Main
Start > All Programs > Summit > Summit Client Utility > Main tab
Factory Default Settings
Admin Login |
SUMMIT |
|
|
Radio |
Enabled |
|
|
Active Config/Profile |
Default |
|
|
Regulatory Domain |
FCC, ETSI or Worldwide |
|
|
The Main tab displays information about the wireless client device including:
•SCU (Summit Client Utility) version
•Driver version
•Radio Type (ABGN is an 802.11 a/b/g/n radio).
•Regulatory Domain
•Copyright Information can be accessed by tapping the About SCU button
•Active Config profile / Active Profile name
•Status of the client (Down, Associated, Authenticated, etc.).
The Active Profile can be switched without logging in to Admin mode. Selecting a different profile from the drop down list does not require logging in to Administrator mode. The profile must already exist. Profiles can be created or edited after the Admin login password has been entered and accepted.
When the profile named “ThirdPartyConfig” is chosen as the active profile, the Summit Client Utility passes control to Wireless Manager for configuration of all client and security settings for the network module.
The Disable Radio button can be used to disable the network card. Once disabled, the button label changes to Enable Radio. By default the radio is enabled.
The Admin Login button provides access to editing wireless parameters. Profile and Global may only be edited after entering the Admin Login password.
The password is case-sensitive.
Once logged in, the button label changes to Admin Logout. To logout, either tap the Admin Logout button or exit the SCU without tapping the Admin Logout button.
Admin Login
To login to Administrator mode, tap the Admin Login button.
Once logged in, the button label changes to Admin Logout. The admin is automatically logged out when the SCU is exited. The Admin can either tap the Admin Logout button, or the OK button to logout.
3 - 3
Enter the Admin password (the default password is SUMMIT and is case sensitive) and tap OK. If the password is incorrect, an error message is displayed.
The Administrator default password can be changed on the tab.
The end-user can:
•Turn the radio on or off on the Main tab.
•Select an active Profile on the Main tab.
•View the current parameter settings for the profiles on the Profile tab.
•View the global parameter settings on the Global tab.
•View the current connection details on the Status tab.
•View radio status, software versions and regulatory domain on the Main tab.
•Access additional troubleshooting features on the Diags tab.
After Admin Login, the end-user can also:
•Create, edit, rename and delete profiles on the Profile tab.
•Edit global parameters on the Global tab.
•Enable/disable the Summit tray icon in the taskbar.
3 - 4
Profile
Start > All Programs > Summit > Summit Client Utility > Profile tab
Note: Tap the Commit button to save changes before leaving this panel or the SCU. If the panel is exited before tapping the Commit button, changes are not saved!
Factory Default Settings
Profile |
Default |
|
|
SSID |
Blank |
|
|
Client Name |
Blank |
|
|
Power Save |
CAM |
|
|
Tx Power |
Maximum |
|
|
Bit Rate |
Auto |
|
|
Radio Mode |
BGA rates full |
|
|
Auth Type |
Open |
|
|
EAP Type |
None |
|
|
Encryption |
None |
|
|
When logged in as an Admin use the Profile tab to manage profiles. When not logged in as an Admin, the parameters can be viewed, and cannot be changed. The buttons on this tab are dimmed if the user is not logged in as Admin. The Profile tab was previously labeled Config.
Buttons
Button |
Function |
|
|
Commit |
Saves the profile settings made on this screen. Settings are saved in the profile. |
|
|
Credentials |
Allows entry of a username and password, certificate names, and other information required to authen- |
|
ticate with the access point. The information required depends on the EAP type. |
|
|
Delete |
Deletes the profile. The current active profile cannot be deleted and an error message is displayed if a |
|
delete is attempted. |
|
|
New |
Creates a new profile with the default settings (see Profile Parameters) and prompts for a unique name. |
|
If the name is not unique, an error message is displayed and the new profile is not created. |
|
|
Rename |
Assigns a new, unique name. If the new name is not unique, an error message is displayed and the |
|
profile is not renamed. |
|
|
3 - 5
Button |
Function |
|
|
Scan |
Opens a window that lists access points that are broadcasting their SSIDs. Tap the Refresh button to |
|
view an updated list of APs. Each AP’s SSID, its received signal strength indication (RSSI) and whether |
|
or not data encryption is in use (true or false). Sort the list by tapping on the column headers. |
|
If the scan finds more than one AP with the same SSID, the list displays the AP with the strongest RSSI |
|
and the least security. |
If you are logged in as an Admin, tap an SSID in the list and tap the Configure button, you return to the Profile window to recreate a profile for that SSID, with the profile name being the same as the SSID (or the SSID with a suffix such as “_1” if a profile with the SSID as its name exists already).
WEP Keys / Allows entry of WEP keys or pass phrase as required by the type of encryption. PSK Keys
Note: Unsaved Changes – The SCU will display a reminder if the Commit button is not clicked before an attempt is made to close or browse away from this tab.
Important – The settings for Auth Type, EAP Type and Encryption depend on the security type chosen.
Profile Parameters
Parameter |
Default |
Explanation |
|
|
|
Edit Profile |
Default |
A string of 1 to 32 alphanumeric characters, establishes the name of the Profile. |
|
|
Options are Default or ThirdPartyConfig. |
|
|
|
SSID |
Blank |
A string of up to 32 alphanumeric characters. Establishes the Service Set Iden- |
|
|
tifier (SSID) of the WLAN to which the client connects. |
|
|
|
Client Name |
Blank |
A string of up to 16 characters. The client name is assigned to the network card |
|
|
and the device using the network card. The client name may be passed to net- |
|
|
working wireless devices, e.g. Access Points. |
|
|
|
Power Save |
CAM |
Power save mode. |
|
|
Options are: Constantly Awake Mode (CAM) power save off, Maximum (power |
|
|
saving mode) and Fast (power saving mode). When using power management, |
|
|
use FAST for best throughput results. |
|
|
|
Tx Power |
Maximum |
Maximum setting regulates Tx power to the Max power setting for the current |
|
|
regulatory domain. |
|
|
Options are: Maximum, 50mW, 30mW, 20mW, 10mW, 5mW, or 1mW. |
|
|
|
Bit Rate |
Auto |
Setting the rate to Auto will allow the Access Point to automatically negotiate the |
|
|
bit rate with the client device. |
|
|
Options are: Auto, 1 Mbit, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48 or 54 Mbit. |
|
|
|
Auth Type |
Open |
802.11 authentication type used when associating with the Access Point. |
|
|
Options are: Open, LEAP, or Shared key. |
|
|
|
EAP Type |
None |
Extensible Authentication Protocol (EAP) type used for 802.1x authentication to |
|
|
the Access Point. |
|
|
Options are: None, LEAP, EAP-FAST, PEAP-MSCHAP, PEAP-GTC, PEAP- |
|
|
TLS, EAP-TTLS, or EAP-TLS. |
|
|
EAP Type chosen determines whether the Credentials button is active and also |
|
|
determines the available entries in the Credentials pop-up window. |
|
|
|
3 - 6
Parameter |
Default |
Explanation |
|
|
|
Encryption |
None |
Type of encryption to be used to protect transmitted data. Available options may |
|
|
vary by SCU version. |
|
|
Options are: None, WEP (or Manual WEP), WEP EAP (or Auto WEP), WPA |
|
|
PSK, WPA TKIP, WPA CCKM, WPA2 PSK, WPA2 AES, or WPA2 CCKM. |
|
|
CKIP is not supported in the Thor VM3. |
|
|
Note: The Encryption type chosen determines if the WEP Keys / PSK Keys |
|
|
button is active and also determines the available entries in the WEP or |
|
|
PSK pop-up window. |
|
|
|
Radio Mode |
BGA Rates |
Specify 802.11a, 802.11b and/or 802.11g rates when communicating with the |
|
Full |
AP. The options displayed for this parameter depend on the type of radio in- |
|
|
stalled in the mobile device. |
|
|
Options: |
|
|
B rates only (1, 2, 5.5 and 11 Mbps) |
|
|
BG Rates Full (All B and G rates) |
|
|
G rates only (6, 9, 12, 18, 24, 36, 48 and 54 Mbps) |
|
|
BG optimized or BG subset (1, 2, 5.5, 6, 11, 24, 36 and 54 Mbps) |
|
|
A rates only (6, 9, 12, 18, 24, 36, 48 and 54 Mbps) |
|
|
ABG Rates Full (All A rates and all B and G rates with A rates preferred) |
|
|
BGA Rates Full (All B and G rates and all A rates with B and G rates preferred) |
|
|
Ad Hoc (when connecting to another client device instead of an AP) |
|
|
Default: |
|
|
BGA Rates Full |
|
|
|
It is important the Radio Mode parameter correspond to the AP to which the device is to connect. For example, if this parameter is set to G rates only, the Thor VM3 may only connect to APs set for G rates and not those set for B and G rates.
3 - 7
Status
Start > All Programs > Summit > Summit Client Utility > Status tab
This screen provides information on the radio:
•The profile being used.
•The status of the radio card (down, associated, authenticated, etc.).
•Client information including device name, IP address and MAC address.
•Information about the Access Point (AP) maintaining the connection to the network including AP name, IP address and MAC address.
•Channel currently being used for wireless traffic.
•Bit rate in Mbit.
•Current transmit power in mW.
•Beacon period – the time between AP beacons in kilomicroseconds. (one kilomicrosecond = 1,024 microseconds).
•DTIM interval – A multiple of the beacon period that specifies how often the beacon contains a delivery traffic indication message (DTIM). The DTIM tells power saving devices a packet is waiting for them. For example, if DTIM = 3, then every third beacon contains a DTIM.
•Signal strength (RSSI) displayed in dBm and graphically.
•Signal quality, a measure of the clarity of the signal displayed in percentage and graphically.
There are no user entries on this screen.
Note: After completing radio configuration, it is a good idea to review this screen to verify the radio has associated (no encryption, WEP) or authenticated (LEAP, any WPA), as indicated above.
3 - 8
Diags
Start > All Programs > Summit > Summit Client Utility > Diags tab
The Diags screen can be used for troubleshooting network traffic and radio connectivity issues.
•(Re)connect – Use this button to apply (or reapply) the current profile and attempt to associate or authenticate to the wireless LAN. All activity is logged in the Diagnostic Output box on the lower part of the screen.
•Release/Renew – Obtain a new IP address through release and renew. All activity is logged in the Diagnostic Output box. If a fixed IP address has been assigned to the radio, this is also noted in the Diagnostic Output box. Note that the current IP address is displayed above this button.
•Start Ping – Start a continuous ping to the IP address specified in the text box to the right of this button. Once the button is clicked, the ping begins and the button label changes to Stop Ping. Clicking the button ends the ping. The ping also ends when any other button on this screen is clicked or the user browses away from the Diags tab. The results of the ping are displayed in the Diagnostic Output box.
•Diagnostics – Also attempts to (re)connect to the wireless LAN. However, this option provides more data in the Diagnostic Output box than the (Re)connect option. This data dump includes radio state, profile settings, global settings, and a list of broadcast SSID APs.
•Save To… – Use this to save the results of the diagnostics to a text file. Use the explorer window to specify the name and location for the diagnostic file. The text file can viewed using an application such as WordPad.
3 - 9
Global
Start > All Programs > Summit > Summit Client Utility > Global tab
The parameters on this panel can only be changed when an with a password. The current values for the parameters can be viewed by the general user without requiring a password.
Note: Tap the Commit button to save changes. If the panel is exited before tapping the Commit button, changes are not saved!
Factory Default Settings
Roam Trigger |
-65 dBm |
|
|
Roam Delta |
5 dBm |
|
|
Roam Period |
10 sec. |
|
|
BG Channel Set |
Full |
|
|
DFS Channels |
Off |
|
|
DFS Scan Time |
120 ms. |
|
|
Ad Hoc Channel |
1 |
|
|
Aggressive Scan |
On |
|
|
CCX Features |
Optimized |
|
|
WMM |
On |
|
|
Auth Server |
Type 1 |
|
|
TTLS Inner Method |
Auto-EAP |
|
|
PMK Caching |
Standard |
|
|
WAPI |
Off (dimmed) |
|
|
TX Diversity |
On |
|
|
RX Diversity |
On Start on Main |
|
|
Frag Threshold |
2346 |
|
|
RTS Threshold |
2347 |
|
|
LED |
Off |
|
|
Tray Icon |
On |
|
|
Hide Passwords |
On |
|
|
Admin Password |
SUMMIT (or blank) |
|
|
Auth Timeout |
8 seconds |
|
|
Certs Path |
C:\Program Files\Summit\certs |
|
|
Ping Payload |
32 bytes |
|
|
Ping Timeout |
5000 ms |
|
|
Ping Delay ms |
1000 ms |
|
|
Logon Options |
Use SCU credentials |
|
|
3 - 10
Custom Parameter Option
The parameter value is displayed as “Custom” when the operating system registry has been edited to set the Summit parameter to a value that is not available from the parameter’s drop down list. Selecting Custom from the drop down list has no effect. Selecting any other value from the drop down list will overwrite the “custom” value in the registry.
Global Parameters
Parameter |
Default |
Function |
|
|
|
Roam Trigger |
-65 dBm |
If signal strength is less than this trigger value, the client looks for a dif- |
|
|
ferent Access Point with a stronger signal. |
|
|
Options are: -50 dBm, -55, -60, -65, -70, -75, -80, -85, -90 dBm or . |
|
|
|
Roam Delta |
5 dBm |
The amount by which a different Access Point signal strength must ex- |
|
|
ceed the current Access Point signal strength before roaming to the dif- |
|
|
ferent Access Point is attempted. |
|
|
Options are: 5 dBm, 10, 15, 20, 25, 30, 35 dBm or Custom. |
|
|
|
Roam Period |
10 sec. |
The amount of time, after association or a roam scan with no roam, that |
|
|
the radio collects Received Signal Strength Indication (RSSI) scan data |
|
|
before a roaming decision is made. |
|
|
Options are: 5 sec, 10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60 seconds or |
|
|
Custom. |
|
|
|
BG Channel Set |
Full |
Defines the 2.4GHz channels to be scanned for an AP when the radio is |
|
|
contemplating roaming. By specifying the channels to search, roaming |
|
|
time may be reduced over scanning all channels. |
|
|
Options are: |
|
|
Full (all channels) |
|
|
1,6,11 (the most commonly used channels) |
|
|
1,7,13 (for ETSI and TELEC radios only) |
|
|
or Custom. |
|
|
|
DFS Channels |
Off |
Support for 5GHZ 802.11a channels where support for DFS is required. |
|
|
Options are: On, Off, Optimized. |
|
|
Not supported (always off) in some releases. |
|
|
|
DFS Scan Time |
120 ms. |
ABG radio only. The amount of time the radio will passively scan each |
|
|
DFS channel to see if it will receive a beacon. |
|
|
Recommended value is 1.5 times that of the AP's beacon period. |
|
|
|
Ad Hoc Channel |
1 |
Use this parameter when the Radio Mode profile parameter is set to Ad |
|
|
Hoc. |
|
|
Specifies the channel to be used for an Ad Hoc connection to another cli- |
|
|
ent device. If a channel is selected that is not supported by the by the ra- |
|
|
dio, the default value is used. |
|
|
Options are: |
|
|
1 through 14 (the 2.4GHz channels) |
|
|
36, 40, 44, 48 (the UNII-1 channels) |
|
|
|
3 - 11
Parameter |
Default |
Function |
|
|
|
Aggressive Scan |
On |
When set to On and the current connection to an AP weakens, the radio |
|
|
aggressively scans for available APs. |
|
|
Aggressive scanning works with standard scanning (set through Roam |
|
|
Trigger, Roam Delta and Roam Period). Aggressive scanning should be |
|
|
set to On unless there is significant co-channel interference due to over- |
|
|
lapping APs on the same channel. |
|
|
Options are: On, Off |
|
|
|
CCX or CCX Features |
Optimized |
Use of Cisco Compatible Extensions (CCX) radio management and AP |
|
|
specified maximum transmit power features. |
|
|
Options are: |
|
|
Full - Use Cisco IE and CCX version number, support all CCX features. |
|
|
The option known as “On” in previous versions. |
|
|
Optimized –Use Cisco IE and CCX version number, support all CCX fea- |
|
|
tures except AP assisted roaming, AP specified maximum transmit pow- |
|
|
er and radio management. |
|
|
Off - Do not use Cisco IE and CCX version number. |
|
|
Cisco IE = Cisco Information Element. |
|
|
|
WMM |
On |
Use of Wi-Fi Multimedia extensions. |
|
|
Devices running Windows XP can change the default value. Devices run- |
|
|
ning all other OS cannot change the default value. |
|
|
|
Auth Server |
Type 1 |
Specifies the type of authentication server. |
|
|
Options are: Type 1 (ACS server) and Type 2 (non-ACS server) |
|
|
|
TTLS Inner Method |
Auto-EAP |
Authentication method used within the secure tunnel created by EAP- |
|
|
TTLS. |
|
|
Options are: |
|
|
AUTO-EAP (Any available EAP method), MSCHAPV2, MSCHAP, PAP |
|
|
CHAP, EAP-MSCHAPV2 |
|
|
|
PMK Caching |
Standard |
Type of Pairwise Master Key (PMK) caching to use when WPA2 is in |
|
|
use. PMK caching is designed to speed up roaming between APs by al- |
|
|
lowing the client and the AP to cache the results of 802.1X authentica- |
|
|
tions, eliminating the need to communicate with the ACS server. |
|
|
Standard PMK is used when there are no controllers. The reauthentica- |
|
|
tion information is cached on the original AP. The client and the AP use |
|
|
the cached information to perform the four-way handshake to exchange |
|
|
keys. Opportunistic PMK (OPMK) is used when there are controllers. |
|
|
The reauthentication information cached on the controllers. The client |
|
|
and the controller behind the AP use the cached information to perform |
|
|
the four-way handshake to exchange keys. |
|
|
If the selected PMK caching method is not supported by the network in- |
|
|
frastructure, every roam requires full 802.11X authentication, including |
|
|
interaction with the ACS server. |
|
|
If the active profile is using WPA2 CCKM, the global PMK Caching set- |
|
|
ting is ignored and the client attempts to use CCKM. |
|
|
Options are: Standard, OPMK |
|
|
|
WAPI |
Off |
Default is Off and dimmed (cannot be changed). |
|
|
|
TX Diversity |
On |
How to handle antenna diversity when transmitting packets to the Access |
|
|
Point. |
|
|
Options are: Main only, and On. |
|
|
|
RX Diversity |
On Start on |
How to handle antenna diversity when receiving packets from the Access |
|
Main |
Point. |
|
|
Option is: On-start on Main |
|
|
This parameter cannot be changed for some Summit radios. |
|
|
|
Frag Thresh |
2346 |
If the packet size (in bytes) exceeds the specified number of bytes set in |
|
|
the fragment threshold, the packet is fragmented (sent as several pieces |
|
|
instead of as one block). Use a low setting in areas where communica- |
|
|
tion is poor or where there is a great deal of wireless interference. |
|
|
Options are: Any number between 256 bytes and 2346 bytes. |
|
|
|
3 - 12
Parameter |
Default |
Function |
|
|
|
RTS Thresh |
2347 |
If the packet size exceeds the specified number of bytes set in the Re- |
|
|
quest to Send (RTS) threshold, an RTS is sent before sending the pack- |
|
|
et. A low RTS threshold setting can be useful in areas where many client |
|
|
devices are associating with the Access Point. |
|
|
This parameter cannot be changed. |
|
|
|
LED |
Off |
The LED on the wireless card is not visible to the user when the wireless |
|
|
card is installed in a sealed mobile device. |
|
|
Options are: On, Off. |
|
|
|
Tray Icon |
On |
Determines if the Summit icon is displayed in the System tray. |
|
|
Options are: On, Off |
|
|
The tray icon is not displayed when the Thor VM3 is running a Windows |
|
|
Embedded Standard 2009 operating system. |
|
|
|
Hide Password |
On |
When On, the Summit Config Utility masks passwords (characters on the |
|
|
screen are displayed as an *) as they are typed and when they are |
|
|
viewed. When Off, password characters are not masked. |
|
|
Options are: On, Off. |
|
|
|
Admin Password |
SUMMIT |
A string of up to 64 alphanumeric characters that must be entered when |
|
(or Blank) |
the Admin Login button is tapped. If Hide Password is On, the password |
|
|
is masked when typed in the Admin Password Entry dialog box. The |
|
|
password is case sensitive. This value is masked when the Admin is |
|
|
logged out. |
|
|
Options are: none. |
|
|
|
Auth Timeout |
8 seconds |
Specifies the number of seconds the Summit software waits for an EAP |
|
|
authentication request to succeed or fail. |
|
|
If the authentication credentials are stored in the active profile and the |
|
|
authentication times out, the association fails. No error message or |
|
|
prompting for corrected credentials is displayed. |
|
|
If the authentication credentials are not stored in the active profile and |
|
|
the authentication times out, the user is again prompted to enter the cre- |
|
|
dentials. |
|
|
Options are: An integer from 3 to 60. |
|
|
|
Certs Path |
certificates |
A valid directory path, of up to 64 characters, where WPA Certificate Au- |
|
|
thority and User Certificates are stored on the mobile device when not |
|
|
using the Windows certificates store. Ensure the Windows folder path ex- |
|
|
ists before assigning the path in this parameter. See Certificates (page |
|
|
3-32) for instructions on obtaining CA and User Certificates. This value |
|
|
is masked when the Admin is logged out. |
|
|
Options are: none. |
|
|
The complete path is C:\Program Files\Summit\certs |
|
|
|
Ping Payload |
32 bytes |
Maximum amount of data to be transmitted on a ping. |
|
|
Options are: 32 bytes, 64, 128, 256, 512, or 1024 bytes. |
|
|
|
Ping Timeout ms |
5000 |
The amount of time, in milliseconds, that a device will be continuously |
|
|
pinged. The Stop Ping button can be tapped to end the ping process |
|
|
ahead of the ping timeout. |
|
|
Options are: Any number between 0 and 30000 ms. |
|
|
|
Ping Delay ms |
1000 |
The amount of time, in milliseconds, between each ping after a Start Ping |
|
|
button tap. |
|
|
Options are: Any number between 0 and 30000 ms. |
|
|
|
Logon Options |
SCU |
Use SCU or Windows login credentials. |
|
|
|
Note: Tap the Commit button to save changes. If this panel is closed before tapping the Commit button, changes are not saved!
Logon Options
There are two options available, a Single Signon (page 3-14) option which uses the Windows username and password as the credentials for 802.1x authentication and a Pre-Logon Connection (page 3-14) option which uses saved credentials for 802.1x authentication before Windows logon.
3 - 13
If either option is enabled, the credentials entered here take precedence over any credentials entered on the profile tab.
To use either option, select Logon Options from the Property list which activates the Logon Options button.
Click the Logon Options button.
Single Signon
To use the Single Signon option, select the checkbox for Use the Windows username and password when available. When the active profile is using LEAP, PEAP-MSCHAP, PEAP-GTC or EAP-FAST, the SCU ignores the username and password, if any, saved in the profile. Instead, the username and password used for Windows logon is used. Any certificates needed for authentication must still be specified in the profile.
Click OK then click Commit.
Pre-Logon Connection
To use the Pre_logon connection, select the checkbox for Enable pre-logon connection. This option is designed to be used when:
•EAP authentication is required for a WLAN connection
•Single Signon is configured, so the Windows username and password are used as credentials for EAP authentication
•The WLAN connection needs to be established before the Windows login.
Once this option is enabled, the Authentication delay and Association timeout values can be adjusted as necessary. Both values are specified in milliseconds (ms).
The default authentication delay is 5000 ms and the valid range is 0 - 600,000 ms.
The default association timeout is 10,000 ms and the valid range is 10,000 to 600,000 ms.
Click on the Credentials button to enter the logon credentials.
3 - 14
If using the Windows certificate store:
1.Check the Use MS store checkbox. The default is to use the Full Trusted Store.
2.To select an individual certificate, click on the Browse button.
3.Uncheck the Use full trusted store checkbox.
4.Select the desired certificate and click Select. You are returned to the Credentials screen.
5.Click OK then click Commit.
If using the Certs Path option:
1.Leave the Use MS store box unchecked.
2.Enter the certificate filename in the CA Cert text box.
3.Click OK then click Commit.
Sign-On vs. Stored Credentials
When using wireless security that requires a user name and password to be entered, the Summit Client Utility offers these choices:
•The Username and Password may be entered on the Credentials screen. If this method is selected, anyone using the device can access the network.
•The Username and Password are left blank on the Credentials screen. When the device attempts to connect to the network, a sign on screen is displayed. The user must enter the Username and Password at that time to authenticate.
•When using Summit with the Thor VM3, there is an option on the Global tab to use the Windows user name and password to log on instead of any username and password stored in the profile.
To Use Stored Credentials
1.After completing the other entries in the profile, click on the Credentials button.
2.Enter the Username and Password on the Credentials screen and click the OK button.
3.Click the Commit button.
4.For LEAP and WPA/LEAP, configuration is complete.
5.For PEAP-MSCHAP and PEAP-GTC, importing the CA certificate into the Windows certificate store is optional.
6.For EAP-TLS, import the CA certificate into the Windows certificate store. Also import the User Certificate into the Windows certificate store.
7.Access the Credentials screen again. Make sure the Validate server and Use MS store checkboxes are checked.
8.The default is to use the entire certificate store for the CA certificate. Alternatively, use the Browse button next to the CA Cert (CA Certificate Filename) on the Credentials screen to select an individual certificate.
9.For EAP-TLS, also enter the User Cert (User Certificate filename) on the credentials screen by using the Browse button.
10.If using EAP FAST and manual PAC provisioning, input the PAC filename and password.
11.Click the OK button then the Commit button.
3 - 15
12.If changes are made to the stored credentials, click Commit to save those changes before making any additional changes to the profile or global parameters.
13.Verify the device is authenticated by reviewing the Status tab. When the device is property configured, the Status tab indicates the device is Authenticated and the method used.
Note: See Configuring the Profile (page 3-18) for more details.
Note: If invalid credentials are entered into the stored credentials, the authentication will fail. No error message is displayed. The user may or may not be prompted to enter valid credentials.
To Use Sign On Screen
1.After completing the other entries in the profile, click on the Credentials button. Leave the Username and Password blank. No entries are necessary on the Credentials screen for LEAP or LEAP/WPA.
2.For PEAP-MSCHAP and PEAP-GTC, importing the CA certificate into the Windows certificate store is optional.
3.For EAP-TLS, import the CA certificate into the Windows certificate store. Also import the User Certificate into the Windows certificate store.
4.Access the Credentials screen again. Make sure the Validate server and Use MS store checkboxes are checked.
5.The default is to use the entire certificate store for the CA certificate. Alternatively, use the Browse button next to the CA Cert (CA Certificate Filename) on the Credentials screen to select an individual certificate.
6.For EAP-TLS, also enter the User Cert (User Certificate filename) on the credentials screen by using the Browse button.
7.Click the OK button then the Commit button.
8.When the device attempts to connect to the network, a sign-on screen is displayed.
9.Enter the Username and Password. Click the OK button.
10.Verify the device is authenticated by reviewing the Status tab. When the device is property configured, the indicates the device is Authenticated and the method used.
11.The sign-on screen is displayed after a reboot.
Note: See Configuring the Profile (page 3-18) for more details.
If a user enters invalid credentials and clicks OK, the device associates but does not authenticate. The user is again prompted to enter credentials.
If the user clicks the Cancel button, the device does not associate. The user is not prompted again for credentials until:
•the device is rebooted,
•the radio is disabled then enabled,
•the Reconnect button on the is clicked or
•the profile is modified and the Commit button is clicked.
To Use Windows Username and Password
Please see Logon Options (page 3-13) for information.
3 - 16
Windows Certificate Store vs. Certs Path
Note: It is important that all dates are correct on the Thor VM3 and host computers when using any type of certificate. Certificates are date sensitive and if the date is not correct authentication will fail.
!If using the Windows Certificate Store, the Windows Account must have a password. The password cannot be left blank. The Summit Client Utility uses the Windows user account credentials to access the Certificate Store. The Windows user account credentials need not be the same as the credentials entered in the Summit Client Utility.
User Certificates
EAP-TLS authentication requires a user certificate. The user certificate must be stored in the Windows certificate store.
•To generate the user certificate, see Generate a User Certificate (page 3-35).
•To import the user certificate into the Windows certificate store, see Install a User Certificate (page 3-37).
•A Root CA certificate is also needed. Refer to the section below.
Root CA Certificates
Root CA certificates are required for EAP/TLS, PEAP/GTC and PEAP/MSCHAP. Two options are offered for storing these certificates. They may be imported into the Windows certificate store or copied into the Certs Path directory.
Certs Path
1.See Generate a Root CA Certificate (page 3-32) and follow the instructions to download the Root Certificate to a PC.
2.Copy the certificate to specified directory on the mobile device. The default location for Certs Path is C:\Program Files\Summit\certs. A different location may be specified by using the Certs Path global variable.
3.When completing the Credentials screen for the desired authentication, do not check the Use MS store checkbox after checking the Validate server checkbox.
4.Enter the certificate name in the CA Cert text box.
5.Click OK to exit the Credentials screen and then Commit to save the profile changes.
Windows Certificate Store
1.See Generate a Root CA Certificate (page 3-32) and follow the instructions to download the Root Certificate to a PC.
2.To import the certificate into the Windows store, See Install a Root CA Certificate (page 3-34).
3.When completing the Credentials screen for the desired authentication, be sure to check the Use MS store checkbox after checking the Validate server checkbox.
4.The default is to use all certificates in the store. If this is OK, skip to the last step.
5.Otherwise, to select a specific certificate click on the Browse (…) button.
3 - 17
6.Uncheck the Use full trusted store checkbox.
7.Select the desired certificate and click the Select button to return the selected certificate to the CA Cert text box.
8.Click OK to exit the Credentials screen and then Commit to save the profile changes.
Configuring the Profile
Use the instructions in this section to complete the entries on the Profile tab according to the type of wireless security used by your network. The instructions that follow are the minimum required to successfully connect to a network. Your system may require more parameters than are listed in these instructions. Please see your system administrator for complete information about your network and its wireless security requirements.
To begin the configuration process:
•On the Main click the Admin Login button and enter the password.
•If using a single profile, edit the default profile with the parameters for your network. Select the Default profile from the pulldown menu.
•Make any desired parameter changes as described in the applicable following section determined by network security type and click the Commit button to save the changes.
IMPORTANT – Remember to click the Commit button after making changes to ensure the changes are saved. Many versions of the SCU display a reminder if the Commit button is not clicked before an attempt is made to close or browse away from the tab in focus if there are unsaved changes.
If changes are made to the stored credentials, click Commit to save those changes first before making any additional changes.
3 - 18
No Security
To connect to a wireless network with no security, make sure the following profile options are used.
1.Enter the SSID of the Access Point assigned to this profile
2.Set EAP Type to None
3.Set Encryption to None
4.Set Auth Type to Open
Once configured, click the Commit button.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated after the radio connects to the network.
3 - 19
WEP
To connect using WEP, make sure the following profile options are used.
1.Enter the SSID of the Access Point assigned to this profile
2.Set EAP Type to None
3.Set Encryption to WEP or Manual WEP (depending on SCU version)
4.Set Auth Type to Open
Click the WEP keys/PSKs button.
Valid keys are 10 hexadecimal or 5 ASCII characters (for 40-bit encryption) or 26 hexadecimal or 13 ASCII characters (for 128-bit encryption). Enter the key(s) and click OK.
Once configured, click the Commit button.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated after the radio connects to the network.
3 - 20
LEAP
To use LEAP (without WPA, also called WEP-LEAP), make sure the following profile options are used.
1.Enter the SSID of the Access Point assigned to this profile
2.Set EAP Type to LEAP
3.Set Encryption to WEP EAP or Auto WEP (depending on SCU version)
4.Set Auth Type as follows:
5.If the Cisco/CCX certified AP is configured for open authentication, set the Auth Type radio parameter to Open.
6.If the AP is configured to use shared key or passphrase, set the Auth Type radio parameter to Shared.
7.If the AP is configured for network EAP only, set the Auth Type radio parameter to LEAP.
See Sign-On vs. Stored Credentials (page 3-15) for information on entering credentials.
To use Stored Credentials, click on the Credentials button. No entries are necessary for Sign-On Credentials as the user will be prompted for the Username and Password when connecting to the network.
Enter the Domain\Username (if the Domain is required), otherwise enter the Username.
Enter the password. Click OK then click Commit.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated after the radio connects to the network.
3 - 21
PEAP/MSCHAP
To use PEAP/MSCHAP, make sure the following profile options are used.
1.Enter the SSID of the Access Point assigned to this profile
2.Set EAP Type to PEAP-MSCHAP
3.Set Encryption to WPA TKIP
4.Set Auth Type to Open
To use another encryption type, select WPA CCKM, WPA2 AES or WPA2 CCKM for encryption and complete other entries as detailed in this section.
See Sign-On vs. Stored Credentials (page 3-15) for information on entering credentials.
Click the Credentials button.
•No entries except the CA Certificate Filename are necessary for Sign-On Credentials as the user will be prompted for the User Name and Password when connecting to the network.
•For Stored Credentials, User, Password and the CA Certificate Filename must be entered.
Enter these items as directed below.
Enter the Domain\Username (if the Domain is required), otherwise enter the Username.
Enter the password.
Leave the CA Certificate File Name blank for now.
Click OK then click Commit. Ensure the correct Active profile is selected on the Main tab.
See Windows Certificate Store vs. Certs Path (page 3-17) for more information on certificate storage.
Once successfully authenticated, import the CA certificate into the Windows certificate store. Return to the Credentials screen and check the Validate server checkbox.
3 - 22
If using the Windows certificate store:
1.Check the Use MS store checkbox. The default is to use the Full Trusted Store.
2.To select an individual certificate, click on the Browse button.
3.Uncheck the Use full trusted store checkbox.
4.Select the desired certificate and click Select. You are returned to the Credentials screen.
5.Click OK then click Commit.
If using the Certs Path option:
1.Leave the Use MS store box unchecked.
2.Enter the certificate filename in the CA Cert text box.
3.Click OK then click Commit.
The device should be authenticating the server certificate and using PEAP/MSCHAP for the user authentication.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated after the radio connects to the network.
Note: The date must be properly set on the device to authenticate a certificate.
3 - 23
PEAP/GTC
To use PEAP/GTC, make sure the following profile options are used.
1.Enter the SSID of the Access Point assigned to this profile
2.Set EAP Type to PEAP-GTC
3.Set Encryption to WPA TKIP
4.Set Auth Type to Open
To use another encryption type, select WPA CCKM, WPA2 AES or WPA2 CCKM for encryption and complete other entries as detailed in this section.
See Sign-On vs. Stored Credentials (page 3-15) for information on entering credentials.
Click the Credentials button.
•No entries except the CA Certificate Filename are necessary for Sign-On Credentials as the user will be prompted for the User Name and Password when connecting to the network.
Enter these items as directed below.
Enter the Domain\Username (if the Domain is required), otherwise enter the Username.
Enter the password.
Leave the CA Certificate File Name blank for now.
Click OK then click Commit. Ensure the correct Active Profile is selected on the Main tab.
See Windows Certificate Store vs. Certs Path (page 3-17) for more information on certificate storage.
Once successfully authenticated, import the CA certificate into the Windows certificate store. Return to the Credentials screen and check the Validate server checkbox.
Note: Some servers may be configured to allow only a single use of the password for PEAP/GTC. In this case, wait for the token to update with a new password before attempting to validate the server. Then enter the new password, check the Validate Server checkbox and proceed with the certificate process below.
3 - 24
If using the Windows certificate store:
1.Check the Use MS store checkbox. The default is to use the Full Trusted Store.
2.To select an individual certificate, click on the Browse button.
3.Uncheck the Use full trusted store checkbox.
4.Select the desired certificate and click Select. You are returned to the Credentials screen.
5.Click OK then click Commit.
If using the Certs Path option:
1.Leave the Use MS store box unchecked.
2.Enter the certificate filename in the CA Cert text box.
3.Click OK then click Commit.
The device should be authenticating the server certificate and using PEAP/GTC for the user authentication.
Ensure the correct Active Profile is selected on the Main tab and restart. The SCU Main tab shows the device is associated after the radio connects to the network.
Note: The date must be properly set on the device to authenticate a certificate.
3 - 25