Test Case

<MAIN> 2877PA: WL Security environment setup procedure - PP-80483



Version 1.3
Created on 19/03/2004 20:11:36  by Sankar Venkata Narasimhan
Summary
Preconditions
Status:   New
Priority:   Medium
BASIC INFORMATION
Section: S/W Test
Require attachment: No
Team: Network
Group: Advanced Function
Lessons Learned: No
Phase: SIV (BBFV), SIT
Locations: Inhouse: AWS and Cambridge, Inhouse: AWS, Inhouse: Cambridge, Compal, Flextronics, Quanta, Wistron
Owned By: Eiji Ogata/LENOVO
Objective: To verify PEAP authentication using Access Connection for all the supported wireless adapters
CRITERIA
PEAP authentication function should work properly.
No system malfunction
EUT QUANTITY
One System per WL Model
EQUIPMENT
PPA Test Facilities
Critical Attribute:
[0] : WLS - Wireless
[1] : CDC - Communication Daughter Card

CONFIGURATION
REFERENCE PROCEDURE
PEAP Authentication Concept








Authentication Server
  • Install and configure Windows 2003 Server or Windows 2000 Server with the SP4 patch as per Microsoft documentation.
  • Configure the PEAP server as per the attached documentation.
  • Attachment "PEAPAuthentication Server Settings.doc" can be seen at the bottom of the page.


Wireless Access Point
  • Update Latest Firmware (Vx Works / IOS) in or Cisco 1200 AP. The latest firmware can be downloaded from the following link:

http://www.cisco.com/pcgi-bin/Software/WLAN/wlplanner.cgi
  • For PEAP configuration in the Access Point, follow the guidance in the documentation attached above.

Wireless Client

Windows XP
  • The Wireless Driver shall have been installed as per the appropriate Build Letter
  • Ensure the Meetinghouse Supplicant has been installed (normally installed during installation of the Wireless Driver)
  • Access Connection shall have been installed as per the Build Letter

Windows 2K:

  • Install Win2K Ghost Image with all supported drivers as per Thinkpad OS Patch collection
  • Wireless Driver shall have been installed as per the appropriate Build Letter
  • Ensure the Meetinghouse Supplicant has been installed (normally installed during installation of the Wireless Driver)
  • Access Connection shall have been installed as per the Build Letter
  • Windows Wireless Configuration Service shall be in stopped state.



Fill out the following or attach the ATS system information file. Specify driver/EEPROM/firmware/card revision tested for Entry/Exit period.

Windows XP

Phase Entry :
Phase Exit :
Windows 2000

Phase Entry :
Phase Exit :
EUT
BIOS
H8
Preload Image
Wireless Driver
Ethernet Driver details
EEPROM for Ethernet
Modem Driver
Audio
Video
ThinkPad Utility
Access Connections
Other driver details


Known Limitations/Restrictions /Warnings
Because a Wireless Utility such as Intel / Lee has its own built-in Meetinghouse supplicant for 802.1x authentication without OS support, only one service (either the Wireless Utility, Access Connection, or the native OS utility) shall be used for 802.1x authentication at any time. Concurrent usage of all or more than one service is not allowed.
The Wireless Utility / OS Service will be used for creating WL profiles only if Access Connection support is unavailable, or if a related security function is not supported by Access Connection for the WL adapter.
If Access Connection supports the wireless adapter or authentication function, then the Wireless Utility / OS Service will not be used for testing.
Please read the Build letter of Wireless Driver and Access Connection for Installation sequence and follow accordingly.


STATISTIC INFO
Operating System   Win10-32bit  Win10-64bit  Win7-64bit  Win7-32bit  Total
Test Points
Duration
Workload

#  Step actions                         Win10-32bit  Win10-64bit  Win7-64bit  Win7-32bit
1  PEAP-CHAP                            A            A            A           A
2  RSA Server Setup                     A            A            A           A
3  CCKM setup procedure                 A            A            A           A
4  EAP-TTLS server setup procedure      A            A            A           A
5  Funk Odyssey server configuration    A            A            A           A
6  EAPFAST Deployment guide             A            A            A           A
DETAILS
ATTENTION!! Please follow below information.
1. Please check Error and Warning message in Event Viewer before you start the test case and after you complete the test case, and report it to your team lead, then arrange to open defect, if needed.

2. Perform All Test in Battery Mode (Some of the test items need to perform in AC Mode, follow each Test Case).

3. All Test Activity should be performed with AMT Enabled as Default (applicable on vPro enabled systems).

4. Please check Usability / Cosmetic issues (correct sentence/appropriate display/etc.) and open defect, if needed.

SERVER SETUP DOCUMENTS.

PEAP-CHAP

The procedure below is conceptual.

The procedure is almost the same as the EAP-TLS setup procedure. It differs only in the type of authentication selected in the IAS server. Moreover, instead of a user certificate, a user ID is used in this case.

Screen captures are attached as below.

1. Windows 2003 Server
2. Install ADS and DDNS and create users or groups to have dialin permission. Add users to those groups.
3. Install IIS, Certificate server and IAS server.
4. All servers should download Wireless Server certificate.
5. Configure IAS server to use Radius authentication between the Radius server (IAS server) and an Access Point.
6. Configure IAS server to have a remote access policy for users connecting through the Access Point. (refer to the JPGs in this document)
7. Configure Access Point to have Radius authentication.
8. Configure SSIDs to use the EAP authentication with the Radius server as the authentication server.
9. Download Root certificate for the client systems.
10. Configure Access Connection to use the certificate and use ADS user id.

Attachment "Access Point config - Encryption setting.JPG" can be seen at the bottom of the page.

Attachment "IAS server Remote Access policies.JPG" can be seen at the bottom of the page.

Attachment "IAS server Radius Clients config.JPG" can be seen at the bottom of the page.

Attachment "Access Point config - SSID setting.JPG" can be seen at the bottom of the page.




RSA Server Setup

RSA SecurID ACE/Server 5.2 Configuration:

Requirements:
Windows 2000/2003 Server
Active Directory
DNS
DHCP
WINS
RSA Server

Notes:
1. To Start RSA Service, go to Control Panel > RSA/ACE Server > Start
2. To enable Automatic RSA/ACE Server startup, go to Control Panel > RSA/ACE Server > put a check Automatic RSA/ACE Server startup > OK
3. Make sure to create backup copies of the License File and Token Floppies and store the originals in a safe place.
4. The FQDN of the ACE server should resolve when pinging its hostname from the target ACS machine.
5. The following does not indicate step-by-step procedure, only changes made to default settings and key points are noted.

Procedure: RSA Server Installation
1. Synchronize the following on all systems (date, time, timezone)
2. Install using D:\Windows\SETUP.EXE
3. Select Install for Asia Pacific radio button
4. Insert backup copy of License File Floppy into drive.
5. Set installation path as C:\RSASRV
6. Make sure the following options are selected:
- New Primary ACE/Server
- Documentation
7. Restart the system.

Procedure: RSA Server Configuration
8. Launch console from Start > Programs > Database Administration - Host Mode
9. In System menu > Edit System Parameters > make sure the following options are selected:
In Administrator Authentication Methods:
- Secure ID Cards and Fobs
- Secure ID Software Tokens
- User Passwords
In PIN Options:
- First User Created PIN
10. Apply changes.

Procedure: Import Tokens
11. Insert backup copy of Token Floppy into drive.
12. In Token menu > Import Tokens > double click on file to start import.
Note: *.asc supports both hardware and software token and *.xml supports only hardware tokens.
13. Use Token menu > List Tokens to list available tokens.

Procedure: Adding Users
14. In User menu > Add User > enter the following details at a minimum:
- First Name & Last Name
- Default Login (case sensitive)
15. Make sure the following option is selected:
- Allow to create a PIN
16. Click the Assign Token button > click Yes > then select an available token from the list.
17. Token Serial Number, Token Type and Authentication Width, and Status of Token will be added on the Add User window.
18. Click Ok to apply.

Procedure: Adding Agents
19. In Agent Host menu > Add Agent Host > select Net OS Agent.
20. Add the following information:
- Name (ACS Server Name which should be resolved)
- Network Address (Should be automatically resolved also, if not, manually type IP address of ACS Server)
21. Select User Activations button > click Yes > add Administrator > Activate User (do the same for the rest of the users) > Exit
22. Select Assign Acting Servers > Master > select RSA Server from the list > IP address will be included accordingly.
23. Click Ok.
24. In Agent Host menu > Generate config files > select any of the 3 options if only 1 RSA server is configured.
- Range : RSA Server
25. Click Ok, then note the location of sdconf.rec and copy the file to the ACS Server. (this is usually C:\RSASRV\ace\data\config_files\sdconf.rec)


ACS Server / RSA Agent Configuration:

Requirements:
Windows 2000/2003 Server
Active Directory
DNS
IIS
CA
ACS
RSA Agent

Procedure: ACS Server Installation
1. Install Cisco ACS Server from Cisco CD.
1.1. Make sure all the checklist items have been performed before continuing, and check all boxes.
1.2. Check the Cisco Secure ACS database only and then select RADIUS (Cisco Aironet).
1.3. Enter Access Server Name (the RSA Server machine server name)
1.4. Enter Access Server IP (the RSA Server IP)
1.5. Enter Windows Server IP (this IP will be inserted automatically, this is the ACS IP)
1.6. Enter a TACACS/RADIUS Key (this key will be shared by ACS and Access Point)
1.7. Make sure to check all next 6 options.

Procedure: RSA Agent Installation
2. Copy and install installation files from Cisco ACS CD to C:\AceAgent_55_W2KXP\AceClnt\_i386\agent.exe.
3. Select Install for Asia Pacific radio button
4. Make sure the following options are selected:
- Remote Access Authentication (Server)
- Common Shared Files
5. Enter path for sdconf.rec.
6. Unselect the Register Now option.
7. Restart the system.

Procedure: Obtaining Certificate from CA Server
8. Launch IE and enter the CA Server IP address in the following format: http://201.201.201.2/certsrv.
9. Enter Username, Password and correct domain name.
10. Select Advanced Request > Submit Certificate Request to this CA using a form.
11. Enter the following information:
- Certificate Template - Web Server
- Identifying info for Offline Template - (enter ACS Server hostname*1 and user email address)
- Key Options - Key size 1024
- Make sure Mark Keys as Exportable is selected
12. Submit form and Install Certificate.

Procedure: ACS Configuration
13. Start ACS and Click Network Configuration, add the following entries:
- AAA Client Host Name - (enter Access Point SSID to identify)
- AAA Client IP - (enter Access Point IP)
- Authenticate using - Radius (Cisco Aironet)
- Key - (same with RSA server - wirelessnet)

Procedure: Outer Authentication Configuration
14. Click on Server Name and enter the following details:
- AAA Server IP Address - (enter ACS Server IP)
- Key - (same with RSA server - wirelessnet)
- AAA Server Type - Radius
- Traffic Type - Inbound / Outbound
15. Select Submit.
16. Select System Configuration button > ACS Certificate Setup > install ACS Certificate
17. Select Use Certificate from Storage > Certificate CN - (enter ACS Server hostname*1)
18. Select Submit but DO NOT INSTALL!
19. Restart the service from System Control in Control Panel?
20. Select System Configuration > ACS Certificate Setup
21. Select Edit Trust List and make sure to select ACS Server Name.

Procedure: Inner Authentication Configuration
22. Select External User Database button > select Secure ID Token Server > Create New Configuration.
23. Select Submit, then Configure.
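
The RADIUS key entered in steps 1.6, 13 and 14 is never sent on the wire; each side uses it to compute and check integrity values, so a key that differs between ACS and the Access Point causes packets to be silently discarded. The Python below is an added example, not part of the original test case: it builds a constructed Access-Challenge carrying a PEAP start, signs it per RFC 2865 / RFC 3579, and verifies it on the Access Point side with the matching key and with a mistyped one. Function names and the sample packet are illustrative assumptions.

```python
import hashlib
import hmac
import struct

ACCESS_CHALLENGE = 11                          # packet code, RFC 2865
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80    # attribute types, RFC 3579


def attr(attr_type, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build(code, ident, authenticator, attrs, secret):
    """Build a packet whose last attribute is a valid Message-Authenticator."""
    body = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    head = struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, head + body, hashlib.md5).digest()
    return head + body[:-16] + mac


def sign_response(packet, request_auth, secret):
    """Server side: replace bytes 4..20 with the Response Authenticator."""
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret)
    return packet[:4] + digest.digest() + packet[20:]


def verify_response(packet, request_auth, secret):
    """Access Point side: check both values against the locally stored key."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret)
    if not hmac.compare_digest(expected.digest(), packet[4:20]):
        return False
    # Simplification: Message-Authenticator is the last attribute, as in build().
    zeroed = packet[:4] + request_auth + packet[20:-16] + bytes(16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(mac, packet[-16:])


def demo():
    """Constructed exchange: ACS key 'wirelessnet', AP key correct and mistyped."""
    server_key = b"wirelessnet"
    request_auth = bytes(range(16))            # constructed; random in practice
    # Constructed EAP-Request, type 25 (PEAP), Start flag set
    eap = attr(EAP_MESSAGE, b"\x01\x01\x00\x06\x19\x20")
    challenge = build(ACCESS_CHALLENGE, 7, request_auth, eap, server_key)
    challenge = sign_response(challenge, request_auth, server_key)
    return (verify_response(challenge, request_auth, b"wirelessnet"),
            verify_response(challenge, request_auth, b"wirelessnet "))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

A trailing space or case difference in the key on either side is enough to make verification fail, which is why the same value must be typed in all three places.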


CCKM setup procedure

1. Setup LEAP or EAPFAST setup as mentioned in other server setup procedures.
2. Follow the procedure described in the document below.


Attachment "Access Point config - Radius setting.JPG" can be seen at the bottom of the page.

Attachment "CCKM3.pdf" can be seen at the bottom of the page.

EAP-TTLS server setup procedure

1. Windows 2003 Server
2. Install ADS and DDNS and create users or groups to have dialin permission. Add users to those groups.
3. Install IIS, Certificate server and IAS server.
4. All servers should download Wireless Server certificate. In case of Domain controller, Domain Controller certificate should be downloaded.
5. Domain controller on which Certificate server is installed will automatically install the domain controller certificate.
6. This can be confirmed by Start-->Run-->MMC-->Add-->Certificates-->This computer-->Local Computer-->Personal-->Certificates-->Domain controller certificate.
7. Install Funk Odyssey server from the Funk Odyssey server CD.
8. Configure Funk Odyssey server as shown in the screen captures as attached with this document.
9. Configure Access Point to have Radius authentication.
10. Configure SSIDs to use the EAP authentication with the Radius server as the authentication server.
11. Download Wireless Root certificate for the client systems.
12. Configure Access Connection to use the certificate.
13. Connect to EAP-TTLS profile.

Attachment "EAP-TTLS config settings.zip" can be seen at the bottom of the page.

The procedure below is conceptual.

Please refer to the attached document for detailed configuration.

1. Windows 2003 Server
2. Install ADS and DDNS and create users or groups to have dialin permission. Add users to those groups.
3. Install IIS, Certificate server and IAS server.
4. Create duplicates of Certificate templates
For User Template name it as Wireless User.
For Web Server Template name it as Wireless Server.
5. All servers should download Wireless Server certificate.
7. Configure IAS server to use Radius authentication between the Radius server (IAS server) and an Access Point.
8. Configure IAS server to have a remote access policy for users connecting through the Access Point.
9. Configure Access Point to have Radius authentication.
10. Configure SSIDs to use the EAP authentication with the Radius server as the authentication server.
11. Download Wireless User certificate for the client systems. (The CA certificate will also be downloaded automatically.)
12. Configure Access Connection to use the certificate.
13. Connect to EAP-TLS profile.


Attachment "EAP-TLS.doc" can be seen at the bottom of the page.


Funk Odyssey server configuration

Pre requisite for server setup.

1. Windows 2003 server
2. DDNS and ADS and create users or groups in ADS to have dialin permission.
3. IIS and Certificate Server installation.
4. Download CA certificate to client machines.
5. Configure Access Connection to use the certificate and use the user IDs specified in TTLS user admin to have connectivity.

Then follow the procedure as specified in the document below.


Attachment "Funk Odyssey server configuration.pdf" can be seen at the bottom of the page.



EAPFAST Deployment guide

Prerequisite for EAP-FAST setup

1. Windows 2003 server.
2. ADS, DDNS to be installed.

Then follow the procedure as specified in the document.


Attachment "EAP-FASTdeployment.pdf" can be seen at the bottom of the page.

OTHER DETAILS
EUT Quantity : One System per WL Model
1. "Please check Error and Warning message in Event Viewer before you start the test case and after you complete the test case, and report it to your team lead."
2. "Perform All Test in Battery Mode (Some of the test items need to perform in AC Mode, follow each Test Case)"
(All Test Activity should be performed with AMT Enabled)
TEMS Reviewer Log:10/16/2004 11:17:52 AM by Kazuo 1 Matsumoto/Japan/IBM (Review Comment: OK
Review Logs
Keywords:   None
Requirements :   None
Attached files :
PEAPAuthentication Server Settings.doc - PEAPAuthentication Server Settings.doc (672768 bytes, ) 07/03/2015
EAP-FASTdeployment.pdf - EAP-FASTdeployment.pdf (1693901 bytes, ) 07/03/2015
Funk Odyssey server configuration.pdf - Funk Odyssey server configuration.pdf (1097120 bytes, ) 07/03/2015
EAP-TLS.doc - EAP-TLS.doc (561664 bytes, ) 07/03/2015
EAP-TTLS config settings.zip - EAP-TTLS config settings.zip (388521 bytes, ) 07/03/2015
CCKM3.pdf - CCKM3.pdf (359546 bytes, ) 07/03/2015
Access Point config - SSID setting.JPG - Access Point config - SSID setting.JPG (144311 bytes, ) 07/03/2015
IAS server Radius Clients config.JPG - IAS server Radius Clients config.JPG (97237 bytes, ) 07/03/2015
IAS server Remote Access policies.JPG - IAS server Remote Access policies.JPG (165980 bytes, ) 07/03/2015
Access Point config - Encryption setting.JPG - Access Point config - Encryption setting.JPG (172633 bytes, ) 07/03/2015
Access Point config - Radius setting.JPG - Access Point config - Radius setting.JPG (168193 bytes, ) 07/03/2015

Update History:
This document is not yet modified.