
Evolution WiFi Device Servers

Configuring EAP-TLS for Microsoft IAS

EAP-TLS requires a client certificate to authenticate the user. This certificate must first be generated, and then uploaded to the MatchPort b/g Pro. The following steps detail this process.

1. Make sure that Certificate Services are running on the Windows server. Open the Services program through the Start Menu (Start->Administrative Tools->Services). Find the Certificate Services line and check whether the status shows Started. If not, right-click on the Certificate Services line and select Start.

2. Log in to the Windows server as the user configured for EAP authentication. On the Windows server, open a web browser (e.g. Internet Explorer), and enter http://127.0.0.1/certsrv for the address. If prompted for a user name and password, enter those configured for the EAP authentication user.

3. Click on Request a certificate. On the page that loads, click on advanced certificate request.

4. On the next page click on Create and submit a request to this CA.

5. On the page that loads select User under Certificate Template. Make sure Mark keys as exportable is selected, and also select Export keys to file. Then select a full path name to save the private key to under Full path name:. The request format should be set to CMC. Select a Friendly name in the box provided. Once completed, click on the Submit button. If prompted whether or not you want to request a certificate now, click Yes.

6. When prompted to create a private key password, select None.

7. On the next page, make sure that DER encoded is selected, and click on Download certificate.

8. Save the certificate to the desired path. It is recommended to save it to the same directory as the private key.

9. Use the Linux OpenSSL program (or other certificate conversion program) to convert from the DER X.509 format to the PEM certificate format:

openssl x509 -in <orig_cert_file.cer> -inform der -out <new_cert_name.pem> -outform PEM

10. To convert the private key file to PEM format you will first need to download the pvktool program from: http://www.drh-consultancy.demon.co.uk/pvk.html Click on the Win32 binary here link to download the zipped file. Extract the executable file to a suitable directory. Once extracted, run the following command from a Windows/DOS command prompt within the key file's directory:

<pvktool_dir>\pvk.exe -in <keyfile.pvk> -out <keyfile.pem> -nocrypt

11. Log in to the MatchPort b/g Pro and go to the SSL page. Under Upload Certificate, set the paths for the new certificate and private key. Once complete, click on the Submit button to commit the changes.

Open the Internet Authentication Service on the Windows server. Click on Remote Access Policies, and double click on the policy previously setup for EAP authentication.

12. Click on Edit Profile, then click on the Authentication tab.

13. Click on EAP Methods.

14. On the Select EAP Providers window, click on Add and select Smart Card or other certificate. Select any other EAP types configured and click Remove for each of these. Click OK once complete. Then click OK on the previous window.

15. Reboot the MatchPort b/g Pro and test the EAP-TLS configuration.

Exporting the MS CA Root Certificate & Configuring the User for Allowing Access Using IAS.
1. Open the Certificate Authority Program (assumes certificate authority is already setup). You can find the CA in Start Menu/Administrative Tools/Certificate Authority.

2. Right click on the CA and select Properties. Then click on View Certificate.

3. Click on the Details tab, and then the Copy to File button.

4. Click Next on the initial certificate export wizard window. Then select DER encoded binary X.509 (.CER) and click the Next button.

5. Select a file path to export to by clicking on the browse button, name the file and click save. Then click Next.

6. Now click Finish. You will see the "The export was successful." window; click OK. Then click OK twice more to exit all windows and close the CA program.

7. Open Active Directory Users and Computers from Administrative Tools. Double-click the user you want to allow to use IAS authentication. Select the Dial-in tab and check the button for Allow access. Click Apply, then OK. This allows you to control who is able to log in to the wireless network and gain access by IAS authentication.

Follow the steps below to convert the .cer file to a .pem file to load on the MatchPort b/g Pro as the Authority Certificate:

8. Use the Linux OpenSSL program (or other certificate conversion program) to convert from DER X.509 to the PEM certificate format. At a command prompt type:

openssl x509 -in <orig_cert_file.cer> -inform der -out <new_cert_name.pem> -outform PEM

9. Log in to the MatchPort b/g Pro and go to the SSL page. Under Upload Authority Certificate, browse to the path where the converted PEM-encoded certificate is stored and click Submit.

10. The certificate will upload successfully to the MatchPort b/g Pro.

Select the WLAN Profiles page and click on the profile you created for IAS authentication. Choose EAP-TLS from the drop-down box for the IEEE 802.1X Configuration. Check the boxes for CCMP & TKIP for Encryption and click Submit.

You are now ready to use your MatchPort b/g Pro with IAS authentication to access your wireless network.
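The DER-to-PEM conversion that the openssl x509 commands above perform (step 9 for the user certificate and step 8 for the CA root certificate) is shown here as an added pure-Python example; it is not part of the original guide and uses no names from it. It also checks that the outer DER SEQUENCE length matches the file size, so a truncated download or a file with trailing bytes is rejected before anything is uploaded to the MatchPort.

```python
import base64


def der_outer_length(der: bytes) -> int:
    """Length (header + content) of the outermost DER SEQUENCE, per X.690."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte is not 0x30")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """DER -> PEM: reject truncated/padded input, then base64 in 64-char lines."""
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match data size (truncated or trailing bytes)")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """PEM -> DER: strip the armour lines and base64-decode the body."""
    lines = [ln.strip() for ln in pem.splitlines()]
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if begin not in lines or end not in lines:
        raise ValueError(f"no {begin} ... {end} block found")
    body = lines[lines.index(begin) + 1:lines.index(end)]
    return base64.b64decode("".join(body), validate=True)


def convert_cert_file(src: str, dst: str) -> int:
    """Read a DER .cer (or an already-PEM) file and write PEM; returns DER size."""
    with open(src, "rb") as f:
        data = f.read()
    if data.lstrip().startswith(b"-----BEGIN"):   # already PEM: normalise it
        der = pem_to_der(data.decode("ascii"))
    else:
        der = data
    with open(dst, "w") as f:
        f.write(der_to_pem(der))
    return len(der)
```

Calling convert_cert_file("user.cer", "user.pem") is the equivalent of the openssl x509 -inform der -outform PEM command; the same function converts the exported CA root .cer file.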
