Wireless Provisioning Services (WPS)

Applies To:Windows Server 2003 with SP1
What does Wireless Provisioning Services do?
An increasing number of users areaccessing theInternet through a growing number of public wireless networks, or wireless
fidelity (Wi-Fi) hotspots. Using Wireless Provisioning Services (WPS) provides wireless users with a consistentexperienceand
seamless connectivity to public Wi-Fi hotspots through automatic provisioning of theclientand seamless roaming.WPS
enables Wireless InternetService Providers (WISPs) to usea standards-based and integrated platform to provide Wi-Fi
hotspots with enhanced security thatareeasy to useand manage. In addition,WPS enables enterprises to easily provide guest
access with enhanced security to private wireless networks.
With WPS,WISPs and enterprises can send provisioning and configuration information to mobileclients as they connect to the
Internet or thecorporate network.This in turn allows seamless,automaticand secureconfiguration of mobileclients,enabling
a uniform sign-up experiencein theenterpriseand across different public network providers and hotspot locations.
Who does this feature apply to?
Wireless Provisioning Services is designed for threetypes of organizations:
HotspotService Provider (HSP)
HSPs deploy wireless access points in public places, such as shopping malls and airports, but HSPs are not Internet
Service Providers (ISPs). Instead, the HSP contracts with one or moreISPs,and offers users one or moreservice plans to
choosefrom when they want to establish an account for Internetaccess.
Wireless InternetService Provider (WISP)
WISPS areISPs thateither deploy Wi-Fi hotspots in public places or outsource Wi-Fi hotspot services to an HSP.
Enterprise
Enterprises can use WPS technology to provide managed guestaccess on their networks.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Wireless Provisioning Services
Detailed description
Wireless Provisioning Services is an extension to theexisting wireless services and user interfaces within Windows XP and
Windows Server 2003. It builds on the wireless features already in Windows, such as Wireless Zero Configuration,and the
wireless security features, such as Protected Extensible Authentication Protocol (PEAP) and Wi-Fi Protected Access (WPA).WPS
also includes modifications to Windows Server 2003.The Windows Server 2003 Internet Authentication Service(IAS)
component was modified to include guestauthentication of theclients in the provisioning process.
WPS includes a provisioning servicecomponent thatallows for Wireless InternetService Providers (WISPs) and enterprises to
send provisioning and configuration information to a mobileclient that is trying to connect to theInternet or thecorporate
network. By using Wireless Provisioning Services,WISPs can offer services at multiple network locations and use multiple
network names (serviceset identifiers, or SSIDs). After users havesigned up to a WISP in onelocation or are preprovisioned
and have downloaded the provisioning information, they can automatically connect to theInternet on subsequent occasions
using the network provided by the WISP in their different hotspot locations.The Wireless Zero Configuration (WZC) service
will automatically choosethecorrect network belonging to the WISP based on the provisioning files supplied.WSP also
enables automaticand seamless roaming between different providers.
Further, when WPS is used theclient computer automatically keeps the provisioning information stored on theclient computer
up to date.This allows the provider to changethe network settings,add new locations,and so on, without disrupting the
service or having users reconfiguretheir systems.
When a user connects his computer to a WISP and establishes an account for thefirst time, thefollowing four stages occur:
Thecomputer discovers the WISP network ata Wi-Fi hotspot.
The user is authenticated using a guestaccountand thecomputer is connected to the Wi-Fi network.
The mobileclient is provisioned and the user establishes an account with the WISP.
The user is authenticated on the Wi-Fi network using the new user account credentials.
Each of thesestages is discussed in detail in thefollowing scenario.
A user arrives ata Wi-Fi hotspot with a portablecomputer running Windows XP with Service Pack 2 or Windows Server 2003
with Service Pack 1 and Wireless Provisioning Services.When thecomputer comes within range of the WISP access point
beacon thefollowing occurs:
1. The Wireless Zero Configuration (WZC) service on theclient computer detects the beacon information from theaccess
point, which is enabled with a broadcast serviceset identifier (SSID).TheSSID is equivalent to the network name.
2. The user is informed by Windows thata wireless network is available.The user views information in Windows, including
the network’s friendly name. In this example, the user possesses a promotion codeto usefor accountestablishment,and
proceeds by clicking Connect.This causes the WPS client to connect the user’s computer to the wireless network using a
guestaccount with limited privileges.
When the guestaccount is authenticated by the Wi-Fi network, thefollowing occurs:
1. WZC uses 802.1xand Protected Extensible Authentication Protocol (PEAP) to connectand authenticateas guest to the
WISP network through theaccess point,automatically passing a blank user nameand password to the WISP Internet
Authentication Service(IAS) server (IAS is also known as the Microsoft RADIUS server).Theaccess point is connected to a
gateway devicethatallows traffic from theclient to pass to the provisioning services in the network to completethesignup
process, but blocks theclient from accessing theInternet.
2. TheIAS server (or RADIUS server) is the PEAP authenticator and Transport Layer Security (TLS) endpoint for users who
connectas guest.TheTLS tunnel is created between theclientand theIAS server. All subsequent messages between
clientand server pass through this tunnel, which traverses theaccess pointand the gateway device.
3. Server authentication is performed when theIAS server verifies its identity to theclient computer using a certificatethat
contains theServer Authentication purposein Enhanced Key Usage(EKU) extensions.This certificateis issued by a public
trusted root certification authority (CA) that theclient computer trusts.
4. TheIAS server authenticates and authorizes the user as Guest. In the Access-Accept messagethat theIAS server sends to
theclient is a container with a URL to the provisioning information.This URL provides the Wireless Provisioning Services
enginerunning on theclient, with thelocation of the XML master file.
When theclient is provisioned and the user creates an account, thefollowing occurs:
1. On theclient computer, the Wireless Provisioning Services downloads the XML master fileand sub-files from the
provisioning server.The master filecontains pointers to XML subfiles that control theclient’s progress through the
process.When the XML sign-up schema is downloaded, thesign-up wizard is launched on theclient to allow the user to
createand pay for an account with the WISP.
2. Using thesign-up wizard on theclient computer, the user steps through the process of signing up for an account.The
user enters the promotion codeas well as personal data such as name,address,and credit card number.The data
entered by the user is converted by the Wireless Provisioning Services client into an XML document.
3. The XML document containing the user’s sign-up data is sent to the Web application on the WISP provisioning server.
4. The Web application checks the promotion codeentered by the user against the promotion code database(for example,
aSQL Server database). If the promotion codeis valid, the Web application continues processing the user’s data.
5. The Web application processes the user’s payment information. Once payment is verified and sign-up information is
completed successfully, the Web application reads the domain and security group information from the promotion code
databaseand creates a user account in identity services (such as Active Directory) and adds theaccount to thesecurity
group.The Web application also enters the new user namein the promotion code database.
6. An XML document containing the new account credentials is sent from the WISP provisioning server to the Wireless
Provisioning Services client on theclient computer.Theclient computer uses thecredentials to configure WZC and
802.1x under the name of the WISP.Theconnection is re-initiated with the new user account password-based credentials
(user nameand password).
There-initiated connection process is as follows:
1. The Wireless Zero Configuration (WZC) service on theclient computer restarts theassociation to theSSID for the WISP.
2. WZC finds thecorrect 802.11 profile which was downloaded with the other WISP information in the XML master file.
WZC reassociates with theaccess point using thecorrect profile.
3. WZC uses 802.1x to start theauthentication process using a combination of the Protected Extensible Authentication
Protocol and the Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2) using the new
account credentials passed to 802.1x by the Wireless Provisioning Services client.
4. As theclient starts theauthentication process with PEAP-MSCHAPv2 authentication,aTLS channel is created between the
user’s client computer and the WISP IAS server.
5. In thesecond stage of PEAP-MSCHAPv2 authentication, the WISP IAS server authenticates and authorizes theconnection
requestagainst the new account in the user accounts database(for example, Active Directory).TheIAS server sends an
Access-Accept messageto theaccess point. Included in the Access-Accept messageareattributes that specify the user
can now getaccess to theInternet.
6. Theaccess point instructs the gateway deviceto assign theclient to thelogical segment network with access to the
Internet.
Why is this change important?
Wireless Provisioning Services makes iteasier to use wireless hotspots without compromising security.WPS, with Windows
Server 2003 Service Pack 1,and Microsoft IAS (also known as a RADIUS server),allows users’ computers to moreeasily
discover,connectand roam between wireless hotspots with enhanced security.
Thecurrent connection model for WISP signup and useis not secured. Most Wi-Fi hotspots areconfigured for open
authentication and without dataencryption. Users are generally required to launch a Web browser to initially sign-up to
the WISP serviceand for subsequent logins.WSP mitigates this threat by adding encryption and authentication to the
communications between theclientand the wireless network.
Browser redirection-based deployment has many usability issues. Users may noteven know they haveto launch their
browser to get connected. Another example of what can happen is when the browser is set to use proxy settings to
access theInternetand the user is connected directly to thecorporate network. In this case, browser redirection does not
work and the user would haveto know to disablethe proxy settings to connect to the hotspot.This can causecostly
support calls to the WISP or theenterprise helpdesk.
Browser based deployment is vulnerableto man-in-the-middleattacks, for example, by a malicious front-end server
using a rogueaccess point. Users queried by this access point might unknowingly be giving away personal identification
and credit card information. By eliminating the need for a Web login WSP reduces thevulnerability of WISP users to this
type of attack.
Withoutadditional hotspot client software users cannoteasily detect hotspots and do not havea unified mechanism to
sign-up to them. It is noteasy for users to find out information about the WISP or search for the hotspot locations for
that WISP. If users sign-up at one hotspot, they are not necessarily configured to automatically usethe other hotspots. In
addition, thereis no standard mechanism to keep their provisioning and configuration information up-to-date.
Add-on hotspot client softwarecan help the user access that specific WISP’s network. However,add-on softwarecan also
conflict with the wireless services nativeto the operating system or client softwarefrom other providers, potentially
causing interoperability problems,even instability of thesystem as they all attempt to control the wireless settings of the
entiresystem. Updates to the WISP configuration usually require updates to theclient software.For thesereasons, many
corporateIT departments arereluctant to deploy third party hotspot client softwareto their users.
Thereis no standardized mechanism across WISPs to process user sign-ups and updatetheir configurations. As a result,
the user experienceis fragmented and automaticand seamless roaming across providers can be difficult.
Wireless Network Registration Wizard
Detailed description
The Wireless Network Registration Wizard provides the user interfaceto sign-up for a wireless hotspotand guides the user
through the provisioning process.The wizard builds content from provisioning information (XML files) provided by the WISP.
The provisioning information can be dynamically downloaded or preinstalled on theclient system. Preinstallation can be
provided by an OEM for new systems, by theIT department within an organization, or from a WISP Web site.The WISP owns
and creates the provisioning information and drives the users’ sign-up and provisioning experience.Thefollowing example
presents a simple Wireless Network Registration Wizard experience wherethe user has prepaid for an access code.The XML
schema and wizard areflexibleand can enable morecomplex sign-up experiences.
First, the user can either right-click the wireless network icon in the notification area and then click View Available Wireless
Networks, or the user can respond to the notification messagein the notification area that indicates availability of a new
wireless network in range.When Choose a wireless network appears, the user selects a new wireless network and places
that network on the preferred networks list.
The user then selects a network name(an SSID) and clicks Connect to connect to the wireless network.With a WPS-based WiFi
hotspot, theclient detects that thereis more provisioning information in form of XML files that is availableabout the
network and the provider. It then confirms with the user whether the provisioning information should be downloaded.With a
non-WPS network, theexperience would bethesameas with Windows XP today:either the users are prompted for a security
key when connecting to a secure network or the users are warned that the network they aretrying to connect to is unsecured,
and they areasked if they still want to connect to it.
After the download is complete, the Wireless Network Registration Wizard automatically launches and guides the user through
thesign-in process.Thefirst screen displays a customized logo (or banner) and content from the provider.
Thesubsequent screens may includeselecting a subscription plan,entering credit card information, personal information and
so on. In this examplethereis just one plan and the user is asked to enter a prepaid or promotional codeto getaccess to the
network. Next,Wi-Fi Hotspot Deployment displays information about theselected plan, such as theterms of theservice
agreementand privacy statement.
On thelast screen, the wizard asks the users for their connectivity preferences for this connection.These default preferences
can beset by the provider but can be overridden by the user.For example, if the users selecta monthly subscription with
unlimited data, they probably want to always connect to the network automatically whenever in range. If the users choosea
“pay-as-you-go” plan, they probably want to control when to connectand choosea manual connection option as their
preference.
Thesecond option determines whether theclientkeeps the provisioning information automatically up to date.For example, if
the provider adds new network names,adds new locations, or changes the network or security settings, theclient can
automatically updatetheinformation withoutany user interaction required whileconnected to the network.
On subsequentvisits to hotspots madeavailable by the provider or by their roaming partners in thesame or different
locations, if automatic connection is selected,all the user has to do is to turn the mobilecomputer back on or resume
operations from standby,and the user is automatically connected.When connected, instead of showing a cryptic network
name or SSID in the Choose wireless network dialog box (which opens from the View Available Wireless Networks
notification window),a friendly name of the provider will beshown,along with a logo of the provider.
From this dialog box, users can also search for available hotspot locations or view the help and support information provided
by the WISP. Both the help and hotspot location information is downloaded as part of the provisioning information.The
location information can besearched and viewed online or offline.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
The wireless user interface has changed – a new View Available Wireless Networks dialog box will replacetheexisting
dialog box.
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
Wireless Provisioning Service does not requireany changes to existing applications.Therearetwo new APIs with WPS. One of
the new APIs provides for adding to and queries through the XML data on thecomputer.This API can be used to preprovision
theclient from the WISP Web site by the user (using a standaloneapplication), by OEMs, or IT departments.
Additional Resources
For moreinformation about WPS, see
1. Deploying Wireless Provisioning Services (WPS) Technology,availablein Word format on the Microsoft Download
Center,at http://go.microsoft.com/fwlink/?LinkId=203315.
2. Using the Wireless Provisioning Services (WPS) Technology Authoring Tool,availablein Word format on the Microsoft
Download Center,at http://go.microsoft.com/fwlink/?LinkId=203316.