Cisco Secure Services Client Administrator Guide, Release 4.1
SSC Admin Guide Schema chapter

Table Of Contents

Schema Elements

Introduction

Configuring the Distribution Package

Configuring Your License

Configuring Your Policy

User Control Policy

Network Policy

Configuring Your Connection Settings

Configuring Networks

Choosing a Network Media Type

Configuring a Wi-Fi Network

Configuring a Wired Network

Wi-Fi Network Base Elements

Choosing the Wi-Fi Network's Security Class

Configuring an Open Wi-Fi Network

Configuring a Shared-key Wi-Fi Network

Configuring a Shared-key, Machine Network

Configuring a Shared-key, User Network

Choosing the Shared-key Type

Configuring a WEP Shared-key

Choosing the WEP Association

Choosing the WEP Key Format

Configuring a WPA/WPA2 Shared-key

Choosing the WPA/WPA2 Key Format

Configuring an Authenticating Wi-Fi Network

Configuring the Authentication Association Mode

Choosing the Association Mode

Configuring the Authenticating Network Base Elements

Configuring Server Validation

Configuring Certificate Trusted Server Rules

Configuring PAC Trusted Server Rules

Adding CA Certificates

Choosing the Authentication Network's Connection Context

Configuring an Authenticating, Machine-only Network

Configuring the Authenticating, Machine Credential Source Elements

Configuring the Authenticating, Connection Independent Base Elements

Configuring the Authentication Static Credential Elements

Configuring an Authenticating, User-Only Network

Configuring the Authenticating, User-Only Connection Occurrence Elements

Configuring the Authenticating, User Credential Source (1) Elements

Configuring the Authenticating, User Credential Source (2) Elements

Choosing Prompted Credential Storage

Configuring the FAST PAC Elements

Configuring an Authenticating, Machine and User Network

Configuring the Authenticating, User Connection Occurrence Elements

Wired Network Base Elements

Choosing the Wired Network's Security Class

Configuring an Authenticating Wired Network

Choosing Wi-Fi EAP Methods

Choosing Wired EAP Methods

Choosing Wi-Fi/Wired EAP Methods

Configuring EAP-FAST

Configuring EAP-PEAP

Configuring EAP-TTLS

Configuring EAP-TLS

Configuring EAP Base Elements

Configuring FAST Client Certificates

Configuring PEAP Client Certificates

Configuring the Client Certificate Source

Configuring Inner Methods

Configuring TTLS Inner Methods


Schema Elements


Introduction

This chapter contains detailed specifications for naming conventions, allowed element and attribute values, element structure and element combinations required to create the distribution package file.

This chapter contains the following sections:

Configuring the Distribution Package

Configuring Your License

Configuring Your Policy

User Control Policy

Network Policy

Configuring Your Connection Settings

Configuring Networks


Note Throughout this chapter, a full schema path is given for each occurrence of an element. There are two common instances of multiple paths for which the following abbreviation is used:

The path configuration/networks/[wifiNetwork | wiredNetwork]/ is an abbreviation which expands to two separate paths:

configuration/networks/wifiNetwork/

configuration/networks/wiredNetwork/

The path configuration/networks/[wifiNetwork | wiredNetwork]/authenticationNetwork/[machineAuthentication | userAuthentication | machineUserAuthentication/machine | machineUserAuthentication/user]/ is an abbreviation which expands to eight separate paths:

configuration/networks/wifiNetwork/authenticationNetwork/machineAuthentication/

configuration/networks/wifiNetwork/authenticationNetwork/userAuthentication/

configuration/networks/wifiNetwork/authenticationNetwork/machineUserAuthentication/machine/

configuration/networks/wifiNetwork/authenticationNetwork/machineUserAuthentication/user/

configuration/networks/wiredNetwork/authenticationNetwork/machineAuthentication/

configuration/networks/wiredNetwork/authenticationNetwork/userAuthentication/

configuration/networks/wiredNetwork/authenticationNetwork/machineUserAuthentication/machine/

configuration/networks/wiredNetwork/authenticationNetwork/machineUserAuthentication/user/



Note Throughout this chapter, where an element has a relational restriction with another element, the requirement is captured in its business rule statement. The concept of a business rule is described in Chapter 1, "Enterprise Deployment", "Schema Validation".


Configuring the Distribution Package

Start here to create your distribution package. Configure the following element:

configuration

Schema path:

configuration

The base element configuration forms the container for the distribution package. No element value is specified.

This element has the following required attributes:

major_version—Required with value = 4.

minor_version—Required with value = 1.

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"—Copy as defined here.

xsi:noNamespaceSchemaLocation="C:\yourPath\distributionPackage.xsd"—Contains the absolute or relative path to the schema used to instantiate a particular .xml distribution package file; in this case it must point to distributionPackage.xsd.

The value is important only if you are using a commercial XML development tool. The sscConfigProcess utility does not use this attribute value, so use the following text in your distribution package .xml file:

xsi:noNamespaceSchemaLocation="distributionPackage.xsd"


Note The first line of your distribution package .xml file contains the following text when the XML file is created by a commercial tool or from the examples in this document:
<?xml version="1.0" encoding="UTF-8"?>

The need to include this line depends on your choice of distribution package file creation tools. The postprocessing utility and the SSC do not require this statement in the XML file.



Step 1 Perform the tasks defined in "Configuring Your License".

Step 2 Perform the tasks defined in "Configuring Your Policy".

Step 3 Perform the tasks defined in "Configuring Your Connection Settings".

Step 4 Perform the tasks defined in "Configuring Networks".


The following example illustrates the distribution package XML for the base element, configuration, and its child elements. The order of the child elements is restricted to that shown.

Example 2-1 Base Element

<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="C:\yourPath\distributionPackage.xsd"
    minor_version="1" major_version="4">
    <license>your-license</license>
    <networkPolicy>
        {child elements}
    </networkPolicy>
    <networks>
        {child elements}
    </networks>
    <connectionSettings>
        {child elements}
    </connectionSettings>
    <userControlPolicy>
        {child elements}
    </userControlPolicy>
</configuration>

Configuring Your License

Configure the following element:

license

Schema path:

configuration/license

The value of the optional element license specifies the license for the deployed end-user SSC.

The following items are affected by the license:

Individual authentication methods.

Network adapter media types - wired, wireless.

Credentials through a smartcard.

Wi-Fi WPA2/802.11i (Wi-Fi WPA is standard with wireless media support.)

Cisco Trust Agent (CTA) processing when CTA is also installed.

A companion User Control policy element, allowLicensing, will allow the end-user to enter any required license.


Note If you want to control licensing in the end-user SSC, the initial deployment of the end-user SSC requires the use of this element with your enterprise license. Subsequent distribution package updates do not have to include this optional element.


Example 2-2 license

<license>T244-YKGP-UMG5-Y2F2-5KMH-5OYX-DAR4-POND-52Z5-MHJZ-3LOD-SLYL-U5YA-IUKU-M3TC-JNO7-3MEM-LGAA</license>

Configuring Your Policy

All distribution package files must contain a configuration definition for the policy of any deployed SSC.


Note The rights granted by the license pre-empt any policy configuration. For example, if you configure the policy for wireless media support but the license is wired media only, the deployed distribution package file will be accepted by the SSC, but it will only support wired networks. The relationship of the license to the policy is not verified by the postprocessing utility.


User Control Policy

Configure the following element:

userControlPolicy

Schema path:

configuration/userControlPolicy

The mandatory element userControlPolicy forms the container for specifying the policy for the user control of the SSC. No element values are specified.

Follow these steps to configure the following child elements of userControlPolicy. The order of the child elements is restricted as shown in these steps.


Step 1 Configure the following policy element for user interface:

clientUIType

Schema path:

configuration/userControlPolicy/clientUIType

The value of the mandatory element clientUIType specifies the user interface type.

The element has the following values:

preset—Prevents the end-user from creating new networks and is an excellent choice for end-stations that will only encounter networks that you control. The Preset client has a limited user interface allowing the end-user to obtain status only for predefined networks.

configurable—Allows your end-users to create new networks and is an excellent choice for end-stations that will move out of your enterprise networks to home or travel networks. The Configurable client has a robust user interface allowing the end-user to obtain status as well as define networks.

Step 2 Configure the following policy element for licensing methods:

allowLicensing

Schema path:

configuration/userControlPolicy/allowLicensing

The boolean value of the mandatory element allowLicensing specifies whether or not the end-user can directly license SSC from the user interface.

The element has the following values:

true—Allows the end-user access to the Activate Product Features dialog where direct installation of a new license is available.

false—Disallows licensing by the user interface. Use this setting if you intend to control licensing only from the distribution package.

Step 3 Configure the following policy element for media support:

allowedMedia

Schema path:

configuration/userControlPolicy/allowedMedia

The mandatory element allowedMedia forms the container for specifying which media types are supported. No element values are specified.


Note The allowed media types are also controlled by the license that has precedence. In other words if your license permits only wired media, then specifying Wi-Fi support here in the distribution package will have no effect.


Business rule: at least one child element must be specified.

Specify one or both of the following child elements. The order of the two child elements is not restricted.

wifi

Schema path:

configuration/userControlPolicy/allowedMedia/wifi

The presence of the optional element wifi specifies support for wireless (Wi-Fi) connections. It is an empty element with no value.

wired

Schema path:

configuration/userControlPolicy/allowedMedia/wired

The presence of the optional element wired specifies support for wired connections. It is an empty element with no value.


The following example illustrates the distribution package XML for the userControlPolicy element and its child elements. The order of the child elements is restricted to that shown.

Example 2-3 userControlPolicy

<userControlPolicy>
    <clientUIType>configurable</clientUIType>
    <allowLicensing>false</allowLicensing>
    <allowedMedia>
        <wired/>
        <wifi/>
    </allowedMedia>
</userControlPolicy>

Network Policy

Configure the following element:

networkPolicy

Schema path:

configuration/networkPolicy

The mandatory element networkPolicy forms the container for specifying the policy for how networks can be configured and what settings are accessible to the end-user. No element values are specified.

Follow these steps to configure the following child elements of networkPolicy. The order of the child elements is restricted as shown in these steps.


Step 1 Configure the following policy element for association modes:

allowedAssociationModes

Schema path:

configuration/networkPolicy/allowedAssociationModes

The mandatory element allowedAssociationModes forms the container for specifying the wireless association modes allowed in any of your wireless network configurations. No element values are specified.

This policy specification applies to networks created by the administrator elsewhere in the distribution package file and to networks created by the end-user from the deployed SSC's user interface.

Business rule: At least one child element must be specified when you are also configuring a wireless network (element wifiNetwork).

Specify one or more of the following wireless association modes:

The order of the child elements is not restricted.

In a wired-only environment, only element open is necessary.

Wi-Fi open association with no encryption or Wired open—Use element open.

Wi-Fi WPA Personal—Use element wpa-Personal.

Wi-Fi WPA Enterprise—Use element wpa-Enterprise.

Wi-Fi WPA2 Personal—Use element wpa2-Personal.

Wi-Fi WPA2 Enterprise—Use element wpa2-Enterprise.

Legacy wireless open association with static WEP encryption (staticWep) or shared association with WEP shared keys (shared) or open association with 802.1X WEP encryption (dynamicWep)—Use element wep.

open

wpa-Personal

wpa-Enterprise

wpa2-Personal

wpa2-Enterprise

wep

Schema paths:

configuration/networkPolicy/allowedAssociationModes/open
configuration/networkPolicy/allowedAssociationModes/wpa-Personal
configuration/networkPolicy/allowedAssociationModes/wpa-Enterprise
configuration/networkPolicy/allowedAssociationModes/wpa2-Personal
configuration/networkPolicy/allowedAssociationModes/wpa2-Enterprise
configuration/networkPolicy/allowedAssociationModes/wep

The presence of any of these elements specifies support for the association mode. All are empty elements with no values.

Step 2 Configure the following policy element for authentication methods:

allowedEapMethods

Schema path:

configuration/networkPolicy/allowedEapMethods

The mandatory element allowedEapMethods forms the container for specifying which EAP methods are allowed to be used for the primary (or outer tunnel) authentication protocol in any of your network configurations. (The set of EAP methods allowed for use in any inner tunnel of a tunneled EAP method is not affected by this policy.) No element values are specified.

This policy specification applies to networks created by the administrator elsewhere in the distribution package file and to networks created by the end-user from the deployed SSC's user interface.


Note The allowed EAP methods are also controlled by the license that has precedence. In other words if your license does not permit EAP-FAST, then specifying FAST support here in the distribution package will have no effect.


Business rule: At least one child element must be specified when also configuring an authenticating network (element authenticationNetwork).

Specify one or more of the following authentication methods:

The order of the child elements is not restricted.

EAP-MD5—Use element eapMd5.

EAP-MSCHAPv2—Use element eapMschapv2.

EAP-GTC—Use element eapGtc.

EAP-FAST—Use element eapFast.

EAP-PEAP—Use element eapPeap.

EAP-TTLS—Use element eapTtls.

EAP-TLS—Use element eapTls.

LEAP—Use element leap.

eapMd5

eapMschapv2

eapGtc

eapFast

eapPeap

eapTtls

eapTls

leap

Schema paths:

configuration/networkPolicy/allowedEapMethods/eapMd5
configuration/networkPolicy/allowedEapMethods/eapMschapv2
configuration/networkPolicy/allowedEapMethods/eapGtc
configuration/networkPolicy/allowedEapMethods/eapFast
configuration/networkPolicy/allowedEapMethods/eapPeap
configuration/networkPolicy/allowedEapMethods/eapTtls
configuration/networkPolicy/allowedEapMethods/eapTls
configuration/networkPolicy/allowedEapMethods/leap

The presence of any of these elements specifies support for the authentication method. All are empty elements with no values.

Step 3 Configure the following policy element for trusted servers:

serverValidationPolicy

Schema path:

configuration/networkPolicy/serverValidationPolicy

The mandatory element serverValidationPolicy forms the container for specifying how authenticating networks must process the validation of the associated authentication server. No element value is specified.

Specify one of the following policies:

Force server validation for all networks—Use element alwaysValidate.

Configure server validation on a per network basis—Use element allowUserValidationControl.

The chosen policy applies to networks created by the administrator elsewhere in the distribution package file and to networks created by the end-user from the deployed SSC's user interface.

allowUserValidationControl

Schema path:

configuration/networkPolicy/serverValidationPolicy/allowUserValidationControl

The existence of the allowUserValidationControl element allows for individualized configuring of server validation. The configuration of whether or not server validation is performed is made on a per EAP method basis within each network.

alwaysValidate

Schema path:

configuration/networkPolicy/serverValidationPolicy/alwaysValidate

The existence of the alwaysValidate element specifies that all authenticating networks using a mutually authenticating method must perform server validation as part of the authentication process. This applies for networks created by the IT administrator in the distribution package and by an end-user from the user interface.

Business rule: All network validateServerIdentity elements must have the value true.

Configure the following child element dealing with the policy for end-user creation of trusted server rules.

allowUserTrustedServers

Schema path:

configuration/networkPolicy/serverValidationPolicy/alwaysValidate/allowUserTrustedServers

The boolean value of the mandatory element allowUserTrustedServers specifies whether or not to allow the end users to define trusted servers for their own locally created private networks. (Trusted servers defined by the IT administrator, and deployed to the end-user can never be edited by the end-user and are not affected by this policy element.)

The element has the following values:

true—Allows end-users to create trusted server rules.

false—Disallows end-users from creating trusted server rules. The deployed user interface is modified accordingly.

Step 4 Configure the following policy element for multiple connection operation:

allowUserSimultaneousConnectionsControl

Schema path:

configuration/networkPolicy/allowUserSimultaneousConnectionsControl

The boolean value of the mandatory element allowUserSimultaneousConnectionsControl specifies whether or not to allow the end users to have control over changing the setting which specifies how SSC deals with multiple network adapters. (The companion Connection Setting element, simultaneousConnections, sets the deployed mode.)

The element has the following values:

true—Allows end-users to change the way connections are made.

false—Disallows end-users from changing the way connections are made. The deployed user interface is modified accordingly.

Business rule: If the deployed connection setting element, simultaneousConnections, is set to singleHomed, then the end-user is not allowed to change to a less secure mode and this option is not allowed.

Step 5 Configure the following policy element for storing credentials:

allowedCredentialStorage

Schema path:

configuration/networkPolicy/allowedCredentialStorage

The mandatory element allowedCredentialStorage forms the container for specifying how long to store credentials that are obtained directly from the user through prompting. No element values are specified.

Business rule: At least one child element must be specified when you are also configuring an authenticating network with a credential collection method of prompting (element prompt/credentialsStorage).

Specify one or more of the following storage durations for user-prompted credentials:

The order of the child elements, when present, is restricted as listed here.

Forever, that is, until changed—Use element forever.

For the duration of the current login session—Use element logonSession.

For a specified timed duration—Use element duration.

This policy specification applies to networks created by the administrator elsewhere in the distribution package file and to networks created by the end-user from the deployed SSC's user interface.

forever

Schema path:

configuration/networkPolicy/allowedCredentialStorage/forever

The presence of this optional element specifies support for permanently saving the user credentials. When either the credentials fail or the authentication server issues a password change request, the user will be re-prompted for the new credentials which will replace the previously saved values. After the initial prompt and save, this option acts like a static credential. It is an empty element with no value.

logonSession

Schema path:

configuration/networkPolicy/allowedCredentialStorage/logonSession

The presence of this optional element specifies support for saving the user credentials only during the current login session. When the user logs out, the credentials are deleted. It is an empty element with no value.

duration

Schema path:

configuration/networkPolicy/allowedCredentialStorage/duration

The presence of this optional element specifies support for saving the user credentials only for a specified time period. When the time period expires, the credentials are deleted. However the connection is maintained and there is no immediate re-prompt. A subsequent re-authentication request that is issued after the time-out will result in a re-prompt for the user's credentials. The value of the element specifies the global time-out period (in minutes) which applies to all networks defined to use this storage type.

Restriction: The specified time must be between 1 - 3600 (1 minute to approximately 2 1/2 days).

Step 6 Configure the following policy element for WPA handshake validation:

allowUserWpaHandshakeValidationControl

Schema path:

configuration/networkPolicy/allowUserWpaHandshakeValidationControl

The boolean value of the mandatory element allowUserWpaHandshakeValidationControl specifies whether or not to allow the end users to have control over changing the setting which specifies how SSC deals with WPA handshake validation. (The companion Connection Setting element, validateWpaHandshake, sets the deployed mode.)

The element has the following values:

true—Allows end-users to change the way the WPA protocol is processed.

false—Disallows end-users from changing the way the WPA protocol is processed. The deployed user interface is modified accordingly.
Cisco recommends this setting since your user may not have sufficient knowledge of the capabilities of the network adapter in use. See the Connection Setting element, validateWpaHandshake, for more information.

In a wired-only environment, this element is not used and can be given either value.

Step 7 Configure the following policy element for the scope of the network connection:

allowPublicProfileCreation

Schema path:

configuration/networkPolicy/allowPublicProfileCreation

The boolean value of the mandatory element allowPublicProfileCreation specifies the connection scope of networks created by the end-user through the SSC's user interface.

The element has the following values:

true—the end-user is capable of defining a public network that allows for:

creating networks that will be shared among all users.

creating networks with a machine connection context.

false—end-users are restricted to only creating private networks for themselves. The deployed user interface is modified accordingly.


Note All networks defined in the distribution package by the administrator are public.



The following example illustrates the distribution package XML for the networkPolicy element and its child elements. The order of the child elements is restricted to that shown.

Example 2-4 networkPolicy

<networkPolicy>
    <allowedAssociationModes>
        <!--open network-->
        <open/>
        <!--shared key network-->
        <wpa-Personal/>
        <wpa2-Personal/>
        <!--authenticating network-->
        <wpa-Enterprise/>
        <wpa2-Enterprise/>
        <!--legacy WEP (staticWep, shared and dynamicWep) is covered by the single element wep-->
        <wep/>
    </allowedAssociationModes>
    <allowedEapMethods>
        <!--wired only-->
        <eapMd5/>
        <eapMschapv2/>
        <eapGtc/>
        <!--wired or wireless-->
        <eapFast/>
        <eapPeap/>
        <eapTls/>
        <eapTtls/>
        <leap/>
    </allowedEapMethods>
    <serverValidationPolicy>
        <alwaysValidate>
            <allowUserTrustedServers>true</allowUserTrustedServers>
        </alwaysValidate>
    </serverValidationPolicy>
    <allowUserSimultaneousConnectionsControl>false</allowUserSimultaneousConnectionsControl>
    <allowedCredentialStorage>
        <forever/>
        <logonSession/>
        <duration>5</duration>
    </allowedCredentialStorage>
    <allowUserWpaHandshakeValidationControl>false</allowUserWpaHandshakeValidationControl>
    <allowPublicProfileCreation>false</allowPublicProfileCreation>
</networkPolicy>

Configuring Your Connection Settings

Configure the following element:

connectionSettings

Schema path:

configuration/connectionSettings

The mandatory element connectionSettings forms the container for configuring the deployed settings for any global operational aspects of making network connections. No element values are specified.

Follow these steps to configure the following child elements of element connectionSettings. The order of the child elements is restricted as shown in these steps.


Step 1 Configure the following connection setting element:

simultaneousConnections

Schema path:

configuration/connectionSettings/simultaneousConnections

The value of the mandatory element simultaneousConnections specifies the multiplicity of connections for all networks.

The element has the following values:

singleHomed—restricted to creating only a single connection at a time (prevents multi-homed configurations).

multiHomed—allows multiple simultaneous connections (allows multi-homed network connections). For the selected network, SSC will attempt to make a connection for all equipped and managed wired and wireless network adapters.

Allowing the end-user to override the deployed (initial) setting is controlled by its companion network policy element, allowUserSimultaneousConnectionsControl.

Business rule: If singleHomed is configured, then the companion user control policy element, allowUserSimultaneousConnectionsControl, must be configured to false. End-users may not override the administrator's choice of the restricted mode of operation.

Step 2 Configure the following connection setting element:

validateWpaHandshake

Schema path:

configuration/connectionSettings/validateWpaHandshake

The boolean value of the mandatory element validateWpaHandshake specifies how SSC deals with WPA handshake validation. WPA's sophisticated key management requires driver capabilities that may not all be available in older embedded network adapters. In order to support situations where the environment contains a large base of older adapters, SSC provides a security bypass capability for WPA/WPA2 so that no RSN probe response/beacon IE verification is required in the 4-Way Handshake.

The element has the following values:

true—enable WPA/WPA2 handshake validation. (recommended)
Use this setting when your end-stations all have wireless adapters with fully compliant WPA/WPA2 drivers, as required by the standards.

false—disable WPA/WPA2 handshake validation.
Use this setting only for special cases in which your wireless adapter's driver is known to have this deficiency.


In a wired-only environment, this element is not used and can be given either value.

Allowing the end-user to override the deployed (initial) setting is controlled by its companion network policy element, allowUserWpaHandshakeValidationControl.

The following example illustrates the distribution package XML for the connectionSettings element and its child elements. The order of the child elements is restricted to that shown.

Example 2-5 connectionSettings

<connectionSettings>
    <simultaneousConnections>singleHomed</simultaneousConnections>
    <validateWpaHandshake>false</validateWpaHandshake>
</connectionSettings>

Configuring Networks


Tip Configuring a network is the central part of the distribution package definition and is also the most complex. As an aid, Appendix A, "Network Decision Tree Flow Diagram" provides an overview of the XML schema decision tree for configuring a network connection and serves as a graphical index to the following sections.


Configure the following element:

networks

Schema path:

configuration/networks

The element networks forms the container for your predefined enterprise networks. No element values are specified. Each child and its contents represent the configuration of an individual network.

This is an optional element. Omitting it implies that there will be no administrator-defined networks in the deployed end-user client. In this case only the end-user is expected to create network definitions.


Note The client cannot make unilateral choices - the configuration of a network is primarily determined by the policy of the authentication server and its associated access devices. The client must be appropriately configured to conform to its overall environment.


The first choice required in defining a network is to select a network type based on the media type of the connection.

Next item: "Choosing a Network Media Type".

Choosing a Network Media Type

Specify one of the following network media types:

802.3 wired (Ethernet)—Use element wiredNetwork.

802.11 wireless (Wi-Fi)—Use element wifiNetwork.

wiredNetwork

Schema path:

configuration/networks/wiredNetwork

The optional element wiredNetwork forms the container for configuring an Ethernet (802.3) network. No element values are specified.

Business rule: only one wiredNetwork element is allowed. All wired (Ethernet) adapters can only be applied to a single wired network.

Business rule: This is a valid choice only if the wired media type is supported by the policy. See element wired in section "User Control Policy".

Next item: "Configuring a Wired Network".

wifiNetwork

Schema path:

configuration/networks/wifiNetwork

The optional element wifiNetwork forms the container for configuring an individual Wi-Fi (802.11) network. No element values are specified. Multiple wifiNetwork elements may be defined.

Business rule: This is a valid choice only if the wireless media type is supported by the policy. See element wifi in section "User Control Policy".

Next item: "Wi-Fi Network Base Elements".

The following example illustrates the distribution package XML for the networks element and its child elements. The order of the two possible child elements is not restricted.

Example 2-6 networks

<networks>
    <wiredNetwork>
        {child elements}
    </wiredNetwork>
    <wifiNetwork>
        {child elements}
    </wifiNetwork>
    <wifiNetwork>
        {child elements}
    </wifiNetwork>
</networks>

Configuring a Wi-Fi Network

Follow the tasks in the following sections to configure a Wi-Fi network.

1. "Wi-Fi Network Base Elements"

2. "Choosing the Wi-Fi Network's Security Class"

Configuring a Wired Network

Follow the tasks in the following sections to configure a wired network.

1. "Wired Network Base Elements"

2. "Choosing the Wired Network's Security Class"

Wi-Fi Network Base Elements

Configure the following elements:

displayName

Schema path:

configuration/networks/wifiNetwork/displayName

The value of the mandatory element displayName specifies the user-friendly name that is used only for display purposes throughout the SSC's various dialogs.

ssid

Schema path:

configuration/networks/wifiNetwork/ssid

The value of the mandatory element ssid contains the configured name of the access point, that is, its Service Set Identifier (SSID). The SSID is a unique identifier that distinguishes between multiple wireless networks in the same vicinity.

Note The value must be as defined by the access point's configuration.

Restriction: SSIDs are limited to 32 ASCII characters.

Business rule: SSIDs are unique. The same value may not be applied to more than one ssid element.

associationRetries

Schema path:

configuration/networks/wifiNetwork/associationRetries

The value of the mandatory element associationRetries specifies the number of times SSC attempts to associate with the access point during a connection attempt. Due to the variability of radio transmissions, association attempts are typically retried a few times before the authentication session gives up so as to avoid being too sensitive to occasional lost bits in the transmission.

Additionally, even though associationRetries is configured on an individual network basis, only one global setting applies to all networks. After deployment, SSC extracts the maximum value entered for all configured networks and uses that for its global value.

Restriction: the number of retries is limited to 99.

Default: the recommended value is 3.

beaconing

Schema path:

configuration/networks/wifiNetwork/beaconing

The boolean value of the mandatory element beaconing specifies whether or not the access point advertises its name and therefore sets the criteria SSC uses for determining the physical existence of the access point.

The element has the following values:

True—Issues beacons or responses to active probe and is detected through standard wireless radio scanning.

False—Not configured to be detectable via a standard scan and therefore requires an active search process to detect its existence. A non-beaconing access point is referred to as a hidden access point.

The following example illustrates the distribution package XML for the wifiNetwork element and its child elements. The order of the child elements is restricted to that shown.

Example 2-7 partial wifiNetwork

<wifiNetwork>
    <displayName>My Corporate Wi-Fi Network</displayName>
    <ssid>MyCorpNet</ssid>
    <associationRetries>3</associationRetries>
    <beaconing>true</beaconing>
    <!--{your choice of network security class goes here}-->
</wifiNetwork>
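The following Python script is an added example; it is not part of the Cisco guide or of the SSC tooling. It checks a networks subtree against the rules stated in this section and in "Choosing a Network Media Type": at most one wiredNetwork element, the four base elements of each wifiNetwork in the restricted order, the 32-character ASCII limit and the uniqueness of ssid, the limit of 99 on associationRetries, and a boolean beaconing value. It also computes the global associationRetries value that SSC derives after deployment, the maximum over all configured networks. The sample XML is constructed for the example. The script assumes the fragment is well-formed and carries no XML namespace, and it treats associationRetries as a non-negative integer, which the guide does not state explicitly.

```python
"""Check the networks subtree of an SSC distribution package against the
business rules and restrictions stated in the guide. Added example; not Cisco code."""
import xml.etree.ElementTree as ET

MAX_SSID_LEN = 32        # Restriction: SSIDs are limited to 32 ASCII characters
MAX_RETRIES = 99         # Restriction: the number of retries is limited to 99
BASE_ORDER = ["displayName", "ssid", "associationRetries", "beaconing"]  # restricted order
BOOLEANS = {"true", "false", "1", "0"}  # xs:boolean lexical forms; the guide's examples use lowercase


def check_networks(xml_text):
    """Return (errors, global_retries).

    errors is a list of human-readable rule violations; global_retries is the value SSC
    uses after deployment, the maximum associationRetries over all valid wifiNetwork
    elements (None when no network supplies a valid value)."""
    root = ET.fromstring(xml_text)
    errors = []
    # Business rule: only one wiredNetwork element is allowed.
    wired = root.findall("wiredNetwork")
    if len(wired) > 1:
        errors.append(f"{len(wired)} wiredNetwork elements found; only one is allowed")
    seen_ssids = set()
    retries = []
    for idx, net in enumerate(root.findall("wifiNetwork")):
        where = f"wifiNetwork[{idx}]"
        tags = [child.tag for child in net]
        # The mandatory base elements must be present and in the restricted order.
        if tags[:len(BASE_ORDER)] != BASE_ORDER:
            errors.append(f"{where}: base elements must appear as {BASE_ORDER}, got {tags[:4]}")
            continue
        ssid = net.findtext("ssid") or ""
        if not (1 <= len(ssid) <= MAX_SSID_LEN) or not ssid.isascii():
            errors.append(f"{where}: ssid must be 1 to {MAX_SSID_LEN} ASCII characters")
        elif ssid in seen_ssids:
            # Business rule: SSIDs are unique across all wifiNetwork elements.
            errors.append(f"{where}: ssid {ssid!r} is already used by another network")
        seen_ssids.add(ssid)
        raw = (net.findtext("associationRetries") or "").strip()
        # Assumption: a non-negative integer; the guide only states the upper limit of 99.
        if not raw.isdigit() or int(raw) > MAX_RETRIES:
            errors.append(f"{where}: associationRetries must be an integer no greater than {MAX_RETRIES}")
        else:
            retries.append(int(raw))
        if (net.findtext("beaconing") or "").strip() not in BOOLEANS:
            errors.append(f"{where}: beaconing must be a boolean value")
    global_retries = max(retries) if retries else None
    return errors, global_retries


def wifi(display, ssid, retries, beaconing):
    """Build one wifiNetwork fragment for the constructed samples below."""
    return (f"<wifiNetwork><displayName>{display}</displayName><ssid>{ssid}</ssid>"
            f"<associationRetries>{retries}</associationRetries>"
            f"<beaconing>{beaconing}</beaconing></wifiNetwork>")


# Constructed sample: one wired network and two Wi-Fi networks; the global retry value is 5.
SAMPLE_OK = ("<networks><wiredNetwork/>" + wifi("Corp", "MyCorpNet", 3, "true")
             + wifi("Lab", "LabNet", 5, "false") + "</networks>")

# Constructed sample violating five rules: two wiredNetwork elements, a duplicate SSID,
# associationRetries above 99, a non-boolean beaconing value and a 33-character SSID.
SAMPLE_BAD = ("<networks><wiredNetwork/><wiredNetwork/>" + wifi("Corp", "MyCorpNet", 3, "true")
              + wifi("Dup", "MyCorpNet", 120, "yes") + wifi("Long", "x" * 33, 3, "false")
              + "</networks>")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        found, global_retries = check_networks(sample)
        print(f"global associationRetries={global_retries}")
        for problem in found:
            print("  " + problem)
```

Run the script to see both samples reported; the rejected value of 120 is excluded from the global maximum, so SAMPLE_BAD yields a global value of 3.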

Choosing the Wi-Fi Network's Security Class

Specify one of the following security classes for the network:

Open network—Use element openNetworkUserConnection. Most likely you will not be deploying an open network to your end-users because of the need to pre-specify the SSID. Your end-users, if allowed, can create a network profile for a connection to a specific open network.

Shared-key Network—Use element sharedKeyNetwork. Most likely you will be deploying a shared-key network only if your mobile end-user has a home network access device for which the shared secret is controlled by you, the network administrator. Your end-users, if allowed, can create a network profile for a connection to their home access point.

Authentication Network—Use element authenticationNetwork. This is the most likely choice because you will want to preconfigure your enterprise network consistent with your authentication server and its policies and with your credentials environment.

openNetworkUserConnection

Schema path:

configuration/networks/wifiNetwork/openNetworkUserConnection

The optional element openNetworkUserConnection forms the container for configuring an open wireless network. An open network in SSC is one which does not use any form of data encryption and therefore represents the least secure class of networks. No element value is specified.

Business rule: This is a valid choice only if the open association mode is supported by the policy. See element allowedAssociationModes in section "Network Policy".

Next item: "Configuring an Open Wi-Fi Network".

sharedKeyNetwork

Schema path:

configuration/networks/wifiNetwork/sharedKeyNetwork

The optional element sharedKeyNetwork forms the container for configuring a wireless network that uses a static key which is pre-defined in both the client and the access point. The key is ultimately used to provide for encryption of the data. This network class primarily serves the home/small office environment. No element value is specified.

Next item: "Configuring a Shared-key Wi-Fi Network".

authenticationNetwork

Schema path:

configuration/networks/wifiNetwork/authenticationNetwork

The optional element authenticationNetwork forms the container for configuring an 802.1X wireless network. An authenticating (802.1X) network adds two important aspects to wireless security: mutual authentication of the client and the server, and network-provided keys for encryption. This network class represents the highest security level choice. No element value is specified.

Next item: "Configuring an Authenticating Wi-Fi Network".

The following example illustrates the distribution package XML for the three security classes of the wifiNetwork element and its child elements. The order of the child elements is restricted to that shown.

Example 2-8 wifiNetwork

<wifiNetwork>
    <displayName>My Corporate Wi-Fi Network</displayName>
    <ssid>MyCorpNet</ssid>
    <associationRetries>3</associationRetries>
    <beaconing>true</beaconing>
    <openNetworkUserConnection>
        {child elements}
    </openNetworkUserConnection>
</wifiNetwork>

<wifiNetwork>
    <displayName>My Corporate Wi-Fi Network</displayName>
    <ssid>MyCorpNet</ssid>
    <associationRetries>3</associationRetries>
    <beaconing>true</beaconing>
    <sharedKeyNetwork>
        {child elements}
    </sharedKeyNetwork>
</wifiNetwork>

<wifiNetwork>
    <displayName>My Corporate Wi-Fi Network</displayName>
    <ssid>MyCorpNet</ssid>
    <associationRetries>3</associationRetries>
    <beaconing>true</beaconing>
    <authenticationNetwork>
        {child elements}
    </authenticationNetwork>
</wifiNetwork>

Configuring an Open Wi-Fi Network

Configure the following element:

autoConnect

Schema path:

configuration/networks/wifiNetwork/openNetworkUserConnection/autoConnect

The mandatory boolean element autoConnect specifies whether or not the user-context connection process includes this network in its network selection algorithm. In other words, when the user logs into the system this element determines whether or not an automatic connection is attempted. Only a user-context connection is enabled and processed.

The element has the following values:

True—Auto-connection is enabled.

False—Auto-connection is disabled. A connection can always be initiated manually.

The following example illustrates the distribution package XML for the openNetworkUserConnection element and its child element.

Example 2-9 openNetworkUserConnection

<openNetworkUserConnection>
    <autoConnect>true</autoConnect>
</openNetworkUserConnection>

Configuring a Shared-key Wi-Fi Network

Specify one of the following connection contexts for the shared key network:

Machine-only connection—Use element machineConnection.

User-only connection—Use element userConnection.

machineConnection

Schema path:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection

The optional element machineConnection forms the container for configuring a network that supports only a machine context connection. A connection is made at system boot using the configured machine credentials and is maintained when users log into or log off of the system. No element values are specified.

Next item: "Configuring a Shared-key, Machine Network".

userConnection

Schema path:

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection

The optional element userConnection forms the container for configuring a network that supports only a user context connection. A connection is made when a user logs into the system using the configured user credentials and is maintained until the user logs off of the system. No element values are specified.

Next item: "Configuring a Shared-key, User Network".

The following example illustrates the distribution package XML for the sharedKeyNetwork element and its child element.

Example 2-10 sharedKeyNetwork

<sharedKeyNetwork>
    <machineConnection>
        {child elements}
    </machineConnection>
</sharedKeyNetwork>

<sharedKeyNetwork>
    <userConnection>
        {child elements}
    </userConnection>
</sharedKeyNetwork>

Configuring a Shared-key, Machine Network

Configure the following element:

keySettings

Schema path:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings

The mandatory element keySettings forms the container for specifying the type of shared-key protocol. No element values are specified.

Next item: "Choosing the Shared-key Type".

The following example illustrates the distribution package XML for the shared-key network's machineConnection element and its child element.

Example 2-11 machineConnection

<machineConnection>
    <keySettings>
        {child elements}
    </keySettings>
</machineConnection>

Configuring a Shared-key, User Network

Configure the following elements:

autoConnect

Schema path:

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/autoConnect

The mandatory boolean element autoConnect specifies whether or not the user-context connection process includes this network in its network selection algorithm. In other words, when the user logs into the system this element determines whether or not an automatic connection is attempted.

The element has the following values:

True—Auto-connection is enabled.

False—Auto-connection is disabled. A connection can always be initiated manually.

keySettings

Schema path:

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings

The mandatory element keySettings forms the container for specifying the type of shared-key protocol. No element values are specified.

Next item: "Choosing the Shared-key Type".

The following example illustrates the distribution package XML for the shared-key network's userConnection element and its child elements. The order of the child elements is restricted to that shown.

Example 2-12 userConnection

<userConnection>
    <keySettings>
        {child elements}
    </keySettings>
    <autoConnect>true</autoConnect>
</userConnection>

Choosing the Shared-key Type

Specify one of the following key types for the network:

WEP—Use element wep.

WPA—Use element wpa.

WPA2—Use element wpa2.

wep

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wep

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wep

The optional element wep forms the container for configuring a Wired Equivalent Privacy (WEP) shared key or static key. The existence of this element indicates WEP key type. No element values are specified.

These are legacy security solutions which provide a low-level mechanism for a basic, but easily breakable, data privacy capability between the client and network access device. These legacy methods are supported for backwards compatibility but are not an integral part of an enterprise level security solution.

Business rule: This is a valid choice only if the wep association mode is supported by the policy. See element allowedAssociationModes in section "Network Policy".

Next item: "Configuring a WEP Shared-key".

wpa

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wpa

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wpa

The optional element wpa forms the container for configuring a WPA-Personal mode. The existence of this element indicates WPA key type. No element values are specified.

Wi-Fi Protected Access (WPA) is the security solution of the Wi-Fi Alliance and improves upon the legacy 802.11's encryption method, WEP. WPA-Personal uses a pass-phrase preshared key (PSK).

Business rule: This is a valid choice only if the wpa-Personal association mode is supported by the policy. See element allowedAssociationModes in section "Network Policy".

Next item: "Configuring a WPA/WPA2 Shared-key".

wpa2

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wpa2

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wpa2

The optional element wpa2 forms the container for configuring a WPA2-Personal mode. The existence of this element indicates WPA2 key type. No element values are specified.

WPA2 is a recent upgrade based on the full 802.11i standard. WPA2 is the Wi-Fi Alliance branding for 802.11i interoperability. WPA2 was not released to address any flaws in WPA. The major aspect of WPA2 is that it mandates a new and stronger encryption cipher (AES). WPA2 also introduces subtle improvements in the association request/response messaging and in the key exchange messaging. WPA2-Personal uses a pass-phrase preshared key (PSK).

Business rule: This is a valid choice only if the wpa2-Personal association mode is supported by the policy. See element allowedAssociationModes in section "Network Policy".

Next item: "Configuring a WPA/WPA2 Shared-key".

Configuring a WEP Shared-key

Follow these steps to configure a Wi-Fi, WEP shared-key network.


Step 1 Configure the following elements:

ieee80211Authentication

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wep/ieee80211Authentication

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wep/ieee80211Authentication

The mandatory element ieee80211Authentication forms the container for configuring the type of association used between SSC and the access point. No element values are specified.

Next item: "Choosing the WEP Association".

Step 2 Perform the tasks defined in section "Choosing the WEP Key Format".


The following example illustrates the distribution package XML for the WEP keySettings element and its child elements. The order of the child elements is restricted to that shown.

Example 2-13 WEP keySettings

<keySettings>
    <wep>
        <wepAscii40 encrypt="true">aaaaa</wepAscii40>
        <ieee80211Authentication>
            <shared/>
        </ieee80211Authentication>
    </wep>
</keySettings>

Choosing the WEP Association

Specify one of the following WEP association modes:

Open—Use element open.

Shared—Use element shared.

open

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wep/ieee80211Authentication/open

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wep/ieee80211Authentication/open

The existence of the optional element open specifies the 802.11 open association mode. In SSC a shared-key network using open association is a legacy "Static WEP" network. It is an empty element with no value.

This element has a required boolean attribute, encrypt, which has a fixed value of True. It indicates that this element needs to be (or has been) encrypted by the postprocess sscPackageProcess utility.

shared

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wep/ieee80211Authentication/shared

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wep/ieee80211Authentication/shared

The existence of the optional element shared specifies the 802.11 shared association mode. In SSC a shared-key network using shared association is a legacy "Shared WEP" network. It is an empty element with no value.

The following example illustrates the distribution package XML for the two choices for the ieee80211Authentication element.

Example 2-14 ieee80211Authentication

<ieee80211Authentication>
    <shared/>
</ieee80211Authentication>

<ieee80211Authentication>
    <open/>
</ieee80211Authentication>

Choosing the WEP Key Format

Specify one of the following key formats and lengths for the network:

ASCII with a 40 bit key—Use element wepAscii40.

ASCII with a 128 bit key—Use element wepAscii128.

Hex with a 40 bit key—Use element wepHex40.

Hex with a 128 bit key—Use element wepHex128.

wepAscii40

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wep/wepAscii40

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wep/wepAscii40

The optional element wepAscii40 specifies ASCII format and a 40-bit key length.

This element has a required boolean attribute, encrypt, which has a fixed value of True. It indicates that this element needs to be (or has been) encrypted by the postprocess sscPackageProcess utility.

Restriction: the value must be five printable, ASCII characters long.

wepAscii128

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wep/wepAscii128

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wep/wepAscii128

The optional element wepAscii128 specifies ASCII format and a 128-bit key length.

This element has a required boolean attribute, encrypt, which has a fixed value of True. It indicates that this element needs to be (or has been) encrypted by the postprocess sscPackageProcess utility.

Restriction: the value must be thirteen printable, ASCII characters long.

wepHex40

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wep/wepHex40

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wep/wepHex40

The optional element wepHex40 specifies Hex format and a 40-bit key length.

This element has a required boolean attribute, encrypt, which has a fixed value of True. It indicates that this element needs to be (or has been) encrypted by the postprocess sscPackageProcess utility.

Restriction: the value must be ten Hex characters long.

wepHex128

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wep/wepHex128

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wep/wepHex128

The optional element wepHex128 specifies Hex format and a 128-bit key length.

This element has a required boolean attribute, encrypt, which has a fixed value of True. It indicates that this element needs to be (or has been) encrypted by the postprocess sscPackageProcess utility.

Restriction: the value must be twenty-six Hex characters long.

The following example illustrates the distribution package XML for the four choices for the wep child elements.

Example 2-15 wep choices

<wepAscii40 encrypt="true">aaaaa</wepAscii40>

<wepAscii128 encrypt="true">aaaaaaaaaaaaa</wepAscii128>

<wepHex40 encrypt="true">AAAAAAAAAA</wepHex40>

<wepHex128 encrypt="true">ABCDEFABCDEFABCDEFABCDEFAB</wepHex128>
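The following Python script is an added example; it is not part of the Cisco guide or of the SSC tooling. It checks one wifiNetwork element against the structural rules from "Choosing the Wi-Fi Network's Security Class" through "Choosing the WEP Key Format": exactly one security class, exactly one connection context inside sharedKeyNetwork, the keySettings/autoConnect order of Example 2-12, exactly one key type under keySettings, and for WEP exactly one key-format element carrying encrypt="true" with the length and character set required for that format, plus an ieee80211Authentication element holding exactly one of open or shared. Because the guide describes WEP as easily breakable, a WEP configuration is also reported as a warning so that a reviewer of the package sees it. The sample XML is constructed for the example; the script assumes a well-formed fragment with no XML namespace and that "printable ASCII" means the characters from space to tilde. It inspects only the syntax of key values and never stores or uses them.

```python
"""Structural check of a shared-key wifiNetwork in an SSC distribution package.
Added example, not Cisco code: it applies the element layout and WEP key-format
rules of this chapter. Only syntax is checked; key material is never used."""
import string
import xml.etree.ElementTree as ET

SECURITY_CLASSES = ("openNetworkUserConnection", "sharedKeyNetwork", "authenticationNetwork")
CONTEXTS = ("machineConnection", "userConnection")
KEY_TYPES = ("wep", "wpa", "wpa2")
ASSOCIATIONS = ("open", "shared")
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}   # assumption: space through tilde
HEX_DIGITS = set(string.hexdigits)
# WEP key-format element -> (required length, allowed characters), per "Choosing the WEP Key Format"
WEP_FORMATS = {
    "wepAscii40": (5, PRINTABLE_ASCII),
    "wepAscii128": (13, PRINTABLE_ASCII),
    "wepHex40": (10, HEX_DIGITS),
    "wepHex128": (26, HEX_DIGITS),
}


def exactly_one(parent, choices, where, errors):
    """Return the single child of parent whose tag is in choices; record an error otherwise."""
    found = [child for child in parent if child.tag in choices]
    if len(found) != 1:
        errors.append(f"{where}: expected exactly one of {choices}, found {[c.tag for c in found]}")
        return None
    return found[0]


def check_wep(wep, where, errors, warnings):
    """Apply the WEP key-format, encrypt-attribute and association rules."""
    warnings.append(f"{where}: WEP is a legacy, easily breakable key type; prefer WPA2")
    fmt = exactly_one(wep, tuple(WEP_FORMATS), where, errors)
    if fmt is not None:
        length, charset = WEP_FORMATS[fmt.tag]
        # Required attribute with the fixed value true: the package processor encrypts this value.
        if fmt.get("encrypt") != "true":
            errors.append(f'{where}/{fmt.tag}: attribute encrypt="true" is required')
        value = fmt.text or ""
        if len(value) != length or not set(value) <= charset:
            errors.append(f"{where}/{fmt.tag}: value must be exactly {length} characters "
                          f"of the {fmt.tag} alphabet")
    auth = wep.find("ieee80211Authentication")
    if auth is None:
        errors.append(f"{where}: mandatory ieee80211Authentication is missing")
    else:
        exactly_one(auth, ASSOCIATIONS, where + "/ieee80211Authentication", errors)


def check_shared_key_network(xml_text):
    """Validate one wifiNetwork element; return (errors, warnings) as lists of strings."""
    net = ET.fromstring(xml_text)
    errors, warnings = [], []
    sec = exactly_one(net, SECURITY_CLASSES, "wifiNetwork", errors)
    if sec is None or sec.tag != "sharedKeyNetwork":
        return errors, warnings            # open and 802.1X classes have their own rules
    ctx = exactly_one(sec, CONTEXTS, "sharedKeyNetwork", errors)
    if ctx is None:
        return errors, warnings
    where = f"sharedKeyNetwork/{ctx.tag}"
    if ctx.tag == "userConnection":
        # Example 2-12: keySettings first, then the mandatory autoConnect element.
        tags = [child.tag for child in ctx]
        if tags != ["keySettings", "autoConnect"]:
            errors.append(f"{where}: children must be keySettings then autoConnect, got {tags}")
    settings = ctx.find("keySettings")
    if settings is None:
        errors.append(f"{where}: mandatory keySettings is missing")
        return errors, warnings
    key_type = exactly_one(settings, KEY_TYPES, where + "/keySettings", errors)
    if key_type is not None and key_type.tag == "wep":
        check_wep(key_type, f"{where}/keySettings/wep", errors, warnings)
    return errors, warnings


# Constructed sample: a valid user-context "Shared WEP" network (compare Example 2-13).
VALID_WEP = """<wifiNetwork>
  <displayName>Home office</displayName><ssid>HomeNet</ssid>
  <associationRetries>3</associationRetries><beaconing>true</beaconing>
  <sharedKeyNetwork><userConnection>
    <keySettings><wep>
      <wepAscii40 encrypt="true">aaaaa</wepAscii40>
      <ieee80211Authentication><shared/></ieee80211Authentication>
    </wep></keySettings>
    <autoConnect>true</autoConnect>
  </userConnection></sharedKeyNetwork>
</wifiNetwork>"""

# Constructed sample with three violations: missing encrypt attribute, a nine-character
# wepHex40 value, and both open and shared present under ieee80211Authentication.
INVALID_WEP = """<wifiNetwork>
  <displayName>Bad</displayName><ssid>BadNet</ssid>
  <associationRetries>3</associationRetries><beaconing>true</beaconing>
  <sharedKeyNetwork><machineConnection><keySettings><wep>
    <wepHex40>ABCDEFABC</wepHex40>
    <ieee80211Authentication><open/><shared/></ieee80211Authentication>
  </wep></keySettings></machineConnection></sharedKeyNetwork>
</wifiNetwork>"""

if __name__ == "__main__":
    for sample in (VALID_WEP, INVALID_WEP):
        errs, warns = check_shared_key_network(sample)
        print("errors:", errs)
        print("warnings:", warns)
```

The check deliberately stops at the first structural gap on each branch (a missing context or keySettings) rather than reporting cascading errors, which keeps the report readable when reviewing a package with many networks.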

Configuring a WPA/WPA2 Shared-key

Follow these steps to configure a Wi-Fi, WPA/WPA2 shared-key network.


Step 1 Configure the following element:

encryption

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wpa/encryption

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wpa/encryption

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wpa2/encryption

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wpa2/encryption

The mandatory element encryption specifies the data encryption scheme.

The element has the following values:

TKIP—the standard method for WPA association. Also supported with WPA2 association for backwards compatibility.

AES—normally linked to WPA2 association but may be available in some WPA compliant access devices. The highest data security mode that is currently standardized for Wi-Fi.

Step 2 Configure the following element:

key

Schema paths:

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wpa/key

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wpa/key

configuration/networks/wifiNetwork/sharedKeyNetwork/machineConnection/keySettings/wpa2/key

configuration/networks/wifiNetwork/sharedKeyNetwork/userConnection/keySettings/wpa2/key

The mandatory element key forms the container for configuring the format of the WPA or WPA2 key. No element values are specified.

Next item: "Choosing the WPA/WPA2 Key Format".


The following example illustrates the distribution package XML for the WPA/WPA2 keySettings element and its child elements. The order of the child elements is restricted to that shown.

Example 2-16 WPA keySettings