Honeywell VM3WLANA User Manual
Main
Start > All Programs > Summit > Summit Client Utility > Main tab
Factory Default Settings
Admin Login SUMMIT
Radio Enabled
Active Config/Profile Default
Regulatory Domain FCC, ETSI or Worldwide
The Main tab displays information about the wireless client device including:
• SCU (Summit Client Utility) version
• Driver version
• Radio Type (ABGN is an 802.11 a/b/g/n radio).
• Regulatory Domain
• Copyright Information can be accessed by tapping the About SCU button
• Active Config profile / Active Profile name
• Status of the client (Down, Associated, Authenticated, etc.).
The Active Profile can be switched without logging in to Admin mode. Selecting a different profile from the drop down list
does not require logging in to Administrator mode. The profile must already exist. Profiles can be created or edited after the
Admin login password has been entered and accepted.
When the profile named “ThirdPartyConfig” is chosen as the active profile, the Summit Client Utility passes control to Wireless Manager for configuration of all client and security settings for the network module.
The Disable Radio button can be used to disable the network card. Once disabled, the button label changes to Enable
Radio. By default the radio is enabled.
The Admin Login button provides access to editing wireless parameters. Profile and Global may only be edited after entering the Admin Login password.
The password is case-sensitive.
Once logged in, the button label changes to Admin Logout. To logout, either tap the Admin Logout button or exit the SCU
without tapping the Admin Logout button.
Admin Login
To login to Administrator mode, tap the Admin Login button.
Once logged in, the button label changes to Admin Logout. The admin is automatically logged out when the SCU is
exited. The Admin can either tap the Admin Logout button, or the OK button to logout.
3 - 3
Enter the Admin password (the default password is SUMMIT and is case sensitive) and tap OK. If the pass word is
incorrect, an error message is displayed.
The Administrator default password can be changed on the tab.
The end-user can:
• Turn the radio on or off on the Main tab.
• Select an active Profile on the Main tab.
• View the current parameter settings for the profiles on the Profile tab.
• View the global parameter settings on the Global tab.
• View the current connection details on the Status tab.
• View radio status, software versions and regulatory domain on the Main tab.
• Access additional troubleshooting features on the Diags tab.
After Admin Login, the end-user can also:
• Create, edit, rename and delete profiles on the Profile tab.
• Edit global parameters on the Global tab.
• Enable/disable the Summit tray icon in the taskbar.
3 - 4
Profile
Start > All Programs > Summit > Summit Client Utility > Profile tab
Note: Tap the Commit button to save changes before leaving this panel or the SCU. If the panel is exited before tapping
the Commit button, changes are not saved!
Factory Default Settings
Profile Default
SSID Blank
Client Name Blank
Power Save CAM
Tx Power Maximum
Bit Rate Auto
Radio Mode BGA rates full
Auth Type Open
EAP Type None
Encryption None
When logged in as an Admin use the Profile tab to manage profiles. When not logged in as an Admin, the parameters can
be viewed, and cannot be changed. The buttons on this tab are dimmed if the user is not logged in as Admin. The Profile
tab was previously labeled Config.
Buttons
Button Function
Commit Saves the profile settings made on this screen. Settings are saved in the profile.
Credentials Allows entry of a username and password, certificate names, and other information required to authen-
Delete Deletes the profile. The current active profile cannot be deleted and an error message is displayed if a
New Creates a new profile with the default settings (see Profile Parameters) and prompts for a unique name.
Rename Assigns a new, unique name. If the new name is not unique, an error message is displayed and the
ticate with the access point. The information required depends on the EAP type.
delete is attempted.
If the name is not unique, an error message is displayed and the new profile is not created.
profile is not renamed.
3 - 5
Button Function
Scan Opens a window that lists access points that are broadcasting their SSIDs. Tap the Refresh button to
WEP Keys /
PSK Keys
Note: Unsaved Changes – The SCU will display a reminder if the Commit button is not clicked before an attempt is
made to close or browse away from this tab.
Important – The settings for Auth Type, EAP Type and Encryption depend on the security type chosen.
view an updated list of APs. Each AP’s SSID, its received signal strength indication (RSSI) and whether
or not data encryption is in use (true or false). Sort the list by tapping on the column headers.
If the scan finds more than one AP with the same SSID, the list displays the AP with the strongest RSSI
and the least security.
If you are logged in as an Admin, tap an SSID in the list and tap the Configure button, you return to the
Profile window to recreate a profile for that SSID, with the profile name being the same as the SSID (or
the SSID with a suffix such as “_1” if a profile with the SSID as its name exists already).
Allows entry of WEP keys or pass phrase as required by the type of encryption.
Profile Parameters
Parameter Default Explanation
Edit Profile Default A string of 1 to 32 alphanumeric characters, establishes the name of the Profile.
SSID Blank A string of up to 32 alphanumeric characters. Establishes the Service Set Iden-
Client Name Blank A string of up to 16 characters. The client name is assigned to the network card
Power Save CAM Power save mode.
Tx Power Maximum Maximum setting regulates Tx power to the Max power setting for the current
Bit Rate Auto Setting the rate to Auto will allow the Access Point to automatically negotiate the
Auth Type Open 802.11 authentication type used when associating with the Access Point.
EAP Type None Extensible Authentication Protocol (EAP) type used for 802.1x authentication to
Options are Default or ThirdPartyConfig.
tifier (SSID) of the WLAN to which the client connects.
and the device using the network card. The client name may be passed to networking wireless devices, e.g. Access Points.
Options are: Constantly Awake Mode (CAM) power save off, Maximum (power
saving mode) and Fast (power saving mode). When using power management,
use FAST for best throughput results.
regulatory domain.
Options are: Maximum, 50mW, 30mW, 20mW, 10mW, 5mW, or 1mW.
bit rate with the client device.
Options are: Auto, 1 Mbit, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48 or 54 Mbit.
Options are: Open, LEAP, or Shared key.
the Access Point.
Options are: None, LEAP, EAP-FAST, PEAP-MSCHAP, PEAP-GTC, PEAPTLS, EAP-TTLS, or EAP-TLS.
EAP Type chosen determines whether the Credentials button is active and also
determines the available entries in the Credentials pop-up window.
3 - 6
Parameter Default Explanation
Encryption None Type of encryption to be used to protect transmitted data. Available options may
Radio Mode BGA Rates
Full
It is important the Radio Mode parameter correspond to the AP to which the device is to connect. For example, if this
parameter is set to G rates only, the Thor VM3 may only connect to APs set for G rates and not those set for B and G
rates.
vary by SCU version.
Options are: None, WEP (or Manual WEP), WEP EAP (or Auto WEP), WPA
PSK, WPA TKIP, WPA CCKM, WPA2 PSK, WPA2 AES, or WPA2 CCKM.
CKIP is not supported in the Thor VM3.
Note: The Encryption type chosen determines if the WEP Keys / PSK Keys
button is active and also determines the available entries in the WEP or
PSK pop-up window.
Specify 802.11a, 802.11b and/or 802.11g rates when communicating with the
AP. The options displayed for this parameter depend on the type of radio installed in the mobile device.
Options:
B rates only (1, 2, 5.5 and 11 Mbps)
BG Rates Full (All B and G rates)
G rates only (6, 9, 12, 18, 24, 36, 48 and 54 Mbps)
BG optimized or BG subset (1, 2, 5.5, 6, 11, 24, 36 and 54 Mbps)
A rates only (6, 9, 12, 18, 24, 36, 48 and 54 Mbps)
ABG Rates Full (All A rates and all B and G rates with A rates preferred)
BGA Rates Full (All B and G rates and all A rates with B and G rates preferred)
Ad Hoc (when connecting to another client device instead of an AP)
Default:
BGA Rates Full
3 - 7
Status
Start > All Programs > Summit > Summit Client Utility > Status tab
This screen provides information on the radio:
• The profile being used.
• The status of the radio card (down, associated, authenticated, etc.).
• Client information including device name, IP address and MAC address.
• Information about the Access Point (AP) maintaining the connection to the network including AP name, IP address and
MAC address.
• Channel currently being used for wireless traffic.
• Bit rate in Mbit.
• Current transmit power in mW.
• Beacon period – the time between AP beacons in kilomicroseconds. (one kilomicrosecond = 1,024 microseconds).
• DTIM interval – A multiple of the beacon period that specifies how often the beacon contains a delivery traffic indication
message (DTIM). The DTIM tells power saving devices a packet is waiting for them. For example, if DTIM = 3, then every
third beacon contains a DTIM.
• Signal strength (RSSI) displayed in dBm and graphically.
• Signal quality, a measure of the clarity of the signal displayed in percentage and graphically.
There are no user entries on this screen.
Note: After completing radio configuration, it is a good idea to review this screen to verify the radio has associated (no
encryption, WEP) or authenticated (LEAP, any WPA), as indicated above.
3 - 8
Diags
Start > All Programs > Summit > Summit Client Utility > Diags tab
The Diags screen can be used for troubleshooting network traffic and radio connectivity issues.
• (Re)connect – Use this button to apply (or reapply) the current profile and attempt to associate or authenticate to the
wireless LAN. All activity is logged in the Diagnostic Output box on the lower part of the screen.
• Release/Renew – Obtain a new IP address through release and renew. All activity is logged in the Diagnostic Output
box. If a fixed IP address has been assigned to the radio, this is also noted in the Diagnostic Output box. Note that the
current IP address is displayed above this button.
• Start Ping – Start a continuous ping to the IP address specified in the text box to the right of this button. Once the button
is clicked, the ping begins and the button label changes to Stop Ping. Clicking the button ends the ping. The ping also
ends when any other button on this screen is clicked or the user browses away from the Diags tab. The results of the ping
are displayed in the Diagnostic Output box.
• Diagnostics – Also attempts to (re)connect to the wireless LAN. However, this option provides more data in the
Diagnostic Output box than the (Re)connect option. This data dump includes radio state, profile settings, global settings,
and a list of broadcast SSID APs.
• Save To… – Use this to save the results of the diagnostics to a text file. Use the explorer window to specify the name
and location for the diagnostic file. The text file can viewed using an application such as WordPad.
3 - 9
Global
Start > All Programs > Summit > Summit Client Utility > Global tab
The parameters on this panel can only be changed when an with a password. The current values for the parameters can
be viewed by the general user without requiring a password.
Note: Tap the Commit button to save changes. If the panel is exited before tapping the Commit button, changes are not
saved!
Factory Default Settings
Roam Trigger -65 dBm
Roam Delta 5 dBm
Roam Period 10 sec.
BG Channel Set Full
DFS Channels Off
DFS Scan Time 120 ms.
Ad Hoc Channel 1
Aggressive Scan On
CCX Features Optimized
WMM On
Auth Server Type 1
TTLS Inner Method Auto-EAP
PMK Caching Standard
WAPI Off (dimmed)
TX Diversity On
RX Diversity On Start on Main
Frag Threshold 2346
RTS Threshold 2347
LED Off
Tray Icon On
Hide Passwords On
Admin Password SUMMIT (or blank)
Auth Timeout 8 seconds
Certs Path C:\Program Files\Summit\certs
Ping Payload 32 bytes
Ping Timeout 5000 ms
Ping Delay ms 1000 ms
Logon Options Use SCU credentials
3 - 10
Custom Parameter Option
The parameter value is displayed as “Custom” when the operating system registry has been edited to set the Summit
parameter to a value that is not available from the parameter’ s drop down list. Selecting Custom from the drop down list
has no effect. Selecting any other value from the drop down list will overwrite the “custom” value in the registry.
Global Parameters
Parameter Default Function
Roam Trigger -65 dBm If signal strength is less tha n this trigger value, the client looks for a dif-
Roam Delta 5 dBm The amount by which a different Access Point signal strength must ex-
Roam Period 10 sec. The amount of time, after association or a roam scan with no roam, that
BG Channel Set Full Defines the 2.4GHz channels to be scanned for an AP when the radio is
DFS Channels Off Support for 5GHZ 802.11a channels where support for DFS is required.
DFS Scan Time 120 ms. ABG radio only. The amount of time the radio will passively scan each
Ad Hoc Channel 1 Use this parameter when the Radio Mode profile parameter is set to Ad
ferent Access Point with a stronger signal.
Options are: -50 dBm, -55, -60, -65, -70, -75, -80, -85, -90 dBm or .
ceed the current Access Point signal strength before roaming to the different Access Point is attempted.
Options are: 5 dBm, 10, 15, 20, 25, 30, 35 dBm or Custom.
the radio collects Received Signal Strength Indication (RSSI) scan data
before a roaming decision is made.
Options are: 5 sec, 10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60 seconds or
Custom.
contemplating roaming. By specifying the channels to search, roaming
time may be reduced over scanning all channels.
Options are:
Full (all channels)
1,6,11 (the most commonly used channels)
1,7,13 (for ETSI and TELEC radios only)
or Custom.
Options are: On, Off, Optimized.
Not supported (always off) in some releases.
DFS channel to see if it will receive a beacon.
Recommended value is 1.5 times that of the AP's beacon period.
Hoc.
Specifies the channel to be used for an Ad Hoc connection to another client device. If a channel is selected that is not supported by the by the radio, the default value is used.
Options are:
1 through 14 (the 2.4GHz channels)
36, 40, 44, 48 (the UNII-1 channels)
3 - 11
Parameter Default Function
Aggressive Scan On When set to On and the current connection to an AP weakens, the radio
CCX or CCX Features Optimized Use of Cisco Compatible Extensions (CCX) radio management and AP
WMM On Use of Wi-Fi Multimedia extensions.
Auth Server Type 1 Specifies the type of authentication server.
TTLS Inner Method Auto-EAP Authentication method used within the secure tunnel created by EAP-
PMK Caching Standard Type of Pairwise Master Key (PMK) caching to use when WPA2 is in
WAPI Off Default is Off and dimmed (cannot be changed).
TX Diversity On How to handle antenna diversity when transmitting packets to the Access
RX Diversity On Start on
Main
Frag Thresh 2346 If the packet size (in bytes) exceeds the specified number of bytes set in
aggressively scans for available APs.
Aggressive scanning works with standard scanning (set through Roam
Trigger, Roam Delta and Roam Period). Aggressive scanning should be
set to On unless there is significant co-channel interference due to overlapping APs on the same channel.
Options are: On, Off
specified maximum transmit power features.
Options are:
Full - Use Cisco IE and CCX version number, support all CCX features.
The option known as “On” in previous versions.
Optimized –Use Cisco IE and CCX version number, support all CCX features except AP assisted roaming, AP specified maximum transmit power and radio management.
Off - Do not use Cisco IE and CCX version number.
Cisco IE = Cisco Information Element.
Devices running Windows XP can change the default value. Devices running all other OS cannot change the default value.
Options are: Type 1 (ACS server) and Type 2 (non-ACS server)
TTLS.
Options are:
AUTO-EAP (Any available EAP method), MSCHAPV2, MSCHAP, PAP
CHAP, EAP-MSCHAPV2
use. PMK caching is designed to speed up roaming between APs by allowing the client and the AP to cache the results of 802.1X authentications, eliminating the need to communicate with the ACS server.
Standard PMK is used when there are no controllers. The reauthentication information is cached on the original AP. The client and the AP use
the cached information to perform the four-way handshake to exchange
keys. Opportunistic PMK (OPMK) is used when there are controllers.
The reauthentication information cached on the controllers. The client
and the controller behind the AP use the cached information to perform
the four-way handshake to exchange keys.
If the selected PMK caching method is not supported by the network infrastructure, every roam requires full 802.11X authentication, including
interaction with the ACS server.
If the active profile is using WPA2 CCKM, the global PMK Caching setting is ignored and the client attempts to use CCKM.
Options are: Standard, OPMK
Point.
Options are: Main only, and On.
How to handle antenna diversity when receiving packets from the Access
Point.
Option is: On-start on Main
This parameter cannot be changed for some Summit radios.
the fragment threshold, the packet is fragmented (sent as several pieces
instead of as one block). Use a low setting in areas whe r e communication is poor or where there is a great deal of wireless interference.
Options are: Any number between 256 bytes and 2346 bytes.
3 - 12
Parameter Default Function
RTS Thresh 2347 If the packet size exceeds the specified number of bytes set in the Re-
LED Off The LED on the wireless card is not visible to the user when the wireless
Tray Icon On Determines if the Summit icon is displayed in the System tray.
Hide Password On When On, the Summit Config Utility masks passwords (characters on the
Admin Password SUMMIT
(or Blank)
Auth Timeout 8 seconds Specifies the number of seconds the Summit software waits for an EAP
Certs Path certificates A valid directory path, of up to 64 characters, where WPA Certificate Au-
Ping Payload 32 bytes Maximum amount of data to be transmitted on a ping.
Ping Timeout ms 5000 The amount of time, in milliseconds, that a device will be continuously
Ping Delay ms 1000 The amount of time, in milliseconds, between each ping after a Start Ping
Logon Options SCU Use SCU or Windows login credentials.
quest to Send (RTS) threshold, an RTS is sent before sending the packet. A low RTS threshold setting can be useful in areas where many client
devices are associating with the Access Point.
This parameter cannot be changed.
card is installed in a sealed mobile device.
Options are: On, Off.
Options are: On, Off
The tray icon is not displayed when the Thor VM3 is running a Windows
Embedded Standard 2009 operating system.
screen are displayed as an *) as they are typed and when they are
viewed. When Off, password characters are not masked.
Options are: On, Off.
A string of up to 64 alphanumeric characters that must be entered when
the Admin Login button is tapped. If Hide Password is On, the password
is masked when typed in the Admin Password Entry dialog box. The
password is case sensitive. This value is masked when the Admin is
logged out.
Options are: none.
authentication request to succeed or fail.
If the authentication credentials are stored in the active profile and the
authentication times out, the association fails. No error message or
prompting for corrected credentials is displayed.
If the authentication credentials are not stored in the active profile and
the authentication times out, the user is again prompted to enter the credentials.
Options are: An integer from 3 to 60.
thority and User Certificates are stored on the mobile device when not
using the Windows certificates store. Ensure the Windows folder path exists before assigning the path in this parameter. See Certificates (page
3-32) for instructions on obtaining CA and User Certificates. This value
is masked when the Admin is logged out.
Options are: none.
The complete path is C:\Program Files\Summit\certs
Options are: 32 bytes, 64, 128, 256, 512, or 1024 bytes.
pinged. The Stop Ping button can be tapped to end the ping process
ahead of the ping timeout.
Options are: Any number between 0 and 30000 ms.
button tap.
Options are: Any number between 0 and 30000 ms.
Note: Tap the Commit button to save changes. If this panel is closed before tapping the Commit button, changes are
not saved!
Logon Options
There are two options available, a Single Signon (page 3-14) option which uses the Windows username and password
as the credentials for 802.1x authentication and a Pre-Logon Connection (page 3-14) option which uses saved credentials for 802.1x authentication before Windows logon.
3 - 13
If either option is enabled, the credentials entered here take precedence over any credentials entered on the profile
tab.
To use either option, select Logon Options from the Property list which activates the Logon Options button.
Click the Logon Options button.
Single Signon
To use the Single Signon option, select the checkbox for Use the Windows username and password when
available. When the activ e profile is using LEAP, PEAP-MSCHAP, PEAP-GTC or EAP-FAST, the SCU ignores the
username and password, if any, saved in the profile. Instead, the username and password used for Windows
logon is used. Any certificates needed for authentication must still be specified in the profile.
Click OK then click Commit.
Pre-Logon Connection
To use the Pre_logon connection, select the checkbox for Enable pre-logon connection. This option is designed to
be used when:
• EAP authentication is required for a WLAN connection
• Single Signon is configured, so the Windows username and password are used as credentials for EAP
authentication
• The WLAN connection needs to be established before the Windows login.
Once this option is enabled, the Authentication delay and Association timeout values can be adjusted as necessary. Both v alues are specified in milliseconds (ms).
The default authentication delay is 5000 ms and the valid range is 0 - 600,000 ms.
The default association timeout is 10,000 ms and the valid range is 10,000 to 600,000 ms.
Click on the Credentials button to enter the logon credentials.
3 - 14
If using the Windows certificate store:
1. Check the Use MS store checkbox. The default is to use the Full Trusted Store.
2. To select an individual certificate, click on the Browse button.
3. Uncheck the Use full trusted store checkbox.
4. Select the desired certificate and click Select. You are returned to the Credentials screen.
5. Click OK then click Commit.
If using the Certs Path option:
1. Leave the Use MS store box unchecked.
2. Enter the certificate filename in the CA Cert text box.
3. Click OK then click Commit.
Sign-On vs. Stored Credentials
When using wireless security that requires a user name and password to be entered, the Summit Client Utility offers these
choices:
• The Username and Password may be entered on the Credentials screen. If this method is selected, anyone using the device
can access the network.
• The Username and Password are left blank on the Credentials screen. When the device attempts to connect to the network,
a sign on screen is displayed. The user must enter the Username and Password at that time to authenticate.
• When using Summit with the Thor VM3, there is an option on the Global tab to use the Windows user name and password to
log on instead of any username and password stored in the profile.
To Use Stored Credentials
1. After completing the other entries in the profile, click on the Credentials button.
2. Enter the Username and Password on the Credentials screen and click the OK button.
3. Click the Commit button.
4. For LEAP and WPA/LEAP, configuration is complete.
5. For PEAP-MSCHAP and PEAP-GTC, importing the CA certificate into the Windows certificate store is optional.
6. For EAP-TLS, import the CA certificate into the Windows certificate store. Also import the User Cer tificate into the
Windows certificate store.
7. Access the Credentials screen again. Make sure the Validate server and Use MS store checkboxes are checked.
8. The default is to use the entire certificate store for the CA certificate. Alternatively, use the Browse button next to the
CA Cert (CA Certificate Filename) on the Credentials screen to select an individual certificate.
9. For EAP-TLS, also enter the User Cert (User Certificate filename) on the credentials screen by using the Browse
button.
10. If using EAP FAST and manual PAC provisioning, input the PAC filename and password.
11. Click the OK button then the Commit button.
3 - 15
12. If changes are made to the stored credentials, click Commit to save those changes before making any additional
changes to the profile or global parameters.
13. Verify the device is authenticated by reviewing the Status tab. When the device is property configured, the Status tab
indicates the device is Authenticated and the method used.
Note: See Configuring the Profile (page 3-18) for more details.
Note: If invalid credentials are entered into the stored credentials, the authentication will fail. No error message is displayed.
The user may or may not be prompted to enter valid credentials.
To Use Sign On Screen
1. After completing the other entries in the profile, click on the Credentials button. Leave the Username and Password
blank. No entries are necessary on the Credentials screen for LEAP or LEAP/WPA.
2. For PEAP-MSCHAP and PEAP-GTC, importing the CA certificate into the Windows certificate store is optional.
3. For EAP-TLS, import the CA certificate into the Windows certificate store. Also import the User Cer tificate into the
Windows certificate store.
4. Access the Credentials screen again. Make sure the Validate server and Use MS store checkboxes are checked.
5. The default is to use the entire certificate store for the CA certificate . Alternatively, use the Browse button next to the
CA Cert (CA Certificate Filename) on the Credentials screen to select an individual certificate.
6. For EAP-TLS, also enter the User Cert (User Certificate filename) on the credentials screen by using the Browse
button.
7. Click the OK button then the Commit button.
8. When the device attempts to connect to the network, a sign-on screen is displayed.
9. Enter the Username and Password. Click the OK button.
10. Verify the device is authenticated by reviewing the Status tab. When the device is property configured, the indicates
the device is Authenticated and the method used.
11. The sign-on screen is displayed after a reboot.
Note: See Configuring the Profile (page 3-18) for more details.
If a user enters invalid credentials and clicks OK, the device associates but does not authenticate. The user is again
prompted to enter credentials.
If the user clicks the Cancel button, the device does not associate. The user is not prompted again for credentials until:
• the device is rebooted,
• the radio is disabled then enabled,
•the Reconnect button on the is clicked or
• the profile is modified and the Commit button is clicked.
To Use Windows Username and Password
Please see Logon Options (page 3-13) for information.
3 - 16
Windows Certificate Store vs. Certs Path
!
Note: It is important th at all dates are correct on th e Thor VM3 and host computers when using any type of certificate. Certificates
are date sensitive and if the date is not correct authentication will fail.
If using the Windows Certificate Store, the Windows Account must have a password. The password cannot be left blank.
The Summit Client Utility uses the Windows user account credentials to access the Certificate Store. The Windows user
account credentials need not be the same as the credentials entered in the Summit Client Utility.
User Certificates
EAP-TLS authentication requires a user certificate. The user certificate must be stored in the Windows certificate store.
• To generate the user certificate, see Generate a User Certificate (page 3-35).
• To import the user certificate into the Windows certificate store, see Install a User Certificate (page 3-37).
• A Root CA certificate is also needed. Refer to the section below.
Root CA Certificates
Root CA certificates are required for EAP/TLS, PEAP/GTC and PEAP/MSCHAP. Two options are offered for storing these
certificates. They may be imported into the Windows certifi c ate store or copied into the Certs Path directory.
Certs Path
1. See Generate a Root CA Certificate (page 3-32) and follow the instructions to download the Root Certificate to a
PC.
2. Copy the certificate to specified directory on the mobile device. The default location for Certs Path is C:\ Program
Files\Summit\certs. A different location may be specified by using the Certs Path global variable.
3. When completing the Credentials screen for the desired authentication, do not check the Use MS store checkbox
after checking the Validate server checkbox.
4. Enter the certificate name in the CA Cert text box.
5. Click OK to exit the Credentials screen and then Commit to save the profile changes.
Windows Certificate Store
1. See Generate a Root CA Certificate (page 3-32) and follow the instructions to download the Root Certificate to a
PC.
2. To import the certificate into the Windows store, See Install a Root CA Certificate (page 3-34).
3. When completing the Credentials screen for the desired authentication, be sure to check the Use MS store checkbox after checking the Validate server checkbox.
4. The default is to use all certificates in the store. If this is OK, skip to the last step.
5. Otherwise, to select a specific certificate click on the Browse (…) button.
3 - 17
6. Uncheck the Use full trusted store checkbox.
7. Select the desired certificate and click the Select button to return the selected certificate to the CA Cert text box.
8. Click OK to exit the Credentials screen and then Commit to save the profile changes.
Configuring the Profile
Use the instructions in this section to complete the entries on the Profile tab according to the type of wireless security used by
your network. The instructions that follow are the minimum required to successfully connect to a network. Your system may
require more parameters than are listed in these instructions. Please see your system administrator for complete information
about your network and its wireless security requirements.
To begin the configuration process:
• On the Main click the Admin Login button and enter the password.
• If using a single profile, edit the default profile with the parameter s for your network. Select the Default profile from the pulldown menu.
• Make any desired parameter changes as described in the applicable following section determined by network security type
and click the Commit button to save the changes.
IMPORTANT – Remember to click the Commit button after making changes to ensure the changes are saved. Many versions of
the SCU display a reminder if the Commit button is not clicked before an attemp t is ma de to close or browse away from the tab
in focus if there are unsaved changes.
If changes are made to the stored credentials, click Commit to save those changes first before making any additional changes.
3 - 18
No Security
To connect to a wireless network with no security, make sure the following profile options are used.
1. Enter the SSID of the Access Point assigned to this profile
2. Set EAP Type to None
3. Set Encryption to None
4. Set Auth Type to Open
Once configured, click the Commit button.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated
after the radio connects to the network.
3 - 19
WEP
To connect using WEP, make sure the following profile options are used.
1. Enter the SSID of the Access Point assigned to this profile
2. Set EAP Type to None
3. Set Encryption to WEP or Manual WEP (depending on SCU version)
4. Set Auth Type to Open
Click the WEP keys/PSKs button.
Valid keys are 10 hexadecimal or 5 ASCII characters (for 40-bit encryption) or 26 hexadecimal or 13 ASCII characters (for
128-bit encryption). Enter the key(s) and click OK.
Once configured, click the Commit button.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated
after the radio connects to the network.
3 - 20
LEAP
To use LEAP (without WPA, also called WEP-LEAP), make sure the following profile options are used.
1. Enter the SSID of the Access Point assigned to this profile
2. Set EAP Type to LEAP
3. Set Encryption to WEP EAP or Auto WEP (depending on SCU version)
4. Set Auth Type as follows:
5. If the Cisco/CCX certified AP is configured for open authentication, set the Auth Type radio parameter to Open.
6. If the AP is configured to use shared key or passphrase, set the Auth Type radio parameter to Shared.
7. If the AP is configured for network EAP only, set the Auth Type radio parameter to LEAP.
See Sign-On vs. Stored Credentials (page 3-15) for information on entering credentials.
To use Stored Credentials, click on the Credentials button. No entries are necessary for Sign-On Credentials as the user
will be prompted for the Username and Password when connecting to the network.
Enter the Domain\Username (if the Domain is required), otherwise enter the Username.
Enter the password. Click OK then click Commit.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated
after the radio connects to the network.
3 - 21
PEAP/MSCHAP
To use PEAP/MSCHAP, make sure the following profile options are used.
1. Enter the SSID of the Access Point assigned to this profile
2. Set EAP Type to PEAP-MSCHAP
3. Set Encryption to WPA TKIP
4. Set Auth Type to Open
To use another encryption type, select WPA CCKM, WP A2 AES or WPA2 CCKM for encryption and complete other entries
as detailed in this section.
See Sign-On vs. Stored Credentials (page 3-15) for information on entering credentials.
Click the Credentials button.
• No entries except the CA Certificate Filename are necessary for Sign-On Credentials as the user will be prompted for the
User Name and Password when connecting to the network.
• For Stored Credentials, User, Password and the CA Certificate Filename must be entered.
Enter these items as directed below.
Enter the Domain\Username (if the Domain is required), otherwise enter the Username.
Enter the password.
Leave the CA Certificate File Name blank for now.
Click OK then click Commit. Ensure the correct Active profile is selected on the Main tab.
See Windows Certificate Store vs. Certs Path (page 3-17) for more information on certificate storage.
Once successfully authenticated, import the CA certificate into the Windows certificate store. Return to the Credentials
screen and check the Validate server checkbox.
3 - 22
If using the Windows certificate store:
1. Check the Use MS store checkbox. The default is to use the Full Trusted Store.
2. To select an individual certificate, click on the Browse button.
3. Uncheck the Use full trusted store checkbox.
4. Select the desired certificate and click Select. You are returned to the Credentials screen.
5. Click OK then click Commit.
If using the Certs Path option:
1. Leave the Use MS store box unchecked.
2. Enter the certificate filename in the CA Cert text box.
3. Click OK then click Commit.
The device should be authenticating the server certificate and using PEAP/MSCHAP for the user authentication.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated
after the radio connects to the network.
Note: The date must be properly set on the device to authenticate a certificate.
3 - 23
PEAP/GTC
To use PEAP/GTC, make sure the following profile options are used.
1. Enter the SSID of the Access Point assigned to this profile
2. Set EAP Type to PEAP-GTC
3. Set Encryption to WPA TKIP
4. Set Auth Type to Open
To use another encryption type, select WPA CCKM, WP A2 AES or WPA2 CCKM for encryption and complete other entries
as detailed in this section.
See Sign-On vs. Stored Credentials (page 3-15) for information on entering credentials.
Click the Credentials button.
• No entries except the CA Certificate Filename are necessary for Sign-On Credentials as the user will be prompted for the
User Name and Password when connecting to the network.
Enter these items as directed below.
Enter the Domain\Username (if the Domain is required), otherwise enter the Username.
Enter the password.
Leave the CA Certificate File Name blank for now.
Click OK then click Commit. Ensure the correct Active Profile is selected on the Main tab.
See Windows Certificate Store vs. Certs Path (page 3-17) for more information on certificate storage.
Once successfully authenticated, import the CA certificate into the Windows certificate store. Return to the Credentials
screen and check the Validate server checkbox.
Note: Some servers may be configured to allow only a single use of the password for PEAP/GTC. In this case, wait for the
token to update with a new password before attempting to validate the server. Then enter the new password, check
the Validate Server checkbox and proceed with the certificate process below.
3 - 24
If using the Windows certificate store:
1. Check the Use MS store checkbox. The default is to use the Full Trusted Store.
2. To select an individual certificate, click on the Browse button.
3. Uncheck the Use full trusted store checkbox.
4. Select the desired certificate and click Select. You are returned to the Credentials screen.
5. Click OK then click Commit.
If using the Certs Path option:
1. Leave the Use MS store box unchecked.
2. Enter the certificate filename in the CA Cert text box.
3. Click OK then click Commit.
The device should be authenticating the server certificate and using PEAP/GTC for the user authentication.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated
after the radio connects to the network.
Note: The date must be properly set on the device to authenticate a certificate.
3 - 25
Loading...