Deploy WEP/WPA settings via Registry?

[Zoom7000]

I need to connect 50 laptops to a wireless access point with a 26 character WEP key. Is it possible to put the details in a .reg file and deploy this way?

[Owen W Veteran]

I need to connect 50 laptops to a wireless access point with a 26 character WEP key. Is it possible to put the details in a .reg file and deploy this way?

Are said laptops on a domain? I wouldn't use WEP/WPA in this case. It is insecure and not recommended to store the password on the PC's themselves. If you're using a domain, setup a RADIUS server, that way it's server based and automatic.

[Zoom7000]

I agree with you in principle. However, the problem there is that we've already setup 100s of other laptops in this way! We never envisaged a school full of laptops not desktops! So, as nice as it would be to get a RADIUS server setup, at the moment we need to stick to WEP/WPA until we can plan in time to reconfigure the rest!

[+BudMan MVC]

Yeah wep is pretty much pointless. But as pointed out if the boxes are members of a domain -- just use say wpa - enterprise and have the users auth with their own passwords to your wireless network.

windows server comes with IAS

http://www.microsoft.com/downloads/details...;displaylang=en

Windows Server 2003 Internet Authentication Service (IAS) Operations Guide

http://technet.microsoft.com/en-us/network/bb643123.aspx

Internet Authentication Service

Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server and proxy in Windows Server 2003. As a RADIUS server, IAS performs centralized connection authentication, authorization, and accounting for many types of network access, including wireless and virtual private network (VPN) connections. As a RADIUS proxy, IAS forwards authentication and accounting messages to other RADIUS servers.

In Windows Server 2008, IAS has been replaced with Network Policy Server (NPS).

edit: Just because you have setup 100s the wrong way already, does not mean you can not correct the problem now vs just adding more laptops to the problem.

edti2: but to import/export import wireless profiles you can use netsh

here

http://www.kreslavsky.com/2009/05/import-w...p-or-vista.html

Import Wireless Settings Profile on Windows XP or Vista

[Owen W Veteran]

I agree with you in principle. However, the problem there is that we've already setup 100s of other laptops in this way! We never envisaged a school full of laptops not desktops! So, as nice as it would be to get a RADIUS server setup, at the moment we need to stick to WEP/WPA until we can plan in time to reconfigure the rest!

I forsee many security issues with using WEP/WPA and ISA/RADIUS is the best way to go.

I work for a school myself, and we manage around 300 PCs and 200 laptops (1500 Users) and we've deployed RADIUS swiftly and successfully - on both PC's and laptops.

In the long run, it will make it faster for you, and it can be rolled out to the existing laptops straight away without needing interaction through domain policy. There is no reason not to choose this option! All you need to do is set the RADIUS up, apply the appropriate permissions to the groups you already have and then update your GPO's. It's just that simple.

The PC's, when in range will automatically connect and authenticate making your job easier, and security much higher. Security with WEP/WPA being used locally is problematic, as students can retrieve the passwords and use their own mobile devices to run rampant on any device they like, where as with RADIUS this problem does not exist.

edit: Just because you have setup 100s the wrong way already, does not mean you can not correct the problem now vs just adding more laptops to the problem.

edti2: but to import/export import wireless profiles you can use netsh

here

http://www.kreslavsky.com/2009/05/import-w...p-or-vista.html

Import Wireless Settings Profile on Windows XP or Vista

Pretty much, i agree. Don't create a bigger headache for yourself in the longrun

[sc302 Veteran]

You don't want to use WEP in a school enviornment, with potential "hackers" on the network as you stated in a previous post. they can get other users passwords, which can give them access to their documents. and if your teachers and also admin are on wep that is a potential danger to them as well. Get them off wep. that is your new project for August before school starts, forget the imaging thing and buy a solution, you can show that you don't have enough time to invest in it and you can show them that the time you have outweighs the cost and the need. Now you put that in a report to hand to Technology Manager of the school and you will have what you want, I am sure of it.

[Owen W Veteran]

You don't want to use WEP in a school enviornment, with potential "hackers" on the network as you stated in a previous post. they can get other users passwords, which can give them access to their documents. and if your teachers and also admin are on wep that is a potential danger to them as well. Get them off wep. that is your new project for August before school starts, forget the imaging thing and buy a solution, you can show that you don't have enough time to invest in it and you can show them that the cost outweighs the time that you have to spend on it.

Imaging is fine, if you use RADIUS. I agree with everything else, WEP (and even WPA) is dangerous if stored locally and can just let students wreak havoc on your network. Students like doing this too.

[Zoom7000]

OK guys, you have convinced me. I will look up setting up a RADIUS, or as BudMan mentioned, an IAS server. We are running Server 2003 here. One question I wanted to ask in relation to IAS is whether it will clash with our Internet filter proxy in anyway. We have an Internet filter which the PCs are routed through via Internet Explorer's proxy settings (deployed by GPO). Will IAS clash with this or is it entirely separate?

[+BudMan MVC]

No completely different -- has nothing to do with your internet filter.. IAS is microsofts RADIUS server is all.

"Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server"

[Zoom7000]

Thanks, I'll give it a go!

[sc302 Veteran]

Imaging is fine, if you use RADIUS. I agree with everything else, WEP (and even WPA) is dangerous if stored locally and can just let students wreak havoc on your network. Students like doing this too.

He has another issue in the windows section working with patching and imaging. I think getting this resolved is more important. I think he should concentrate on getting this working 100% before investing time in the imaging issue. If it comes down to it he can put a nice little request together showing that this is going to take more time to get right and to purchase a solution that would take care of his imaging issue.

[+BudMan MVC]

You don't really need to purchase anything to do imaging. If he is a windows shop, there are tools from MS to be able to manage deployment of machines, and also maintain their patch levels, etc.

sysprep

http://support.microsoft.com/kb/302577

How to use the Sysprep tool to automate successful deployment of Windows XP

for vista

http://technet.microsoft.com/en-us/library...28WS.10%29.aspx

Windows Vista Deployment Step-by-Step Guide

This document provides instructions for implementing a basic image-based deployment of Microsoft? Windows Vista? operating system.

Patching

http://technet.microsoft.com/en-us/wsus/default.aspx

Microsoft Windows Server Update Services

Sure he can always purchase a solution that could make his life easier, etc. But not having the budget is not always an excuse for making your life easier with the tools that are out there and fully supported, etc.

[sc302 Veteran]

why do I bother sometimes. just about everything that you just wrote was covered in his other post.

[+BudMan MVC]

sc302 what are you talking about? I don't see any other post that gives info on how he could accomplish imaging and patching.. I just provided links to the free resources that are available for this.

Which was a response to your statement

"to purchase a solution that would take care of his imaging issue. "

is there some other thread where he is asking about imaging? If so then yes my responses would be better off in that thread.

edit: I just looked for the OP topics -- and the only thing I see about imaging was a request for him about free imaging software that I responded to back in may.

So Im at a loss to your facepalm?? which was in response to your purchase comment is all.

[sc302 Veteran]

Go into windows section and look in the issue with locking the keyboard and mouse. In there it was covered. I'd post a link but I am driving.

[+BudMan MVC]

Ok I see his post about he is already using wsus and ris.. I had not read that thread, sorry ;) And my links for him (did not know he already used them) and any other user that might find this thread, etc.

Again its was directly related to your purchase suggestion, just pointing out other FREE options is all, etc.

Not sure it was due a facepalm, and btw you should not be texting while driving ;)

[sc302 Veteran]

Lol

[sc302 Veteran]

Sometimes it is better to make your job easier with technology than to make life difficult trying to figure technology out. It may cost more monetarily, but it will take less man hours to deploy and figure out (not in all cases) and end up costing less in the long run (man hours time spent figuring it out vs cost of product and deployment).

Everything has a cost, it just is a matter of how to justify one or the other. Sure you are paying me one way or another, but doing x takes me away from doing y and z.

[+BudMan MVC]

Agree completely! nothing is free ;)

[Zoom7000]

sc302, you are mixing up both my threads! :p

With regards to the keyboard/mouse locking question, it was purely to trial newer advanced methods of imaging. The reason I don't "Ghost/Altris/PING" or any other form of disk image is because of the vast range of different hardware we have. Acer, Dell, HP, Asus etc.

From when I started my job, I learnt how to create unattended installations from MSFN and I amended it to fit RIS installations. I prefer installing from a CD base as opposed to a Sysprep'd disk image for ease of creation and saving disk space. Also, with this method I can have 1 universal image that works on most of the hardware we have.

The reason for exploring the possibility of inital domain admin logon was to allow integration of DriverPacks rather than having to have loads of drivers in $OEM$ folders. For DriverPacks to work correctly, they have a "finisher" mode that runs on first logon via RunOnceEx. Obviously you don't have an initial logon with RIS which is why I was trying to explore the different possibilities (i.e. Locking keyboard and mouse whilst the Administrator account runs all it's scripts.)

As for the deploying of WEP/WPA keys, it was merely to save typing in loads of keys. Obviously a RADIUS server is a much better option and something I wasn't aware of. And also, trying to work around time constraints and also having to set up an IAS server not having done one before will take time reading and planning. However, it is obviously the better option. I have managed to secure my PCs as much as possible. Kids can't run ANY applications other than the ones that I allow (usually in Program Files) and no more portable applications. Yes the WEP is an issue, but it was something I had not got round to sorting out, as yet!

Hope that clears up the confusions!

[sc302 Veteran]

you should really look at the links i provided in your other thread, which allows for imaging across multiple hardware platforms (1 image for a mix of hardware) as well as deploying at a schedule, deploying without intervention at a pc, and patch/install/application management. The only reason that I brought this in here was that installing, configuring, testing, and deploying a radius server is not going to be done in a day. You should take 1 project at a time. I am just trying to help make your admin job easier, but if you like doing things the hard way, trying to figure out every nitpicky detail, so be it.

I have given you a solution in your other thread, you can figure out how to incorporate it as well as trying to figure out how to install and properly configure a microsoft radius server (not as easy as install the option and run with it).

http://www.microsoft.com/downloads/details...;displaylang=en

enjoy and good luck, let us know when you get stuck.

Edited August 20, 2009 by sc302

[agreenbhm]

This is something to keep in mind for setting up IAS. Don't you NEED to have a PKI setup to use RADIUS with Windows? I tried to set RADIUS up at work but it would never authenticate properly, and later I was told I needed a PKI, although I never saw this documented anywhere.

[sc302 Veteran]

read the doc that I posted above your reply. tells you how to set it up, step by step.

[ZZzzzzzZZZZZ]

Only way I know of is if you have identical compyters/laptops, create a image of a system that is connected to your network.

Save the WPA settings and set as automatically

Now copy the cloned image onto the other computers

DONE :)