1. Pre-Configuration

During installation the SecureW2 installer searches for a pre-configuration file named SecureW2.inf. If the file is found, the installer executes it; if not, installation continues as usual. SecureW2 searches for SecureW2.inf in the directory from which the installer was started.

1.1. Building your own setup

Organizations that want to distribute SecureW2 internally with their own SecureW2.inf can package the SecureW2.inf, the SecureW2_xxx.exe installer and the certificates in an installation program that unpacks the files to a temporary directory and then runs the SecureW2 installer.

NOTE: it is important that the SecureW2 installation program is visible to the user due to the license agreement.

An example of such an installation program is NSIS, a free open source installer from NULLSoft. The following link is an NSIS installer example script for SecureW2 that allows you to create your own SecureW2 installer: http://www.securew2.com/resources/SecureW2_example.NSI

1.2. Basic INF File

The SecureW2 pre-configuration file is based on the Microsoft INF file format. It consists of sections, each describing one part of the SecureW2 configuration.

Each INF file must contain the following section; without it SecureW2 will not be able to read the file:

   [Version]
   Signature  = "$Windows NT$"
   Provider   = "SecureW2"
   Config     = 7

Comments can be added in the INF file using a semicolon. A semicolon is also used to disable lines. Attributes that are not defined will be set to their Default value.

Example of a comment in the INF file:

   ; This is a comment

Example of a disabled line in the INF file:

   ; attribute1 = I am disabled
   attribute2 = I am not disabled

1.3. Global Configuration

1.3.1. [WZCSVC]

Use this section to set the state of the Wireless Zero Configuration Service of Microsoft.

Option | Description | Type | Default value
Startup | AUTO indicates the service startup type will be changed to automatic. NORMAL indicates the service startup type will not be changed. | String | NORMAL
Restart | true indicates the service will be restarted before installation, false that it will not. | Boolean | false

Both options will start the WZCSVC before installation.

Example:

   [WZCSVC]
   Startup = AUTO
   Restart = TRUE

1.3.2. [DOTSVC]

Use this section to set the state of the Wired Zero Configuration Service of Microsoft.

Option | Description | Type | Default value
Startup | AUTO indicates the service startup type will be changed to automatic. NORMAL indicates the service startup type will not be changed. | String | NORMAL
Restart | true indicates the service will be restarted before installation, false that it will not. | Boolean | false

Both options will start the DOTSVC before installation.

Example:

   [DOTSVC]
   Startup = AUTO
   Restart = TRUE

1.3.3. [GINA]

Use this section to enable and configure the SecureW2 GINA.

Option | Description | Type | Default value
UseSecureW2Gina | TRUE enables the SecureW2 GINA. | Boolean | false
GinaDomainName | Use this to set the default domain that is used while logging a user on using the SecureW2 GINA. This is required for the Novell Interactive Logon. | String | empty
GinaType | Use this to set the type of GINA that SecureW2 will be using. Currently the following values are supported: Novell. | String | Novell
UseGinaVLAN | Use this option to enable the GINA VLAN functionality. | Boolean | false
GinaVLANIPAddress | Use this to set the VLAN IP address. The VLAN configuration is used to check whether 802.1X is performed or not: IP addresses that match the configuration will perform 802.1X. | String | empty
GinaVLANSubnetMask | Use this to set the VLAN subnet mask. | String | empty

Example:

   [GINA]
   UseSecureW2Gina = TRUE
   GinaDomainName = domain.com
   GinaType = Novell
   UseGinaVLAN = TRUE
   GinaVLANIPAddress = 192.168.2.0
   GinaVLANSubnetMask = 255.255.255.0

1.3.4. Certificates

In the Certificates section you must define your certificate chain.

Option | Description | Type | Default value
Certificate.n | Set the location of the certificate relative to the SecureW2.inf file. The value "n" should start at 0 or 1 and be incremented with each new certificate. Currently only DER encoded X.509 certificates are supported. | String | empty

Certificate.0 is optional, but if defined it must always refer to the TTLS server certificate. The rest of the chain ("Certificate.n") should refer to certificates that are either Subordinate CAs or Root CAs.

The following example shows a certificate chain containing a TTLS certificate, a Subordinate CA certificate and the Root CA certificate:

   [Certificates]
   Certificate.0 = ttls.cer
   Certificate.1 = subca.cer
   Certificate.2 = rootca.cer

1.3.4.1. Retrieving/Converting Certificates

To retrieve your CA and TTLS certificates and convert them to DER encoding you can use the following options:

1. On your RADIUS server, use the following openssl command to convert your CA and TTLS PEM certificates to DER encoding:

   openssl x509 -inform PEM -outform DER -in ttls.pem -out ttls.der

2. On a Windows computer running SecureW2 that already trusts your TTLS server, the certificates have already been installed in the local certificate store of that computer. To retrieve them you can use the "Microsoft Management Console" with the "Certificates" snap-in.

To use the MMC do the following:

  1. Click on the "Start" menu.
  2. Click on the "Run" option.
  3. Enter the following command: mmc (this starts a new Microsoft Management Console in which you can add snap-ins that let you control the different aspects of your computer).
  4. Select "File" in the top menu.
  5. Select "Add/Remove snap-in". You are presented with the "Add/Remove snap-in" window in which you can select the snap-ins you wish to use.
  6. In the "Standalone" tab click on the "Add" button. You are now presented with the "Add snap-in" window showing the different snap-ins that are available.
  7. Select the "Certificates" snap-in and click on the "Add" button.
  8. When asked which certificates are to be managed, select "Computer account".
  9. When asked for which computer the certificates are to be managed, select "Local computer" and click on "Finish".
  10. Click on "Close" to return to the "Add/Remove snap-in" window, which now shows the "Certificates" snap-in.
  11. Click on "Ok" to return to the main MMC window.
  12. To find the CA certificate installed by SecureW2, expand the Certificates snap-in so you can view the certificates in "Trusted Root Certification Authorities".
  13. Look for your CA certificates, right click on the certificate and select "All Tasks" and then "Export...".
  14. You are now presented with the "Certificate Export Wizard". Run through the wizard and export the certificates using DER encoding to a location of your choosing.

1.4. SSID Configuration

The following describes how to configure the different SSIDs you want to use and enable for SecureW2.

1.4.1. [SSID.n]

Each [SSID.n] section describes a different SSID configuration where n is the number of the SSID section. This number must start at 1 and be incremented with each new SSID section.

Per SSID section you MUST define the following options:

Option | Description | Type
Name | Use this to set the name of the SSID. | String
Profile | The SecureW2 TTLS Client Profile that is to be used for this SSID. | String

Per SSID section you MAY define the following optional options (options that are not defined in an SSID section will be set to their default value):

Option | Description | Type | Default value
AuthenticationMode | Use this to set the type of authentication mode for this SSID. | String | open
EncryptionType | Use this to set the type of encryption for this SSID. | String | WEP
NonBroadcast | Use this to indicate whether the SSID is broadcast by the Access Point or not. | Boolean | false

The following options are only available in Windows Vista:

Option | Description | Type | Default value
ConnectionMode | Use this to set whether the SSID is connected to automatically or manually. Valid options are auto and manual. | String | auto
ConnectionType | Use this to set the operating mode of the network. Valid options are ESS (infrastructure network) and BSS (ad-hoc network). | String | ESS
AutoSwitch | This option determines the roaming behaviour of an auto-connected network when a more preferred network is in range. | Boolean | false

NOTE: The options described above are case sensitive in Vista. Best practice is to use the case shown in this document.

Windows Vista and XP describe the security configuration items slightly differently. The following table shows which security configurations are available in Windows Vista and XP and their corresponding SecureW2 configuration items:

Windows Option | SecureW2 Configuration
WPA-Enterprise | AuthenticationMode = "WPA", EncryptionType = "TKIP" or EncryptionType = "AES"
WPA2-Enterprise | AuthenticationMode = "WPA2", EncryptionType = "TKIP" or EncryptionType = "AES"
802.1X | AuthenticationMode = "open", EncryptionType = "WEP"

Not used with SecureW2 (without 802.1X/EAP):

Windows Option | SecureW2 Configuration
WPA-Personal | AuthenticationMode = "WPA", EncryptionType = "TKIP" or EncryptionType = "AES"
WPA2-Personal | AuthenticationMode = "WPA2", EncryptionType = "TKIP" or EncryptionType = "AES"

Example:

   [SSID.1]
   Name = INSECURESSID
   Profile = "Default"
   AuthenticationMode = "open"
   EncryptionType = "WEP"
   ConnectionMode = "auto"
   ConnectionType = "ESS"
   NonBroadcast = "false"
   AutoSwitch = "false"

   [SSID.2]
   Name = SECURESSID
   Profile = "SW2"
   AuthenticationMode = "WPA2"
   EncryptionType = "TKIP"
   ConnectionMode = "auto"
   ConnectionType = "ESS"
   NonBroadcast = "true"
   AutoSwitch = "false"

1.5. Profile Configuration

The following describes how to configure the different SecureW2 Client Profiles you want to use.

1.5.1. [Profile.n]

Each [Profile.n] section describes a different Profile configuration where n is the number of the Profile section. This number must start at 1 and be incremented with each new Profile section.

Per Profile section you MUST define the following options:

Option | Description | Type
Name | Use this to set the name of the Profile. | String

Per Profile section you MAY define the following optional options (options that are not defined in a Profile section will be set to their default value):

Option | Description | Type | Default value

General
Description | Descriptive text for this Profile. | String | empty

Connection
UseAlternateIdentity | This option instructs SecureW2 to use an alternate outer identity. | Boolean | true
UseAnonymousIdentity | This option controls which alternate outer identity SecureW2 uses. true indicates the outer identity will be anonymous@domain; false instructs SecureW2 to use the value defined in AlternateOuterIdentity. | Boolean | true
AlternateOuterIdentity | The value defined by this attribute is used as the outer identity. This option is only valid if UseAnonymousIdentity is false. | String | empty
EnableSessionResumption | Enabling this option instructs SecureW2 to use session resumption (quick connect). | Boolean | false

Certificates
VerifyServerCertificate | Enabling this option instructs SecureW2 to verify the TTLS server certificate. | Boolean | true
TrustedRootCA.n | Each TrustedRootCA.n option defines a root certificate that will be trusted by SecureW2, where "n" is the number of the TrustedRootCA option. This number must start at 0 and be incremented with each new TrustedRootCA option. This option often coincides with the global certificate configuration. The value of this option is the hexadecimal string of the SHA1 hash of the Trusted Root CA certificate; SecureW2 uses it to find the correct Root CA certificate installed on the local computer. To retrieve the hexadecimal SHA1 value of a certificate in Windows, double-click on the certificate, select the Details tab in the Certificate window and read the value listed as Thumbprint. With openssl, use the following command: openssl sha1 < ttls.cer. The hexadecimal string must not contain spaces. | String | empty
VerifyServerName | Use this option to define the value that will be used to verify the common name in the certificate of the TTLS server. | String | empty

Authentication
AuthenticationMethod | Use this option to define the inner authentication method used by SecureW2 to authenticate the user. Currently this can be one of two values: PAP or EAP. | String | PAP
EAPType | If EAP has been selected as the AuthenticationMethod, the value of this option is the EAP type to be used. The following EAP methods are available (depending on the EAP methods installed on the local computer): 4 (EAP-MD5), 26 (EAP-MSCHAP v2). | Numeric | 0

User account
PromptUserForCredentials | Set this option to instruct SecureW2 to prompt the user for credentials during authentication. | Boolean | true
UserName | If the option PromptUserForCredentials is set to false, setting this value to PROMPTUSER instructs the SecureW2 installer to prompt the user for credentials during installation. | String | empty
UserDomain | Set this option to the pre-configured domain name to use during installation. | String | empty
UseUserCredentialsForComputer | Enabling this option instructs SecureW2 to use the user credentials to log on the computer. | Boolean | false

Advanced
ServerCertificateOnLocalComputer | Enabling this option instructs SecureW2 to verify that the TTLS certificate is installed on the local computer. | Boolean | false
CheckForMicrosoftExtension | Enabling this option instructs SecureW2 to verify that the TTLS certificate contains the correct Microsoft Extended Key Usage. | Boolean | false
AllowNewConnections | Enabling this option instructs SecureW2 to allow users to set up new connections. | Boolean | false
UseEmptyIdentity | This option instructs SecureW2 to use an empty outer anonymous identity that is compliant with RFC 4282. Requires UseAlternateIdentity and UseAnonymousIdentity to be enabled. | Boolean | true
RenewIPAddress | Enabling this option instructs SecureW2 to renew the DHCP IP address of the authenticating adapter. | Boolean | false
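As an added example (not SecureW2's own code), the following Python script parses a SecureW2.inf and flags the settings this section and section 1.4 warn about: a missing [Version] signature, a profile with server certificate verification disabled, no pinned TrustedRootCA.n, a thumbprint that is not a plain 40-character hex string, an empty VerifyServerName, and an SSID that falls back to the WEP default. The INF text inside it is constructed; its thumbprint is the one from the example in section 2 with spaces inserted so that the format check trips.

```python
"""Audit a SecureW2.inf for weak 802.1X settings (added example, not SecureW2 code).
The INF text below is constructed; it mixes a sound SSID with an insecure one."""
import configparser
import re

SHA1_HEX = re.compile(r"^[0-9a-fA-F]{40}$")  # thumbprint: 40 hex chars, no spaces

SAMPLE_INF = """\
[Version]
Signature = "$Windows NT$"
[SSID.1]
Name = "CORP-SECURE"
Profile = "CORP"
AuthenticationMode = "WPA2"
EncryptionType = "AES"
[SSID.2]
Name = "CORP-LEGACY"   ; EncryptionType omitted, so it defaults to WEP
Profile = "CORP"
AuthenticationMode = "open"
[Profile.1]
Name = "CORP"
VerifyServerCertificate = TRUE
VerifyServerName = radius.example.com
TrustedRootCA.0 = 3cda ba08 113d 9342 07b9 1d1c 5256 83cc 09bb c829
"""

def parse_inf(text):
    # ';' starts a comment, as in the INF format; quotes around values are dropped
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";",),
                                   inline_comment_prefixes=(";",), strict=False)
    cp.optionxform = str  # keep option case: Vista treats these as case sensitive
    cp.read_string(text)
    return {s: {k: v.strip().strip('"') for k, v in cp.items(s)} for s in cp.sections()}

def audit(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    inf = parse_inf(text)
    out = []
    if inf.get("Version", {}).get("Signature") != "$Windows NT$":
        out.append("[Version]: Signature missing or wrong, SecureW2 will not read the file")
    for sec, o in inf.items():
        if sec.startswith("Profile."):
            if o.get("VerifyServerCertificate", "true").lower() != "true":
                out.append(f"{sec}: VerifyServerCertificate disabled, any RADIUS server is accepted")
            cas = [v for k, v in o.items() if k.startswith("TrustedRootCA.")]
            if not cas:
                out.append(f"{sec}: no TrustedRootCA.n pinned")
            out += [f"{sec}: TrustedRootCA is not 40 hex chars without spaces: {c!r}"
                    for c in cas if not SHA1_HEX.match(c)]
            if not o.get("VerifyServerName"):
                out.append(f"{sec}: VerifyServerName empty, server name is not checked")
        elif sec.startswith("SSID."):
            if o.get("EncryptionType", "WEP").upper() == "WEP":
                out.append(f"{sec}: WEP encryption (the default when EncryptionType is omitted)")
    return out
```

Running audit(SAMPLE_INF) reports the spaced thumbprint in Profile.1 and the WEP fallback of SSID.2, while SSID.1 and the certificate checks of Profile.1 pass.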

2. Example SecureW2.inf

The following example can also be found here:

http://www.securew2.org/resources/SecureW2.inf

   ;
   ; SecureW2.inf -- SecureW2 Pre-Configuration File
   ;
   ; Manufacturer: SecureW2 B.V.
   ;
   [Version]
   Signature = "$Windows NT$"
   Provider = "SecureW2"
   Config = 7
   ;
   ; Global configuration
   ;
   ; Startup wired zero config before installing
   ; values: AUTO|NORMAL
   ; AUTO: will start the device and change the startup type to automatic
   ; NORMAL: will start the service, but will not change the startup type
   ;[DOT3SVC]
   ;Startup = AUTO
   ; Startup wireless zero config before installing
   ; values: AUTO|NORMAL
   ; AUTO: will start the device and change the startup type to automatic
   ; NORMAL: will start the service, but will not change the startup type
   [WZCSVC]
   Startup = AUTO

   ; GINA Configuration
   ;
   [GINA]
   ;UseSecureW2Gina = TRUE
   ;GinaDomainName = "securew2.com"
   ;GinaType = Novell
   ;UseGinaVLAN = TRUE
   ;GinaVLANIPAddress = 192.168.2.0
   ;GinaVLANSubnetMask = 255.255.255.0
   ;
   ; Install certificates
   ;
   [Certificates]
   ;
   ; Certificate.0 points to the server certificate, will be installed in local "MY" store
   ; Certificate.n points to a sub or root ca, will be installed in local "ROOT" store
   ;
   ;Certificate.0 = ext2.cer
   Certificate.1 = CA.der
   ;
   ; SSID configuration
   ; The SSID configuration must start with SSID.1 and then continue with SSID.2,
   ; SSID.3 and so forth
   ;
   [SSID.1]
   Name = "RIXOM-SECURE"
   Profile = "RIXOM"
   ; Configuration options for connection, if not defined it will default to:
   ; AuthenticationMode = "open"
   ; EncryptionType = "WEP"
   ; ConnectionMode = "auto"
   ; ConnectionType = "ESS"
   ; NonBroadcast = "false"
   ; AutoSwitch = "false"
   ;
   ;  For more info on the connection values please see the following link:
   ;
   ;  http://msdn2.microsoft.com/en-us/library/ms706965.aspx
   ;
   ; The following example sets WPA/TKIP
   AuthenticationMode = "WPA"
   EncryptionType = "TKIP"
   ;
   ; The following example sets WEP
   ;
   ; NOTE: For Vista this is case sensitive!
   ;
   ; AuthenticationMode = "open"
   ; EncryptionType = "WEP"
   [SSID.2]
   Name = "RIXOM-INSECURE"
   Profile = "RIXOM"
   AuthenticationMode = "open"
   EncryptionType = "WEP"
   ;
   ; Profile configuration
   ;
   ; The Profile configuration must start with Profile.1 and then continue with
   ; Profile.2, Profile.3 and so forth
   ;
   [Profile.1]
   Name = "RIXOM"
   Description = "Enter the username and password of your serviceaccount:"
   ;
   ; Connection
   ;
   ;UseAlternateIdentity = FALSE
   ;UseAnonymousIdentity = TRUE
   ;AlternateOuterIdentity = user@somedomain.com
   ;EnableSessionResumption = TRUE
   ;
   ; Certificates
   ;
   VerifyServerCertificate = TRUE
   VerifyServerName = somedomain.com
   TrustedRootCA.0 = 3cdaba08113d934207b91d1c525683cc09bbc829
   ;
   ; Authentication
   ;
   AuthenticationMethod = PAP
   ;AuthenticationMethod = EAP
   ;EAPType = 4 ; MD5-Challenge (EAP-MD5)
   ;EAPType = 13 ; Smart Card or other Certificate (EAP-TLS)
   ;EAPType = 21 ; SecureW2 (EAP-TTLS)
   ;EAPType = 25 ; Protected EAP (EAP-PEAP)
   ;EAPType = 26 ; Secured password (EAP-MSCHAP v2)
   ;EAPType = 42 ; Mob@c (EAP-MOBAC)
   ;
   ; Use the following to alter the user credentials popup during authentication
   ;
   ;AltUsernameString = "Who are you"
   ;AltPasswordStr = "Enter your secret"
   ;AltCredsTitle = "Welcome to ..."
   ;
   ; The following disables the "Save credentials" option in the popup
   ;AllowCachePW = TRUE
   ;
   ; User Account
   ;
   ; To ask the user for credentials during startup use the following example:
   PromptUserForCredentials = FALSE
   UserName = PROMPTUSER
   ;UserPassword = xxx
   ;UserDomain = alfa-ariss.com
   ;
   ; The following saves the user credentials as computer credentials
   ; allowing 802.1X authentication during startup
   ; UseUserCredentialsForComputer = TRUE
   ;
   ; Advanced
   ;
   ;UseAlternateComputerCredentials = TRUE
   ;ComputerUserName = admin
   ;ComputerPassword = xxx
   ;ComputerDomain = somedomain.com
   ;ServerCertificateOnLocalComputer = TRUE
   ;CheckForMicrosoftExtension = TRUE
   ;AllowNewConnections = TRUE
   ;RenewIPAddress = TRUE

SecureWiki: AdminGuide320 (last edited 2007-07-25 09:31:00 by TomRixom)