How Wireless Network Policies Extension Works
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
How Wireless Network Policies Extension Works
This section discusses how the Wireless Network Policies Extension works.
In this section
Wireless Network Policies Extension Architecture
Wireless Network Policies Extension Protocols
Wireless Network Policies Extension Physical Structure
Network Protocols Used by Wireless Network Policies Extension
Wireless Network Policies Extension Architecture
The Wireless Network Policies Extension consists of two subsystems:
Wireless MMC snap-in
Wireless Client-Side Extension (CSE)
Wireless MMC Snap-in
The Wireless MMC snap-in is the server-side tool used by the administrator to make the wireless Group Policy settings into Group Policy objects (GPOs). The snap-in functionality for the GPO is accessible from Edit on the pop-up menu for the GPO within the Group Policy Management Console (GPMC). The following figure shows the snap-in for the GPO named gpo_Name, and shows the Properties dialog box for the policy named GPfield.
Group Policy Object Editor MMC Snap-in
.gif "Group Policy Object Editor MMC Snap-in")
Wireless Client-Side Extension (CSE)
Gptext.dll, located in the systemroot%\system32 folder on the target, is the Client-Side Extension (CSE) component, which implements the settings made by the administrator on the server using the snap-in. The Wireless Extension downloads these settings from the domain controller to the target and stored in the registry. This must be done over a wired (cable) network initially, due to a certificate services requirement. This initial download cannot be done over a wireless connection. Subsequent Computer Configuration Group Policy settings can be downloaded to a wireless device after the initial download. There is no UI for the CSE on the target.
Wireless CSE settings are stored in a subkey under the following registry key on the target:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
The wireless CSE subkey name is a GUID and the wireless subkey and its values are seen in the figure below. The other GUID subkeys correspond to the other CSEs.
Target Wireless CSE Registry Key and Values
.gif "Target Wireless CSE Registry Key and Values")
Wireless Network Policies Extension Protocols
The figure below shows the conceptual view of wireless network access. The Wireless Network Extension MMC snap-in sits, conceptually, in the Management “box” of infrastructure services. The CSE sits in the Wireless Client “box” of the WLAN Component.
Wireless Network Overview
.gif "Wireless Network Overview")
Components and protocols significant to the Wireless Network Policies Extension are included in the following table:
Wireless Network Policies Extension Components and Protocols
| Component | Description |
|---|---|
IEEE 802.11 |
A shared, wireless local area network standard. |
IEEE 802.1x |
A Port-based Network Access Control standard. |
IEEE 802.11i |
A draft standard that specifies improvements to WLAN networking security. |
Wi-Fi Protected Access (WPA) |
An interim standard, agreed to by wireless vendors, that is used until IEEE 802.11i is ratified. |
wireless Access Point (wireless AP) |
The more general term is Network Access Service (NAS). This is a device defined by the 802.11 standard that bridges the wireless and wired networks. |
Remote Authentication Dial-In User Service (RADIUS) |
Performs authentication and authorization for many types of networks, including wireless. |
Internet Authentication Service (IAS) |
A Microsoft implementation of RADIUS. |
Extensible Authentication Protocol (EAP) |
An authentication protocol used by, and required by the IEEE 802.1x standard. |
Protected Extensible Authentication Protocol (PEAP) |
One of two EAP authentication protocols available in the Wireless extension. Both are supported by Windows XP Service Pack 1. |
EAP-Transport Layer Security (EAP-TLS) |
One of two EAP authentication protocols (PKI-based) supported by Windows XP Service Pack 1. EAP-TLS is the EAP type recommended for certificate-based client authentication. |
Public key infrastructure (PKI) |
PKI is an implementation of public-key cryptography. Public-key cryptography provides data privacy, robust user and computer authentication, and documentation of action taken; all in a distributed security model. |
certificate |
A credential used for authentication. |
Transport Level Security (TLS) |
TLS provides mutual authentication, negotiation, and endpoint key determination. |
Microsoft Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2) |
An authentication protocol. |
PEAP-EAP-MSCHAP-v2 |
The recommended EAP type for password-based client authentication. |
Wired Equivalent Privacy (WEP) algorithm |
An algorithm on which the IEEE 802.11 WLAN Standard authentication and encryption services are based. |
Wireless Network Policies Extension Physical Structure
The physical structure of the Wireless Network Policies Extension, and how it fits into a wireless infrastructure, is seen in the Wireless Network Overview figure in the Protocols section above. Settings made by the administrator in the server-side snap-in are transferred to the CSE during initial wired connection between target and domain. These settings are transferred based on target (Computer) identity. Many of the settings are stored in the CSE registry key seen in the Target Wireless CSE Registry Key and Values figure, above.
One of the settings stored in a different registry location is the EAP type. This setting is stored in the following registry key on the client, and on the domain controller:
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\[#]
[#] = 13 for Smart Card or other certificate
[#] = 25 for Protected EAP (PEAP)
[#] = 26 for Secured password (EAP-MSCHAP v2)
[#] = 4 for MD-5 Challenge (not configurable via Extension)
On the wireless client (target) at machine startup, all CSEs are managed by the Group Policy Engine (GPE). The GPE stores a list of all GPOs received from the Active Directory. The GPE passes the GPO list into the Wireless CSE.
Group Policy templates (GPTs), the file system portion of Group Policy Settings, are stored in the [%systemroot%\SYSVOL]\sysvol\domainname\policies subfolder of the sysvol tree. The root of each GPT contains a GPT.INI file. Each GPT contains a MACHINE and USER subfolder. Wireless policy is located in the MACHINE subfolder.
The GPT.ini file, stored on the domain controller SYSVOL, contains the GPO version number of the Group Policy template (GPT). The GptTmpl.inf file, stored in the MACHINE\Microsoft\Windows NT\SecEdit folder for each GPO, contains machine GPO settings including Wireless Network Policy Extension settings.
At client machine startup, when Group Policy is finished processing, Winlogon gets the CSE registry information, creates a Userinit process, and passes Userinit the Wireless CSE information. The GPE, running in the same process as Winlogon, calls Userinit; Winlogon doesn’t call Userinit. The Wireless CSE is registered with Winlogon in the registry, as seen in the Target Wireless CSE Registry figure above. Other Wireless Network Group Policy settings are also stored in the registry, and are retrieved and applied at this time.
Windows XP and Windows Server 2003 stores computer and user authentication behavior settings in the AuthMode value in the following registry key:
HKLM\Software\Microsoft\EAPOL\Parameters\General\Global
Valid AuthMode registry values are:
0 for With user authentication
1 for With user re-authentication
2 for Computer only
The following table summarizes the components that interact during target startup.
Physical Structure Components
| Component | Description |
|---|---|
Group Policy Engine |
The Framework that manages and implements the Group Policy settings and configurations, made by the admin, across all Client Side Extensions (CSE). Userenv.dll is the GPE module. The GPE runs in the same process as Winlogon. It is from that process that Userinit is called. The component actually calling Userinit is the GPE, not Winlogon. |
Wireless Client-Side Extension (CSE) |
The Wireless CSE is the central communication point for the GPE, and is contained within gptext.dll located in the %systemroot%\system32 folder. This DLL runs on the client system that is responsible for interpreting and implementing the Group Policy Management Console wireless settings made by the administrator through the wireless snap-in. It also runs on the domain controller to provide the Group Policy Object Editor snap-in. |
WinLogon |
WinLogon is the component that calls the Wireless CSE at machine startup and timed intervals. Winlogon is the only system component that actively interacts with the Group Policy Engine. All CSEs are registered with WinLogon in the registry under the following registry key on both the domain controller and the client machine: HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions Note Direct registry manipulation of CSE behavior is not recommended. Most behavior settings are available for modification in the Group Policy Object Editor. |
Userinit |
Called by the process in which both Winlogon and the GPE are running. |
SYSVOL |
The SYSVOL is the set of folders shared on each domain controller, which store file-system domain information, as compared to registry domain information. Sysvol is one of the locations in which the GPT.INI file is stored. |
Group Policy template (GPT) |
The GPT is part of the GPO, and is the portion of Group Policy Settings stored in the file system and shared between domain controllers. The GPT makes up the majority of the Group Policy settings. Each GPT folder is a subfolder of the Policies folder and has a GUID for a name. |
GPT.INI |
GPT.INI is a file in the GPT root folder that stores the GPO version number of the GPT. The Group Policy Client Side Extensions use this version number to confirm that directory and file components are synchronized correctly. |
ADM (Adm) folder |
The ADM folder stores the System.adm file, among others. |
MACHINE folder |
The Machine folder stores GPO Computer settings files. One of the subfolders is the SecEdit folder. |
SecEdit folder |
The SecEdit folder, a subfolder of the MACHINE folder, stores the GptTmpl.inf file. |
Network Ports Used by Wireless Network Policies Extension
The following table summarizes the network protocols and port numbers used by the Wireless Network Policies Extension.
Port Assignments for Wireless Network Policies Extension
| Task | Port (Protocol) |
|---|---|
Retrieve GPO list |
TCP 398 (LDAP) |
Retrieve Group Policy container |
TCP 398 (LDAP) |
Request Distributed File System (DFS) referral for the Sysvol folder on the domain controller |
TCP 445 (SMB) |
Determine Sysvol DFS replica location for the Sysvol folder on the domain controller |
TCP 445 (SMB) |
Open and read Gpt.ini |
TCP 445 (SMB) |
Open and read Group Policy template settings files |
TCP 445 (SMB) |
Return Group Policy template file |
TCP 445 (SMB) |
RADIUS Messages |
UDP 1812, 1813 |