Wireless Provisioning Services (WPS)

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Wireless Provisioning Services (WPS)

This topic contains 0 replies, has 1 voice, and was last updated by  Webmaster 2 years ago.

  • Author
  • #2232


    Applies To:Windows Server 2003 with SP1
    What does Wireless Provisioning Services do?
    An increasing number of users areaccessing theInternet through a growing number of public wireless networks, or wireless
    fidelity (Wi-Fi) hotspots. Using Wireless Provisioning Services (WPS) provides wireless users with a consistentexperienceand
    seamless connectivity to public Wi-Fi hotspots through automatic provisioning of theclientand seamless roaming.WPS
    enables Wireless InternetService Providers (WISPs) to usea standards-based and integrated platform to provide Wi-Fi
    hotspots with enhanced security thatareeasy to useand manage. In addition,WPS enables enterprises to easily provide guest
    access with enhanced security to private wireless networks.
    With WPS,WISPs and enterprises can send provisioning and configuration information to mobileclients as they connect to the
    Internet or thecorporate network.This in turn allows seamless,automaticand secureconfiguration of mobileclients,enabling
    a uniform sign-up experiencein theenterpriseand across different public network providers and hotspot locations.
    Who does this feature apply to?
    Wireless Provisioning Services is designed for threetypes of organizations:
    HotspotService Provider (HSP)
    HSPs deploy wireless access points in public places, such as shopping malls and airports, but HSPs are not Internet
    Service Providers (ISPs). Instead, the HSP contracts with one or moreISPs,and offers users one or moreservice plans to
    choosefrom when they want to establish an account for Internetaccess.
    Wireless InternetService Provider (WISP)
    WISPS areISPs thateither deploy Wi-Fi hotspots in public places or outsource Wi-Fi hotspot services to an HSP.
    Enterprises can use WPS technology to provide managed guestaccess on their networks.
    What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
    Wireless Provisioning Services
    Detailed description
    Wireless Provisioning Services is an extension to theexisting wireless services and user interfaces within Windows XP and
    Windows Server 2003. It builds on the wireless features already in Windows, such as Wireless Zero Configuration,and the
    wireless security features, such as Protected Extensible Authentication Protocol (PEAP) and Wi-Fi Protected Access (WPA).WPS
    also includes modifications to Windows Server 2003.The Windows Server 2003 Internet Authentication Service(IAS)
    component was modified to include guestauthentication of theclients in the provisioning process.
    WPS includes a provisioning servicecomponent thatallows for Wireless InternetService Providers (WISPs) and enterprises to
    send provisioning and configuration information to a mobileclient that is trying to connect to theInternet or thecorporate
    network. By using Wireless Provisioning Services,WISPs can offer services at multiple network locations and use multiple
    network names (serviceset identifiers, or SSIDs). After users havesigned up to a WISP in onelocation or are preprovisioned
    and have downloaded the provisioning information, they can automatically connect to theInternet on subsequent occasions
    using the network provided by the WISP in their different hotspot locations.The Wireless Zero Configuration (WZC) service
    will automatically choosethecorrect network belonging to the WISP based on the provisioning files supplied.WSP also
    enables automaticand seamless roaming between different providers.
    Further, when WPS is used theclient computer automatically keeps the provisioning information stored on theclient computer
    up to date.This allows the provider to changethe network settings,add new locations,and so on, without disrupting the
    service or having users reconfiguretheir systems.
    When a user connects his computer to a WISP and establishes an account for thefirst time, thefollowing four stages occur:
    Thecomputer discovers the WISP network ata Wi-Fi hotspot.
    The user is authenticated using a guestaccountand thecomputer is connected to the Wi-Fi network.
    The mobileclient is provisioned and the user establishes an account with the WISP.
    The user is authenticated on the Wi-Fi network using the new user account credentials.
    Each of thesestages is discussed in detail in thefollowing scenario.
    A user arrives ata Wi-Fi hotspot with a portablecomputer running Windows XP with Service Pack 2 or Windows Server 2003
    with Service Pack 1 and Wireless Provisioning Services.When thecomputer comes within range of the WISP access point
    beacon thefollowing occurs:
    1. The Wireless Zero Configuration (WZC) service on theclient computer detects the beacon information from theaccess
    point, which is enabled with a broadcast serviceset identifier (SSID).TheSSID is equivalent to the network name.
    2. The user is informed by Windows thata wireless network is available.The user views information in Windows, including
    the network’s friendly name. In this example, the user possesses a promotion codeto usefor accountestablishment,and
    proceeds by clicking Connect.This causes the WPS client to connect the user’s computer to the wireless network using a
    guestaccount with limited privileges.
    When the guestaccount is authenticated by the Wi-Fi network, thefollowing occurs:
    1. WZC uses 802.1xand Protected Extensible Authentication Protocol (PEAP) to connectand authenticateas guest to the
    WISP network through theaccess point,automatically passing a blank user nameand password to the WISP Internet
    Authentication Service(IAS) server (IAS is also known as the Microsoft RADIUS server).Theaccess point is connected to a
    gateway devicethatallows traffic from theclient to pass to the provisioning services in the network to completethesignup
    process, but blocks theclient from accessing theInternet.
    2. TheIAS server (or RADIUS server) is the PEAP authenticator and Transport Layer Security (TLS) endpoint for users who
    connectas guest.TheTLS tunnel is created between theclientand theIAS server. All subsequent messages between
    clientand server pass through this tunnel, which traverses theaccess pointand the gateway device.
    3. Server authentication is performed when theIAS server verifies its identity to theclient computer using a certificatethat
    contains theServer Authentication purposein Enhanced Key Usage(EKU) extensions.This certificateis issued by a public
    trusted root certification authority (CA) that theclient computer trusts.
    4. TheIAS server authenticates and authorizes the user as Guest. In the Access-Accept messagethat theIAS server sends to
    theclient is a container with a URL to the provisioning information.This URL provides the Wireless Provisioning Services
    enginerunning on theclient, with thelocation of the XML master file.
    When theclient is provisioned and the user creates an account, thefollowing occurs:
    1. On theclient computer, the Wireless Provisioning Services downloads the XML master fileand sub-files from the
    provisioning server.The master filecontains pointers to XML subfiles that control theclient’s progress through the
    process.When the XML sign-up schema is downloaded, thesign-up wizard is launched on theclient to allow the user to
    createand pay for an account with the WISP.
    2. Using thesign-up wizard on theclient computer, the user steps through the process of signing up for an account.The
    user enters the promotion codeas well as personal data such as name,address,and credit card number.The data
    entered by the user is converted by the Wireless Provisioning Services client into an XML document.
    3. The XML document containing the user’s sign-up data is sent to the Web application on the WISP provisioning server.
    4. The Web application checks the promotion codeentered by the user against the promotion code database(for example,
    aSQL Server database). If the promotion codeis valid, the Web application continues processing the user’s data.
    5. The Web application processes the user’s payment information. Once payment is verified and sign-up information is
    completed successfully, the Web application reads the domain and security group information from the promotion code
    databaseand creates a user account in identity services (such as Active Directory) and adds theaccount to thesecurity
    group.The Web application also enters the new user namein the promotion code database.
    6. An XML document containing the new account credentials is sent from the WISP provisioning server to the Wireless
    Provisioning Services client on theclient computer.Theclient computer uses thecredentials to configure WZC and
    802.1x under the name of the WISP.Theconnection is re-initiated with the new user account password-based credentials
    (user nameand password).
    There-initiated connection process is as follows:
    1. The Wireless Zero Configuration (WZC) service on theclient computer restarts theassociation to theSSID for the WISP.
    2. WZC finds thecorrect 802.11 profile which was downloaded with the other WISP information in the XML master file.
    WZC reassociates with theaccess point using thecorrect profile.
    3. WZC uses 802.1x to start theauthentication process using a combination of the Protected Extensible Authentication
    Protocol and the Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2) using the new
    account credentials passed to 802.1x by the Wireless Provisioning Services client.
    4. As theclient starts theauthentication process with PEAP-MSCHAPv2 authentication,aTLS channel is created between the
    user’s client computer and the WISP IAS server.
    5. In thesecond stage of PEAP-MSCHAPv2 authentication, the WISP IAS server authenticates and authorizes theconnection
    requestagainst the new account in the user accounts database(for example, Active Directory).TheIAS server sends an
    Access-Accept messageto theaccess point. Included in the Access-Accept messageareattributes that specify the user
    can now getaccess to theInternet.
    6. Theaccess point instructs the gateway deviceto assign theclient to thelogical segment network with access to the
    Why is this change important?
    Wireless Provisioning Services makes iteasier to use wireless hotspots without compromising security.WPS, with Windows
    Server 2003 Service Pack 1,and Microsoft IAS (also known as a RADIUS server),allows users’ computers to moreeasily
    discover,connectand roam between wireless hotspots with enhanced security.
    Thecurrent connection model for WISP signup and useis not secured. Most Wi-Fi hotspots areconfigured for open
    authentication and without dataencryption. Users are generally required to launch a Web browser to initially sign-up to
    the WISP serviceand for subsequent logins.WSP mitigates this threat by adding encryption and authentication to the
    communications between theclientand the wireless network.
    Browser redirection-based deployment has many usability issues. Users may noteven know they haveto launch their
    browser to get connected. Another example of what can happen is when the browser is set to use proxy settings to
    access theInternetand the user is connected directly to thecorporate network. In this case, browser redirection does not
    work and the user would haveto know to disablethe proxy settings to connect to the hotspot.This can causecostly
    support calls to the WISP or theenterprise helpdesk.
    Browser based deployment is vulnerableto man-in-the-middleattacks, for example, by a malicious front-end server
    using a rogueaccess point. Users queried by this access point might unknowingly be giving away personal identification
    and credit card information. By eliminating the need for a Web login WSP reduces thevulnerability of WISP users to this
    type of attack.
    Withoutadditional hotspot client software users cannoteasily detect hotspots and do not havea unified mechanism to
    sign-up to them. It is noteasy for users to find out information about the WISP or search for the hotspot locations for
    that WISP. If users sign-up at one hotspot, they are not necessarily configured to automatically usethe other hotspots. In
    addition, thereis no standard mechanism to keep their provisioning and configuration information up-to-date.
    Add-on hotspot client softwarecan help the user access that specific WISP’s network. However,add-on softwarecan also
    conflict with the wireless services nativeto the operating system or client softwarefrom other providers, potentially
    causing interoperability problems,even instability of thesystem as they all attempt to control the wireless settings of the
    entiresystem. Updates to the WISP configuration usually require updates to theclient software.For thesereasons, many
    corporateIT departments arereluctant to deploy third party hotspot client softwareto their users.
    Thereis no standardized mechanism across WISPs to process user sign-ups and updatetheir configurations. As a result,
    the user experienceis fragmented and automaticand seamless roaming across providers can be difficult.
    Wireless Network Registration Wizard
    Detailed description
    The Wireless Network Registration Wizard provides the user interfaceto sign-up for a wireless hotspotand guides the user
    through the provisioning process.The wizard builds content from provisioning information (XML files) provided by the WISP.
    The provisioning information can be dynamically downloaded or preinstalled on theclient system. Preinstallation can be
    provided by an OEM for new systems, by theIT department within an organization, or from a WISP Web site.The WISP owns
    and creates the provisioning information and drives the users’ sign-up and provisioning experience.Thefollowing example
    presents a simple Wireless Network Registration Wizard experience wherethe user has prepaid for an access code.The XML
    schema and wizard areflexibleand can enable morecomplex sign-up experiences.
    First, the user can either right-click the wireless network icon in the notification area and then click View Available Wireless
    Networks, or the user can respond to the notification messagein the notification area that indicates availability of a new
    wireless network in range.When Choose a wireless network appears, the user selects a new wireless network and places
    that network on the preferred networks list.
    The user then selects a network name(an SSID) and clicks Connect to connect to the wireless network.With a WPS-based WiFi
    hotspot, theclient detects that thereis more provisioning information in form of XML files that is availableabout the
    network and the provider. It then confirms with the user whether the provisioning information should be downloaded.With a
    non-WPS network, theexperience would bethesameas with Windows XP today:either the users are prompted for a security
    key when connecting to a secure network or the users are warned that the network they aretrying to connect to is unsecured,
    and they areasked if they still want to connect to it.
    After the download is complete, the Wireless Network Registration Wizard automatically launches and guides the user through
    thesign-in process.Thefirst screen displays a customized logo (or banner) and content from the provider.
    Thesubsequent screens may includeselecting a subscription plan,entering credit card information, personal information and
    so on. In this examplethereis just one plan and the user is asked to enter a prepaid or promotional codeto getaccess to the
    network. Next,Wi-Fi Hotspot Deployment displays information about theselected plan, such as theterms of theservice
    agreementand privacy statement.
    On thelast screen, the wizard asks the users for their connectivity preferences for this connection.These default preferences
    can beset by the provider but can be overridden by the user.For example, if the users selecta monthly subscription with
    unlimited data, they probably want to always connect to the network automatically whenever in range. If the users choosea
    “pay-as-you-go” plan, they probably want to control when to connectand choosea manual connection option as their
    Thesecond option determines whether theclientkeeps the provisioning information automatically up to date.For example, if
    the provider adds new network names,adds new locations, or changes the network or security settings, theclient can
    automatically updatetheinformation withoutany user interaction required whileconnected to the network.
    On subsequentvisits to hotspots madeavailable by the provider or by their roaming partners in thesame or different
    locations, if automatic connection is selected,all the user has to do is to turn the mobilecomputer back on or resume
    operations from standby,and the user is automatically connected.When connected, instead of showing a cryptic network
    name or SSID in the Choose wireless network dialog box (which opens from the View Available Wireless Networks
    notification window),a friendly name of the provider will beshown,along with a logo of the provider.
    From this dialog box, users can also search for available hotspot locations or view the help and support information provided
    by the WISP. Both the help and hotspot location information is downloaded as part of the provisioning information.The
    location information can besearched and viewed online or offline.
    What existing functionality is changing in Windows Server 2003 Service Pack 1?
    The wireless user interface has changed – a new View Available Wireless Networks dialog box will replacetheexisting
    dialog box.
    Do I need to change my code to work with Windows Server 2003 Service Pack 1?
    Wireless Provisioning Service does not requireany changes to existing applications.Therearetwo new APIs with WPS. One of
    the new APIs provides for adding to and queries through the XML data on thecomputer.This API can be used to preprovision
    theclient from the WISP Web site by the user (using a standaloneapplication), by OEMs, or IT departments.
    Additional Resources
    For moreinformation about WPS, see
    1. Deploying Wireless Provisioning Services (WPS) Technology,availablein Word format on the Microsoft Download
    Center,at http://go.microsoft.com/fwlink/?LinkId=203315.
    2. Using the Wireless Provisioning Services (WPS) Technology Authoring Tool,availablein Word format on the Microsoft
    Download Center,at http://go.microsoft.com/fwlink/?LinkId=203316.

You must be logged in to reply to this topic.