27 Mar 2011

New Wi-Fi Features in Windows 7

Among enhancements to the Network and Sharing Center, there have been a couple of new Wi-Fi features added in Windows 7 and Windows Server 2008 R2. Native support of Wi-Fi Protected Setup (WPS) lets admins and users more easily set up wireless routers or access points and wireless clients. Wireless Hosted Networks let you create virtual Wi-Fi networks. Advanced 802.1X settings give you more control over authentication settings when using the Enterprise mode of WPA or WPA2 security. In this article, we'll discuss each of these features.

Native Support for Wi-Fi Protected Setup (WPS) and Wireless Router Configuration

Wi-Fi Protected Setup (WPS), developed by the Wi-Fi Alliance, helps users quickly and easily configure WPA/WPA2-Personal (PSK) security on wireless routers and clients. Vendors use one or both of two different WPS configuration methods: Personal Information Number (PIN) and Push Button Configuration (PBC).

The PIN method usually consists of entering a wireless adapter's PIN into the web-based control panel of the router. This PIN can be preset and printed on the adapter or displayed and/or customized via the client software.

The Push Button Configuration (PBC) method consists of pressing a button on the wireless router and then pressing a button on the wireless adapter or computer (that supports WPS) within a minute or so. Most wireless adapters don't have physical buttons, but they may have a button on the client software if you've installed it. Similarly, wireless routers will have WPS settings available on the web-based control panel.

The exact workings of WPS can vary among hardware and software vendors. However, generally WPS works like this: It creates a WPA/WPA2 passphrase on the first WPS attempt when the wireless router is still set with the factory default settings. Any clients that participate in the first or future WPS attempts will automatically be configured with the same WPA/WPA2 passphrase. However, if some settings on the wireless router (such as the SSID) are changed from defaults before the first WPS attempt, security may not be enabled by WPS. If WPA/WPA2 security is already set via other methods, WPS will still help configure client devices with the existing WPA/WPA2 passphrase.

Microsoft started introducing its implementation of WPS in Windows Vista under the Windows Connect Now feature. The use of WPS PINs was supported but required you to initially connect via Ethernet. Windows Vista SP2 then added support for Push Button Configuration (PBC). Here we'll discuss the WPS functionality in Windows 7.

Windows 7 supports the PBC method. The first time you try to connect to a wireless router with WPS, Windows 7 prompts you to enter the security key or press the button, as Figure 1 shows.


Figure 1:
Prompt to enter the PSK key, with a reminder to push the WPS button on the router.

If you press the WPS button on the router, the security setting will automatically be transferred to Windows 7, it will connect, and a profile will be created and stored for future connections to the router.

Windows 7 also supports the PIN method, but not in the normal sense, only when setting up the router for the first time. If Windows 7 detects that the router is using factory default settings when you try to connect, it will prompt you to set up the router, as Figure 2 shows.


Figure 2:
Prompt to set up a new wireless router.

You can proceed with connecting to the unsecured signal, or you can set up the router right in Windows 7. If you choose to set up the router, you'll be prompted for the router's PIN (see Figure 3).


Figure 3:
Entering the WPS PIN to set up a new wireless router.

Then you'll be prompted to enter a Network Name (SSID) and optionally customize the security settings, as Figure 4 shows.


Figure 4:
Entering wireless settings.

Once configured, it will display the encryption key to use on older Wi-Fi devices that don't support WPS. If you have Windows XP machines, you can even insert a USB flash drive to copy the configuration onto it.

New Wireless Hosted Networks Feature

Part of an old Microsoft project called Virtual Wi-Fi, the Wireless Hosted Network feature lets you create a virtual wireless router with a supported wireless adapter in Windows 7 or Windows Server 2008 R2. You can even host the virtual wireless network while being connected to a regular wireless network using the same wireless adapter.

You can use a Wireless Hosted Network to set up a temporary Wi-Fi network to securely share files when away from your home or office network. You could also use it to extend or share a wireless or wired network connection. It's basically an enhanced version of ad-hoc networking.

If a supported wireless adapter is detected by Windows 7 or Windows Server 2008 R2, you'll see the Microsoft Virtual Wi-Fi Miniport Adapter in the Network Connections window, as Figure 5 shows.


Figure 5:
Virtual adapter for Wireless Hosted Networks.

To get started, you'll probably first want to enable Internet Connection Sharing (ICS) to provide an Internet connection on the hosted network. In the Network Connections window, right-click the network adapter that's connected to the Internet via a regular network and select Properties. Select the Sharing tab, check the "Allow other network users to connect through this computer's Internet connection" option, choose the Hosted Network Connection from the drop-down listbox, and click OK.

Next, configure the hosted network via the Command Prompt:

netsh wlan set hostednetwork mode=allow ssid=YourVirtualNetworkName key=YourNetworkPassword

Now start the hosted network:

netsh wlan start hostednetwork

To stop the hosted network:

netsh wlan stop hostednetwork

See Figure 6 for an example of these commands.


Figure 6:
Configuring, starting, and stopping a Wireless Hosted Network.

Wireless Hosted Networks can be useful and interesting for techies, but they also can serve as another security hole on corporate networks that admins should plug. Employees may knowingly or unknowingly create a Wireless Hosted Network, opening uncontrolled wireless access to the corporate network. Though it's secured with WPA2/AES encryption, it's not controlled by the admins. If you're using a Windows Server, you might be able to prevent users from creating Wireless Hosted Networks via the Wireless Network (IEEE 802.11) Policies.
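For admins who want to find machines where a hosted network is allowed or running, here is an added example (not part of the original article) that parses the text printed by netsh wlan show hostednetwork and rates each host. The two sample outputs are constructed and assume an English-language Windows install; the OK/WARN/ALERT ratings are this example's own convention.

```python
import re

# Constructed samples modelled on `netsh wlan show hostednetwork` output
# (English-language Windows assumed; netsh output is localized).
SAMPLE_STARTED = """\
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "YourVirtualNetworkName"
    Authentication         : WPA2-Personal

Hosted network status
---------------------
    Status                 : Started
    BSSID                  : 02:00:00:00:00:01
    Number of clients      : 2
"""
SAMPLE_DISALLOWED = """\
Hosted network settings
-----------------------
    Mode                   : Disallowed

Hosted network status
---------------------
    Status                 : Not available
"""

def parse_hostednetwork(text):
    """Collect every indented 'Key : Value' line into a lower-cased dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([^:]+?)\s+:\s+(.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip().strip('"')
    return fields

def assess(text):
    """Rate one host: ALERT if broadcasting, WARN if merely allowed, else OK."""
    f = parse_hostednetwork(text)
    clients = f.get("number of clients", "0")
    if f.get("status", "").lower() == "started":
        return "ALERT", f"hosted network '{f.get('ssid name', '?')}' is up, {clients} client(s)"
    if f.get("mode", "").lower() == "allowed":
        return "WARN", "hosted network is allowed but not running"
    return "OK", "hosted network is disallowed"

if __name__ == "__main__":
    for sample in (SAMPLE_STARTED, SAMPLE_DISALLOWED):
        print(*assess(sample))
```

On a host rated WARN or ALERT, netsh wlan stop hostednetwork followed by netsh wlan set hostednetwork mode=disallow turns the feature off locally.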

Addition of Advanced 802.1X Settings

Microsoft introduced advanced settings for 802.1X authentication in the Group Policy settings of Windows Vista. Now most of those settings are available in the GUI of Windows 7. They're accessible by clicking the Advanced Settings button on the Security tab of the Wireless Network Properties dialog (see Figure 7) and on the Authentication tab of the Local Area Connection Properties dialog (see Figure 8).


Figure 7:
Security tab on the Wireless Network Properties dialog.


Figure 8:
Authentication tab on the Local Area Connection Properties dialog.

Figure 9 shows the Advanced Settings dialog.


Figure 9:
Advanced 802.1X Settings dialog.

The first section is where you can specify the authentication mode: User, Computer, or Guest. If you aren't sure, there's also the User or Computer option. When using User authentication, you can click the Save Credentials button to input the username and password. Additionally, you can remove saved credentials by marking the checkbox below.

The second section of the dialog lets you enable and configure single sign-on functionality. If supported by the system and network, configuring these settings eliminates the need to provide separate login credentials. Windows would use the Windows account credentials during the 802.1X authentication.

For wireless connections, you'll also find an 802.11 Settings tab, as Figure 10 shows.


Figure 10:
Advanced Wireless 802.1X Settings dialog.

Here you can enable and configure Pairwise Master Key (PMK) caching. This facilitates fast roaming between multiple wireless access points (APs). When enabled and supported by the APs, the APs will share the PMKs among themselves so clients don't have to perform pre-authentication or full 802.1X authentication when roaming to another AP, speeding up the roaming process.

When PMK caching is enabled, you can also enable and configure pre-authentication, in case PMK caching isn't supported by an AP. Pre-authentication eliminates the need for clients to perform full 802.1X authentication when roaming to another AP, also speeding up the roaming process.

On this tab you can also enable the Federal Information Processing Standards (FIPS) mode, used by non-military US government agencies and contractors.
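The choices made on these dialogs are stored in the wireless profile, which netsh wlan export profile writes out as XML. The following added example (not part of the original article) reads such a profile and lists where it differs from a baseline. The sample profile and the BASELINE values are constructed and hypothetical; the element names are those of Microsoft's WLAN profile and OneX schemas.

```python
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the article). authMode values map to the
# dialog: user, machine, machineOrUser ("User or Computer"), guest.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <PMKCacheMode>enabled</PMKCacheMode>
    <preAuthMode>disabled</preAuthMode>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>"""

# Hypothetical organizational baseline, for illustration only.
BASELINE = {"useOneX": "true", "authMode": "machine", "FIPSMode": "true"}

WATCHED = ("authentication", "encryption", "useOneX", "authMode",
           "PMKCacheMode", "preAuthMode", "FIPSMode")

def read_settings(profile_xml):
    """Return the advanced 802.1X / 802.11 settings found in one profile."""
    settings = dict.fromkeys(WATCHED, "not set")
    settings["singleSignOn"] = "not set"
    for elem in ET.fromstring(profile_xml).iter():
        name = elem.tag.rsplit("}", 1)[-1]   # drop the XML namespace prefix
        if name in WATCHED:
            settings[name] = (elem.text or "").strip()
        elif name == "singleSignOn":          # container element: note presence
            settings[name] = "configured"
    return settings

def deviations(profile_xml, baseline):
    """List every baseline key whose value in the profile differs."""
    current = read_settings(profile_xml)
    return [f"{key}: expected {want}, found {current.get(key, 'not set')}"
            for key, want in baseline.items()
            if current.get(key, "not set") != want]

if __name__ == "__main__":
    print("\n".join(deviations(SAMPLE_PROFILE, BASELINE)))
```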
