Introduction (Deploying Wireless Provisioning Services (WPS) Technology)
Updated: March 31, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
By using Wireless Provisioning Services (WPS) technology, your organization can offer wireless access in any location where you provide connectivity with Wi-Fi hotspots to new and existing customers that have computers running Windows XP with Service Pack 2 (SP2).
Wi-Fi means “wireless fidelity” and is the IEEE 802.11 technical standard for short-range wireless data transmissions. Wi-Fi hotspots are areas where you deploy one or more wireless access points. WPS technology allows new customers without a previously established account to securely connect to your network at the Wi-Fi hotspot location, create and pay for an account, and access the Internet.
One of the key challenges of deploying wireless technologies in public places is providing customers with the correct network configuration for their computers. Many customers are unaccustomed to manually configuring network settings, and might forego use of public wireless networks due to the difficulty of these configurations. In addition, erroneous configurations can prevent customers from connecting successfully.
With WPS technology, your customers do not need any knowledge of network technology, and they do not need to manually configure their computers or join a domain to connect to your network. During the account-creation process, customers’ computers are automatically and transparently supplied — or provisioned — with all configuration necessary for them to successfully access your network and services.
WPS technology allows you to provide your customers with the following account-creation and computer configuration options:
Customers can create their account and automatically provision their computer over the Internet in advance of arrival at your Wi-Fi hotspot locations.
Customers who arrive at your Wi-Fi hotspots without previously creating an account and provisioning their computers can spontaneously connect, provision their computer, create an account, and access the Internet through your Wi-Fi hotspot.
WPS technology is deployed by using the following:
One or more computers running Windows Server 2003 with Service Pack 1 (SP1) or later, and Internet Authentication Service (IAS). If you use a RADIUS server other than IAS in Windows Server 2003 with SP1, you need to verify with your RADIUS server vendor whether their servers support WPS. A royalty-free license that covers WPS protocol implementation is available for RADIUS and other server vendors through the Published Protocols and Royalty-Free License site on MSDN at http://go.microsoft.com/fwlink/?LinkId=33674.
One or more computers running Windows XP Home Edition with SP2; Windows XP Professional with SP2; or Windows XP Tablet PC Edition with SP2.
Additional servers on your network. For example, these servers include a provisioning server, a DHCP server, and a domain controller with a user accounts database. Depending on the deployment method you choose, you might need additional servers as described in this paper.
Network access servers and other network hardware. This hardware includes wireless access points, routers, and other devices.
One or more custom applications or databases that you design. For example, a Web application running on an HTTPS-enabled Web server that passes customer data from the customer to the provisioning server.
Three types of organizations can deploy these hardware and software components of WPS technology, using either of two methods to let customers create and pay for an account before obtaining access to the Internet. The following introductory sections describe these organizations and methods, and further introduce the key components of WPS technology.
Who can use WPS technology
WPS technology is designed for use by three types of organizations:
Hotspot service providers (HSPs). HSPs deploy wireless access points in public places, such as shopping malls and airports, but HSPs are not Internet service providers (ISPs). Instead, the HSP contracts with one or more ISPs, and offers customers one or more service plans to choose from when they want to establish an account for Internet access.
Wireless Internet service providers (WISPs). WISPs are ISPs that either deploy Wi-Fi hotspots in public places or outsource Wi-Fi hotspot services to an HSP.
Enterprises. Enterprises can use WPS technology to provide managed guest access on their networks. The WISP scenarios in this paper apply to enterprises as well as WISPs.
Key WPS components
The following section introduces key WPS client and server components.
WPS technology in Windows XP with SP2
Wireless Provisioning Services technology is included in Service Pack 2 for Windows XP. WPS enables a wireless client computer running Windows XP Home Edition with SP2, Windows XP Tablet PC Edition with SP2, or Windows XP Professional with SP2 to connect to and download network configuration information from a provisioning server. After the Windows XP with SP2 client has obtained network configuration information, it automatically configures the connection to your network.
Windows XP with SP2 WPS technology consists of the following two components:
Network Provisioning Service. The Network Provisioning Service automatically downloads XML configuration files from provisioning servers. Users and administrators do not need to configure the Network Provisioning Service because the service automatically configures itself.
Wireless Zero Configuration service. The Wireless Zero Configuration service in Windows XP with SP2 has new WPS technology capabilities. Wireless Zero Configuration, also called Wireless Auto Configuration in this paper, interacts with the Network Provisioning Service and IEEE 802.1X authentication on the client computer to provide WPS functionality. Users and administrators do not need to configure the Wireless Auto Configuration service because the service automatically configures itself.
In all uses of WPS technology, computer configuration is performed in the background and is transparent to users, with no client computer configuration needed by administrators.
WPS technology on Windows XP with SP2 also supplies your customers with a sign-up wizard that allows them to create an Internet access account. The wizard passes the customer’s personal data, such as credit card information, over a secure connection to a custom application that processes the information and creates the user account on your network.
The provisioning server
A provisioning server is a computer running Internet Information Services (IIS) or a third-party Web server that maintains a collection of information files that are used to configure client computers during the connection and account sign-up process. These information files are created using Extensible Markup Language (XML) and WPS XML schemas, and are stored on the provisioning server. The provisioning server supplies the XML files to clients when client computers request provisioning information from the provisioning server.
There are multiple XML schemas for WPS that allow you to create XML data files to define network configuration and other parameters for client computers connecting to your network. Using WPS XML data files, you can customize and define the sign-up experience users will have when connecting to your network by using the sign-up wizard included in Windows XP with SP2. In addition to the network and security settings, this includes branding information (such as your company logo), location information (where your Wi-Fi hotspots are located), plan offering (types of accounts your customers can purchase), and Help content to assist your customers when they need additional information.
There are two methods you can use to create and configure your XML master file and subfiles:
Use the WPS Authoring Tool to create a WPS project and publish your XML master file and subfiles to the provisioning server. The WPS Authoring Tool has a graphical user interface and is designed to assist you in accurately producing and managing a collection of XML files for your WPS solution. Using the WPS Authoring Tool to create your XML data files is recommended, as it is based on the XML schema and allows you to validate your XML files against the XML schema before using the XML files in a production environment. Download the WPS Authoring Tool at http://go.microsoft.com/fwlink/?LinkId=40535.
Use the XML schema to manually create your XML master file and subfiles. After you have created these files, you can enter information specific to your network and deployment parameters. For example, where the location of the provisioning server is required, you can provide an HTTPS URL. In another example, you might need to enter your domain name in several places; you can examine the schemas and example files and determine where to insert your domain name.
For more information, see “XML Schemas” later in this document.
In some scenarios depicted in this paper, the provisioning server maintains an account processing application in addition to storing and providing clients with XML configuration files. Other scenarios place the account processing application on a dedicated server. The account processing application is a Web application that you create based on your business model and the requirements of WPS technology.
The account processing application, whether installed on the provisioning server or a dedicated server, processes XML documents sent from client computers when customers create an Internet access account. The XML documents passed from client to server contain data provided by the customer, such as the customer name, address, and credit card information. When promotion codes are used, these codes are also passed to the account processing application from the client in an XML document. The account processing application processes all of the data provided by the client, and performs the appropriate action. For example, the account processing application can verify promotion codes against a Microsoft® SQL Server™ 2000 database, create a user account in an Active Directory® directory service user accounts database, and perform financial functions such as verifying credit card information and charging the customer’s credit card.
The IAS server
Internet Authentication Service (IAS) is the Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS) server and proxy. IAS in Windows Server 2003 with SP1 is a component of all WPS scenarios depicted in this paper. In some scenarios, an IAS proxy is also required.
Key WPS processes
The following section introduces key processes that occur during the provisioning of clients and the network connection process that allows your customers to create an account.
Pre-provisioning the client computer
Pre-provisioning occurs when client computers are provisioned before arriving at a Wi-Fi hotspot. There are three possible methods for pre-provisioning a client computer:
Computer original equipment manufacturers (OEMs) pre-provision clients. OEMs can include promotional offers for WISP connectivity with the sale of their computers. This allows purchasers of the OEM’s products to arrive at the Wi-Fi hotspot for the advertised WISP with their computer already configured.
The Information Technology (IT) department at an organization pre-provisions clients. Before supplying employees with new computers, the IT department can pre-provision the client for employees.
Customers connect to the WISP and pre-provision their computer. WISP customers have the option of creating their account and downloading network configuration information before arriving at the location where they will wirelessly access the Internet through your network. For example, a customer preparing for a business trip might establish an account online and download network configuration files before leaving their office or home.
Provisioning the client computer
Client computers are provisioned with your network configuration at a Wi-Fi hotspot.
When new customers connect at a Wi-Fi hotspot, IAS sends a packet containing the location of the provisioning server to Windows XP on the client computer. Windows XP then downloads network configuration information from your provisioning server, and the client computer is automatically configured to access your network.
Phased network access
Phased network access occurs when a new customer arrives at your Wi-Fi hotspot with a computer running Windows XP with SP2. Phased network access consists of the following two stages:
Customers are allowed to connect to your network and authenticate as guest to establish an account. While the customer is connected as guest, they do not have access to the Internet. During this first connection phase, customers can create and pay for a new account. When the account is established, guest access is terminated by WPS.
Customers are automatically reauthenticated with the newly established account credentials. When the customer is authenticated and authorized with new account credentials, they are provided with access to both your network and to the Internet.
Phased network access is accomplished by temporarily isolating the client computer from the rest of your network using either a virtual local area network (VLAN)-aware gateway device (for example, an access controller or a VLAN-aware router or switch) or IP filters applied to the connection by IAS and wireless access points that provide this capability.
Client isolation is necessary to provide security and to prevent users from accessing the Internet through your network without first establishing a paid account.
When new customers first connect to your network, they are allowed access to your provisioning server and any other necessary network resources (such as your DHCP server), but their access to the Internet is blocked. After they create and pay for an account and reauthenticate with the new account credentials, they are allowed access to the Internet.
If you have deployed IP filters to isolate client computers from the Internet during the first connection phase, customers are granted Internet access upon reauthentication because the IP filters are not applied to the connection. If you have deployed VLANs to isolate client computers from the Internet during the first connection phase, customers are granted Internet access upon reauthentication because they are placed on a VLAN that provides access to the Internet.
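The following model of the two-phase authorization described above is an added illustration, not code from this paper or from Windows or IAS. It assumes constructed addresses for the provisioning and DHCP servers, constructed VLAN IDs, and a simple in-memory account store standing in for the account processing application; it shows that a client that has just created an account is still isolated until it reauthenticates with the new credentials.

```python
"""Model of WPS phased network access (added example; addresses, VLAN IDs and accounts are constructed)."""
import ipaddress

PROVISIONING_SERVER = ipaddress.ip_address("10.0.1.10")   # constructed
DHCP_SERVER = ipaddress.ip_address("10.0.1.2")            # constructed
GUEST_VLAN, INTERNET_VLAN = 100, 200                      # constructed VLAN IDs


class HotspotSession:
    """One client's connection as seen by the RADIUS server (IAS) and the enforcement point."""

    def __init__(self, isolation, accounts):
        if isolation not in ("vlan", "filter"):
            raise ValueError("isolation must be 'vlan' or 'filter'")
        self.isolation = isolation
        self.accounts = accounts      # username -> password, owned by the account application
        self.identity = None          # "guest" or an account name once authenticated

    def authenticate(self, username, password=None):
        """Phase 1 authenticates as guest; phase 2 reauthenticates with the new account."""
        if username == "guest":
            self.identity = "guest"
            return True
        self.identity = username if self.accounts.get(username) == password else None
        return self.identity is not None

    def isolated(self):
        return self.identity == "guest"

    def radius_attributes(self):
        """What IAS hands to the access point or gateway for this session."""
        if self.identity is None:
            return {"Access": "Reject"}
        if self.isolation == "vlan":
            return {"Access": "Accept", "VLAN": GUEST_VLAN if self.isolated() else INTERNET_VLAN}
        allowed = {str(PROVISIONING_SERVER), str(DHCP_SERVER)} if self.isolated() else set()
        return {"Access": "Accept", "AllowedDestinations": allowed}   # empty set: no filter applied

    def packet_allowed(self, dst):
        """Enforcement of the attributes for one client packet towards dst."""
        if self.identity is None:
            return False
        if not self.isolated():
            return True                # filters removed or Internet VLAN: unrestricted
        return ipaddress.ip_address(dst) in (PROVISIONING_SERVER, DHCP_SERVER)


def walkthrough():
    """Guest can reach the provisioning server but not the Internet; Internet opens only after reauthentication."""
    accounts, s = {}, None
    s = HotspotSession("filter", accounts)
    s.authenticate("guest")
    guest_prov, guest_inet = s.packet_allowed("10.0.1.10"), s.packet_allowed("198.51.100.7")
    accounts["alice"] = "pw"                       # account processing application creates the account
    created_inet = s.packet_allowed("198.51.100.7")  # still guest: blocked until reauthentication
    s.authenticate("alice", "pw")
    return guest_prov, guest_inet, created_inet, s.packet_allowed("198.51.100.7")
```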
The method that you use to isolate client computers affects the hardware and software configuration of your network. In the first section of this paper, the following scenarios are depicted:
WPS technology for a WISP with VLANs. This scenario depicts a WISP network using VLANs for client isolation, and is recommended for WISPs and HSPs deploying WPS technology.
WPS technology for the Enterprise. This scenario depicts a secure WISP network using VLANs for client isolation, and is recommended for enterprises deploying WPS technology. This scenario is similar to the first scenario; however, it includes a perimeter network between the Wi-Fi hotspots and the enterprise local area network (LAN).
In the last two sections of this paper, two untested beta scenarios using IP filters for client computer isolation are presented in overview:
A WISP using IP filters for client isolation
An HSP using IP filters for client isolation