PocketPC on UAWiFi


dparm
10-17-2006, 10:59 PM
Has anyone gotten this to work?

Taken from:
http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_6.mspx

Configuring Pocket PC 2003 Clients

Pocket PC 2003 has full support for 802.1X WLAN networks using either PEAP (with passwords) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) (with certificates). However, Pocket PC 2003 is a modular operating system and the vendor of the handheld device can choose whether or not to include this facility; therefore, you should not assume that all Pocket PC 2003 devices are WLAN-capable. Leading vendors of these devices provide 802.1X WLAN-capable systems either with built-in WLAN hardware or with an add-on WLAN network adapter. This section describes the configuration of the generic Pocket PC WLAN interface and is based on the HP IPAQ 5550 Pocket PC. However, some vendors implement their own WLAN drivers and interfaces. The following instructions may not be correct for these latter devices and you should follow the instructions provided by your device vendor.
Some Pocket PC device vendors also offer 802.1X WLAN support on Pocket PC 2002. Pocket PC 2002 has not been tested with this solution. You should consult your vendor's Web site for details of their Pocket PC 2002 support for WLAN.
Preparing the Pocket PC Device

Before configuring the device, you should obtain and install any relevant updates for your Pocket PC available from its vendor, including:
•Read-only memory (ROM) updates. (These may contain a variety of updates including drivers.)
•Network driver updates.
•Other WLAN or network updates that are relevant to 802.1X networking.
Important: Before installing the updates, you should carefully read the documentation accompanying each of them. Some updates may be incompatible with others or with what you are trying to achieve. For example, HP has published an update for the IPAQ 555x series to support Cisco LEAP but this update is incompatible with their 802.1X WLAN driver update and will prevent PEAP from working.
Making the CA Certificate Available

You need to install the CA certificate of your network CA into the Trusted Root CA store of all Pocket PCs that need to connect to the WLAN. To do this, you must export the certificate from the CA and make it available for Pocket PC users or information technology (IT) staff.
To export the CA certificate
1. Log on to the CA server and open a command shell.
2. Run the following command to export the CA certificate to a file:
certutil -ca.cert rootca.cer
You can specify a path to the Rootca.cer file if you want to save it in a different folder. (You need to enclose the path and file name in quotes if it contains embedded spaces.)
3. Copy the certificate file to a file share or Web server directory so that users can easily download it when required for the Pocket PC installation.
Configuring the Pocket PC

You must configure each Pocket PC with the CA certificate and WLAN settings before it can be connected to the WLAN. You need some means of copying the certificate file to the Pocket PC. This procedure assumes the use of an ActiveSync connection established using a docking cradle, Infrared, or Bluetooth connection. You can also use removable media (such as a Compact Flash, Secure Digital, or Multimedia Card) to transfer the certificate file, or use an unauthenticated WLAN connection to allow the Pocket PC to download the certificate from a Web site. You can also send the certificate to the user in e-mail, allow them to synchronize (to transfer the e-mail to Pocket Outlook), and then have the user execute the attached certificate file.
To import the CA certificate to the Pocket PC
1. Connect the Pocket PC to a host computer using ActiveSync (you may need to establish an ActiveSync partnership to do this) and your preferred connection method.
2. From the host computer, use the ActiveSync Explore option to open a folder window on the device; it should open the My Documents folder.
3. Obtain the CA certificate file from its published location and copy it to the My Documents folder. You can ignore the warning about file conversion. You can now disconnect the device from the ActiveSync connection.
4. On the Pocket PC, locate the CA certificate file using File Explorer and double-tap the file.
5. You will be asked whether you want to install the certificate. Verify that the CA name matches the name of your network CA and tap Yes to install it.
You can verify successful installation of the certificate by selecting Settings, System, Certificates, and then clicking the Root tab.
To configure the 802.1X WLAN settings on the Pocket PC
1. If the WLAN adapter is not already enabled on the device, enable it using either a hardware switch or a software tool.
2. If a pop-up message displays indicating that a new network has been found, select Work as the location to which the WLAN will connect you. Then tap Settings.
If the pop-up message does not appear (because the WLAN had been previously detected), perform the following steps:
•Tap the Connectivity icon (two arrows pointing in opposite directions) on the Pocket PC title bar and tap Settings.
•Tap the Advanced tab and then tap the Network Card button.
On the Wireless tab, you should see your WLAN SSID in the list of available wireless networks (if there are any other WLANs in range, their names may appear here).
•Tap the name of your WLAN in the list.
3. On the General tab, select Work from the Connects to: list.
4. On the Authentication tab, select the following options:
•Data encryption (WEP Enabled)
•The Key is provided for me automatically
•Enable network access using IEEE 802.1X
Clear the Network Authentication (Shared mode) option.
5. In the Extensible Authentication Protocol Type: list, select PEAP.
6. Tap OK to close the WLAN settings screen.
7. When prompted to enter domain credentials to connect to the WLAN, type the name, password, and domain of a user who is authorized to connect to the WLAN.
Warning: You should select the Save Password option only if a strong security mechanism, such as fingerprint scanning or strong password access, is implemented to help protect the device from unauthorized use. Remember that the user credentials are used to authenticate to domain resources as well as the WLAN. If they are compromised, they will allow an intruder to access all your internal network resources over the WLAN without detection.
8. If you navigated to the WLAN settings through the New Network popup in step 2, tap the Connectivity icon on the title bar of the Pocket PC and tap Settings to open the Connections Settings screen.
9. Tap the Advanced tab and then the Network Card button. (You will already be at this screen if you did not navigate through the New Network popup in step 2.)
10. In the Wireless Networks list, you should see the name of the WLAN that you just configured. The status should be Connected; if it is not, tap and hold the name and tap Connect. (You may be prompted to enter the user credentials again.)
11. If the WLAN is now shown as Connected, tap OK to close the Configure Wireless Networks and the Connections Settings screens.
Note: If you are going to give these instructions to the Pocket PC users to configure their own devices, they can enter their own domain credentials when prompted. However, if the IT support engineers are preconfiguring the Pocket PCs for the users, you need to provide the engineers with valid domain accounts (with access to the WLAN); it is especially important that they do not select the Save Password option when using such accounts. The users should then be instructed to enter their own credentials when they first connect using the Pocket PCs.
Verifying the Pocket PC Connection to the WLAN

You can verify that the Pocket PC has successfully connected to the WLAN in a number of ways. The simplest way is to connect to an application on the network, such as a Web site. (You may need to configure a proxy server on the device if the Web server is not on the LAN.)
If the connection fails, see the “Troubleshooting” section in Chapter 8, “Maintaining the Secure Wireless LAN Solution.”
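
The quoted procedure hands out rootca.cer over a file share, Web page, unauthenticated WLAN or e-mail before the device trusts it as a root. The following is an added example, not part of the original post or the quoted Microsoft guide: a Python check, run on the host computer before the file is copied to the device, that compares the file's thumbprint with one obtained separately from the CA administrator. The function names, the sample bytes and the separately published thumbprint are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for the contents of rootca.cer: a tiny DER SEQUENCE,
# not a real certificate. The thumbprint logic depends only on the bytes.
SAMPLE_DER = bytes.fromhex("3003020101")


def to_der(data: bytes) -> bytes:
    """Return DER bytes from a .cer saved as DER, PEM, or bare base64."""
    if data[:1] == b"\x30":            # DER starts with an ASN.1 SEQUENCE tag
        return data
    m = PEM_RE.search(data)
    body = m.group(1) if m else data
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("not a DER or base64 certificate file") from exc
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not an ASN.1 SEQUENCE")
    return der


def thumbprint(data: bytes, algo: str = "sha1") -> str:
    """Hash of the DER encoding; SHA-1 is what Windows labels Thumbprint."""
    return hashlib.new(algo, to_der(data)).hexdigest()


def matches_published(data: bytes, published: str, algo: str = "sha1") -> bool:
    """Compare against a thumbprint typed with spaces, colons or upper case."""
    want = re.sub(r"[^0-9a-fA-F]", "", published).lower()
    return hmac.compare_digest(thumbprint(data, algo), want)


if __name__ == "__main__":
    # Stands in for the value read out by the CA administrator.
    published = thumbprint(SAMPLE_DER).upper()
    tampered = SAMPLE_DER[:-1] + b"\x02"   # one byte changed in transit
    print("good copy accepted:", matches_published(SAMPLE_DER, published))
    print("tampered copy accepted:", matches_published(tampered, published))
```

In real use, read the file with `open("rootca.cer", "rb").read()` and pass the thumbprint received out of band as `published`.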

jharriso
10-17-2006, 11:10 PM
I'll give it a shot tomorrow, hadn't bothered yet.

Unregistered
11-07-2008, 01:40 PM
Tell me about this "domain credentials". All I have is a netID and password. Thanks a lot!

jharriso
11-12-2008, 10:16 AM
Leave your domain credentials blank. It should allow you in.

dfrank
12-26-2008, 09:34 AM
Are all of those steps really necessary? What is the CA server and how do I access it?

I used to be able to connect to UAwifi no problem but now I can't seem to figure out the "domain" field...it was never there before and I've tried everything there including leaving it blank.

jharriso
12-31-2008, 02:40 AM
If you bring your device into the 24/7 helpdesk, they should be able to help you get online with your device.