Windows XP/SP2 QB3-secure WLAN Configuration Guide Using SecureW2

Connecting to the QB3-secure wireless infrastructure from a Windows XP machine running SP2 requires the installation of a special authentication adaptor (called a "supplicant" in wireless security language), and configuring that supplicant to correctly authenticate against the QB3 authentication server. The steps required to configure your computer are:

  1. Obtain a Kerberos account
  2. Download SecureW2
  3. Install SecureW2
  4. Complete Configuration
  5. Initial Connection
  6. Reconnecting

If you have problems configuring your computer or connecting to the QB3-secure network, see the Getting Help section at the end of this guide.

Note: Windows releases prior to XP are not supported.

Step 1: Obtain a Kerberos account

The QB3@UCSF secure wireless infrastructure utilizes the Kerberos authentication system (named for the three-headed dog that guards the gates of Hades) to verify your username and password. Kerberos accounts may be obtained from any WLAN account facilitator in Byers Hall. By default, Kerberos guest accounts are enabled for 24 hours and disabled after that. Accounts for longer periods of time, including permanent accounts for faculty and staff, may also be obtained. If you already have an account on the Resource for Biocomputing, Visualization, and Informatics (RBVI) socrates.cgl.ucsf.edu cluster, or through the UCSF Sequence Analysis and Consulting Service (SACS), then you already have a Kerberos account and you will not need an additional account. To verify your Kerberos account is active and your password working, try accessing the Kerberos account test page.

Step 2: Download SecureW2

SecureW2 is an open source wireless authentication client (supplicant). Information about SecureW2 is available at http://www.securew2.com. We have prepared a zip file with the SecureW2 client, a configuration file, and the two certificates you will need to validate the RADIUS server. Click on the link below to download the zip file:

Step 3: Install SecureW2

  1. You will be rebooting in this step, so you should save all of your current work now!
  2. Make sure that you have the Windows Wireless Zero Configuration utility started:
    1. Bring up the services control panel: Start->Control Panel->Administrative Tools->Services:
      [Screenshot: WindowsXP Services Control Panel]
    2. Right-click on "Wireless Zero Configuration" and open up the Properties panel.
    3. Now from the "Startup type:" list choose "Automatic".
    4. Click "Start" if the "Service status:" is not "Started".
      [Screenshot: Wireless Zero Configuration Properties]
  3. Install the SecureW2 client software:
    1. Double-click on the ZIP file you downloaded in step 2 above. This will unzip the SecureW2 installer, two digital certificates, an initial configuration file, and the README that comes with SecureW2.
      [Screenshot: SecureW2 Zip File Contents]
    2. Now, double-click on the SecureW2_331.exe installer. This will install SecureW2, the two digital certificates, and preconfigure as much of the client as possible. Due to some changes in Windows XP/SP2, there will still be some final configuration steps required; see below. Allow your system to reboot after the installation.

Step 4: Complete Configuration

NOTE: step 5 below requires Administrator privileges on your laptop. If your account does not have Administrator privileges, you may need to log in as the Administrator before continuing.

  1. First, you need to open up the wireless network properties panel. There are a couple of ways to get to the wireless network properties panel. If your wireless adaptor is already active, you should be able to right-click on the wireless network icon and select "Open Network Connections", then right-click on "Wireless Network Connection" and bring up Properties. Alternatively, you can use the start menu: Start->Control Panel->Network Connections and right-click on "Wireless Network Connection" to bring up Properties. In any case, you should see the "Wireless Network Connection Properties" dialog.
  2. Select the "Wireless Networks" tab in the dialog:
    [Screenshot: Wireless Network Properties]
  3. Select the QB3-secure network and click on "Properties", then set "Network Authentication" to WPA and "Data Encryption" to TKIP as shown here:
    [Screenshot: QB3-secure Network Properties]
  4. Under the "Authentication" tab, select "EAP type:" of SecureW2 and disable "Authenticate as computer when computer information is available":
    [Screenshot: QB3-secure Network Authentication Properties]
  5. Click the "Properties" button to bring up the SecureW2 properties and set the profile to "QB3 Secure Wireless Network":
    NOTE: this step requires Administrator privileges on your laptop. If your account does not have Administrator privileges, you may need to log in as the Administrator.
    [Screenshot: SecureW2 Properties]
  6. Select the "QB3 Secure Wireless Network" profile and select "Configure".
  7. Under the "Connection" tab, select "Use alternate outer identity:" and set "Specify outer identity:" to your login name.
    [Screenshot: SecureW2 Connection Properties]
  8. Select the "Certificates" tab and select "Verify server certificate" and "Verify server name:". The server name should be socrates.cgl.ucsf.edu. Then, select "Add CA" and add "Entrust.net Secure Server Certification Authority".
    [Screenshot: SecureW2 Certificates Properties]
  9. Finally, click "OK" on each of the dialogs to complete the configuration.
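
What the two checkboxes in item 8 each reject, shown as an added example (not part of the original guide and not SecureW2's own code). OpenSSL stands in for the supplicant; the CA names, the host radius.example.net and every certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed locally and
# thrown away; "Demo Trusted CA" stands in for the CA added in item 8.
EXPECTED_NAME="socrates.cgl.ucsf.edu"   # server name configured in item 8
WORK=$(mktemp -d) && cd "$WORK" || exit 1

make_ca() {      # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_server() {  # $1 = file prefix, $2 = server CN, $3 = issuing CA prefix
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# "Verify server certificate": the chain must end at the configured CA.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# "Verify server name": the certificate must name the expected server.
name_ok() {
  openssl x509 -in "$1" -noout -checkhost "$EXPECTED_NAME" | grep -q "does match"
}

# Outcome with both boxes ticked: prints "accept" or the reason for rejecting.
decide() {       # $1 = trusted CA pem, $2 = certificate the server presented
  chain_ok "$1" "$2" || { echo "reject: untrusted CA"; return; }
  name_ok "$2"       || { echo "reject: wrong server name"; return; }
  echo "accept"
}

make_ca trusted   "Demo Trusted CA"
make_ca unknown   "Demo Unknown CA"
make_server real      "$EXPECTED_NAME"     trusted   # the genuine server
make_server unknownca "$EXPECTED_NAME"     unknown   # right name, unknown CA
make_server othername "radius.example.net" trusted   # trusted CA, wrong name

for c in real unknownca othername; do
  printf '%-10s %s\n' "$c" "$(decide trusted.pem "$c.pem")"
done
```

Only the first certificate is accepted; each of the other two is stopped by a different checkbox, which is why both need to stay selected.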

Step 5: Initial Connection

  1. For the final step, you need to be in range of the QB3-secure wireless network. You can check the available wireless networks on your XP machine by right-clicking on the wireless network icon in the lower-right corner of your screen. Select "View Available Wireless Networks" from the popup menu. After a couple of seconds, all wireless access points within range will be listed. Select QB3-secure from the list and select "Connect":
    [Screenshot: Connecting to the QB3-secure Network]
  2. Note that a little pop-up dialog will appear in the lower right-hand corner. You will need to click on this (unfortunately, this looks a lot like other informational dialogs presented by WindowsXP, but in this case, you must actually click on it). This should bring up a login dialog:
    [Screenshot: QB3-secure Network Login]
  3. Type in your username and password.
  4. Another popup may appear. Click on this, and you will be requested to verify the server. This will only happen the first time. Select "Install All Certificates" and then click "OK". You should now be connected.
    [Screenshot: QB3-secure Unknown Server]

Step 6: Reconnecting

Once you have successfully configured and connected to the QB3-secure wireless network, reconnecting is reasonably straightforward. If you configured your laptop to automatically connect to "QB3-secure" when in range (the default), when you are in Byers Hall your laptop will immediately attempt to connect when you start up. This will result in the popup panel shown above: Wireless Network Connection. When you click on the popup, you will be presented with the SecureW2 Credentials dialog shown above.

If you have not selected "Automatically connect when in range", you will need to right-click on the wireless icon and view the available networks. You can then select "QB3-secure" and click on the "Connect" button. This will again result in the procedure outlined in the previous paragraph.

Getting Help

If you have followed the configuration instructions provided here but still cannot connect to the QB3-secure network, try the following. First, verify your Kerberos account is active by accessing the Kerberos account test page. If your Kerberos account is working correctly, you should see a message that says "Kerberos authentication successful." This test can be performed from any computer, but if you are using someone else's computer you may have to restart the web browser application so that a previously cached password doesn't foul up the test. If you cannot successfully authenticate with Kerberos, then see one of the WLAN account facilitators in Byers Hall.

If you can successfully authenticate with Kerberos but still cannot connect to the QB3-secure network, then contact one of the WLAN support coordinators in Byers Hall. If you can connect to the QB3-secure network in some locations in Byers Hall but not others, then it may be a problem with the wireless network. In this case, contact the UCSF ITS Customer Support at 415-514-4100 Option 2, or send e-mail to itscs@its.ucsf.edu. Members of the UCSF campus community may also submit a problem report directly to ITS Customer Support via the web at http://help.ucsf.edu.