The Cable Guy - December 2003
Wireless Provisioning Services Overview
Wireless Provisioning Services (WPS) are enhancements that are included in Microsoft Windows XP Service Pack 2 (SP2) and Windows Server 2003 Service Pack 1 (SP1). WPS extends the wireless client software included with Windows XP and the Internet Authentication Service (IAS) included with Windows Server 2003 to allow for a consistent and automated configuration process when connecting to the following:
- Public wireless hotspots that provide access to the Internet.
- Private organization wireless networks that provide guest access to the Internet.
This article describes the infrastructure and process when a wireless client initially connects to a public wireless hotspot that is providing access to the Internet.
When wireless clients connect to a public wireless hotspot, either they are already a customer of the wireless Internet service provider (WISP) or they are not. If they are not, the user of the wireless client is faced with the challenge of performing the following:
- Configuring network settings to connect to the WISP network.
- Providing identification and payment information to the WISP.
- Obtaining connection credentials.
- Reconnecting to the WISP network after valid credentials have been obtained.
WPS is designed to simplify, automate, and standardize initial sign-up and subscription renewal so that the user does not have to perform a different set of steps for each wireless provider to which they want to connect.
Components of a WPS Infrastructure
The set of components needed for WPS is the following:
- WPS-enabled wireless clients
- Wireless access points (APs) that support either virtual local area networks (VLANs) or Internet Protocol (IP) filtering
- Access controller
- Provisioning server
- Active Directory directory service domain controller
- Internet Authentication Service (IAS) server
- Dynamic Host Configuration Protocol (DHCP) server
These components are shown in the following figure.
WPS-Enabled Wireless Clients
WPS-enabled wireless clients are computers running Windows XP Home Edition with SP2, Windows XP Professional with SP2, or Windows XP Tablet PC Edition with SP2.
Wireless APs that Support Either VLANs or IP Filtering
The wireless APs that are used for WPS must support either VLANs or IP filtering.
With VLANs, the traffic from the wireless client can be tagged with a VLAN ID to identify whether it is authenticated, in which case the traffic is forwarded to the Internet VLAN, or not, in which case the traffic is forwarded to a provisioning resources VLAN that contains the set of servers used for configuring the wireless client. The access controller uses the VLAN ID to determine how to switch the traffic.
As an alternative to VLAN support, the wireless AP must have the ability to filter traffic from individual wireless clients based on the destination IP address or tag traffic for filtering by an access controller. IP filtering allows the wireless AP to confine the traffic of unauthenticated clients to a specific set of resources on the network.
Both IP filtering and the use of VLANs provide a way of isolating the traffic of unauthenticated wireless clients to a specific set of servers from which the wireless client is configured and valid connection credentials are obtained.
The support for VLANs or IP filtering is in addition to support for Institute of Electrical and Electronics Engineers (IEEE) 802.1X and Remote Authentication Dial-In User Service (RADIUS).
It is also recommended that wireless APs have virtual AP support, in which a single physical wireless AP can act as if it were multiple wireless APs by broadcasting multiple Service Set Identifiers (SSIDs) with separate security configurations. With virtual AP support, WISPs can easily migrate their existing public hotspots from using the Universal Access Method (UAM), a Web browser-based sign-up process, to WPS.
The wireless AP is configured as a RADIUS client to the IAS server on the WISP network.
Access Controller
The access controller is a device that performs routing and either filtering or VLAN switching for packets coming from and going to the wireless APs. If packet filtering is being used, the access controller uses the tags placed on the frames to perform packet filtering. If VLANs are being used, the access controller uses the VLAN ID of packets coming from the wireless APs to switch the packets to:
A provisioning resources VLAN
The provisioning resources VLAN allows unauthenticated wireless clients access to the DHCP and provisioning servers, allowing them to connect to receive a DHCP configuration, provide identification and payment information, and receive connection credentials to connect as an authenticated wireless client.
An Internet VLAN
The Internet VLAN provides access to the Internet. Only customers who have created and paid for accounts and have authenticated themselves with valid credentials are switched to this VLAN for Internet access.
The IP filters or the specific VLAN ID for the traffic of the unauthenticated (the provisioning resources VLAN) or authenticated (the Internet VLAN) wireless client are provided via vendor-specific RADIUS attributes in the RADIUS Access-Accept message sent from the IAS server.
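The VLAN decision described above, as an added example that is not part of the original article: it parses a RADIUS Access-Accept and returns the VLAN the client should be switched to. It assumes the standard RFC 2868/3580 tunnel attributes rather than the vendor-specific attributes the article mentions, uses hypothetical VLAN IDs 10 and 20, and by this example's own design choice keeps any client whose message is malformed or names an unknown VLAN on the provisioning resources VLAN.

```python
import struct

ACCESS_ACCEPT = 2
# Assumption: standard RFC 2868/3580 tunnel attributes, not the vendor-specific
# attributes the article mentions.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6
# Hypothetical VLAN plan for this example; the article does not give VLAN IDs.
PROVISIONING_VLAN, INTERNET_VLAN = 10, 20


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs from a RADIUS packet, validating every length."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 2 <= length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of bounds")
        yield packet[pos], packet[pos + 2:pos + attr_len]
        pos += attr_len


def vlan_for_client(packet: bytes) -> int:
    """Return the VLAN to switch the client to; anything unclear stays isolated."""
    # Assumption: the Response Authenticator was verified before this is called.
    try:
        attrs = dict(parse_attributes(packet))
        # Tunnel-Type / Tunnel-Medium-Type: 1 tag byte + 3-byte big-endian value.
        is_vlan = (int.from_bytes(attrs[TUNNEL_TYPE][1:], "big") == TUNNEL_TYPE_VLAN
                   and int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big") == MEDIUM_IEEE_802)
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
        if group and group[0] <= 0x1F:      # optional leading tag byte
            group = group[1:]
        vlan = int(group.decode("ascii"))
    except (ValueError, KeyError):
        return PROVISIONING_VLAN
    return vlan if is_vlan and vlan == INTERNET_VLAN else PROVISIONING_VLAN


def build_accept(vlan_text: bytes) -> bytes:
    """Constructed sample Access-Accept (zeroed authenticator) for the demo."""
    attrs = (bytes([TUNNEL_TYPE, 6, 0, 0, 0, TUNNEL_TYPE_VLAN])
             + bytes([TUNNEL_MEDIUM_TYPE, 6, 0, 0, 0, MEDIUM_IEEE_802])
             + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(vlan_text)]) + vlan_text)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs
```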
Provisioning Server
The provisioning server is configured with the following components:
Secure HyperText Transfer Protocol (HTTPS)-based Web server
A Web server, either Internet Information Services (IIS) or a third-party Web server, must be deployed using HTTPS.
The HTTPS-based Web server is configured with a WPS-based Web application that processes information provided during customer sign-up or subscription renewal. When a customer uses the WPS sign-up wizard on the wireless client to create and pay for a WISP account, the customer types identification and payment information, such as name, address, and credit card information. This information is converted by WPS to an XML document and sent to the provisioning server.
The Web application on the provisioning server must be capable of accepting and processing the XML documents containing the wireless client user information. For example, for new customers, the Web application must dynamically create an account in Active Directory. For subscription renewals, the Web application must dynamically update account and payment information.
XML master and sub-files
The provisioning server maintains the XML master and sub-files that provide the wireless client with all the configuration information needed to access the network, create an account, submit payment information, and ultimately access the Internet. The XML data also contains WISP branding content, WISP hotspot locations, and help information.
Active Directory Domain Controller
An Active Directory domain controller is used to store the user accounts database for active customers. When a customer performs the initial sign-up process, the Web application on the provisioning server creates a new account in Active Directory and adds the user account to the appropriate groups.
Instead of Active Directory, a WISP can use a Lightweight Directory Access Protocol (LDAP)-based database that supports dynamic creation of user accounts.
IAS Server
IAS, the Windows implementation of a RADIUS server and proxy, is used as a RADIUS server to authenticate and authorize users connecting to the WISP network. IAS is configured with remote access policies to allow the following:
- Guest authentication and access to the provisioning resources for wireless clients that do not yet have an account and valid connection credentials.
- Access to the Internet for wireless clients that do have an account and valid connection credentials.
The IAS server must be running Windows Server 2003 with SP1, which includes a new Protected Extensible Authentication Protocol (PEAP) type known as PEAP-Type-Length-Value (TLV). PEAP-TLV is defined in the Internet draft titled "A Container Type for the Extensible Authentication Protocol (EAP)", and provides IAS with the ability to send the location of the provisioning server to wireless client computers in the form of a Uniform Resource Locator (URL). With the URL of the provisioning server, WPS on the wireless clients can download the provisioning XML files and begin the initial sign-up or subscription renewal process.
To provide server-side PEAP authentication to wireless client computers, the IAS server uses a computer certificate, stored in the Local Computer certificate store of the IAS server. The IAS computer certificate contains the Server Authentication purpose in the Enhanced Key Usage property of the certificate and is typically issued by a public, third-party certification authority (CA), such as VeriSign, Inc.
A public, third-party certificate is typically used because in order for the Windows XP wireless client to validate the IAS server certificate, it must have the root CA certificate of the issuing CA of the IAS server computer certificate stored in its Trusted Root Certification Authority certificate store. Windows XP already includes the root CA certificates of many public, third-party certificates in the Trusted Root Certification Authority certificate store.
If you install IAS on the Active Directory domain controller, the computer must have a computer certificate. If the IAS server and the Active Directory domain controller are different computers, only the IAS server needs a computer certificate.
DHCP Server
The DHCP server must be able to assign valid IP addresses to the wireless client computers that are connecting either as guests or as authenticated clients that are accessing the Internet.
Example New Account Connection Process
The following example describes the WPS process for a new customer at a Wi-Fi hotspot location. When a new customer connects to a WISP, signs up for a new account, and accesses the Internet, the entire process occurs in the following phases:
- Phase 1: The client discovers the WISP network at a Wi-Fi hotspot.
- Phase 2: The client authenticates as a guest.
- Phase 3: The client is provisioned and a new account is created.
- Phase 4: The client is authenticated using the new account credentials and accesses the Internet.
Phase 1: The Client Discovers the WISP Network at a Wi-Fi Hotspot
A customer starts their WPS-capable wireless client within range of a wireless AP at the Wi-Fi hotspot. The wireless network adapter informs Windows XP Wireless Auto Configuration of the existence of the WISP wireless network name, also known as its SSID. Windows XP notifies the customer that a new wireless network is available. The customer views the WISP wireless network information and decides to connect.
Phase 2: The Client Authenticates as a Guest
Because this is a new wireless network, Wireless Auto Configuration uses PEAP-Transport Layer Security (TLS) guest authentication to connect to the WISP network. For PEAP-TLS guest authentication, the wireless client passes a null user name and no certificate to the IAS server.
The IAS server authorizes the new client as a guest. After PEAP-TLS authentication, PEAP-TLV is used to send the URL of the provisioning server to the wireless client. In the final RADIUS Access-Accept message, RADIUS attributes contain either the VLAN ID of the provisioning resources VLAN or the set of IP filters used to confine the traffic from the wireless client to the resources needed for provisioning.
The wireless client computer then requests and receives an IP address configuration from the DHCP server.
Phase 3: The Client is Provisioned and a New Account is Created
From the URL received via PEAP-TLV, the wireless client connects to the provisioning server. WPS on the wireless client downloads the XML master file and the appropriate sub-files. Based on the information in these files, the WPS sign-up wizard is run, allowing the customer to configure identification and payment information, create an account, and receive valid credentials.
The information configured by the customer is converted by WPS into an XML document, which is sent to the provisioning server. Once payment is verified and sign-up information is completed successfully, the Web application creates a user account in Active Directory (or other LDAP-capable user account database) and adds the account to the appropriate groups.
The provisioning server creates an XML document containing the new account credentials and sends it to WPS on the wireless client computer. WPS stores the wireless network, account, and credential information in a profile.
Phase 4: The Client is Authenticated Using the New Account Credentials and Accesses the Internet
Wireless Auto Configuration disassociates from the wireless AP of the WISP, reassociates, and then attempts authentication. Because there is now a profile that matches the WISP wireless network, Wireless Auto Configuration retrieves the information from the profile and authenticates using PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) and the user account and password credentials stored in the profile.
Based on the valid credentials sent by the wireless client, the IAS server authenticates and authorizes the connection request against the new account in Active Directory. Based on the user account properties and the matching remote access policy settings, the IAS server sends an Access-Accept message to the wireless AP containing either the VLAN ID of the Internet VLAN or a new set of IP filters that allow the wireless client computer to access the Internet.
After the authenticated connection is accepted, the wireless client uses DHCP to request and receive an IP address configuration. After DHCP configuration, the wireless client can access Internet resources.
For More Information
For more information about WPS, consult the following resources:
- Introduction to Deploying Wireless Provisioning Services (WPS) Technology
- Microsoft Wireless Networking Web site