Introduction
Implementing WPA2-Enterprise security with 802.1X authentication currently provides the best possible security for Wi-Fi connections. However, in addition to running an authentication server, you must be concerned about the relatively complex client configuration. Though, as we’ll discuss, there are solutions to help distribute and configure the wireless settings of clients.
Use Group Policy for Domain Users
If you’re working on a domain network with Windows Server and Active Directory, you can push network profiles to domain-joined computers using Group Policy. You can specify wireless settings for clients running Windows 7, Windows Vista, Windows XP, Windows Server 2008 R2, or Windows Server 2008.
If your domain controllers are running Windows Server 2003 or Windows Server 2003 R2, the Active Directory schema must be extended to add the wireless GPO support. Then to specify the wireless settings, bring up the Microsoft Management Console (MMC), open a Group Policy snap-in, and navigate to Computer Configuration>Windows Settings>Security Settings>Wireless Network (IEEE 802.11) Policies.
If your domain controllers are running Windows Server 2008 or 2008 R2, use the Group Policy Management Console (GPMC) and navigate to Computer Configuration>Policies>Windows Settings>Security Settings>Wireless Network (IEEE 802.11) Policies.
Once you’re at the Wireless Network (IEEE 802.11) Policies in either Windows Server editions, you can create a preferred network entry with the desired Wi-Fi and 802.1X settings.
Use Netsh for Domain or Non-Domain Users
If you’d like to configure the wireless settings of non-domain clients or if you don’t implement Active Directory and Group Policy, you can use the Netsh command line tool for clients running Windows Vista and later. You can run the commands locally on each machine or remotely via the same network by specifying their Windows credentials. You can manually type the commands; or to help automate the process, you can use them in batch files or login scripts.
The Netsh tool doesn’t let you directly configure wireless settings, but you can export an existing wireless profile and import it into other computers. Thus you first need to configure the network settings on at least one client by creating a profile for the Wi-Fi network. You can either manually create the profile via the Network and Sharing Center or just connect to the wireless network and save the connection.
You can get the wireless network profile details with the following command:
netshwlan show all
Now you can export the desired profile, using the profile name as listed by the previous command:
netshwlan export profile name=YOUR_PROFILE_NAME
Finally, you can import the profile locally, using the filename of the XML file it exported:
netshwlan add profile filename=”FILENAME.xml”
Also you can import to a remote computer on the same network:
netshwlan add profile filename=”FILENAME.xml” –r COMPUTER_NAME -u DOMAIN\USERNAME-p PASSWORD
Use Third-Party Commercial Solutions
You may want to look into a third-party solution to help distribute your network settings to clients. For example, if you aren’t running a Windows Server, you also have Mac OS X or Linux machines, or the majority of end-users bring their own clients (such as on a campus network). XpressConnect from Cloudpath Networks and Quick1X from Avenda Systems are two third-party options. They can help configure Windows, Mac, and Linux machines. They both also support iPhones, iPads, and iPod Touch, and XpressConnect supports Androids as well.
As an administrator you’d login to their web-based admin console, enter your network settings and preferences, and it’d create a customized and branded wizard for end-users. You could then download the wizard and distribute to users, such as via a captive portal, webpage, CD, or flash drive. Then end-users simply run the wizard on their computer or mobile device and it will automatically configure the network settings for them.
Use a Free and Open Third-Party Solution
Another third-party solution you may consider is the SU1X 802.1X Configuration Deployment Tool developed by Gareth Ayres at Swansea University, in association with Loughborough University. It can help configure clients running Windows XP (SP3), Vista, and Windows 7, and also supports iPhones. It’s similar to the XpressConnect and Quick1X solutions we discussed. Though you have to manually prepare the end-user wizard, it’s not too difficult.
To prepare the end-user wizard you start by editing the config.ini file to customize and brand the interface and define functionality settings. Next you run the getprofile.exe program to capture your network and authentication settings from a computer already setup with your Wi-Fi network. It exports them as XML files, just like you can do with the Netsh command-line tool. Then you can package the required files together and distribute to end users. Finally, the end-users simply run the su1x-setup.exe program and it auto configures their Windows computer with your settings.
Use iPhone Configuration Utility for Apple Devices
If you have iOS devices—iPhones, iPads, or iPod Touchs—or Mac OS Lion machines on the network, you may want to use the iPhone Configuration Utility (iPCU) to help distribute the wireless settings to them. Apple offers the utility for both Windows and Mac OS X.
You can use the iPCU to create, encrypt, maintain, and install XML-based configuration profiles. In addition to Wi-Fi settings, these profiles can contain device security policies, VPN configuration, MS Exchange and email settings, and digital certificates. You can create profiles for specific users, groups, or a profile for all. You can either install the profiles directly from the computer running the iPCU or distribute the .mobile config. file via other means.
Use BlackBerry Enterprise Server for BlackBerry Devices
If you have the BlackBerry Enterprise Server or the free BlackBerry Enterprise Server Express running on your network, you can use it to distribute Wi-Fi profiles, and VPN profiles, and IT policy rules to the BlackBerry devices it manages. Once you define the Wi-Fi settings on the BlackBerry server, you can push them to the BlackBerry devices by resending the IT policy.
If you currently don’t run a BlackBerry Server, consider installing it on a Windows Server, Windows Small Business Server, or an IBM Lotus Domino server. End-users can then also access your Exchange or Lotus Domino services via the cell and Wi-Fi networks. This enables them to wirelessly access and synchronize their email, calendar, and contacts. Additionally, they could remotely download, view and edit files stored on your network.
Summary
We discussed a couple different solutions to help distribute and configure the wireless network settings to clients on a WPA2-Enterprise network. The best option depends upon your particular environment.
If most of your clients are on a Windows domain, you’d probably want to stick with using Group Policy. Then consider a third-party solution for configuring mobile devices.
If you don’t run a domain network with Windows Server or end-users bring their own devices, consider using a third-party solution. The free SU1X 802.1X Configuration Deployment Tool supports Windows and iOS clients. XpressConnect and Quick1X support Windows, Mac, Linux, iOS, and (for XpressConnect only) Android.
