The SU1X 802.1X Configuration Deployment Tool


Updated 1/11/2021

This page contains archive material only - the SU1X tool was combined into CAT and should no longer be seen as a standalone solution.

Configuring Windows supplicant software is not technically a difficult task, even with the additional complication of including details about an institutional RADIUS server certificate or certificate distribution. However, users are generally students and staff who have little knowledge of, or interest in, wireless networks or login mechanisms. For such users, configuring devices properly for use on 802.1X networks can be difficult. Because of the many different configuration options, step-by-step instruction guides, even with screenshots, can be quite daunting for the average user who does not wish to know about wireless ciphers; username including realm; domain (blank); roaming identity; authentication type (EAP-TTLS/PAP, EAP-TTLS/MSCHAP, PEAP/MSCHAPv2); RADIUS server certificate validation; or RADIUS server name.

A major step has now been taken towards solving at least this latter problem of wide scale deployment of 802.1X configuration on Windows devices. Janet is pleased to have supported the development of the open source SU1X 802.1X Configuration Deployment Tool developed by Gareth Ayres at Swansea University in association with Loughborough University.

The SU1X Tool is now available for general use by network managers and can be freely downloaded, complete with comprehensive documentation.

The zip file contains a package including: two executables su1x-setup.exe and getprofile.exe; readme file; User Guide; Case Study.

The Case study and User Guide are also available here:

SU1X Tool Features:

  • Capture of configuration details of operational reference client on network
  • Independent configuration of any 802.1X settings prior to distribution
  • Configuration of automatic or manual proxy server settings for IE and Firefox
  • Removal of first time connection 'setup' SSID and up to 2 further legacy profiles
  • Automatic connection of Secure SSID
  • Popup with instructions and hints on how to connect and fill in username
  • Support for Windows XP (SP3), Vista, Windows 7
  • Server certificate installation
  • WPA2 support check: the tool tries to apply the WPA2 profile and, if the client adapter does not support it (no WPA2 support), applies a fallback WPA/TKIP profile instead
  • Tool checks for third-party supplicants and, if found, alerts the user
  • Sets Windows supplicant to automatic and starts it

Version 081, complete with documentation and case study was released in Jan 2010. An updated version, 104 was released on 25/06/2010 and included the following:

  • Automation of configuration of a PEAP wireless connection on XP (SP3), Vista and Windows 7
  • Can set EAP credentials without additional user interaction (avoids tooltip bubble)
  • Installation of a certificate (silent)
  • Checks for WPA2 compatibility and falls back to a WPA profile
  • Third party supplicant check
  • SSID removal and priority setting
  • Support tab: (checks: adapter, wzc service, profile presence, IP)
  • Outputs check results to user with tooltip and/or to file
  • Printer tab to add/remove networked printer

A further updated version of SU1X (v.106) was released on 14/09/2010. The update comprises mainly bug fixes, but also adds a few additional features (notably code to turn on NAP/SoH) and improves operation with Vista and Windows 7:

  • Added code to turn on NAP/SoH
  • Added text to describe username and password text fields
  • Added tick box to show password
  • Added JRS logo/banner
  • Amended proxy code for IE to fix problem with Chinese laptops (provided by Adrian Simmons, York St Johns)
  • Added Windows Vista/Win7 specific xml file to allow optional capture of separate profiles for Win7 and XP. (XP needs blob in xml which is not mandatory in Vista/Win7. This allows more config options in Win7 profile)
  • Debugs to file when checks turned on
  • Added manifest to code to remove UAC/PAC errors/warnings in Vista/Win7

NB. The tool cannot provide the solution to third-party supplicant configuration deployment in 802.1X environments where PEAP/MSCHAPv2 is not an acceptable EAP method and consequently where the Windows built-in supplicant is not used. In these cases, where third-party supplicant software like SecureW2 or Xsupplicant is used, network managers should investigate commercial products such as Cloudpath’s XpressConnect.

How the tool works

There are two stages to using SU1X, firstly the Windows 802.1X configuration details of a reference machine are captured and the application customized for the individual institution. The second stage is the distribution of the settings together with the setup utility and the final execution of the utility, which configures the client device with identical settings to the reference device.

SU1X thus comprises two distinct applications:

  1. The wireless settings capture tool, getprofile.exe
  2. The deployable configuration setup tool, su1x-setup.exe

The capture tool is run on a machine that has been manually configured for use on the (wireless) network, and which is fully functional. The capture tool captures the configuration settings and saves them to an XML file, profile.xml. This file is subsequently distributed with the client setup utility.

The setup tool is completely customisable by editing the INI file which is also distributed with the XML file and client setup utility. There are key options which need to be set in this config.ini file – particularly relating to the installation of your RADIUS server certificate. In addition, a number of logo and picture files that are used during the execution of the utility can be replaced to suit an individual institution’s branding together with the text displayed by the setup utility. This allows each organisation to customise the tool to match their own look and feel.

The next step is to package the setup utility, the XML file, the edited config.ini file, certificate manager and certificate file into a self extracting zip file ready for distribution.

The packaged tool can then be distributed to any Windows XP (SP3), Vista or Windows 7 user. There are numerous ways of doing this including by USB memory stick or by a download link on a website.

One option is for users who do not yet have devices configured for 802.1X authentication to be able to connect to a completely open wireless network with a captive portal instruction page. The page could inform users how to start registration to use network services and how to achieve 802.1X configuration by clicking on the SU1X setup download button.

At Swansea, for example, the tool was provided as a download upon successful registration through an open setup wireless network. The tool then dissociated the user from the setup network and connected them to the secure network.

For users, having clicked to download the setup zip file, the self-extracting file places the required files into a folder on their device. All they then have to do is run the su1x-setup utility and click the ‘Install’ button in the dialogue box. 802.1X configuration is then automatic: the utility performs a number of checks (e.g. detecting the operating system type) and applies the settings in the XML file.

Once the configuration is complete, a dialogue window will appear informing the user that the configuration was successful. This dialogue window also contains the final instructions regarding the wireless connection bubble that appears in the System Tray once the device has associated with the institution’s wireless network – i.e. what to enter in the login credentials box.
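The two-stage procedure just described (capture the reference profile, then install it, the server certificate and the supplicant settings on the user's device), written out as an added PowerShell example. This is not SU1X's own code or getprofile.exe/su1x-setup.exe logic; it uses only the tools built into Windows (netsh wlan, certutil, Set-Service) and so assumes Vista or Windows 7 or later on both machines (XP's WZC has no netsh wlan context) and English-language netsh output. The SSIDs, folder, file names and function names in $Cfg and below are assumptions; the ServerValidation/ServerNames/TrustedRootCA element names come from Microsoft's PEAP profile schema. It goes a little beyond the page in one respect: it checks the captured profile for RADIUS server validation before it is distributed, and it tests WPA2 support by reading the driver capabilities rather than by trying the profile and catching the failure as the tool does.

```powershell
# Added example, not SU1X's own code. Assumed names and paths are collected here.
$Cfg = @{
    SecureSsid = 'eduroam'          # assumption: the institution's 802.1X SSID
    SetupSsid  = 'setup'            # assumption: the open first-time-connection SSID
    Folder     = 'C:\su1x-example'  # assumption: unpacked folder holding profile XML + CA cert
    CaCert     = 'radius-ca.cer'    # placeholder: the institution's RADIUS CA certificate
}

# ---- Stage 1: on the reference machine that already works on the secure SSID ----
function Export-ReferenceProfile {
    param([string]$Ssid = $Cfg.SecureSsid, [string]$Folder = $Cfg.Folder)
    New-Item -ItemType Directory -Force -Path $Folder | Out-Null
    # Writes "<interface>-<ssid>.xml" in WLANProfile format. The 802.1X (OneX/EAP)
    # settings are included; the user's credentials are not.
    netsh wlan export profile "name=$Ssid" "folder=$Folder"
    Get-ChildItem -Path $Folder -Filter "*-$Ssid.xml" |
        Select-Object -First 1 -ExpandProperty FullName
}

# Before distributing the profile, confirm it validates the RADIUS server: a profile
# with an empty <ServerNames> or no <TrustedRootCA> accepts any server certificate.
function Test-ProfileValidatesServer {
    param([string]$ProfileXml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($ProfileXml)
    # local-name() sidesteps the several XML namespaces used in the profile
    $sv = $doc.SelectSingleNode("//*[local-name()='ServerValidation']")
    if ($null -eq $sv) { return $false }
    $names = $sv.SelectSingleNode("*[local-name()='ServerNames']")
    $ca    = $sv.SelectSingleNode("*[local-name()='TrustedRootCA']")
    return ($null -ne $names -and $names.InnerText.Trim() -ne '' -and $null -ne $ca)
}

# ---- Stage 2: on the user's device, run from the unpacked folder ----
function Test-Wpa2Support {
    # Driver capability list contains e.g. "WPA2-Enterprise  CCMP" when supported
    $drivers = netsh wlan show drivers | Out-String
    return [bool]($drivers -match 'WPA2-Enterprise')
}

function Get-ThirdPartySupplicants {
    # The third-party supplicant check: look for the products named on this page
    # in the installed-programs registry keys (32- and 64-bit views).
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $installed = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        ForEach-Object { $_.DisplayName } | Where-Object { $_ }
    return @($installed | Where-Object { $_ -match 'SecureW2|Xsupplicant' })
}

function Install-SecureProfile {
    param(
        [string]$ProfileXml  = (Join-Path $Cfg.Folder 'profile.xml'),          # WPA2/AES
        [string]$FallbackXml = (Join-Path $Cfg.Folder 'profile-wpa-tkip.xml')  # WPA/TKIP
    )
    $found = Get-ThirdPartySupplicants
    if ($found) { Write-Warning "Third-party supplicant present: $($found -join ', ')" }

    # Trust the RADIUS server's CA in the machine store so server validation succeeds
    certutil -addstore -f Root (Join-Path $Cfg.Folder $Cfg.CaCert) | Out-Null

    # Built-in supplicant service: start it now and at every boot
    Set-Service -Name WlanSvc -StartupType Automatic
    Start-Service -Name WlanSvc

    # Apply the WPA2 profile, or the WPA/TKIP fallback on adapters without WPA2
    $xml = if (Test-Wpa2Support) { $ProfileXml } else { $FallbackXml }
    netsh wlan add profile "filename=$xml" user=all

    # Drop the onboarding SSID, make the secure profile top priority and connect;
    # the user then enters username@realm and password in the connection bubble
    $iface = (netsh wlan show interfaces | Select-String '^\s*Name\s*:\s*(.+)$' |
              Select-Object -First 1).Matches[0].Groups[1].Value.Trim()
    netsh wlan delete profile "name=$($Cfg.SetupSsid)"
    netsh wlan set profileorder "name=$($Cfg.SecureSsid)" "interface=$iface" priority=1
    netsh wlan connect "name=$($Cfg.SecureSsid)"
}
```

On the reference machine run Export-ReferenceProfile and then Test-ProfileValidatesServer against the file it returns; only ship a profile for which the check returns $true, since that is the setting that stops a rogue access point with its own RADIUS server from collecting passwords. Stage 2 must run in an elevated session because certutil writes to the machine Root store and Set-Service changes the service start type.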

The tool takes around 20 seconds to run and configure a machine. Although a little time is required for network managers to become familiar with the tool, to capture the settings for the various Windows platforms in use on their network and to decide on the distribution mechanism, the payback is potentially immense.

The alternatives to use of SU1X are:

  • Expecting users to try to set up their machines themselves by following instructions you publish on your wireless network/802.1X information web page
  • IT Support setting up devices on behalf of users
  • Use of a commercial deployment tool like Cloudpath’s XpressConnect

Use of SU1X saves significant time over manual configuration as well as ensuring that the configuration is carried out accurately - ultimately requiring less support from IT Support staff.

For further information please download the case study, user guide and executable software from the sourceforge.net web site given above or visit www.ja.net/roaming and follow the link to SU1X.

Background

Janet is pleased to have supported the development of the open source SU1X 802.1X Configuration Deployment Tool developed by Gareth Ayres at Swansea University in association with Loughborough University.

In recent years there has been a significant increase in the deployment and use of IEEE 802.1X at academic institutions. This comes as no surprise considering the intrinsic security of the standard and the growth in wireless networking. To date, however, difficulties in configuring client network software (the supplicant) have acted as a brake on its universal adoption. Such configuration, whether for wireless or wired connection, requires certain parameters to be set, which is not always simple or straightforward, particularly for inexperienced users.

Janet is pleased to announce the release of the SU1X 802.1X Windows Configuration Deployment Tool which solves the problem of how to correctly configure large numbers of users’ Windows devices on enterprise networks.

The growth in implementation of 802.1X on enterprise networks has been driven largely by the requirement to provide secure wireless networking to staff and students and to log user authentication. Securing wireless networks properly requires the use of WPA/WPA2 Enterprise and 802.1X – the older captive portal type of system has significant security vulnerabilities, allowing usernames and passwords to be intercepted with comparative ease. Captive portal systems may also have performance limitations if all user traffic must pass through the device - which would also be a single point of failure.

IEEE 802.1X, whilst most often associated with wireless network provision, can be extended across the whole wired and wireless network to provide a more scalable and secure authentication and accounting mechanism than alternative methods. It also allows an institution to participate in the eduroam federation, enabling users to enjoy authenticated network access at any participating organisation without the need for guest network account administration.

Whilst the implementation and use of 802.1X has been growing, its implementation remains a major undertaking requiring careful planning. 802.1X represents a fundamental change to the way users access the network - with the consequence that the network access software on user devices, (aka supplicant), whether for wireless or wired connection, requires certain parameters to be configured. Such configuration is not always simple or straightforward, particularly for inexperienced users.

This problem has been compounded by the limited capabilities of the Microsoft Windows software in this area. Windows, prior to Windows 7, required a careful multi-step configuration and, importantly, only supported the PEAP/MSCHAPv2 EAP method, as well as having other limitations. (Windows 7 is still limited to PEAP/MSCHAPv2.) For many institutions this has meant that third-party supplicant software must be installed on users’ devices to support alternative EAP methods (necessitated by the institutional user database) or to take advantage of better features.

The result is that careful management will be required to achieve a successful 802.1X deployment at a large institution, involving either a) the roll out of third party 802.1X supplicant software and its configuration or, b) (in 802.1X environments where PEAP/MSCHAPv2 is the acceptable EAP method), the configuration of the built-in Windows supplicant software on users’ devices.

Any problems, comments or suggestions regarding this page, please e-mail the eduroam service manager.