WiFi Authentication Options

Jared Miniman

All,

I'm working on a government project and we originally got a requirement to
use PEAP to authenticate devices to a wireless network. The problem is that
these are Windows CE devices, and Microsoft has not released APIs to
communicate with the "Zero Configuration Utility", the little pop-up that
asks you for user name, password, and domain upon finding an AP that is in
your list of preferred APs. So basically, without resorting to a third
party tool, PEAP on a Windows CE device must abide by Microsoft's rules, or
a hack must be used to sniff for messages coming from that Zero Config
window. Ick!

Outside of the various EAP flavors, what security options have you all
discussed for WiFi authentication? Are there any extensions to WEP (like
WPA AES/WPA2) that are considered pretty rock solid and handled properly by
Windows CE/Pocket PC?

--jsm NG*
 
I think that you should be able to use PEAP with OpenNETCF's .Net namespace
classes, if you can't just let the regular WZC interface be used. Are you
restricted to being the front-most and only accessible application?

I guess I don't feel like I understand what the problem is: the OS supports
PEAP (with the Cisco 352 card), OpenNETCF can probably help you associate
with a given SSID, if you need to do that, etc.

WEP works fine. I don't know about rock-solid, at least from a security
perspective, but it works and it stops casual intruders from getting in.

Paul T.
 
The problem is yes, we must be the front end, and unless we let the MSFT
Zero Config dialog pop up in front of our application (which we refuse), we
must resort to window sniffing to SetText on the various fields (user name,
password, domain) and to hit submit.

As I understand it, at least on a CE device, the ONLY component that
receives these handshake messages is the Zero Config tool, unless you
replace it with a third party product. Which we might have to.

--jsm NG*
 
What version of Windows CE are you targeting? It seems like the story
provided by MS for replacing the various network UIs and the documentation
for EAP has improved a lot with CE 5.

I'll take a look when I have some time, but you might try connecting and
disconnecting via the OpenNETCF API for a couple of limited cases. For
example, maybe before your application takes over each unit is preconfigured
for the list of APs to which it can connect. In that case, you only have to
worry about *reconnecting* to a preferred AP, which shouldn't require as
much user interaction.

If that's not a fair assumption, you can dive in and look at the EAP fields
in some of the WZC structures in native code. I noticed them as I went by
while adding support for enumerating the preferred AP list in the last
couple of days.

Paul T.
 
Paul,

I'm trying to find an MSDN link that explains how the EAP developer story
has changed with CE 5.0. Do you know of any resources that discuss this?
I'd love to get management *seriously* thinking about going to CE 5.0.

--jsm NG*
 
There are some docs in the Windows CE 5 help (with Platform Builder), that
talk about EAP extensions. It seemed to me that the documentation of what
was going on was substantially bigger in 5 than in 4.2. The 4.2 docs are
pretty much of the glossary type (you click on Wireless Network Client
Configuration and you get one paragraph telling you what they mean by that
and nothing else). I still don't see a 'how to control when/how eap
parameters are entered', but there's a better chance that something is
there, I think.

I'm not aware of a page that talks about what has actually changed in the
docs or about what extra source code might be available for you. However, a
quick search in the 5.0 docs ("replace netui"), shows that there is a lot
more information on replacing, customizing the NetUI component for your
platform, and that's pretty much what you're thinking about. Maybe something
is there which talks about alternate methods of entering EAP parameters.
Those pieces of the 5.0 help are also in MSDN.

Paul T.
