Wi-Fi Authentication Tests Overview (Windows Embedded CE 6.0)
1/6/2010
To validate that a Wi-Fi station can connect to the appropriate access point (AP) through each valid combination of authentication and encryption protocols, you must test all of these connections. In addition, you must test to ensure that a Windows Embedded CE powered device does not connect to any AP for which the device is not configured.
The Wi-Fi Authentication Tests require three servers: the AP Control server, the Remote Authentication Dial-in User Service (RADIUS) server (commonly known as the Authentication Authorization Accounting (AAA) server), and the Dynamic Host Control Protocol (DHCP) server. You can choose to install all of these servers on the same computer, or you can install them on separate computers. The following illustration shows an example of a test network configuration.
The AP Control server handles access point configuration requests from the device that is being tested and updates the APs to the required security modes. This server must run both the UDP and TCP Echo services to allow the device to verify a wireless connection.
The RADIUS server stores a list of clients, that is, the access points which connect to it. This list must include each access point that the device supports. The list entry for each access point client also contains a secret pass phrase the clients use to communicate with the RADIUS server. Enter a pass phrase for each access point, and then configure the keys for the corresponding APs so that they can be authenticated by the RADIUS server during EAPOL key processing. If the RADIUS server is also the authentication server, which is usually the case, this server must have two special user accounts: one for Transport Layer Security (TLS) Extensible Authentication Protocol (EAP) authentication, and one for the Protected Extensible Authentication Protocol (PEAP). The tests default to the following credentials for these accounts:
TLS authentication
- User name: eaptls
- Password: eaptls
- Domain: wince
PEAP authentication
- User name: eappeap
- Password: eappeap
- Domain: wince
The DHCP server provides a framework for passing configuration data to devices in a TCP/IP network, which eliminates the problems associated with manual configuration. When a DHCP server receives a request, the server automatically assigns an IP address from a pool of addresses, as well as assigning the address mask, the default gateway, the DNS server, the domain name, the WINS server (if used), and so on, to the device or computer that made the request.
The Wi-Fi Authentication tests run a variety of authentication and encryption methods to validate Wi-Fi functionality for a device, as shown in the table that follows.
General authentication methods
Authentication method | Description |
---|---|
Open | All associations are accepted. |
Shared | All associations are accepted, but the client must use WEP encryption. |
WPA | Wi-Fi Protected Access. Requires EAP authentication. |
WPA-PSK | WPA with a pre-shared key (PSK). |
WPA2 | Wi-Fi Protected Access 2. Requires EAP authentication. |
WPA2-PSK | WPA2 with PSK. |
EAP authentication methods
- Transport Layer Security (TLS)
- Message Digest 5 (MD5)
- Protected Extensible Authentication Protocol (PEAP)
Encryption methods
- Unencrypted (Clear Text)
- Wired Equivalent Privacy (WEP)
- Temporal Key Integrity Protocol (TKIP)
- Advanced Encryption Standard (AES)
For each combination of authentication and encryption protocols, the test performs the following steps:
1. Connects with an AP control server by using a fixed-configuration access point.
2. Requests the AP control server to configure an access point with a given authentication, encryption, and key.
3. Disconnects from the fixed-configuration access point.
4. Configures the device being tested so that it will connect to the access point that was configured in step 2 with the specified SSID, authentication method, encryption method, and key being tested.
5. Waits for a fixed interval for the connection to be established.
6. Sends a large number of ICMP pings through the newly-connected Wi-Fi link and checks for an equal number of replies.
7. Sends a large number of UDP echoes, and checks for lost or corrupted replies.
8. Sends a large number of TCP echoes, and checks for lost or corrupted replies.
9. Disconnects the wireless adapter.
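The UDP echo check from the procedure above, as an added Python example; it is not code from the test kit, which is a Tux DLL. The function names, the payload layout (a 4-byte sequence number followed by random bytes), the stop-and-wait sending pattern and the loopback echo server standing in for the AP Control server are all assumptions made for illustration.

```python
import os
import socket
import threading

def classify(sent, replies):
    """Return (lost, corrupted) sequence numbers for one echo run."""
    answered, corrupted = set(), []
    for data in replies:
        # The first 4 bytes carry the sequence number used to match a reply.
        seq = int.from_bytes(data[:4], "big") if len(data) >= 4 else None
        if seq in sent:
            answered.add(seq)
        if sent.get(seq) != data:        # any differing byte: corrupted reply
            corrupted.append(seq)
    return sorted(set(sent) - answered), corrupted

def udp_echo_test(addr, count=200, size=64, timeout=0.5):
    """Send `count` random payloads to a UDP echo service and verify replies."""
    sent, replies = {}, []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for seq in range(count):
            sent[seq] = seq.to_bytes(4, "big") + os.urandom(size)
            s.sendto(sent[seq], addr)
            try:
                replies.append(s.recvfrom(65535)[0])
            except socket.timeout:
                pass                     # no reply in time: reported as lost
    return classify(sent, replies)

def start_loopback_echo(mangle=None):
    """Constructed stand-in for the UDP Echo service on the AP Control server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))           # ephemeral port, loopback only
    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(65535)
            except OSError:
                return
            reply = mangle(data) if mangle else data
            if reply is not None:        # None simulates a dropped datagram
                srv.sendto(reply, peer)
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    print(udp_echo_test(start_loopback_echo().getsockname(), count=100))
```

Random payloads matter here: a link that decrypts with the wrong key or cipher state returns garbage rather than nothing, and a byte-for-byte comparison catches that where a reply count alone would not.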
The Wi-Fi Authentication Test is implemented as a Tux DLL. It can be started and configured remotely by using either CETK or Platform Builder, or locally by using a command script.
See Also
Tasks
Establishing the Correct Test Environment for Wi-Fi Authentication Tests