TLS Settings
This page lets you edit the TLS settings used for wireless
authentication. The TLS-based EAP methods (PEAP, EAP-TLS, etc.)
establish a TLS channel between the client and ClearBox Server, and
that channel must be set up successfully before the user can be
authenticated.
Enable TLS. This option enables or disables the ability of ClearBox
to authenticate Wi-Fi network users with the TLS-based EAP methods.
Because enabling TLS requires a server certificate to be installed on
the machine, it may be left disabled when ClearBox is used for wired
authentication only and no TLS-based EAP method is needed.
Select Certificate. In order to provide trusted network security
services to wireless clients, ClearBox must be able to identify itself
cryptographically to them. During the client login procedure, ClearBox
Server sends the client its digital certificate. This server
certificate is mandatory in Wi-Fi networks.
Click the button to select a server certificate from those installed.
ClearBox uses certificates from the 'Personal' store of the local
machine (not the current user's store); the selected certificate must
have its private key present in that store. If the list of available
certificates is empty, you must install one first. Using the
Certificates Wizard is recommended for this.
Don't check server certificate validity. With this option ClearBox
may use a server certificate even if Windows treats it as invalid
(for example, expired, not yet valid, or issued by a CA the machine
does not trust). We do not recommend using this option; install a
valid certificate instead.
Allow resumption of TLS sessions. When a user first authenticates
with either PEAP or EAP-TLS, a fair amount of intensive computation is
performed both on the client PC and on ClearBox Server: private keys
must be used to decrypt or sign data, signatures on certificates must
be validated, password credentials must be checked, and so on.
However, once a user is authenticated, subsequent authentications to
the same ClearBox Server can be accelerated using the secret
established during the first full handshake. This is called session
resumption. Turning this option on enables caching of TLS sessions on
the server side (by default, ClearBox stores the last 256 sessions).
We recommend enabling session resumption, as it speeds up subsequent
client authentications (which can happen fairly frequently in
wireless networking) and reduces the load on ClearBox Server. Keep in
mind that a resumed session skips the certificate exchange of the full
handshake, so an EAP-TLS client whose certificate has since been
revoked can still resume a session that is already in the cache.
NOTE that PEAP session resumption must additionally be enabled
explicitly in the 'Allowed protocols' dialog on the realm's
authentication page.
Cipher suites. The TLS protocol that underlies
PEAP and EAP-TLS is capable of using a variety of cryptographic
techniques for authentication and data privacy between client and
ClearBox Server. Each of these techniques is called a cipher suite.
At the start of the authentication, client and server must agree on
which cipher suite to use.
All cipher suites that ClearBox Server is capable of using are
shown in the Cipher suites list. A check mark appears next to each
cipher suite that is enabled. To enable or disable a cipher suite,
simply check or uncheck the box.
Which cipher suites ClearBox Server can actually use depends on the
server certificate installed. If the certificate uses an RSA key, only
cipher suites whose key exchange and authentication are based on RSA
can be negotiated. A suite that is unchecked here cannot be negotiated
regardless of what the client offers, so leave enabled only the suites
your clients support and your security policy allows.
EAP-TLS Specific Settings
These settings are used for EAP-TLS authentication only, where each
user must prove his identity to the server with his own digital
certificate. There are several options for how the server validates
a client certificate.
Check certificate revocation list. A certificate revocation list
(CRL) is a list of certificates (by serial number) that have been
revoked by the issuing CA, are no longer valid (for example, because
the corresponding private key has been compromised) and must not be
relied on by any system user. If the option is set, ClearBox checks
whether the client certificate is revoked, so a user may be rejected
even though he presents his certificate, because it has become
invalid.
NOTE that when CRL checking is turned on, it is your responsibility
to renew the CRL file with the Certificates Wizard. The CRL expires
every 60 days, and once it has expired all requests are rejected until
a new file is installed (ClearBox fails closed rather than accepting a
certificate whose revocation status cannot be determined).
Depth of certificates in a chain during the verification. A user's
certificate is issued by some certificate authority, whose certificate
may in turn be issued by a higher-level CA, forming a certificate
chain. ClearBox may verify only the client certificate itself
(depth=0) or follow the chain up to the root certificate, which takes
some processing time but gives stronger assurance. The default value
is 2, i.e. validate the client certificate and the two certificates
above it. Set the depth to at least the number of CA certificates
between your users' certificates and the root, otherwise the chain is
not followed all the way to the root.
Required certificate issuer. Each certificate names its issuer, the
CA that signed it (often a root CA, but possibly an intermediate CA).
If this parameter is not empty, ClearBox accepts only certificates
from that issuer; certificates from any other CA, even one that is
otherwise trusted, are rejected. The issuer name is specified in
distinguished-name format, as slash-separated components in the order
in which they appear in the certificate, for example:
/C=FR/ST=na/L=Paris/O=MyCompany/CN=ClearBox Server Root CA
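The issuer string above must match the issuer of the user's certificate component for component, and the Windows certificate viewer shows issuer names in a different form (comma-separated, common name first, and 'S' instead of 'ST' for the state). The following is an added example, not ClearBox code, that converts between the two forms and performs the exact issuer comparison an allow-list like this one implies. It assumes that the slash form lists components in certificate order (country first), that the Windows form lists them in the reverse (RFC 2253) order, and that the two forms otherwise use the same attribute abbreviations except for 'S'/'ST'; the sample names are constructed.

```python
import re
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ('CN', 'ClearBox Server Root CA')

# Attribute-type spellings normalised to the ones used in the slash form.
# Assumption: Windows shows stateOrProvinceName as 'S'; the slash form uses 'ST'.
_TYPE_ALIASES = {"S": "ST", "E": "emailAddress", "EMAIL": "emailAddress"}

# A '/' or ',' starts a new component only when a 'type=' follows it, so a
# separator character inside a value (e.g. O=Acme A/S) does not split the value.
_COMPONENT_START = r"(?=[A-Za-z][A-Za-z0-9.]*=)"


def _normalise_type(attr: str) -> str:
    attr = attr.strip()
    short = attr.upper() if len(attr) <= 2 else attr  # C, ST, L, O, OU, CN, DC
    return _TYPE_ALIASES.get(attr.upper(), short)


def _component(part: str) -> RDN:
    attr, sep, value = part.partition("=")
    if not sep:
        raise ValueError(f"component without '=': {part!r}")
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':  # Windows quotes values containing ','
        value = value[1:-1]
    return _normalise_type(attr), value


def parse_slash_dn(text: str) -> List[RDN]:
    """Parse '/C=FR/ST=na/.../CN=...' (certificate order, country first)."""
    text = text.strip()
    if not text.startswith("/"):
        raise ValueError("slash-form DN must start with '/'")
    return [_component(p) for p in re.split("/" + _COMPONENT_START, text[1:])]


def parse_comma_dn(text: str) -> List[RDN]:
    """Parse 'CN=..., O=..., C=FR' as shown by the Windows certificate viewer.
    Assumption: this form lists components leaf-first (RFC 2253 order), so it
    is reversed to certificate order to be comparable with parse_slash_dn."""
    parts = re.split(r",\s*" + _COMPONENT_START, text.strip())
    return [_component(p) for p in reversed(parts)]


def to_slash_dn(rdns: List[RDN]) -> str:
    """Render components in the form the 'Required certificate issuer' field expects."""
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def issuer_matches(required: str, presented: List[RDN]) -> bool:
    """True only when the presented issuer equals the configured one component
    for component, in order. Attribute types are compared after alias mapping,
    values exactly: an allow-list that matched loosely would let a differently
    named CA through."""
    return parse_slash_dn(required) == presented


if __name__ == "__main__":
    # Constructed sample: the configured issuer and the same CA as Windows displays it.
    required = "/C=FR/ST=na/L=Paris/O=MyCompany/CN=ClearBox Server Root CA"
    windows_view = "CN=ClearBox Server Root CA, O=MyCompany, L=Paris, S=na, C=FR"
    presented = parse_comma_dn(windows_view)
    print("field value:", to_slash_dn(presented))
    print("matches:", issuer_matches(required, presented))
    other_ca = parse_slash_dn("/C=FR/ST=na/L=Paris/O=MyCompany/CN=ClearBox Server Issuing CA")
    print("issuing CA accepted:", issuer_matches(required, other_ca))
```

Paste the output of to_slash_dn into the field; the comparison is deliberately strict, so a certificate issued by an intermediate CA of the same organisation (the last call above) is rejected unless that intermediate's name is what you configure.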
© 2001-2007 XPerience Technologies. www.xperiencetech.com