How WPS technology works for the enterprise


The following example describes how the components of a WPS network for the enterprise interact during the connection and account creation process for a new user.



New user connection example

When a new user connects and establishes an account, the following four basic stages occur:

1.  The user discovers the network at a Wi-Fi hotspot

2.  The user authenticates as guest

3.  The client is provisioned and the user establishes an account

4.  The user is authenticated using the new account credentials

In the next section we will look at these stages in more detail.

1.  The user discovers the network at a Wi-Fi hotspot

When a user arrives at the Wi-Fi hotspot with a portable computer running Windows XP Home Edition with SP2, Windows XP Tablet PC Edition with SP2, or Windows XP Professional with SP2, the computer comes within range of the access point beacon.

Wireless auto configuration on the client computer detects the beacon information from the access point, which is configured to broadcast its Service Set Identifier (SSID). The SSID is equivalent to the network name.

The user is informed by Windows XP that a wireless network is available. In this example, the user is employed by a business partner of the enterprise, and is provided by the enterprise with a promotion code to use for account establishment. The user proceeds by clicking Connect.

2.  The user authenticates as guest

Wireless auto configuration uses 802.1X and PEAP guest authentication to connect to the enterprise perimeter network through the access point, automatically passing a null user name and a blank password to the IAS proxy, which forwards the message to the IAS server. The access point is connected to a VLAN-aware gateway device that allows traffic from the client to pass through the Network Resource VLAN, but blocks the client from access to the Internet VLAN.

The IAS server is the PEAP authenticator and TLS endpoint for users who connect as guest. The TLS tunnel is created between the client and the IAS server. All subsequent messages between client and server pass through this tunnel, which traverses the access point, the gateway device, and the IAS proxy.

Server authentication is performed when the IAS server verifies its identity to the client computer using a certificate that contains the Server Authentication purpose in Enhanced Key Usage (EKU) extensions. This certificate is issued by a public trusted root CA that the client computer trusts.

The IAS server authenticates and authorizes the customer as guest. In the Access-Challenge message that the IAS server sends to the client is a URL PEAP-TLV message. The URL PEAP-TLV contains the URL of the provisioning server. This URL provides the client with the location of the XML master file.

The client computer receives an IP address lease from the DHCP server. The address is from a public IP address range configured in a scope on the DHCP server. In addition to the IP address, the client receives DHCP options, such as DNS server IP address.

3.  The client is provisioned and the user creates an account

The XML master file on the provisioning server contains pointers to the XML subfiles. The client downloads the XML master file and subfiles. When the XML sign-up schema is downloaded, the sign-up wizard is started on the client to allow the user to create an account.

Using the sign-up wizard on the client computer, the user steps through the process of signing up for an account. The customer enters the promotion code as well as personal data such as name, employer, and job title. The data entered by the user is converted into an XML document.

The XML document containing the user's sign-up data is sent to the XML-forwarder Web application on the provisioning server.

The XML-forwarder Web application on the provisioning server sends the XML document to the account processing application on the account processing server.

The account processing application checks the promotion code entered by the user against the promotion code database on the SQL server. If the promotion code is valid, the account processing Web application continues processing the user's data.

The account processing Web application reads the domain and security group information from the promotion code database on the SQL server. The account processing application creates a user account in Active Directory and adds the account to the security group. The application also enters the new user name in the promotion code database.

An XML document containing the new account credentials is sent from the account processing server to the XML-forwarder application on the provisioning server; the XML-forwarder application passes the XML document to the client computer. The client computer uses the credentials to configure wireless auto configuration and 802.1X under the name of the enterprise.
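The account processing step described above, modelled in Python as an added example (this is not code from the original article or from the product it describes). The XML element names, the in-memory stand-ins for the promotion code database and for Active Directory, and the function names are assumptions; the real service uses SQL Server and Active Directory.

```python
"""Added example: a minimal model of the account processing application.

Assumed for illustration: the sign-up XML schema (element names), an in-memory
promotion code table standing in for the SQL database, and an in-memory
dictionary standing in for Active Directory.
"""
import secrets
import string
import xml.etree.ElementTree as ET

# Constructed stand-in for the promotion code database on the SQL server.
# Each code maps to the domain and security group the new account joins, plus
# the user names created with it (the article says the application records the
# new user name in this database).
PROMO_DB = {
    "PARTNER-2024": {"domain": "corp.example", "group": "WPS-Partners", "users": []},
}

# Constructed stand-in for Active Directory: domain -> {user name: record}.
# Passwords are deliberately not kept here; a directory stores only a hash.
DIRECTORY = {"corp.example": {}}


class SignupError(ValueError):
    """Raised when the sign-up document cannot be accepted."""


def parse_signup(xml_doc: str) -> dict:
    """Extract the sign-up fields from the XML document built by the wizard.

    The document comes from the client and is untrusted: every field is
    required and whitespace-trimmed, and nothing else in the document is used.
    """
    root = ET.fromstring(xml_doc)
    fields = {}
    for name in ("promotionCode", "name", "employer", "jobTitle"):  # assumed schema
        element = root.find(name)
        if element is None or not (element.text or "").strip():
            raise SignupError(f"missing field: {name}")
        fields[name] = element.text.strip()
    return fields


def _new_username(display_name: str, domain: str) -> str:
    """Derive a unique account name from the display name (assumed policy)."""
    base = "".join(c for c in display_name.lower() if c.isalnum())[:16] or "user"
    candidate, n = base, 0
    while candidate in DIRECTORY[domain]:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def _new_password(length: int = 16) -> str:
    """Generate the initial password with a CSPRNG, never random.random."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def process_account(xml_doc: str) -> dict:
    """Validate the promotion code, create the account in the configured domain
    and security group, record the user name, and return the credentials that
    the XML-forwarder hands back to the client."""
    fields = parse_signup(xml_doc)
    promo = PROMO_DB.get(fields["promotionCode"])
    if promo is None:
        # Reject before touching the directory: an invalid code creates nothing.
        raise SignupError("invalid promotion code")
    domain, group = promo["domain"], promo["group"]
    username = _new_username(fields["name"], domain)
    password = _new_password()
    DIRECTORY[domain][username] = {
        "displayName": fields["name"],
        "employer": fields["employer"],
        "title": fields["jobTitle"],
        "groups": [group],
    }
    promo["users"].append(username)  # audit trail: which code created which account
    return {"domain": domain, "username": username, "password": password}


if __name__ == "__main__":
    # Constructed sample sign-up document.
    sample = ("<signup><promotionCode>PARTNER-2024</promotionCode>"
              "<name>Ana Pop</name><employer>Partner Ltd</employer>"
              "<jobTitle>Engineer</jobTitle></signup>")
    print(process_account(sample))
```

Because the promotion code is the only thing gating account creation, the check runs before any write, and the code-to-account mapping is recorded so that abuse of a leaked code can be traced to the accounts it produced.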

4.  The user is authenticated using the new account credentials

Wireless auto configuration restarts the association to the SSID for the enterprise WLAN.

Wireless auto configuration finds the correct 802.11 profile that was downloaded with the other network information, and re-associates with the access point using that profile.

802.1X restarts the authentication process using PEAP-MS-CHAP v2 and the new account credentials.

As the client starts the authentication process with PEAP-MS-CHAP v2 authentication, a TLS channel is created between the customer's client computer and the enterprise IAS server.

In the second stage of PEAP-MS-CHAP v2 authentication, the IAS server authenticates and authorizes the connection request against the new account in the Active Directory user accounts database. The IAS server sends an Access-Accept message to the access point. Included in the Access-Accept message are attributes that specify which VLAN the customer can access.

The access point instructs the gateway device to assign the client to the Internet VLAN rather than the Network Resource VLAN.

The gateway device switches the client to the Internet VLAN, and the customer is provided with access to the Internet.
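The two authorization outcomes in stages 2 and 4 (guest on the Network Resource VLAN with the provisioning URL, an authenticated account on the Internet VLAN), modelled in Python as an added example that is not part of the original article. The article only says that the Access-Accept carries attributes naming the VLAN; the use of the RFC 3580 Tunnel-* attributes for that purpose, the VLAN numbers, the host names, and the simple password comparison standing in for PEAP-MS-CHAP v2 are all assumptions.

```python
"""Added example: the IAS server's guest-vs-account authorization decision and
the VLAN-aware gateway policy that enforces it.

Assumed for illustration: VLAN ids, host names, the RFC 3580 Tunnel-* attributes
for dynamic VLAN assignment, and a plain password check in place of the
PEAP-MS-CHAP v2 exchange (only the outcome of that exchange matters here).
"""
import hmac
from dataclasses import dataclass, field
from typing import Optional

NETWORK_RESOURCE_VLAN = 10   # constructed id: reaches only provisioning hosts
INTERNET_VLAN = 20           # constructed id: full Internet access
PROVISIONING_URL = "https://provisioning.example/master.xml"   # constructed
NETWORK_RESOURCE_HOSTS = {"provisioning.example", "dhcp.example", "dns.example"}

# Constructed stand-in for the Active Directory accounts database.
ACCOUNTS = {
    "anapop": {"password": "correct horse battery", "groups": ["WPS-Partners"]},
}
# Only members of a provisioned security group are granted the Internet VLAN.
AUTHORIZED_GROUPS = {"WPS-Partners"}


@dataclass
class Decision:
    accepted: bool
    identity: str = ""
    vlan: Optional[int] = None
    peap_tlv_url: Optional[str] = None          # URL PEAP-TLV for guests
    radius_attributes: dict = field(default_factory=dict)


def vlan_attributes(vlan_id: int) -> dict:
    """RFC 3580 attributes an access point reads for dynamic VLAN assignment."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


def authorize(username: str, password: str) -> Decision:
    """Decide what the IAS server returns for a connection request.

    A null user name with a blank password is the guest case (stage 2): the
    client is told where the provisioning server is and is confined to the
    Network Resource VLAN. Anything else must match a real account in an
    authorized group (stage 4) to be moved to the Internet VLAN.
    """
    if username == "" and password == "":
        return Decision(True, "guest", NETWORK_RESOURCE_VLAN, PROVISIONING_URL,
                        vlan_attributes(NETWORK_RESOURCE_VLAN))
    account = ACCOUNTS.get(username)
    if account is None:
        return Decision(False)
    # Constant-time comparison stands in for the MS-CHAP v2 response check.
    if not hmac.compare_digest(account["password"].encode(), password.encode()):
        return Decision(False)
    if not AUTHORIZED_GROUPS.intersection(account["groups"]):
        return Decision(False)
    return Decision(True, username, INTERNET_VLAN, None,
                    vlan_attributes(INTERNET_VLAN))


def gateway_permits(vlan: Optional[int], destination: str) -> bool:
    """Model of the VLAN-aware gateway: the Network Resource VLAN reaches only
    the provisioning-related hosts; the Internet VLAN reaches everything; an
    unassigned client reaches nothing."""
    if vlan == INTERNET_VLAN:
        return True
    if vlan == NETWORK_RESOURCE_VLAN:
        return destination in NETWORK_RESOURCE_HOSTS
    return False


if __name__ == "__main__":
    for user, pw in (("", ""), ("anapop", "correct horse battery"), ("anapop", "x")):
        d = authorize(user, pw)
        print(user or "<guest>", d.accepted, d.vlan,
              gateway_permits(d.vlan, "www.example.net"))
```

The point worth keeping from the model is the default-deny shape: an unauthenticated guest is already on the network at stage 2, so the gateway policy for the Network Resource VLAN, not the 802.1X result, is what keeps that guest off the Internet until a real account has been created and verified.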
