Greenpass leverages EAP-TLS technology, using built-in operating system facilities to get clients to present X.509 identity certificates to the system, and then using those certs to make authorization decisions.
IMPORTANT: In order to use EAP-TLS for authentication, you need to make sure your Internet Options allow the use of TLS 1.0. To make sure, open Internet Explorer and open up the Internet Options window (under the Tools menu). Click on the "Advanced" tab and you will see a list of options with checkboxes organized by headings. Look for the "Security" heading and check the box that reads "Use TLS 1.0" if it is not already checked.
EAP-TLS also requires support for 802.1x authentication. 802.1x is implemented in the updated versions of the Windows operating system. Users running Windows XP must have installed Service Pack 1 and users running Windows 2000 need Service Pack 4 to use Greenpass.
Guest users will need to be delegated access by an authorized delegator. You will need an X.509 identity certificate to prove your identity to the delegator (if you don't have one, the delegation page will create a dummy certificate for you).
1. Plug in your wireless card and pull up the Wireless Network Connection Properties window. Click on the "Wireless Networks" tab and you should see two boxes, "Available Networks" and "Preferred Networks." Presumably you are configured to use some other SSID and maybe are connected to it right now. You need to disconnect from this network. Removing the entry for that SSID from your Preferred Networks section will prevent that network from being selected (you can put it back later by following this same procedure but using the previous SSID). In the "Available Networks" box, you should see the name "Greenpass_Guest". Select it, and click the "Configure" button to the right of the box. Click OK at the bottom of the Wireless Network Properties window to add "Greenpass_Guest" to your list of "Preferred Networks".
Figure 1: Wireless Network Connection Dialogs
2. Click OK to close the Wireless Network Connection Properties window. Your wireless card should now search for a new connection to the wireless network. Keep an eye on the taskbar icon (bottom right of your screen) for your wireless connection. You should see a message informing you that you have connected to Greenpass_Guest.
Greenpass_Guest is our guest wireless network, used by guests to obtain the credentials needed to connect to the main network. The only network resource available on this network is a dedicated Web server that houses the guest delegation tools and provides instructions on how to obtain guest access. Any web traffic will be redirected to our web server.
1. Open up a web browser and you should see our Web server's main page. If you set your browser to open up to a blank page, try connecting to any website to get to our server.
2. Follow the instructions on the pages to complete the delegation process. If you've got no X.509 identity cert, click on "Obtain a new, temporary certificate" and follow the instructions on the subsequent web pages to get your guest certificate.
"Authorized_User" is our secured Wireless Network that only local users or guests who have undergone delegation are allowed to access.
Access to "Authorized_User" is controlled via a modified RADIUS server. Before you can send your certificate to this server for authentication, you need to trust it. Therefore, you may need to install the root certificate of your local CA in order to trust the certificate that is received from the RADIUS server. This step may not be necessary because the server's cert could be vouched for by an institution you already trust or a large commercial trust root (like Verisign).
1. To install another root certificate, download it onto your machine and open the file. A window displaying the certificate will open and on the bottom there will be a button labelled Install Certificate. The installation process is similar to that of your personal certificate. The main difference is that when the certificate import wizard asks you where to place the certificate, you select the "Place all certificates in the following store" option. Click the Browse button and select Trusted Root Certification Authorities as the Certificate store (Figure 2). When the wizard is finished, it will prompt you to confirm the addition of the certificate. Click OK to confirm.
Figure 2: Installing the root CA certificate.
Now you are ready to authenticate to the network.
2. Pull up the Wireless Network Connection Properties window (see Figure 1). You should again see a window with two boxes, "Available Networks" and "Preferred Networks". We need to add our secured network to your Preferred Networks so your machine knows to connect to it. Click on the Add button under the Preferred Networks box. This should bring up the Wireless Network Properties window. Under the Association tab enter "Authorized_User" (case and space sensitive) for the Network name (SSID). From the pull-down menus select "Open" for Network Authentication and "WEP" for Data Encryption. Check the box that reads, "The key is provided for me automatically" (see Figure 3). Now click on the Authentication tab. Make sure the box that reads "Enable IEEE 802.1x authentication for this network" is checked. Under the EAP Type pull-down menu, select "Smart Card or other Certificate." Click OK to close the window and OK again to close the Wireless Network Connection Properties window as well.
Figure 3: The "Authorized_User" SSID properties window.
3. At this point your wireless card should look for a connection to the wireless network. Since any previous SSID was removed from the list of Preferred Networks, it will try to connect to the Greenpass network instead. Keep an eye on the taskbar icon (on the bottom right of your screen) for your wireless network connection. If you get a message about processing more information, click on the message window. This should pop up a window asking whether you want to trust the server certificate that was issued by Greenpass CA. Click OK to continue the authentication process. Eventually you should see a little window on the taskbar that informs you that you are connected to Authorized_User.
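A check to run before step 1 of the "Authorized_User" procedure places a downloaded root in the trusted store: compare the file's thumbprint with the value the network administrator publishes through a separate channel. This is an added example, not part of the Greenpass tools; the function names, the sample bytes and the published value are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return the DER encoding from a certificate file (PEM or raw DER)."""
    m = PEM_BLOCK.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":  # DER certificates start with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def thumbprint(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of the DER bytes; use algo='sha1' to match the
    Thumbprint field shown in the Windows certificate viewer."""
    return hashlib.new(algo, cert_der(data)).hexdigest()

def normalise(fp: str) -> str:
    """Strip spaces/colons and lower-case a fingerprint typed by hand."""
    hexonly = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]+", hexonly):
        raise ValueError("fingerprint contains non-hex characters")
    return hexonly

def matches(data: bytes, expected: str, algo: str = "sha256") -> bool:
    """True only if the file's thumbprint equals the published one."""
    return hmac.compare_digest(thumbprint(data, algo), normalise(expected))

# Constructed stand-in bytes (a tiny DER SEQUENCE), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
# Stands in for the value the administrator would publish out of band.
PUBLISHED = ":".join(re.findall("..", thumbprint(SAMPLE_DER))).upper()

if __name__ == "__main__":
    print("PEM and DER agree:", thumbprint(SAMPLE_PEM) == thumbprint(SAMPLE_DER))
    print("matches published:", matches(SAMPLE_PEM, PUBLISHED))
    print("altered file     :", matches(SAMPLE_DER + b"\x00", PUBLISHED))
```

In practice, read the downloaded file with `open(path, "rb").read()` and pass the administrator's published fingerprint as `expected`; install the certificate only when `matches` returns True.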