Wireless Propagator: When Wi-Fi Clients Meet Infrastructure

If you follow this column regularly you know that I don't cover the software aspect of wireless and mobility very often, but recently when user posted a question about managing client Wi-Fi profiles in a listserv I follow I thought that perhaps some enterprise wireless IT managers and admins might benefit from some of the responses that were posted in regards to that question and in previous threads. Operating a network with a large user base is no small feat, and adding in the wireless component has not made it any easier. This time around I'm not talking about the WLAN infrastructure from vendors such as Aruba, Cisco, and Trapeze, but about all the wireless laptops used by your executives, sales team, and support staff. For some organizations, such as Nokia deployments are even more pervasive: laptops for everyone. Hopefully these devices were properly procured and provisioned such that they're set up the way they need to be. But if a laptop is half way in its three-year lifecycle you may need to push out a configuration to that machine that wasn't part of the initial build. If you have a centralized networking group or can synchronize configuration policies with line-of-business or departmental computing groups there's the chance that you may be able to push out a setting out system wide. But if desktop support is de-centralized you might be out of luck. There's also that unique animal, the community college or state university, which needs to support the diverse computing hardware brought in by students each semester or quarter.

Some organizations have standardized on a wireless supplicant such as those by Juniper (which purchased Funk Software) and Cisco (which purchased Meetinghouse). These have an enterprise management component, but many times replicates what the wireless card's utility/driver already does or what Windows supports natively, making the extra cost hard to swallow.

Even though Microsoft's Wireless Zero Configuration has made it easier than ever for a user to sign on to a wireless network, your wireless network's unique security settings might require check marking a few extra boxes, something that might too easily stymie your users and throw your help desk into a tizzy. The obvious answer is configuration automation and fortunately there are a few tools to help.

If you're a Microsoft shop, which many are, group policies are the key. Microsoft provides excellent group policy support in Windows 2003, which is very well described in this document. Settings include network authentication type (Shared, WPA, or WPA-PSK), encryption (Disabled, WEP, TKIP, or AES), and details about 802.1X configuration. Not running any Windows 2003 Server? Sorry, can't use group policies to apply wireless settings.

So for those that don't have Windows 2003 Server, have a Linux or Novell shop, or perhaps no NOS at all, there are a few options. A Novell partner, Expert Networking Group Limited (ENGL), based in the UK, has a freeware utility called "Zwlancfg". Introduced back in August of 2005, this command-line based program can be run from the logon script or distributed in a batch file. It works on only Windows XP SP2 computers, and can set all the values that Microsoft's group policy does including WEP keys, although that 'security' standard can't be recommended to the enterprise. More information on the program can be found here.For those whose are Aruba shops, the vendor has an internal tool called ArubaWifiCFG that does much of the same thing as zwlancfg, excepts it adds an option to turn machine authentication on, use Windows logon information for credentials, and turn on "Enable Fast Reconnect." You'll need to speak to your Aruba systems engineer to obtain this tool.

Although large organizations aren't likely to deploy Windows Vista this quarter or even next, Microsoft has extended their 'netsh' support to include wireless. Positioned as a lightweight alternative to group policies, it exposes a supported way to access the wireless features of this newest operating system. Besides configuring wireless networks, it also allows administrators to block and hide access to certain networks by populating the 'denied networks' list. It's also possible, for example, to deny all access to adhoc networks. Finally, you can connect and disconnect from wireless networks at the command-line.You can read more here

What about those troublesome 802.1X computer versus user EAP login timing issues that can occur? There's another free tool called XTweak, this time from Enterasys. This program installs itself as a Control Panel object, but you don't necessarily need to install it for everyone. The tool accesses some relatively obscure registry entries, that once modified with this program, can be manually exported and imported into other computers. You can choose between different authentication modes (computer, user, mixed), supplicant modes (if and who initiates EAP messages), and event logs. The program can also clear out cached 802.1X credentials. You can download this program or read more here.

While these tools and tips won't eliminate support calls arriving at your organization's help desk, they are a first start at automating a basic wireless configuration, something we've long learned to take for granted every time we plug in a cable into an Ethernet jack.