Wireless Provisioning Services (WPS)


      Applies To: Windows Server 2003 with SP1
      What does Wireless Provisioning Services do?
      An increasing number of users are accessing the Internet through a growing number of public wireless networks, or wireless
      fidelity (Wi-Fi) hotspots. Using Wireless Provisioning Services (WPS) provides wireless users with a consistent experience and
      seamless connectivity to public Wi-Fi hotspots through automatic provisioning of the client and seamless roaming. WPS
      enables Wireless Internet Service Providers (WISPs) to use a standards-based and integrated platform to provide Wi-Fi
      hotspots with enhanced security that are easy to use and manage. In addition, WPS enables enterprises to easily provide guest
      access with enhanced security to private wireless networks.
      With WPS, WISPs and enterprises can send provisioning and configuration information to mobile clients as they connect to the
      Internet or the corporate network. This in turn allows seamless, automatic and secure configuration of mobile clients, enabling
      a uniform sign-up experience in the enterprise and across different public network providers and hotspot locations.
      Who does this feature apply to?
      Wireless Provisioning Services is designed for three types of organizations:
      Hotspot Service Provider (HSP)
      HSPs deploy wireless access points in public places, such as shopping malls and airports, but HSPs are not Internet
      Service Providers (ISPs). Instead, the HSP contracts with one or more ISPs, and offers users one or more service plans to
      choose from when they want to establish an account for Internet access.
      Wireless Internet Service Provider (WISP)
      WISPs are ISPs that either deploy Wi-Fi hotspots in public places or outsource Wi-Fi hotspot services to an HSP.
      Enterprises can use WPS technology to provide managed guest access on their networks.
      What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
      Wireless Provisioning Services
      Detailed description
      Wireless Provisioning Services is an extension to the existing wireless services and user interfaces within Windows XP and
      Windows Server 2003. It builds on the wireless features already in Windows, such as Wireless Zero Configuration, and the
      wireless security features, such as Protected Extensible Authentication Protocol (PEAP) and Wi-Fi Protected Access (WPA). WPS
      also includes modifications to Windows Server 2003. The Windows Server 2003 Internet Authentication Service (IAS)
      component was modified to include guest authentication of the clients in the provisioning process.
      WPS includes a provisioning service component that allows for Wireless Internet Service Providers (WISPs) and enterprises to
      send provisioning and configuration information to a mobile client that is trying to connect to the Internet or the corporate
      network. By using Wireless Provisioning Services, WISPs can offer services at multiple network locations and use multiple
      network names (service set identifiers, or SSIDs). After users have signed up to a WISP in one location or are preprovisioned
      and have downloaded the provisioning information, they can automatically connect to the Internet on subsequent occasions
      using the network provided by the WISP in their different hotspot locations. The Wireless Zero Configuration (WZC) service
      will automatically choose the correct network belonging to the WISP based on the provisioning files supplied. WPS also
      enables automatic and seamless roaming between different providers.
      Further, when WPS is used the client computer automatically keeps the provisioning information stored on the client computer
      up to date. This allows the provider to change the network settings, add new locations, and so on, without disrupting the
      service or having users reconfigure their systems.
      When a user connects his computer to a WISP and establishes an account for the first time, the following four stages occur:
      The computer discovers the WISP network at a Wi-Fi hotspot.
      The user is authenticated using a guest account and the computer is connected to the Wi-Fi network.
      The mobile client is provisioned and the user establishes an account with the WISP.
      The user is authenticated on the Wi-Fi network using the new user account credentials.
      Each of these stages is discussed in detail in the following scenario.
      A user arrives at a Wi-Fi hotspot with a portable computer running Windows XP with Service Pack 2 or Windows Server 2003
      with Service Pack 1 and Wireless Provisioning Services. When the computer comes within range of the WISP access point
      beacon the following occurs:
      1. The Wireless Zero Configuration (WZC) service on the client computer detects the beacon information from the access
      point, which is enabled with a broadcast service set identifier (SSID). The SSID is equivalent to the network name.
      2. The user is informed by Windows that a wireless network is available. The user views information in Windows, including
      the network’s friendly name. In this example, the user possesses a promotion code to use for account establishment, and
      proceeds by clicking Connect. This causes the WPS client to connect the user’s computer to the wireless network using a
      guest account with limited privileges.
      When the guest account is authenticated by the Wi-Fi network, the following occurs:
      1. WZC uses 802.1x and Protected Extensible Authentication Protocol (PEAP) to connect and authenticate as guest to the
      WISP network through the access point, automatically passing a blank user name and password to the WISP Internet
      Authentication Service (IAS) server (IAS is also known as the Microsoft RADIUS server). The access point is connected to a
      gateway device that allows traffic from the client to pass to the provisioning services in the network to complete the signup
      process, but blocks the client from accessing the Internet.
      2. The IAS server (or RADIUS server) is the PEAP authenticator and Transport Layer Security (TLS) endpoint for users who
      connect as guest. The TLS tunnel is created between the client and the IAS server. All subsequent messages between
      client and server pass through this tunnel, which traverses the access point and the gateway device.
      3. Server authentication is performed when the IAS server verifies its identity to the client computer using a certificate that
      contains the Server Authentication purpose in Enhanced Key Usage (EKU) extensions. This certificate is issued by a public
      trusted root certification authority (CA) that the client computer trusts.
      4. The IAS server authenticates and authorizes the user as Guest. In the Access-Accept message that the IAS server sends to
      the client is a container with a URL to the provisioning information. This URL provides the Wireless Provisioning Services
      engine running on the client, with the location of the XML master file.
      When the client is provisioned and the user creates an account, the following occurs:
      1. On the client computer, the Wireless Provisioning Services downloads the XML master file and sub-files from the
      provisioning server. The master file contains pointers to XML subfiles that control the client’s progress through the
      process. When the XML sign-up schema is downloaded, the sign-up wizard is launched on the client to allow the user to
      create and pay for an account with the WISP.
      2. Using the sign-up wizard on the client computer, the user steps through the process of signing up for an account. The
      user enters the promotion code as well as personal data such as name, address, and credit card number. The data
      entered by the user is converted by the Wireless Provisioning Services client into an XML document.
      3. The XML document containing the user’s sign-up data is sent to the Web application on the WISP provisioning server.
      4. The Web application checks the promotion code entered by the user against the promotion code database (for example,
      a SQL Server database). If the promotion code is valid, the Web application continues processing the user’s data.
      5. The Web application processes the user’s payment information. Once payment is verified and sign-up information is
      completed successfully, the Web application reads the domain and security group information from the promotion code
      database and creates a user account in identity services (such as Active Directory) and adds the account to the security
      group. The Web application also enters the new user name in the promotion code database.
      6. An XML document containing the new account credentials is sent from the WISP provisioning server to the Wireless
      Provisioning Services client on the client computer. The client computer uses the credentials to configure WZC and
      802.1x under the name of the WISP. The connection is re-initiated with the new user account password-based credentials
      (user name and password).
      The re-initiated connection process is as follows:
      1. The Wireless Zero Configuration (WZC) service on the client computer restarts the association to the SSID for the WISP.
      2. WZC finds the correct 802.11 profile which was downloaded with the other WISP information in the XML master file.
      WZC reassociates with the access point using the correct profile.
      3. WZC uses 802.1x to start the authentication process using a combination of the Protected Extensible Authentication
      Protocol and the Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2) using the new
      account credentials passed to 802.1x by the Wireless Provisioning Services client.
      4. As the client starts the authentication process with PEAP-MSCHAPv2 authentication, a TLS channel is created between the
      user’s client computer and the WISP IAS server.
      5. In the second stage of PEAP-MSCHAPv2 authentication, the WISP IAS server authenticates and authorizes the connection
      request against the new account in the user accounts database (for example, Active Directory). The IAS server sends an
      Access-Accept message to the access point. Included in the Access-Accept message are attributes that specify the user
      can now get access to the Internet.
      6. The access point instructs the gateway device to assign the client to the logical segment network with access to the
      Why is this change important?
      Wireless Provisioning Services makes it easier to use wireless hotspots without compromising security. WPS, with Windows
      Server 2003 Service Pack 1, and Microsoft IAS (also known as a RADIUS server), allows users’ computers to more easily
      discover, connect and roam between wireless hotspots with enhanced security.
      The current connection model for WISP signup and use is not secured. Most Wi-Fi hotspots are configured for open
      authentication and without data encryption. Users are generally required to launch a Web browser to initially sign up to
      the WISP service and for subsequent logins. WPS mitigates this threat by adding encryption and authentication to the
      communications between the client and the wireless network.
      Browser redirection-based deployment has many usability issues. Users may not even know they have to launch their
      browser to get connected. Another example of what can happen is when the browser is set to use proxy settings to
      access the Internet and the user is connected directly to the corporate network. In this case, browser redirection does not
      work and the user would have to know to disable the proxy settings to connect to the hotspot. This can cause costly
      support calls to the WISP or the enterprise helpdesk.
      Browser-based deployment is vulnerable to man-in-the-middle attacks, for example, by a malicious front-end server
      using a rogue access point. Users queried by this access point might unknowingly be giving away personal identification
      and credit card information. By eliminating the need for a Web login, WPS reduces the vulnerability of WISP users to this
      type of attack.
      Without additional hotspot client software users cannot easily detect hotspots and do not have a unified mechanism to
      sign up to them. It is not easy for users to find out information about the WISP or search for the hotspot locations for
      that WISP. If users sign up at one hotspot, they are not necessarily configured to automatically use the other hotspots. In
      addition, there is no standard mechanism to keep their provisioning and configuration information up-to-date.
      Add-on hotspot client software can help the user access that specific WISP’s network. However, add-on software can also
      conflict with the wireless services native to the operating system or client software from other providers, potentially
      causing interoperability problems, even instability of the system as they all attempt to control the wireless settings of the
      entire system. Updates to the WISP configuration usually require updates to the client software. For these reasons, many
      corporate IT departments are reluctant to deploy third party hotspot client software to their users.
      There is no standardized mechanism across WISPs to process user sign-ups and update their configurations. As a result,
      the user experience is fragmented and automatic and seamless roaming across providers can be difficult.
      Wireless Network Registration Wizard
      Detailed description
      The Wireless Network Registration Wizard provides the user interface to sign up for a wireless hotspot and guides the user
      through the provisioning process. The wizard builds content from provisioning information (XML files) provided by the WISP.
      The provisioning information can be dynamically downloaded or preinstalled on the client system. Preinstallation can be
      provided by an OEM for new systems, by the IT department within an organization, or from a WISP Web site. The WISP owns
      and creates the provisioning information and drives the users’ sign-up and provisioning experience. The following example
      presents a simple Wireless Network Registration Wizard experience where the user has prepaid for an access code. The XML
      schema and wizard are flexible and can enable more complex sign-up experiences.
      First, the user can either right-click the wireless network icon in the notification area and then click View Available Wireless
      Networks, or the user can respond to the notification message in the notification area that indicates availability of a new
      wireless network in range. When Choose a wireless network appears, the user selects a new wireless network and places
      that network on the preferred networks list.
      The user then selects a network name (an SSID) and clicks Connect to connect to the wireless network. With a WPS-based Wi-Fi
      hotspot, the client detects that there is more provisioning information in form of XML files that is available about the
      network and the provider. It then confirms with the user whether the provisioning information should be downloaded. With a
      non-WPS network, the experience would be the same as with Windows XP today: either the users are prompted for a security
      key when connecting to a secure network or the users are warned that the network they are trying to connect to is unsecured,
      and they are asked if they still want to connect to it.
      After the download is complete, the Wireless Network Registration Wizard automatically launches and guides the user through
      the sign-in process. The first screen displays a customized logo (or banner) and content from the provider.
      The subsequent screens may include selecting a subscription plan, entering credit card information, personal information and
      so on. In this example there is just one plan and the user is asked to enter a prepaid or promotional code to get access to the
      network. Next, Wi-Fi Hotspot Deployment displays information about the selected plan, such as the terms of the service
      agreement and privacy statement.
      On the last screen, the wizard asks the users for their connectivity preferences for this connection. These default preferences
      can be set by the provider but can be overridden by the user. For example, if the users select a monthly subscription with
      unlimited data, they probably want to always connect to the network automatically whenever in range. If the users choose a
      “pay-as-you-go” plan, they probably want to control when to connect and choose a manual connection option as their
      The second option determines whether the client keeps the provisioning information automatically up to date. For example, if
      the provider adds new network names, adds new locations, or changes the network or security settings, the client can
      automatically update the information without any user interaction required while connected to the network.
      On subsequent visits to hotspots made available by the provider or by their roaming partners in the same or different
      locations, if automatic connection is selected, all the user has to do is to turn the mobile computer back on or resume
      operations from standby, and the user is automatically connected. When connected, instead of showing a cryptic network
      name or SSID in the Choose wireless network dialog box (which opens from the View Available Wireless Networks
      notification window), a friendly name of the provider will be shown, along with a logo of the provider.
      From this dialog box, users can also search for available hotspot locations or view the help and support information provided
      by the WISP. Both the help and hotspot location information is downloaded as part of the provisioning information. The
      location information can be searched and viewed online or offline.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      The wireless user interface has changed – a new View Available Wireless Networks dialog box will replace the existing
      dialog box.
      Do I need to change my code to work with Windows Server 2003 Service Pack 1?
      Wireless Provisioning Service does not require any changes to existing applications. There are two new APIs with WPS. One of
      the new APIs provides for adding to and queries through the XML data on the computer. This API can be used to preprovision
      the client from the WISP Web site by the user (using a standalone application), by OEMs, or IT departments.
      Additional Resources
      For more information about WPS, see
      1. Deploying Wireless Provisioning Services (WPS) Technology, available in Word format on the Microsoft Download
      Center, at http://go.microsoft.com/fwlink/?LinkId=203315.
      2. Using the Wireless Provisioning Services (WPS) Technology Authoring Tool, available in Word format on the Microsoft
      Download Center, at http://go.microsoft.com/fwlink/?LinkId=203316.
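
The two-phase access control in the sign-up scenario above (guest logon confined to the provisioning server, then re-authentication that opens Internet access) can be modelled as follows. This is an added example, not code from the original post or from Microsoft. The host names, account, client identifier and segment labels are constructed, a plain password comparison stands in for the PEAP-MSCHAPv2 exchange, and dropping a client on Access-Reject is an assumption.

```python
# Added illustration: models the access decisions described in the post.
from dataclasses import dataclass, field
import hmac

PROVISIONING_HOST = "provisioning.wisp.example"              # hypothetical
MASTER_FILE_URL = f"https://{PROVISIONING_HOST}/master.xml"  # hypothetical
GUEST, INTERNET = "guest-segment", "internet-segment"        # hypothetical labels


@dataclass
class IasServer:
    accounts: dict = field(default_factory=dict)  # user name -> password

    def authenticate(self, user, password):
        """Return Access-Accept attributes, or None for Access-Reject."""
        if user == "" and password == "":
            # Guest logon: accepted, but only told where the master file is.
            return {"segment": GUEST, "provisioning_url": MASTER_FILE_URL}
        stored = self.accounts.get(user)
        # Plain comparison stands in for the PEAP-MSCHAPv2 exchange.
        if user and stored is not None and hmac.compare_digest(stored, password):
            return {"segment": INTERNET}
        return None


@dataclass
class Gateway:
    segments: dict = field(default_factory=dict)  # client id -> segment

    def assign(self, client, accept):
        if accept is None:
            self.segments.pop(client, None)  # assumption: reject removes access
        else:
            self.segments[client] = accept["segment"]

    def allows(self, client, dest_host):
        segment = self.segments.get(client)
        if segment == INTERNET:
            return True
        # Guests reach the provisioning server only; unknown clients nothing.
        return segment == GUEST and dest_host == PROVISIONING_HOST


def run_signup_flow():
    """Walk one client through the stages; rows are (stage, provisioning, internet)."""
    ias, gw, client = IasServer(), Gateway(), "00-11-22-33-44-55"  # constructed
    trace = []

    def record(stage):
        trace.append((stage, gw.allows(client, PROVISIONING_HOST),
                      gw.allows(client, "www.example.org")))

    record("unauthenticated")
    gw.assign(client, ias.authenticate("", ""))            # guest logon
    record("guest")
    ias.accounts["alice@wisp.example"] = "constructed-pw"  # sign-up creates account
    gw.assign(client, ias.authenticate("alice@wisp.example", "wrong"))
    record("rejected")
    gw.assign(client, ias.authenticate("alice@wisp.example", "constructed-pw"))
    record("user")
    return trace
```

The property to check in a real deployment is the second row: a guest session must reach the provisioning server and nothing else.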
