Configuring Mobile Networking Slides

The document discusses various topics related to configuring mobile networking, including:
- Wireless networking protocols like WEP, WPA, WPA2, and WPA3 and how they have evolved over time.
- Wireless authentication methods like personal and enterprise modes using a RADIUS server.
- Bluetooth connectivity and how to pair Bluetooth devices in Windows.
- Virtual Private Networks (VPNs) and what they are.

Uploaded by

nikos

Configuring Mobile Networking

Glenn Weadock
MDAA, MCAAA, MCT, MCSE, MCSA, MCITP, A+, SECURITY+

[email protected] www.i-sw.com
Topics in This Module
- Wireless networking
- Wireless protocols
- Wireless authentication
- Bluetooth connectivity
- Virtual Private Networks
- Deploying network connections
Wireless Networking
Wi-Fi began back in 1999 (Apple called it “AirPort”)
Defined by the 802.11 set of standards for 2.4 and 5GHz frequency bands
Requires secure protocols for authentication and encryption
Both communicators must use same protocol
Organizations typically have a WAP (Wireless Access Point) communicating with computers, tablets, and/or phones
Wireless connections without a WAP are called “ad hoc.”
Ad hoc wireless is best for occasional, informal connections – much like Bluetooth.
Windows 10/11 Wireless Settings
Settings applet
- Network & Internet > Wi-Fi
- Autoconnection, discoverability, metering, random hardware addresses, IP configuration
Control panels
- Network & Sharing Center
- IP configuration, discoverability, file/printer sharing, adapter options, wireless network properties
Wireless Choices in “Settings”
Show available networks
Hardware properties
- View only, except IP configuration
- Driver, network channel/band, etc.
Manage known networks
- Connect automatically when in range
- Set as metered (costed) connection
- Network profile (public/private; active connection only)
Random hardware addresses
Wireless Choices in “Control Panel”
Network and Sharing Center
- Advanced sharing settings
- Adapter settings
The secret buried settings
- R-click adapter & choose “Status”
- Choices: Properties & “Wireless properties”
- “Wireless properties” has security info
So What’s “Wi-Fi Direct”?
API to let devices communicate without a WAP
- File transfer, printing, etc.
Similar to ad-hoc wireless except:
- Easier discovery process
- More secure
- Requires compatible adapter (“Microsoft Wi-Fi Direct Virtual Adapter”)
Wireless Networking Toolkit
NETSH
- netsh wlan export profile …
- netsh wlan add profile …
- netsh wlan set hostednetwork …
POWERSHELL
- Get-NetAdapter …
- Enable-NetAdapter …
- Disable-NetAdapter …
- etc.
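The toolkit in action, as an added example that is not part of the slides: inventory the Wi-Fi adapters with Get-NetAdapter, back up every saved profile with netsh wlan export profile, and re-import one with netsh wlan add profile. The backup folder and the file name Wi-Fi-Corp.xml are assumed values.

```powershell
# Added example (not from the slides). Assumed: $BackupDir and the Wi-Fi-Corp.xml file name.
$BackupDir = 'C:\WlanBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Which physical Wi-Fi adapters exist, and are they up?
Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -like '*802.11*' } |
    Select-Object Name, InterfaceDescription, Status, LinkSpeed |
    Format-Table -AutoSize

# Pull the profile names out of the "All User Profile : <name>" lines.
$profiles = netsh wlan show profiles | ForEach-Object {
    if ($_ -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
}

foreach ($name in $profiles) {
    # key=clear is deliberately not used: the exported XML then keeps the
    # passphrase encrypted (<protected>true</protected>), so the backup does
    # not expose Wi-Fi keys to anyone who can read the folder.
    netsh wlan export profile name="$name" folder="$BackupDir" | Out-Null
}
Write-Host "Exported $(@($profiles).Count) profile(s) to $BackupDir"

# Re-import one exported profile for all users of this machine.
$xml = Join-Path $BackupDir 'Wi-Fi-Corp.xml'
if (Test-Path $xml) {
    netsh wlan add profile filename="$xml" user=all
}
```

A protected key only decrypts on the machine that exported it, so a profile moved to a different PC must carry its key through WCD, Intune or another deployment method covered later in the module.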
Demo
Finding Windows 10 wireless settings
Wireless Protocols
Wireless Protocols Timeline
- 1997: WEP – Part of 802.11 standard
- 2003: WPA – Interim solution
- 2004: WPA2 – 802.11i
- 2018: WPA3 – Even better security
Wired Equivalent Privacy (WEP)
Introduced in 1997 as part of the 802.11 standard
Used a “stream cipher” called RC4
Major weaknesses exposed in 2001
WEP keys could be cracked in < 1 hour
Key had either 64 or 128 bits
Wi-Fi Protected Access (WPA)
Introduced in 2003 as an interim solution
More secure than WEP
Encryption via TKIP (Temporal Key Integrity Protocol)
New 128-bit key for each packet...
...but same underlying technology as WEP (RC4)
Not considered secure anymore
Wi-Fi Protected Access 2 (WPA2)
Introduced in 2004 (802.11i)
More secure than WPA...
...but required changes to WAP firmware
Encryption via AES (Advanced Encryption Standard)
- Actually, a variant called CCMP
Required since 2006 for certified devices
Pre-Shared Key (PSK) still a vulnerability
Using WPA2 is not a guarantee of a secure wireless network. A strong password can help foil intruders and prevent MITM attacks.
Wi-Fi Protected Access 3 (WPA3)
Introduced in 2018; even better security
Better password authentication even with relatively simple passwords
- “Simultaneous Authentication of Equals”
“Forward secrecy”
- Past communications sessions are protected against future key hacks
Enterprise version offers 192-bit mode
Changing the Wi-Fi Protocol in Windows 10
Setting the Wi-Fi Protocol on a Wireless Router
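An added example, not from the slides, that applies the timeline above from the defender's side: it reads the Authentication and Cipher lines of netsh wlan show profile for every saved Windows profile and rates WEP, WPA (TKIP) and open networks as weak so they can be removed before a laptop roams. The function name and the -RemoveWeak switch are my own.

```powershell
# Added example (not from the slides). Get-WlanProfileSecurity is an assumed name.
function Get-WlanProfileSecurity {
    [CmdletBinding()]
    param([switch]$RemoveWeak)   # delete weak profiles instead of only reporting them

    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match 'All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }
    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        # Helper: first capture group of the first matching output line, or 'Unknown'.
        $get = { param($pattern)
            $m = $detail | Select-String $pattern | Select-Object -First 1
            if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { 'Unknown' } }
        $auth   = & $get 'Authentication\s*:\s*(.+)$'   # e.g. WPA2-Personal, WPA-Personal, Open
        $cipher = & $get '\bCipher\s*:\s*(.+)$'        # e.g. CCMP, GCMP, TKIP, WEP, None

        # Weak = open/shared-key (WEP or no security), WPA version 1, or any
        # profile whose cipher is WEP/TKIP/none regardless of the auth label.
        $weak = ($auth -match '^(Open|Shared|WPA-)') -or ($cipher -match '^(WEP|TKIP|None)')
        $rating = if ($weak) { 'Weak' } else { 'OK' }

        $removed = $false
        if ($weak -and $RemoveWeak) {
            netsh wlan delete profile name="$name" | Out-Null
            $removed = $true
        }
        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            Rating         = $rating
            Removed        = $removed
        }
    }
}

# Report only; add -RemoveWeak to clean up.
Get-WlanProfileSecurity | Sort-Object Rating -Descending | Format-Table -AutoSize
```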
OK, so What’s WPS?
“Wi-Fi Protected Setup”
A bit different from the other protocols
Makes life easier (maybe) for users creating Wi-Fi links
Push buttons on device and WAP within X minutes to sync the link...
...or use the 8-digit PIN printed on the WAP
Guess the PIN and you get the WPA2 Pre-Shared Key.
Security best practices: turn off WPS (if you can), or update firmware and change the PIN.
Wireless Authentication
Authentication very important in wireless networking
Two basic methods:
- Personal
- Enterprise
WPA2 and WPA3 can be used in Personal mode with a passphrase (SOHO or small business)...
...or Enterprise mode with a RADIUS server (medium-large company).
RADIUS
Remote Access Dial-In User Service, a client/server
protocol for authenticating, authorizing, and accounting
for remote access users.
Microsoft implements RADIUS via NPS,
Network Policy Server.
RADIUS has nothing to do with circles.
Servers, Clients, and Proxies
RADIUS server
- A central clearinghouse for authentication, authorization, and accounting
RADIUS client
- A remote access server that uses the services of a RADIUS server
RADIUS proxy
- A RADIUS server that forwards access request messages to other RADIUS servers
NPS processes RADIUS requests itself = it’s a RADIUS server
NPS forwards RADIUS requests = it’s a RADIUS proxy
When to Use a RADIUS Proxy?
Large number of connection requests
- Need load balancing
Contract service provider
- Many customers
Multiforest or multidomain environment
- Need to forward to appropriate forest or domain
Network Access Server
Any device that responds to a supplicant requesting network access.
For example, a NAS could be a Windows VPN server, a WAP, an RDS Gateway, or an 802.1x switch.
RADIUS client = NAS
Remote access client = remote user
Why Not Just Set Policies on the RAS?
You have many remote access servers
Easier to manage rules in a single location
Easier configuration of new RAS devices
Centralized accounting
A single RADIUS server can have multiple RADIUS clients.
Basics of RADIUS Configuration
Firewall rules
- UDP 1645, 1646, 1812, 1813 (or alternates)
- NPS and RAS must use same ports
Communication requires a shared secret
- e.g. password
Must configure RADIUS server & client(s)
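The three configuration steps above on the NPS side, as an added example that is not from the slides: open the RADIUS ports in Windows Firewall (restricted to the subnet the NAS devices live on), generate a random shared secret, and register a WAP as a RADIUS client with the NPS module's New-NpsRadiusClient. The rule names, the WAP-Floor1 client name and the 10.0.0.0/24 and 10.0.0.5 addresses are constructed values.

```powershell
# Added example (not from the slides); run on the NPS server, where the NPS
# PowerShell module is installed with the Network Policy Server role.
Import-Module NPS

# 1812/1813 are the standard RADIUS authentication/accounting ports; 1645/1646
# are the legacy pair. Whichever pair is chosen, NPS and the RAS/NAS must agree.
# Constructed: only accept RADIUS from the NAS subnet 10.0.0.0/24.
$NasSubnet = '10.0.0.0/24'
foreach ($rule in @(
    @{ Name = 'NPS RADIUS Authentication (UDP)'; Ports = @('1812', '1645') },
    @{ Name = 'NPS RADIUS Accounting (UDP)';     Ports = @('1813', '1646') }
)) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol UDP `
            -LocalPort $rule.Ports -RemoteAddress $NasSubnet -Action Allow | Out-Null
    }
}

# The shared secret is the "password" between NPS and the NAS. Generate it from
# a cryptographic RNG (24 random bytes -> 32 Base64 characters) instead of typing
# a short word, and show it once so it can be entered on the WAP.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = [Convert]::ToBase64String($bytes)

# Register the WAP (constructed name/address) as a RADIUS client of this server.
New-NpsRadiusClient -Name 'WAP-Floor1' -Address '10.0.0.5' -SharedSecret $secret | Out-Null
Write-Host "RADIUS client WAP-Floor1 registered. Shared secret to enter on the WAP: $secret"

# Confirm what NPS now knows about its clients.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled | Format-Table -AutoSize
```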


Bluetooth Connectivity
“Personal Area Network” (PAN/WPAN)
- Class 3 devices: range up to 1 meter
- Class 2 devices (most common): range up to 10m
- Class 1 devices: range up to 100m
Two devices can “pair” with no intervening access point
Multiple devices can communicate over a single interface
Supported by all popular operating systems
To “pair” a Bluetooth device, turn it on and enable Bluetooth discovery on the mobile computer, which should “find” the device.
If both connecting devices have a display, you may need to enter a code from device 1 into device 2.
Adding a Bluetooth Device on a Windows Tablet
Swift Pairing
Turn Bluetooth on or off quickly via the Action Center’s “Quick Tiles”
“Airplane mode” disables all radios.
It’s a handy way to conserve battery power even if you’re not in the air.
Airplane Mode on a Windows Laptop
Virtual Private Networks
Virtual Private Network (VPN)
A network connection created within another network
(“virtual”) using encryption for security (“private”).
A “remote access VPN” securely joins a remote
computer to a corporate network via a public network.
Three Elements of a VPN

Tunneling/encapsulation
- Repackage data in different format
- Outer wrapping has routing info
- Work around firewall/port issues

Authentication
- Verify one or more parties

Encryption
- For safe passage over unsafe networks
Tunneling (a.k.a. Encapsulation)
(Diagram) Encrypted data → encrypted data inside a new “wrapper” with routing information to navigate the intervening network → encrypted data delivered at the far end
Tunneling Protocols in Windows 10/11

PPTP
- Point-to-Point Tunneling Protocol

L2TP/IPsec
- Layer 2 Tunneling Protocol

SSTP
- Secure Socket Tunneling Protocol

IKEv2
- Internet Key Exchange version 2
Client Authentication

VPN server
- With Network Policy Server installed

RADIUS server
- For centralizing authentication &
accounting
Authentication Protocols
PAP – Password Authentication Protocol: plaintext; old OS’s; not recommended
CHAP – Challenge-Handshake Auth. Protocol
MSCHAPv2 – Better; mutual authentication (2-way)
EAP/PEAP – Extensible Authentication Protocol: negotiated; flexible; can use certs
VPN Authentication with Certificates

Types:
EAP-TLS
PEAP-TLS
PEAP-MSCHAPv2
Better than passwords
Recommended for L2TP/IPsec
Optional for PPTP
Machine cert required for IKEv2
SSL cert required for SSTP (server)
IP Addressing
Automatic
- Use internal DHCP server to assign IPs to remote clients
Specific pool
- Create designated pool of IPs
Client VPN Configuration Details
VPN Provider (e.g. Windows)
Connection name
Server name or address
VPN type (automatic or specify)
Type of sign-in (username/password,
smartcard, OTP, certificate)
Username/password, if used
Whether to remember sign-in info
App-triggered VPN
For domain or workgroup computers running Windows 10
Configure via PowerShell
- Add-VpnConnectionTriggerApplication
Requires split tunneling (normally off)
- Set-VpnConnection -Name <connname> -AllUserConnection -SplitTunneling $true
VPN Profiles in Intune and ConfigManager
App-triggered VPN
Network traffic filters
- Limit traffic to specific apps
- Restrict by protocol; source and
destination IP addresses; source and
destination ports
“Always on” VPN
- Triggered by logon or change in network
state
- Exception if trusted network present
Demo
Set up a VPN connection
DirectAccess: Like a VPN but Better
No need for user to create connection
Windows knows if it’s local or not
Always on (when Internet available)
Bidirectional by default
- Client gets updates, GPOs
- “Manage out” option for admins
More detailed access controls
DirectAccess Components
(Diagram) Windows 10/11 client connected to the Internet → Public Internet → DirectAccess Server (S2012R2+) → Corporate Network
DirectAccess Locality
The Network Location Server (NLS) tells the client which side of the edge it is on:
- Public Internet: NLS not found; resolve www.msftncsi.com; create tunnel; use NRPT; public or private firewall profile
- Corporate Network: NLS found; no tunneling; ignore NRPT; domain firewall profile
DirectAccess Requirements
AD, DNS
- Wizard builds required GPOs
IPv6 (internal net can be IPv4 with Server 2012+)
DirectAccess Server (2012+)
Windows 7+ Enterprise
Network Location Server
PKI for full implementation
When to Consider VPN vs. DirectAccess
No IPv6 support in client applications
Need support for Windows 7 clients where there’s no PKI
Need support for non-Windows clients
Windows edition is not Enterprise
No strong need to specify restricted resources
New and Improved: “Always On” VPNs
Successor to DirectAccess
- No IPv6 requirement
- Implement via MDM
(VPNv2 CSP, ProfileXML node)
Requirements:
- Windows 10/11 only
- Certification Authority
- NPS (RADIUS) server
- RRAS server
- AD user accounts
“Always On” VPN Authentication
Device Tunnel:
- Supports IKEv2 only
- Device must be domain-joined
- Computer certificate required
- Windows Enterprise/Education only

User Tunnel:
- Supports IKEv2, SSTP
- Device in domain, workgroup,
or Azure AD
- All Windows 10/11 editions
Deploying Network Connections
Types of connection to deploy for users:
- VPN
- Wi-Fi
- (Bluetooth isn’t complex enough)

Methods of deployment:
- Group Policy Preferences
- PowerShell + logon scripts
- Connection Manager
Administration Kit
- WCD and provisioning packages
- Configuration Manager
- Microsoft Intune or other MDM
Group Policy Preferences
Both computer and user configuration option
Preferences > Control Panel Settings > Network Options
- Automatic
- PPTP VPN
- L2TP IPsec VPN
PowerShell and/or Logon Scripts

Add-VPNConnection
User Configuration > Policies > Windows
Settings > Scripts (Logon/Logoff)
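A logon script of the kind this slide describes, as an added example that is not from the slides; it also carries out the App-triggered VPN slide's two steps (Add-VpnConnectionTriggerApplication plus split tunneling). It creates the per-user IKEv2 connection only if it does not already exist, since logon scripts run at every logon. The connection name, the vpn.example.com placeholder server and the LobApp.exe path are assumed.

```powershell
# Added example (not from the slides). Assumed: $ConnName, $Server, $AppPath.
$ConnName = 'Corp VPN'
$Server   = 'vpn.example.com'                        # placeholder VPN server
$AppPath  = 'C:\Program Files\Contoso\LobApp.exe'    # assumed line-of-business app

# Idempotent: a logon script runs every session, so never recreate the connection.
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    # IKEv2 with EAP; pass -EapConfigXmlStream here to select EAP-TLS / PEAP-TLS
    # when the client has certificates. -EncryptionLevel Required refuses to
    # fall back to an unencrypted tunnel.
    Add-VpnConnection -Name $ConnName -ServerAddress $Server `
        -TunnelType IKEv2 -AuthenticationMethod Eap `
        -EncryptionLevel Required -RememberCredential -Force
}

# App-triggered VPN requires split tunneling, which Windows leaves off by default.
# Only corporate-bound traffic then uses the tunnel; everything else stays local.
Set-VpnConnection -Name $ConnName -SplitTunneling $true

# Starting the LOB app now brings the VPN up without the user opening it first.
if (Test-Path $AppPath) {
    Add-VpnConnectionTriggerApplication -ConnectionName $ConnName -ApplicationID $AppPath
}

# Show the resulting settings for the logon-script log.
Get-VpnConnection -Name $ConnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
```

Deploy the script through User Configuration > Policies > Windows Settings > Scripts (Logon) as the slide shows; because the connection is per-user, the -AllUserConnection switch from the App-triggered VPN slide is not needed here.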
Connection Manager Administration Kit
CMAK for short
Install via Settings > Apps > Apps & Features > Manage Optional Features
Creates an EXE
- Users can run
- Administrators can run against an image
Demo
Creating a VPN profile with CMAK
Windows Configuration Designer
WCD for short
Comes with Windows ADK (“Assessment & Deployment Kit”)
Creates “provisioning packages” (*.ppkg)
Can install against:
- Running OS
- Image
Installing Configuration Designer (“ICD Lite”)
What Can WCD Do?
Customize certain Windows settings
Add & remove apps (both Store and
desktop)
Distribute VPN and wireless profiles
Install certificates
Create user accounts
Configure domain setup
Upgrade Windows edition
Starting a New WCD Project
Pick a wizard mode or advanced mode
Select project name
Select Windows edition to define settings universe:
- All Windows
- All Windows desktop
- All Windows mobile, etc.
Import existing project
- Optional, e.g. to use as a template
WCD runs very slowly in a virtual machine. Run it on a real computer.
Also, WiFi deployment works better than VPN deployment, which often fails.
Applying a Provisioning Package

OOBE
- Can apply after first OOBE page
- 5 quick taps on the Windows key

Runtime
- Settings > Accounts >
Access work or school >
Add or remove a provisioning package
- Odd insistence on a flash drive...?
- OR just double-click the PPKG file
Demo
Creating a WiFi profile with WCD
ConfigManager and Microsoft Intune
Microsoft Endpoint Configuration Manager
- Traditional network management
Microsoft Intune
- Cloud-based network management
Both can create/deploy VPN profiles
Both can deploy non-Microsoft VPNs
Demo
Creating a VPN profile with Intune
Another module done!
Next up: Configuring Data Storage