Wireless Provisioning Services (WPS)

Applies To: Windows Server 2003 with SP1

What does Wireless Provisioning Services do?

An increasing number of users are accessing the Internet through a growing number of public wireless networks, or wireless fidelity (Wi-Fi) hotspots. Using Wireless Provisioning Services (WPS) provides wireless users with a consistent experience and seamless connectivity to public Wi-Fi hotspots through automatic provisioning of the client and seamless roaming. WPS enables Wireless Internet Service Providers (WISPs) to use a standards-based and integrated platform to provide Wi-Fi hotspots with enhanced security that are easy to use and manage. In addition, WPS enables enterprises to easily provide guest access with enhanced security to private wireless networks.

With WPS, WISPs and enterprises can send provisioning and configuration information to mobile clients as they connect to the Internet or the corporate network. This in turn allows seamless, automatic and secure configuration of mobile clients, enabling a uniform sign-up experience in the enterprise and across different public network providers and hotspot locations.

Who does this feature apply to?

Wireless Provisioning Services is designed for three types of organizations:

  • Hotspot Service Provider (HSP)

    HSPs deploy wireless access points in public places, such as shopping malls and airports, but HSPs are not Internet Service Providers (ISPs). Instead, the HSP contracts with one or more ISPs, and offers users one or more service plans to choose from when they want to establish an account for Internet access.

  • Wireless Internet Service Provider (WISP)

    WISPs are ISPs that either deploy Wi-Fi hotspots in public places or outsource Wi-Fi hotspot services to an HSP.

  • Enterprise

    Enterprises can use WPS technology to provide managed guest access on their networks.

What new functionality is added to this feature in Windows Server 2003 Service Pack 1?

Wireless Provisioning Services

Detailed description

Wireless Provisioning Services is an extension to the existing wireless services and user interfaces within Windows XP and Windows Server 2003. It builds on the wireless features already in Windows, such as Wireless Zero Configuration, and on the wireless security features, such as Protected Extensible Authentication Protocol (PEAP) and Wi-Fi Protected Access (WPA). WPS also includes modifications to Windows Server 2003: the Internet Authentication Service (IAS) component was modified to support guest authentication of clients during the provisioning process.

WPS includes a provisioning service component that allows Wireless Internet Service Providers (WISPs) and enterprises to send provisioning and configuration information to a mobile client that is trying to connect to the Internet or the corporate network. By using Wireless Provisioning Services, WISPs can offer services at multiple network locations and use multiple network names (service set identifiers, or SSIDs). After users have signed up with a WISP in one location, or have been preprovisioned and have downloaded the provisioning information, they can automatically connect to the Internet on subsequent occasions using the network provided by the WISP at its different hotspot locations. The Wireless Zero Configuration (WZC) service automatically chooses the correct network belonging to the WISP based on the provisioning files supplied. WPS also enables automatic and seamless roaming between different providers.

Further, when WPS is used the client computer automatically keeps the provisioning information stored on the client computer up to date. This allows the provider to change the network settings, add new locations, and so on, without disrupting the service or having users reconfigure their systems.

When a user connects a computer to a WISP and establishes an account for the first time, the following four stages occur:

  • The computer discovers the WISP network at a Wi-Fi hotspot.

  • The user is authenticated using a guest account and the computer is connected to the Wi-Fi network.

  • The mobile client is provisioned and the user establishes an account with the WISP.

  • The user is authenticated on the Wi-Fi network using the new user account credentials.

Each of these stages is discussed in detail in the following scenario.

A user arrives at a Wi-Fi hotspot with a portable computer running Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1 and Wireless Provisioning Services. When the computer comes within range of the WISP access point beacon the following occurs:

  1. The Wireless Zero Configuration (WZC) service on the client computer detects the beacon information from the access point, which is enabled with a broadcast service set identifier (SSID). The SSID is equivalent to the network name.

  2. The user is informed by Windows that a wireless network is available. The user views information in Windows, including the network’s friendly name. In this example, the user possesses a promotion code to use for account establishment, and proceeds by clicking Connect. This causes the WPS client to connect the user’s computer to the wireless network using a guest account with limited privileges.

When the guest account is authenticated by the Wi-Fi network, the following occurs:

  1. WZC uses 802.1X and Protected Extensible Authentication Protocol (PEAP) to connect and authenticate as guest to the WISP network through the access point, automatically passing a blank user name and password to the WISP Internet Authentication Service (IAS) server (IAS is Microsoft's RADIUS server). The access point is connected to a gateway device that allows traffic from the client to pass to the provisioning services in the network to complete the sign-up process, but blocks the client from accessing the Internet.

  2. The IAS server (or RADIUS server) is the PEAP authenticator and Transport Layer Security (TLS) endpoint for users who connect as guest. The TLS tunnel is created between the client and the IAS server. All subsequent messages between client and server pass through this tunnel, which traverses the access point and the gateway device.

  3. Server authentication is performed when the IAS server proves its identity to the client computer using a certificate that contains the Server Authentication purpose in its Enhanced Key Usage (EKU) extension. This certificate is issued by a public trusted root certification authority (CA) that the client computer trusts. This protection depends on the client actually validating that certificate (the chain to the trusted root and the server name); a PEAP profile that skips server certificate validation would let a rogue access point with its own RADIUS server terminate the tunnel instead.

  4. The IAS server authenticates and authorizes the user as Guest. The Access-Accept message that the IAS server sends contains a URL to the provisioning information. This URL gives the Wireless Provisioning Services engine running on the client the location of the XML master file.

When the client is provisioned and the user creates an account, the following occurs:

  1. On the client computer, the Wireless Provisioning Services client downloads the XML master file and its subfiles from the provisioning server. The master file contains pointers to XML subfiles that control the client’s progress through the process. When the XML sign-up schema is downloaded, the sign-up wizard is launched on the client to allow the user to create and pay for an account with the WISP.

  2. Using the sign-up wizard on the client computer, the user steps through the process of signing up for an account. The user enters the promotion code as well as personal data such as name, address, and credit card number. The data entered by the user is converted by the Wireless Provisioning Services client into an XML document.

  3. The XML document containing the user’s sign-up data is sent to the Web application on the WISP provisioning server.

  4. The Web application checks the promotion code entered by the user against the promotion code database (for example, a SQL Server database). If the promotion code is valid, the Web application continues processing the user’s data.

  5. The Web application processes the user’s payment information. Once payment is verified and sign-up information is completed successfully, the Web application reads the domain and security group information from the promotion code database and creates a user account in identity services (such as Active Directory) and adds the account to the security group. The Web application also enters the new user name in the promotion code database.

  6. An XML document containing the new account credentials is sent from the WISP provisioning server to the Wireless Provisioning Services client on the client computer. The client computer uses the credentials to configure WZC and 802.1X under the name of the WISP. The connection is re-initiated with the new account's password-based credentials (user name and password).
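Steps 4 and 5 above are where the provisioning Web application decides whether to create an account. The following is an added example, not code from the original page or from Microsoft, of how a practitioner would implement that decision on the server: a parameterized lookup against the promotion code database (so sign-up data is never interpreted as SQL), a single UPDATE that claims the code only while it is still unused (so two clients submitting the same code cannot both get an account), and a transaction that marks the code redeemed only after the account exists in the identity service. The in-memory SQLite database, its sample rows, the DirectoryStub class standing in for Active Directory, and the user-name scheme are all assumptions of the example.

```python
import secrets
import sqlite3
import string


class DirectoryStub:
    """Stand-in for the identity service (Active Directory in the text); assumed here."""

    def __init__(self):
        self.accounts = {}
        self.groups = {}

    def create_user(self, domain, username, password):
        key = (domain.lower(), username.lower())
        if key in self.accounts:
            raise RuntimeError("account already exists")
        self.accounts[key] = password

    def add_to_group(self, domain, group, username):
        self.groups.setdefault((domain.lower(), group), []).append(username)


def open_promo_db():
    """In-memory promotion code database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE promo_codes (
                      code TEXT PRIMARY KEY,
                      domain TEXT NOT NULL,
                      security_group TEXT NOT NULL,
                      redeemed_by TEXT)""")
    db.executemany("INSERT INTO promo_codes VALUES (?, ?, ?, NULL)", [
        ("PROMO-2005-ALPHA", "wisp.example", "HotspotUsers"),
        ("PROMO-2005-BETA", "wisp.example", "HotspotUsers"),
    ])
    db.commit()
    return db


def normalise_code(code):
    """Defence in depth: accept only a short, plain code before it reaches the database."""
    code = code.strip().upper()
    allowed = set(string.ascii_uppercase + string.digits + "-")
    if not code or len(code) > 32 or any(c not in allowed for c in code):
        return None
    return code


def generate_password(length=20):
    """Initial password for the new account, from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_account(db, directory, promo_code, display_name):
    """Redeem the code and create the account in one transaction.
    Returns the credentials to send back to the client, or None on failure."""
    code = normalise_code(promo_code)
    if code is None:
        return None
    username = "wps-" + secrets.token_hex(4)  # assumed naming scheme
    password = generate_password()
    try:
        # One UPDATE claims the code only if it is still unused, so two
        # concurrent sign-ups with the same code cannot both succeed.
        cur = db.execute(
            "UPDATE promo_codes SET redeemed_by = ? "
            "WHERE code = ? AND redeemed_by IS NULL",
            (username, code))
        if cur.rowcount != 1:
            db.rollback()
            return None  # unknown code or already redeemed
        domain, group = db.execute(
            "SELECT domain, security_group FROM promo_codes WHERE code = ?",
            (code,)).fetchone()
        directory.create_user(domain, username, password)
        directory.add_to_group(domain, group, username)
        db.commit()  # the code is marked used only once the account exists
    except Exception:
        db.rollback()  # directory failure: the code stays available for a retry
        return None
    return {"domain": domain, "username": username, "password": password,
            "group": group, "display_name": display_name}


if __name__ == "__main__":
    db, directory = open_promo_db(), DirectoryStub()
    print(create_account(db, directory, " promo-2005-alpha ", "Alice"))
    print(create_account(db, directory, "PROMO-2005-ALPHA", "Mallory"))  # None: already used
```

Payment data from step 5 is deliberately not part of what this function stores or returns; the sign-up document contains card numbers, and only the fields the account actually needs should reach the database or any log.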

The re-initiated connection process is as follows:

  1. The Wireless Zero Configuration (WZC) service on the client computer restarts the association to the SSID for the WISP.

  2. WZC finds the correct 802.11 profile which was downloaded with the other WISP information in the XML master file. WZC reassociates with the access point using the correct profile.

  3. WZC uses 802.1X to start the authentication process using a combination of the Protected Extensible Authentication Protocol and the Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2), with the new account credentials passed to 802.1X by the Wireless Provisioning Services client.

  4. As the client starts the authentication process with PEAP-MSCHAPv2 authentication, a TLS channel is created between the user’s client computer and the WISP IAS server.

  5. In the second stage of PEAP-MSCHAPv2 authentication, the WISP IAS server authenticates and authorizes the connection request against the new account in the user accounts database (for example, Active Directory). The IAS server sends an Access-Accept message to the access point. Included in the Access-Accept message are attributes that specify the user can now get access to the Internet.

  6. The access point instructs the gateway device to assign the client to the logical segment network with access to the Internet.

Why is this change important?

Wireless Provisioning Services makes it easier to use wireless hotspots without compromising security. WPS, with Windows Server 2003 Service Pack 1, and Microsoft IAS (also known as a RADIUS server), allows users’ computers to more easily discover, connect and roam between wireless hotspots with enhanced security.

  • The current connection model for WISP sign-up and use is not secure. Most Wi-Fi hotspots are configured for open authentication and without data encryption. Users are generally required to launch a Web browser to initially sign up for the WISP service and for subsequent logins. WPS mitigates this by adding encryption (WPA) and authentication (802.1X with PEAP, including server authentication by certificate) to the communications between the client and the wireless network.

  • Browser redirection-based deployment has many usability issues. Users may not even know they have to launch their browser to get connected. Another example of what can happen is when the browser is set to use proxy settings to access the Internet and the user is connected directly to the corporate network. In this case, browser redirection does not work and the user would have to know to disable the proxy settings to connect to the hotspot. This can cause costly support calls to the WISP or the enterprise helpdesk.

  • Browser-based deployment is vulnerable to man-in-the-middle attacks, for example, by a malicious front-end server behind a rogue access point. Users queried by this access point might unknowingly be giving away personal identification and credit card information. By eliminating the need for a Web login, WPS reduces the vulnerability of WISP users to this type of attack.

  • Without additional hotspot client software users cannot easily detect hotspots and do not have a unified mechanism to sign-up to them. It is not easy for users to find out information about the WISP or search for the hotspot locations for that WISP. If users sign-up at one hotspot, they are not necessarily configured to automatically use the other hotspots. In addition, there is no standard mechanism to keep their provisioning and configuration information up-to-date.

  • Add-on hotspot client software can help the user access that specific WISP’s network. However, add-on software can also conflict with the wireless services native to the operating system or with client software from other providers, potentially causing interoperability problems and even instability of the system, as they all attempt to control the wireless settings of the entire system. Updates to the WISP configuration usually require updates to the client software. For these reasons, many corporate IT departments are reluctant to deploy third-party hotspot client software to their users.

  • There is no standardized mechanism across WISPs to process user sign-ups and update their configurations. As a result, the user experience is fragmented and automatic and seamless roaming across providers can be difficult.

Wireless Network Registration Wizard

Detailed description

The Wireless Network Registration Wizard provides the user interface to sign up for a wireless hotspot and guides the user through the provisioning process. The wizard builds its content from provisioning information (XML files) provided by the WISP. The provisioning information can be dynamically downloaded or preinstalled on the client system. Preinstallation can be provided by an OEM for new systems, by the IT department within an organization, or from a WISP Web site. The WISP owns and creates the provisioning information and drives the user's sign-up and provisioning experience. The following example presents a simple Wireless Network Registration Wizard experience where the user has prepaid for an access code. The XML schema and wizard are flexible and can enable more complex sign-up experiences.

First, the user can either right-click the wireless network icon in the notification area and then click View Available Wireless Networks, or the user can respond to the notification message in the notification area that indicates availability of a new wireless network in range. When Choose a wireless network appears, the user selects a new wireless network and places that network on the preferred networks list.

The user then selects a network name (an SSID) and clicks Connect to connect to the wireless network. With a WPS-based Wi-Fi hotspot, the client detects that there is additional provisioning information, in the form of XML files, available about the network and the provider. It then confirms with the user whether the provisioning information should be downloaded. With a non-WPS network, the experience is the same as with Windows XP today: either the user is prompted for a security key when connecting to a secured network, or the user is warned that the network is unsecured and asked whether to connect to it anyway.

After the download is complete, the Wireless Network Registration Wizard automatically launches and guides the user through the sign-up process. The first screen displays a customized logo (or banner) and content from the provider.

The subsequent screens may include selecting a subscription plan, entering credit card information, personal information, and so on. In this example there is just one plan, and the user is asked to enter a prepaid or promotional code to get access to the network. Next, the wizard displays information about the selected plan, such as the terms of the service agreement and the privacy statement.

On the last screen, the wizard asks the user for their connectivity preferences for this connection. The default preferences can be set by the provider but can be overridden by the user. For example, a user who selects a monthly subscription with unlimited data probably wants to connect to the network automatically whenever in range. A user who chooses a "pay-as-you-go" plan probably wants to control when to connect and will choose manual connection as their preference.

The second option determines whether the client keeps the provisioning information automatically up to date. For example, if the provider adds new network names, adds new locations, or changes the network or security settings, the client can automatically update the information without any user interaction required while connected to the network.

On subsequent visits to hotspots made available by the provider or by their roaming partners in the same or different locations, if automatic connection is selected, all the user has to do is to turn the mobile computer back on or resume operations from standby, and the user is automatically connected. When connected, instead of showing a cryptic network name or SSID in the Choose wireless network dialog box (which opens from the View Available Wireless Networks notification window), a friendly name of the provider will be shown, along with a logo of the provider.

From this dialog box, users can also search for available hotspot locations or view the help and support information provided by the WISP. Both the help and the hotspot location information are downloaded as part of the provisioning information. The location information can be searched and viewed online or offline.

What existing functionality is changing in Windows Server 2003 Service Pack 1?

The wireless user interface has changed: a new View Available Wireless Networks dialog box replaces the existing dialog box.

Do I need to change my code to work with Windows Server 2003 Service Pack 1?

Wireless Provisioning Services does not require any changes to existing applications. WPS introduces two new APIs. One of them supports adding to and querying the XML provisioning data stored on the computer. This API can be used to preprovision the client from the WISP Web site by the user (through a standalone application), by OEMs, or by IT departments.

Additional Resources

For more information about WPS, see:

  1. Deploying Wireless Provisioning Services (WPS) Technology, available in Word format on the Microsoft Download Center, at https://go.microsoft.com/fwlink/?LinkId=203315.

  2. Using the Wireless Provisioning Services (WPS) Technology Authoring Tool, available in Word format on the Microsoft Download Center, at https://go.microsoft.com/fwlink/?LinkId=203316.