Wireless Networking with Windows Vista in a Domain Environment
Date: Dec 8, 2006
Zubair Alexander discusses various methods for joining a Windows Vista wireless network client to an Active Directory domain, and addresses some of the security issues involved.
Everyone wants wireless. Due to security, speed, and bandwidth issues, the use of wireless network devices has been rather limited in the past, but with the emergence of newer technologies and protocols, wireless devices—including wireless network PCs—are becoming more popular.
Windows Vista makes wireless networking better, easier, and safer, which will result in an increase in the number of wireless PCs, both at home and in the workplace. In this article, I’ll discuss various methods for joining a wireless network client to an Active Directory domain. I’ll also address some of the security issues. When it comes to wireless clients, security is a high priority, especially in a domain environment where your corporate data needs to be protected properly.
First, let’s consider the concept of "bootstrap wireless profile" in Windows Vista. Then we’ll look at several security considerations and examine in more detail the methods for joining the domain.
Bootstrap Wireless Profile
The bootstrap wireless profile is a temporary wireless profile that doesn’t validate the certificate of the Remote Authentication Dial-in User Service (RADIUS) server.
Once the client has joined the domain, a new wireless profile is used to validate the credentials of the RADIUS server. More on this topic later, but for now let’s see how your wireless clients can join the domain.
Users have the following two options for joining a wireless client to the domain:
- Manually configure the wireless client with a bootstrap wireless profile.
- Configure the wireless client with a bootstrap wireless profile using an XML file and a script.
To configure a bootstrap wireless profile in Windows Vista, follow this procedure:
- In Control Panel, open the Network & Sharing Center.
- Under Tasks, click Set up a network or connection.
- Under the Choose a connection option, select Manually connect to a wireless network. Click Next.
- Configure the wireless network with network name, security type, and encryption type (WEP, TKIP, or AES), as shown in Figure 1. Then click Next.
Figure 1 Configuring a bootstrap wireless profile.
- Click Change connection settings.
- On the Security tab, under Choose a network authentication method, make sure that Protected EAP (PEAP) is selected.
- Click Settings and uncheck the box Validate server certificate. Leave the authentication method set to the default option Secured password (EAP-MSCHAP v2), as shown in Figure 2.
Figure 2 Configuring protected EAP properties.
- Click OK a couple of times and then click Close to close all the dialog boxes.
Security Considerations
The IEEE 802.1X authentication standard ensures that only authenticated users or devices are permitted on a wireless network. It also ensures the security of data. The default authentication method for 802.1X-authenticated wireless connections is EAP-Transport Layer Security (TLS) in Windows Server 2003 and Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAP v2) in Windows Longhorn Server and Windows Vista.
EAP-TLS requires a public key infrastructure (PKI) to manage and issue computer certificates. Although EAP-TLS is a highly secure authentication method, Microsoft realized that most companies don’t want to deal with the complexities of computer certificates. They would rather use their existing Active Directory authentication method, which relies on an account and a password. Therefore, starting with Windows Vista and Longhorn Server, Microsoft has changed the default EAP authentication method for wireless connections to EAP-MSCHAP v2, because this authentication method requires computer certificates only on the RADIUS servers.
As I stated earlier, whether you use the EAP-TLS or the EAP-MSCHAP v2 method for authentication, you have to deal with certificates. The only question is which Certificate Authority (CA) issued the certificate for your RADIUS server. You can use a PKI solution from a third party, such as a commercial solution from Thawte, or deploy your own PKI infrastructure using certificate services and Active Directory.
If you’re using a commercial certificate, most likely the root CA certificate for the RADIUS server’s computer certificate is already installed on the wireless client. In this scenario, the client can already validate the RADIUS server’s computer certificate, so it doesn’t really matter whether the client has joined the Active Directory domain; the client will easily be able to authenticate with the RADIUS server. However, if you’re using your own private certificate server, a wireless client that hasn’t yet joined the domain won’t have the root CA certificate for the RADIUS server, and therefore won’t be able to validate the RADIUS server’s computer certificate. Once the client successfully joins the domain, the root CA certificate for the RADIUS server’s computer certificate will be installed automatically on the wireless client.
Manual Method
As mentioned earlier, end users can use a couple of methods to establish a secure wireless connection and then join their wireless clients to the domain: they can do it manually, or with an XML file. To configure a bootstrap wireless profile manually, use the following procedure:
- Log onto the network, using a local account. At this point, you haven’t joined the Active Directory domain, so you can’t use your domain account.
- Use the procedure described in the "Bootstrap Wireless Profile" section to configure your bootstrap wireless profile.
- When prompted, provide the domain account and password to connect to the wireless network.
- Now that you’ve established a connection to the network, go to Control Panel, open System, and click Advanced system settings. When prompted by User Account Control, click Continue, or provide credentials as necessary.
- Click the Computer Name tab.
- Click Change.
- Click the Domain button and enter the name of the domain that you want to join (for example, SeattlePro.com), as shown in Figure 3.
Figure 3 Joining Windows Vista client to the domain.
- Click OK and then provide the domain user name and password of an account that will allow you to join the domain.
- Restart your computer to complete the process.
XML File Method
Another method for a user to join the domain is to configure a bootstrap wireless profile for the wireless client by using an XML file and a script provided by the network administrator. As with the manual method, the goal is to establish a network connection and then join the wireless client to the domain.
The administrator can configure another Windows Vista computer with a bootstrap wireless profile that uses EAP-MSCHAP v2, while ensuring that the validation of the RADIUS server certificate has been disabled (refer to Figure 2). The profile can be extracted to an XML file by using a netsh wlan command similar to the following:
netsh wlan export profile name=xml_profile_name folder=profile_location interface=connection_name
where xml_profile_name is the name of the bootstrap wireless profile, profile_location is the path to which you want the file copied, and connection_name is the name of the wireless connection that you want to use. (Use quotes if the names contain spaces.)
Here’s an example:
netsh wlan export profile name=SeattlePro folder=c:\profiles
When you use this command, the exported profile is named after the interface and the profile, in the form interface name-profile name.xml (for example, Wireless Network Connection-SeattlePro.xml). This is just one example; you can customize the netsh wlan command if you want. Type help at the netsh prompt for more options.
The administrator can also create a script file containing a netsh command similar to the following:
netsh wlan add profile filename=xml_profile_name interface=connection_name
where xml_profile_name is the name of the bootstrap wireless profile and connection_name is the name of the wireless connection to use.
For our example, we’ll use the following command for the script:
netsh wlan add profile filename="Wireless Network Connection-SeattlePro.xml" interface="wireless network connection"
The administrator can provide the user with both the script and the extracted XML file that contains the bootstrap wireless profile.
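The exported XML file is also the natural place to check that a profile really is only a bootstrap profile and to build the post-join profile that does validate the RADIUS server, as described in the "Bootstrap Wireless Profile" section. The following Python script is an added example for this article, not a Microsoft tool or the author's code: it parses an exported profile, reports how it authenticates, flags disabled server validation, a missing trusted root CA, and a missing RADIUS server name, and can emit a hardened copy for use after the domain join. The element and namespace names it looks for are my assumption of what netsh wlan export writes; the embedded profile, the server name radius.seattlepro.com, and the thumbprint are constructed placeholders, so compare the names against one of your own exports before relying on the result.

```python
"""Audit an exported WLAN profile's PEAP server validation and build a hardened copy.

Added example, not Microsoft tooling. Element and namespace names are assumed to
match 'netsh wlan export profile' output; verify against a real export.
"""
import xml.etree.ElementTree as ET

NS = {  # namespaces seen in exported profiles (assumed)
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "ehc": "http://www.microsoft.com/provisioning/EapHostConfig",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}
for _prefix, _uri in NS.items():  # readable prefixes when re-serialising
    ET.register_namespace(_prefix, _uri)

# Constructed sample: bootstrap profile for SSID "SeattlePro", server validation off.
BOOTSTRAP_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SeattlePro</name>
  <SSIDConfig><SSID><name>SeattlePro</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication>
      <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
            </ServerValidation>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>26</Type></Eap>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""


def _peap_config(root):
    """Return the MS-PEAP <EapType> element (outer EAP type 25), or None."""
    for eap in root.iter("{%s}Eap" % NS["base"]):
        if (eap.findtext("base:Type", namespaces=NS) or "").strip() == "25":
            return eap.find("peap:EapType", NS)
    return None


def audit_profile(xml_text):
    """Summarise how the profile authenticates and flag weak RADIUS server validation."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/w:authEncryption/"
    report = {"ssid": root.findtext("w:SSIDConfig/w:SSID/w:name", namespaces=NS),
              "authentication": root.findtext(sec + "w:authentication", namespaces=NS),
              "encryption": root.findtext(sec + "w:encryption", namespaces=NS),
              "server_validation": "n/a", "trusted_root_cas": [], "server_names": "",
              "findings": []}
    peap = _peap_config(root)
    if peap is None:
        report["findings"].append("no PEAP configuration found (not an 802.1X PEAP profile)")
        return report
    perform = peap.findtext("peap:PeapExtensions/peap2:PerformServerValidation", namespaces=NS)
    # Explicit switch (assumed Windows 7+ schema); older profiles carry no flag, so assume on.
    report["server_validation"] = "enabled" if perform is None or perform.strip().lower() == "true" else "disabled"
    sv = peap.find("peap:ServerValidation", NS)
    if sv is not None:
        report["trusted_root_cas"] = [c.text.strip() for c in sv.findall("peap:TrustedRootCA", NS) if c.text]
        report["server_names"] = (sv.findtext("peap:ServerNames", namespaces=NS) or "").strip()
    if report["server_validation"] != "enabled":
        report["findings"].append("RADIUS server certificate not validated: bootstrap profile, "
                                  "replace it once the client has joined the domain")
    if not report["trusted_root_cas"]:
        report["findings"].append("no trusted root CA pinned for the RADIUS server certificate")
    if not report["server_names"]:
        report["findings"].append("no RADIUS server name configured")
    return report


def harden_profile(xml_text, server_name, root_ca_thumbprint):
    """Return a post-join copy: validation on, RADIUS name and root CA thumbprint pinned."""
    root = ET.fromstring(xml_text)
    peap = _peap_config(root)
    if peap is None:
        raise ValueError("profile has no PEAP configuration to harden")
    sv = peap.find("peap:ServerValidation", NS)
    if sv is None:
        sv = ET.SubElement(peap, "{%s}ServerValidation" % NS["peap"])
    names = sv.find("peap:ServerNames", NS)
    if names is None:
        names = ET.SubElement(sv, "{%s}ServerNames" % NS["peap"])
    names.text = server_name
    ET.SubElement(sv, "{%s}TrustedRootCA" % NS["peap"]).text = root_ca_thumbprint
    ext = peap.find("peap:PeapExtensions", NS)
    if ext is None:
        ext = ET.SubElement(peap, "{%s}PeapExtensions" % NS["peap"])
    perform = ext.find("peap2:PerformServerValidation", NS)
    if perform is None:
        perform = ET.SubElement(ext, "{%s}PerformServerValidation" % NS["peap2"])
    perform.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import json, sys
    # Usage: python audit_profile.py "Wireless Network Connection-SeattlePro.xml"
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else BOOTSTRAP_PROFILE
    print(json.dumps(audit_profile(text), indent=2))
```

Run it against the file that netsh wlan export profile produced; every entry under findings is a reason the profile should exist only until the domain join completes. The hardened copy that harden_profile returns still needs a real root CA thumbprint (the value netsh writes into TrustedRootCA) and must pass netsh wlan add profile's own schema check, which is why the namespaces are re-registered before serialising.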
The user can use the following method to join the domain:
- Obtain the XML file and the script from the administrator.
- Log onto the computer locally. At this point, you haven’t joined the Active Directory domain, so you can’t use your domain account.
- Run the script to add the bootstrap wireless profile to your computer.
- When prompted, provide the domain account and password to connect to the wireless network.
- Now that you’ve established a connection to the network, go to Control Panel, open System, and click Advanced system settings. When prompted by User Account Control, click Continue, or provide credentials as necessary.
- Click the Computer Name tab.
- Click Change.
- Click the Domain button and enter the name of the domain that you want to join (for example, SeattlePro.com).
- Click OK and then provide the domain user name and password of an account that will allow you to join the domain.
- Restart your computer to complete the process.
In addition to the methods described above, as a network administrator or member of the Help Desk staff you can also join wireless clients to the domain on the user’s behalf and configure what’s known as a single sign-on (SSO) bootstrap wireless profile. You can join the user’s computer to the domain over a wired Ethernet connection before handing the computer over to the user. You can use either Group Policy or the netsh wlan options to configure SSO profiles on wireless clients. Configure the bootstrap wireless profile to use PEAP-MSCHAP v2, while ensuring that validation of the RADIUS server certificate has been disabled (refer to Figure 2), and make sure that SSO is enabled.
Conclusion
Because Windows Vista is the primary client for Longhorn Server, several new features in Windows Vista are designed to work only with Longhorn Server. The bootstrap wireless profile in Windows Vista can be used by users to join an Active Directory domain.
Microsoft has changed the default authentication method for 802.1X-authenticated wireless connections from EAP-TLS in Windows Server 2003 to PEAP-MS-CHAP v2 in Windows Longhorn Server and Windows Vista. Both of these authentication methods involve certificates, so you need to know the pros and cons of using a commercial certificate versus your own PKI infrastructure and how it can affect wireless network clients.