Configuring Windows7 built-in wireless client for PEAP+MSCHAPv2 (v2.0, 17th Oct 2011)
Described here are the steps involved in configuring the built-in wireless client under Windows 7 to use eduroam, authenticating via PEAP+MSCHAPv2. Your home site will be able to tell you whether PEAP+MSCHAPv2 is the appropriate authenticiation method that you should use.
Wherever you see the 
icon in the instructions below you can click on the text beside it to display further information and click on it again to hide the detailed text once more. Click on an image to open a larger version in a new browser window.
Information you will need
To complete these instructions you'll need some information specific to your home site/organisation, plus your own credentials, as listed below. If any of the details in your wifi profile are incorrect then your authentication will fail and you will not gain wifi access via eduroam. The IT department of your home site will be able to provide you with these details:
| Information required | Sample string in the instructions below |
|---|
| Your home site's domain name as would appear in, for example, your e-mail address e.g. ucd.ie | mysite.ie |
| [OPTIONAL] The name of the CA certificate used by your home site for eduroam. You will not require this if your site is using a public CA which is already defined within your wireless client. | GTE CyberTrust Global Root |
| [OPTIONAL] A file containing the actual CA certificate used by your site for eduroam. You will not require this if your site is using a public CA which is already defined within your wireless client. | cacert.crt |
| The name on the SSL certificate presented by the authentication server at your home site e.g. tweedledum.ucd.ie | certname.mysite.ie |
| The username you use to authenticate against your home account. Note the inclusion of your domain name e.g. jsoap@ucd.ie | myname@mysite.ie |
| The password you use to authenticate against your home account. | mypassword |
Notes on the built-in wireless client under Windows7
Notes on the built-in wireless client under Windows7
- The Windows 7 wireless client supports WPA2, which is the preferred (more secure) option for eduroam, but with this wireless client if you configure an eduroam profile for WPA2 the client will not fall back to WPA mode if the local eduroam service supports WPA only. In that scenario you won't be able to connect to the local eduroam wifi network without manually modifying your wireless client configuration. The workaround is to define two eduroam profiles, one for WPA2 and the other for WPA. The client can then fall back to the WPA profile if the local eduroam network doesn't support WPA2, without any user intervention.
Configuration instructions
Follow these steps to configure your wireless client:
- If your home site has provided you with a file containing a CA certificate then you will need to install it here, otherwise skip to the next step.
Installing the CA certificate
Installing the CA Certificate
Download/copy the certificate file, cacert.crt, to your computer.
Double-click the file, and click Install Certificate...
Follow the Certificate Import Wizard steps - when prompted for the certificate store in which to save the certificate:
- Select Place all certificates in the following store
- Click Browse...
- Select Trusted Root Certification Authorities
You can verify that the certificate is installed by running MMC (mmc.exe), adding the "Certificates" snap-in, and browsing to the appropriate certificate store ("Trusted Root Certification Authorities"->"Certificates") to see if your site's CA certificate is listed there.
Further info on CA certificate
CA Certificate
As described in a later step, you must supply the details of the SSL certificate of your home authentication server as part of the eduroam profile. These details include the identity of the Certificate Authority (CA) that signed the server certificate. The built-in wireless client comes with a list of public CA's already installed and if your site's certificate is signed by one of those CA's then you don't need to install a CA certificate yourself. However, if you wish to explicitly identify an intermediate CA, or your server's certificate is signed by a private root CA, then you must install that intermediate/root CA's certificate before proceeding.
- Left-click on the application icon
in the tray.
Click Open Network and Sharing Center.
- Click Manage wireless networks.
- Click Add
- Select Manually create a network profile
- Define the profile general details:
| Network name: | eduroam |
| Security type: | WPA-Enterprise |
| Encryption type: | TKIP |
| Select Start this connection automatically |
| Select Connect even if the network is not broadcasting |
|
|
Click Next
- Click Change connection settings
- Click on the Security tab.
- Define the authentication method:
| Security type: | WPA-Enterprise |
| Encryption type: | TKIP |
| Choose a network authentication method: | Protected EAP (PEAP) |
| Select Remember my credentials for this connection each time I'm logged on |
|
|
Click Settings
- Define your server security details:
| Select Validate Server Certificate |
| Select Connect to these servers: | certname.mysite.ie |
| Trusted Root Certification Authorities: | Select the appropriate CA entry for your home site from the list. |
| Select Do not prompt user to authorize new servers or trusted certification authorities. |
| Select Authentication Method: | Secured password (EAP-MSCHAP v2) |
| Select Enable Fast Reconnect |
| Select Enable Identity Privacy: | anonymous |
|
|
Further info on server identity
Server Identity
When your client connects to eduroam, it will try to verify the identity of your home authentication server before it passes your credentials to the server for validation. The wireless client relies upon the SSL certificate presented by your home authentication server in order to carry out this verification. Defining the SSL certificate details here allows the client to complete this verification without any intervention required by you, and provides the greatest level of protection of your credentials.
Click Configure
- Define your EAP MSCHAPv2 properties:
| Un-select Automatically use my Windows logon name and password (and domain if any) |
|
|
Click OK
Click OK again.
Click Advanced settings
- Define your authentication mode:
| Select Specify authentication mode: | User authentication |
|
|
Click Save credentials
- Provide your credentials:
| User name: | myname@mysite.ie |
| Password: | mypassword |
|
|
Further info on credential settings
Credential Settings
Your credentials consist of your username, in a form much like an e-mail address, and your password.
Once you have been successfully authenticated your credentials will be cached by the wireless client and you will typically not have to enter them again on future occasions where you use eduroam.
Click OK
Click OK on subsquent windows until you are back at the Manage Wireless Networks window.
- Highlight the eduroam profile from the list, right-click it, and select Rename.
Rename this profile to eduroam-tkip.
- The next steps create a second eduroam profile with small but important differences to the first profile.
Click Add
- Select Manually create a network profile
- Define the profile general details:
| Network name: | eduroam |
| Security type: | WPA2-Enterprise |
| Encryption type: | AES |
| Select Start this connection automatically |
| Select Connect even if the network is not broadcasting |
|
|
Click Next
- Click Change connection settings
- Click on the Security tab.
- Define the authentication method:
| Security type: | WPA2-Enterprise |
| Encryption type: | AES |
| Choose a network authentication method: | Protected EAP (PEAP) |
| Select Remember my credentials for this connection each time I'm logged on |
|
|
Click Settings
- Define your server security details:
| Select Validate Server Certificate |
| Select Connect to these servers: | certname.mysite.ie |
| Trusted Root Certification Authorities: | Select the appropriate CA entry for your home site from the list. |
| Select Do not prompt user to authorize new servers or trusted certification authorities. |
| Select Authentication Method: | Secured password (EAP-MSCHAP v2) |
| Select Enable Fast Reconnect |
| Select Enable Identity Privacy: | anonymous |
|
|
Further info on server identity
Server Identity
When your client connects to eduroam, it will try to verify the identity of your home authentication server before it passes your credentials to the server for validation. The wireless client relies upon the SSL certificate presented by your home authentication server in order to carry out this verification. Defining the SSL certificate details here allows the client to complete this verification without any intervention required by you, and provides the greatest level of protection of your credentials.
Click Configure
- Define your EAP MSCHAPv2 properties:
| Un-select Automatically use my Windows logon name and password (and domain if any) |
|
|
Click OK
Click OK again.
Click Advanced settings
- Define your authentication mode:
| Select Specify authentication mode: | User authentication |
|
|
Click Save credentials
- Provide your credentials:
| User name: | myname@mysite.ie |
| Password: | mypassword |
|
|
Further info on credential settings
Credential Settings
Your credentials consist of your username, in a form much like an e-mail address, and your password.
Once you have been successfully authenticated your credentials will be cached by the wireless client and you will typically not have to enter them again on future occasions where you use eduroam.
Click OK
Click OK on subsquent windows until you are back at the Manage Wireless Networks window.
- You can make eduroam your preferred network by highlighting the eduroam entry and using the Move Up button to move it to the top of the list of preferred networks. Ensure that the eduroam entry appears higher in the list than the eduroam-tkip entry.
Close the window.
Your wireless client is now configured to avail of eduroam and should connect automatically when at a site where the eduroam service is available.
