122 ;UserPassword = xxx
 123 ;UserDomain = alfa-ariss.com
 124 ;
 125 ; The following saves the user credentials as computer credentials
 126 ; allowing 802.1X authentication during startup
 127 ; UseUserCredentialsForComputer = TRUE
 128 ;
 129 ; Advanced
 130 ;
 131 ;UseAlternateComputerCredentials = TRUE
 132 ;ComputerUserName = admin
 133 ;ComputerPassword = xxx
 134 ;ComputerDomain = somedomain.com
 135 ;ServerCertificateOnLocalComputer = TRUE
 136 ;CheckForMicrosoftExtension = TRUE
 137 ;AllowNewConnections = TRUE
 138 ;UseEmptyIdentity = FALSE
 139 ;RenewIPAddress = TRUE