
Abstract

Wired client computers running Microsoft Windows Vista can use a temporary wired profile to obtain connectivity to a secure wired network and join an Active Directory directory service domain. This temporary wired profile, known as a bootstrap wired profile, requires the connecting user to manually specify their domain user account credentials and does not validate the certificate of the Remote Authentication Dial-in User Service (RADIUS) server. After joining the domain, the wired client uses a new wired profile that automatically leverages the credentials of the computer and user account and validates the credentials of the RADIUS server. This article describes two methods of configuring a bootstrap wired network profile.

Introduction
Typical wired clients need either domain credentials (name/password) or a certificate to perform authentication for secure wired access. To join the domain and receive domain credentials or certificates, wired client computers need a successful connection to the wired network that contains the domain controllers of the domain. To access a secure wired network and join a computer to a domain, the wired client user must manually provide their domain user name and password. Once connected to the wired network, the wired client user can join the computer to the domain.

In 802.1X-authenticated wired networks, wired clients need to provide security credentials that are authenticated by a RADIUS server. These credentials could include a username and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2]) or certificates (for EAP-Transport Layer Security [TLS]). For either PEAP-MS-CHAP v2 or EAP-TLS, the wired client also validates a computer certificate sent by the RADIUS server during the authentication process. This is the default behavior of the Windows wired client. This behavior can be disabled, but disabling it is not recommended in production environments.

If the RADIUS server is using computer certificates from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and the root certification authority certificate for the RADIUS server's computer certificate is already installed, the wired client can validate the RADIUS server's computer certificate, regardless of whether the wired client has joined the Active Directory domain. If the RADIUS server is using computer certificates from a private PKI that is integrated with Active Directory (such as one that is based on Windows Server 2003 Certificate Services), a wired client that has not yet joined the domain does not have the root CA certificate of the RADIUS server's computer certificate and the authentication process by default will fail. After the wired client has joined the domain, the root CA certificate of the RADIUS server's computer certificate is automatically installed.

This article describes methods that configure Windows Vista-based wired clients with a wired profile to perform manual PEAP-MS-CHAP v2 authentication but not validate the RADIUS server's computer certificate. After connecting to the wired network, the wired client computer joins the domain and receives the appropriate root CA certificate. The computer user (manually) or the IT administrator (through Group Policy) can reconfigure or override the wired profile so that PEAP-MS-CHAP v2 authentication validates the RADIUS server's computer certificate and automatically uses domain credentials.

If the IT administrator overrides the manually configured wired profile with Group Policy, the Group Policy-based wired profile must be configured to perform computer authentication (the default behavior). If the computer cannot use its account and credentials to obtain a wired connection, the user will be unable to log on to the computer with their domain credentials because they cannot be validated by a domain controller.

Methods for Joining a Wired Client to a Domain


This section describes the following methods for joining a wired client to a domain:

- User configures their wired computer with a bootstrap wired profile using an Extensible Markup Language (XML) file and joins the domain
- User manually configures wired computer with bootstrap wired profile and joins the domain

User Configures Their Wired Computer with a Bootstrap Wired Profile Using an XML File and Joins the Domain
In this method, the user configures their wired computer with a bootstrap wired profile using an XML file and script that has been configured by an IT administrator. The bootstrap wired profile configured by the XML file allows the user to establish a wired connection and then join the domain. The following are the steps for this method:

1. An IT administrator configures another Windows Vista-based wired computer with a bootstrap wired profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.
2. The IT administrator exports the bootstrap wired profile to an XML file with the netsh lan export profile command and creates a script file to execute that will automatically add the profile on the user's computer. For the details of configuring the bootstrap wired profile and exporting it to an XML file, see "Appendix A: Configuring a Bootstrap Wired Profile" in this article.
3. The IT administrator distributes the new wired computer, the XML file containing the bootstrap wired profile, and the script file to the user using an appropriate method. The script file contains the netsh lan add profile XML_File_Name Connection_Name command. For example, the XML file can be stored on a USB flash drive with a script for the user to run to add the bootstrap wired profile.
4. The user starts the computer and performs a logon using a local computer account.
5. The user runs the script file to add the bootstrap wired profile.
6. After the script is run, Windows Vista attempts to connect to the wired network and prompts the user for an account name and password.
7. The user types their domain user account name and password and the Windows Vista client computer connects to the wired network.
8. The user joins the computer to the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.

User Manually Configures Wired Computer with Bootstrap Profile


In this method, the user manually configures their wired computer with a bootstrap wired profile based on instructions from an IT administrator. The bootstrap wired profile allows the user to establish a wired connection and then join the domain. The following are the steps for this method:

1. The IT administrator distributes to the user the instructions for configuring a bootstrap wired profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.
2. The user starts the computer and performs a logon using a local computer account.
3. The user executes the steps in the instructions to configure the bootstrap wired profile (see "Appendix A: Configuring a Bootstrap Wired Profile" in this article).
4. After the bootstrap wired profile is configured, Windows Vista attempts to connect to the wired network and prompts the user for an account name and password.
5. The user types their domain user account name and password and the Windows Vista client computer connects to the wired network.
6. The user joins the computer to the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.

Appendix A: Configuring a Bootstrap Wired Profile


To configure a bootstrap wired profile, do the following:

1. From the Windows Vista desktop, click Start, and then click Control Panel.
2. Click System and Maintenance, and then click Administrative Tools.
3. Double-click Services.
4. In the list of services in the contents pane, double-click Wired AutoConfig Service.
5. In Startup type, click Automatic.
6. In Service Status, click Start, and then click OK.
7. Close the Services window.
8. From the Windows Vista desktop, click Start, and then click Control Panel.
9. Click Network and Internet, and then click Network and Sharing Center. Click Manage network connections.
10. Right-click your LAN connection, click Properties, and then click the Authentication tab.
11. In Choose a network authentication method, click Protected EAP (PEAP), and then click Settings.
12. In the Protected EAP (PEAP) Properties dialog box, clear the Validate server certificate check box.
13. Click OK twice.
14. Close the Network Connections window.

To export the settings of this bootstrap wired profile to an XML file, type the following command:

netsh lan export profile Folder Connection_Name

Folder is the name of the folder that stores the XML file. You can specify an absolute or relative path, "." for the current folder, or ".." for the parent folder. Connection_Name is the name of the wired adapter for which the wired profile has been configured.

The netsh lan export profile command creates an XML file named after the specified connection. For example, to create an XML file containing the profile of the connection named Local Area Connection and store it in the current folder, you would use the following command:

netsh lan export profile . "Local Area Connection"

For this example, netsh creates a file in the current folder named "Local Area Connection.xml".

Appendix B: Joining a Windows Vista client to a Domain

After successfully connecting to the secure wired network, use Control Panel-System and Maintenance-System to do the following:

1. Under Computer name, domain, and workgroup settings, click Change settings.
2. From the System Properties dialog box, click Change.
3. In the Computer Name Changes dialog box, type the computer name in Computer name. Click Domain and type the Active Directory domain name.
4. Click OK.
5. When prompted, type your domain user name and password to join the computer to the domain.
6. Restart the computer when prompted.

When the computer is restarted, it automatically authenticates to the wired network using the computer's domain account credentials or certificate.

WIRELESS NETWORKING
Abstract
Wireless client computers running Microsoft Windows Vista can use a temporary wireless profile to obtain connectivity to a secure wireless network and join the Active Directory domain. This temporary wireless profile, known as a bootstrap wireless profile, requires the connecting user to manually specify their domain user account credentials and does not validate the certificate of the Remote Authentication Dial-in User Service (RADIUS) server. After joining the domain, the wireless client uses a new wireless profile that automatically leverages the credentials of the computer and user account and validates the credentials of the RADIUS server. This article describes three methods of configuring a bootstrap wireless network profile.

Introduction
Wireless clients need either domain credentials (name/password) or a certificate to perform authentication for secure wireless access. To join the domain and receive domain credentials or certificates, wireless client computers need a successful connection to the wireless network that contains the domain controllers of the domain. To access a secure wireless network and join a computer to a domain, the wireless client user must manually provide their domain user name and password. Once connected to the wireless network, the wireless client user can join the computer to the domain.

In 802.1X-authenticated wireless networks, wireless clients need to provide security credentials that are authenticated by a RADIUS server. These credentials could include a username and password (for Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2]) or certificates (for EAP-Transport Layer Security [TLS]). For either PEAP-MS-CHAP v2 or EAP-TLS, the wireless client also validates a computer certificate sent by the RADIUS server during the authentication process. This is the default behavior of the Windows wireless client. This behavior can be disabled, but disabling it is not recommended in production environments.

If the RADIUS server is using computer certificates from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and the root certification authority certificate for the RADIUS server's computer certificate is already installed on the wireless client, the wireless client can validate the RADIUS server's computer certificate, regardless of whether the wireless client has joined the Active Directory domain. If the RADIUS server is using computer certificates from a private PKI that is integrated with Active Directory (such as one that is based on Windows Server 2003 Certificate Services), a wireless client that has not yet joined the domain does not have the root CA certificate of the RADIUS server's computer certificate and the authentication process by default will fail. After the wireless client has joined the domain, the root CA certificate of the RADIUS server's computer certificate is automatically installed.

This article describes methods that configure Windows Vista-based wireless clients with a wireless profile to perform manual PEAP-MS-CHAP v2 authentication but not validate the RADIUS server's computer certificate. After connecting to the wireless network, the wireless client computer joins the domain and receives the appropriate root CA certificate. The computer user (manually) or the IT administrator (through Group Policy) can reconfigure the wireless profile so that PEAP-MS-CHAP v2 authentication validates the RADIUS server's computer certificate and automatically uses domain credentials.

Methods for Joining a Wireless Client to a Domain


This section describes the following methods for joining a wireless client to a domain:

- IT staff joins a wireless computer to the domain and configures a Single Sign On bootstrap wireless profile
- User configures their wireless computer with a bootstrap wireless profile using an XML file and joins the domain
- User manually configures wireless computer with bootstrap wireless profile and joins the domain

IT Staff Joins Wireless Computer to the Domain and Configures a Single Sign On Bootstrap Wireless Profile

In this method, an IT administrator joins the wireless computer to the domain before distributing it to the user. When the user starts the computer, the credentials that they manually specify for the user logon are used to both establish a connection to the wireless network and log on to the domain. The following are the steps for this method:

1. An IT administrator joins the new wireless computer to the domain (for example, through an Ethernet connection that does not require IEEE 802.1X authentication) and adds a bootstrap wireless profile to the computer with the following settings:
   - PEAP-MS-CHAP v2 authentication
   - Validate RADIUS server certificate disabled
   - Single Sign On enabled
   Single Sign On is a new feature for Windows Vista wireless clients that performs 802.1X authentication based on the network security configuration during the user logon process. For this bootstrap wireless profile, the IT administrator specifies that Single Sign On perform 802.1X authentication immediately before user logon.
2. The IT administrator distributes the new wireless computer to the user.
3. When the user starts the computer, Windows Vista prompts the user to enter their domain user account name and password. Because Single Sign On is enabled, the computer uses the domain user account credentials to first establish a connection with the wireless network and then log on to the domain.

Single Sign On is required for this bootstrap wireless profile because even though the computer is joined to the domain, the user has never logged on to the computer. If the computer does not have a network connection when the user attempts to log on for the first time, the logon will fail because the computer is unable to verify the user account credentials with a domain controller. Therefore, the network connection must be established first. Single Sign On uses the same user account credentials to establish a wireless connection and to log on to the domain. After the user has successfully logged on, subsequent user logons can utilize cached credentials.

User Configures Their Wireless Computer with a Bootstrap Wireless Profile Using an XML File and Joins the Domain

In this method, the user configures their wireless computer with a bootstrap wireless profile using an XML file and script that has been configured by an IT administrator. The bootstrap wireless profile configured by the XML file allows the user to establish a wireless connection and then join the domain. The following are the steps for this method:

1. An IT administrator configures another Windows Vista-based wireless computer with a bootstrap wireless profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.
2. The IT administrator extracts the bootstrap wireless profile to an XML file with the netsh wlan export profile command (see "Appendix A: Configuring a Bootstrap Wireless Profile" in this article) and creates a script file to execute that will automatically add the profile on the user's computer.
3. The IT administrator distributes the new wireless computer, the XML file containing the bootstrap wireless profile, and the script file to the user using an appropriate method. The script file contains the netsh wlan add profile XML_File_Name Connection_Name command. For example, the XML file can be stored on a USB flash drive with a script for the user to run to add the bootstrap wireless profile.
4. The user starts the computer and performs a logon using a local computer account.
5. The user runs the script file to add the bootstrap wireless profile.
6. After the script is run, Windows Vista attempts to connect to the wireless network. Because the settings of the bootstrap wireless profile specify that the user must provide credentials, Windows Vista prompts the user for an account name and password.
7. The user types their domain user account name and password and the Windows Vista client computer connects to the wireless network.
8. The user joins the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.

User Manually Configures Wireless Computer With a Bootstrap Profile and Joins the Domain

In this method, the user manually configures their wireless computer with a bootstrap wireless profile based on instructions from an IT administrator. The bootstrap wireless profile allows the user to establish a wireless connection and then join the domain. The following are the steps for this method:

1. The IT administrator distributes to the user the instructions for configuring a bootstrap wireless profile that uses PEAP-MS-CHAP v2 authentication with the validation of the RADIUS server certificate disabled.
2. The user starts the computer and performs a logon using a local computer account.
3. The user executes the steps in the instructions to configure the bootstrap wireless profile (see "Appendix A: Configuring a Bootstrap Wireless Profile" in this article).
4. After the bootstrap wireless profile is configured, Windows Vista attempts to connect to the wireless network. Because the settings of the bootstrap wireless profile specify that the user must provide credentials, Windows Vista prompts the user for an account name and password.
5. The user types their domain user account name and password and the Windows Vista client computer connects to the wireless network.
6. The user joins the Active Directory domain. For more information, see "Appendix B: Joining a Windows Vista client to a Domain" in this article.

Appendix A: Configuring a Bootstrap Wireless Profile


To configure a bootstrap wireless profile, do the following:

1. From the Connect to a network dialog box, click I don't see what I want to connect to. You can access the Connect to a network dialog box from many locations in Windows Vista, including the following:
   - From the wireless connection icon in the notification area of the desktop
   - From the Connect/disconnect wireless networks link in Control Panel-Network Connections
   - From the context menu of a wireless network adapter in Control Panel-Network Connections
2. In the Select a connection option page, click Set up a network.
3. In the Enter information for the wireless network you want to add page, configure the following:
   - Network name: Type the name of the wireless network.
   - Security type: Select the method used to authenticate a connection to the wireless network (WEP (802.1x), WPA-Enterprise, or WPA2-Enterprise).
   - Encryption type: Select the method used to encrypt data frames sent over the wireless network (WEP, TKIP, or AES).
4. Click Next.
5. Click Change connection settings.
6. Click the Security tab and select the Protected EAP (PEAP) method under Choose a network authentication method. Click Settings.
7. In the Protected EAP (PEAP) Properties dialog box, clear the Validate server certificate check box.
8. Click OK twice, and then click Close.

To export the settings of this bootstrap wireless profile to an XML file, type the following command:

netsh wlan export profile XML_File_Name Profile_Name Connection_Name

XML_File_Name is the name of the XML file that will store the wireless profile settings. Profile_Name is the name of the wireless profile being exported. Connection_Name is the name of the wireless adapter for which the wireless profile has been configured.
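The exported XML file is what the IT administrator hands to users, and it is also the artifact to check once the Group Policy profile is supposed to have replaced the bootstrap settings. The following Python script is an added example, not part of this article or of any Microsoft tool: it reads a profile exported by netsh lan export profile (wired Appendix A) or netsh wlan export profile (this appendix) and reports the three bootstrap characteristics the article describes, namely server certificate validation disabled, prompting for credentials instead of using the logon credentials, and an authMode that leaves no room for computer authentication. The sample profiles are constructed; the element names and namespaces assume the PEAP and MS-CHAP v2 connection-properties schema these exports use, and the LANProfile/WLANProfile root is not inspected.

```python
# Added audit helper, not part of this article: classify an exported 802.1X
# profile (netsh lan/wlan export profile) as bootstrap or production.
import xml.etree.ElementTree as ET

# Namespaces of the elements the audit reads; the LANProfile/WLANProfile root is ignored.
NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
    "mschap": "http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1",
}


def audit_profile(xml_text):
    """Return {'bootstrap': bool, 'findings': [...]} for one exported profile."""
    root = ET.fromstring(xml_text)
    onex = root.find(".//onex:OneX", NS)
    if onex is None:
        return {"bootstrap": False, "findings": ["no 802.1X (OneX) configuration"]}
    peap = onex.find(".//peap:EapType", NS)
    if peap is None:
        return {"bootstrap": False, "findings": ["outer EAP method is not PEAP"]}
    findings = []
    # The 'Validate server certificate' check box maps to PerformServerValidation.
    validate = peap.findtext("peap:PeapExtensions/peap2:PerformServerValidation", "true", NS)
    no_validation = validate.strip().lower() != "true"
    if no_validation:
        findings.append("RADIUS server certificate is not validated (bootstrap setting)")
    # Bootstrap profiles prompt for credentials; production ones use the logon credentials.
    logon = peap.findtext(".//mschap:UseWinLogonCredentials", "false", NS)
    if logon.strip().lower() != "true":
        findings.append("prompts for credentials instead of using Windows logon credentials")
    # A Group Policy profile must allow computer authentication, or domain logon fails.
    if onex.findtext("onex:authMode", "machineOrUser", NS).strip() == "user":
        findings.append("authMode=user: computer account cannot authenticate before logon")
    return {"bootstrap": no_validation, "findings": findings}


# Constructed sample (assumed layout of a netsh lan export profile file, PEAP-MS-CHAP v2).
PROFILE_TEMPLATE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
<MSM><security><OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
 <authMode>{mode}</authMode>
 <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
   <Type>25</Type>
   <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
     <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
     <ServerNames></ServerNames>
    </ServerValidation>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
     <Type>26</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
      <UseWinLogonCredentials>{logon}</UseWinLogonCredentials>
     </EapType>
    </Eap>
    <PeapExtensions>
     <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
    </PeapExtensions>
   </EapType>
  </Eap></Config>
 </EapHostConfig></EAPConfig>
</OneX></security></MSM></LANProfile>"""

BOOTSTRAP_PROFILE = PROFILE_TEMPLATE.format(mode="user", logon="false", validate="false")
PRODUCTION_PROFILE = PROFILE_TEMPLATE.format(mode="machineOrUser", logon="true", validate="true")

if __name__ == "__main__":
    for name, xml in (("bootstrap", BOOTSTRAP_PROFILE), ("production", PRODUCTION_PROFILE)):
        print(name, audit_profile(xml))
```

Run it against the file netsh wrote (replace the constructed samples with the file contents) after the domain join and again after Group Policy has applied: a profile still flagged as bootstrap at that point is one that never got its server validation turned back on.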


Appendix B: Joining a Windows Vista client to a Domain


After successfully connecting to the secure wireless network, use Control Panel-System to do the following:

1. Under Computer name, domain, and workgroup settings, click Change settings.
2. From the System Properties dialog box, click Change.
3. In the Computer Name Changes dialog box, type the computer name in Computer name. Click Domain and type the Active Directory domain name.
4. Click OK.
5. When prompted, type your domain user name and password to join the computer to the domain.
6. Restart the computer when prompted.

When the computer is restarted, it automatically authenticates to the wireless network using the computer's domain account credentials or certificate.
