Ease 802.1X Deployments With the SU1X Configuration Tool
When implementing a WPA or WPA2 Enterprise encrypted network with 802.1X authentication, you'll probably find it difficult to configure the client computers. This is especially true when end users bring their own devices.
End users usually must manually configure the network and authentication settings before connecting to WPA/WPA2-Enterprise networks. If they make mistakes or directions aren't carefully followed, it can be very irritating for users and IT staff alike. However, network administrators can help by creating and distributing a client configuration wizard that sets up the connection for them.
The SU1X 802.1X Configuration Deployment Tool is one free solution that you can use to create a client configuration wizard for Windows XP/Vista/7. It's an open source project developed by Gareth Ayres at Swansea University in association with Loughborough University.
In this tutorial, we'll discuss configuring and using SU1X version 106. Let's get started!
How the tool works
Once you download SU1X, extract the zip file. You'll find the files to create and deploy the client wizard in the su1x-both-v106\bin directory.
The config.ini file is where you'll configure the interface and functionality settings. You run the getprofile.exe program to capture your network and authentication settings from a computer already set up with your Wi-Fi network. Once everything is configured, end users run the su1x-setup.exe program to set up their client computer.
Configuring settings in the config.ini file
Here's a summary of the settings in the config.ini file, organized by section:
- [su1x]: Here are some configuration options you'll want to change:
- startText: Message displayed in the status box of the client wizard.
- title: Text displayed in the title bar of the client wizard window.
- username: Example username, which is pre-filled in the username field of the client wizard.
- [print]: Enabled by default, shows a Printing tab on the client wizard. End users can hit the Setup Printer button to add the networked printers you specify in this config file to their computer. A Remove Printer button is also displayed.
- [support]: Enabled by default, shows a Help tab on the client wizard. Users can hit the Start Checks button to run tests and output the findings to a dump file.
- SSID: Change this to your network name, so the getprofile.exe program knows which network settings to capture.
- [images]: Contains the filenames of the images displayed in the client wizard, which we'll discuss later.
- [remove]: Disabled by default. When enabled, removes the network profiles of the SSIDs you specify from the end user's computer. This is useful if you plan to set up an SSID on your network with a captive portal designed just for hosting the client wizard and setting up the end users. You can set the wizard to remove this setup SSID from the end user's computer while the wizard configures it for the operational SSID. This can also help in cases where another wireless network nearby is causing problems.
- [certs]: Enabled by default, installs a Certificate Authority (CA) certificate on the client when the client wizard is run. This is useful if you use a self-signed certificate for your RADIUS server; it isn't needed if you purchased a certificate from a CA that operating systems already recognize, such as VeriSign or GoDaddy. Be sure to disable this if not needed or rename with your
Capturing the network and authentication settings
You'll need to manually configure at least one computer with the network and authentication settings and verify you can successfully connect to the desired Wi-Fi network. Then you can run the getprofile.exe program from the Bin directory and click the Capture button to begin.
Note: Be sure to set the settings just as you want them on the clients. For security reasons, you should validate the RADIUS server's certificate, specify the server name to connect to, and not prompt the user to authorize new servers; otherwise a client can be tricked into authenticating to an impostor access point and RADIUS server.
You should see a summary of some of the settings it has captured. Close the window to continue. Then it should say that it has completed and created the Profile.xml file.
Now you must change the filename Profile.xml to the filename for that specific Windows version:
- exported.xml - Default or Windows XP SP3 profile
- exported-wpa.xml - Backup default or Windows XP SP3 profile
- exported-7.xml - Windows Vista and 7 specific profile
- exported-7-wpa.xml - Backup Windows Vista and 7 specific profile
- exported-sp2.xml - Windows XP SP2 specific profile (as there are some issues with this SP)
- exported-soh.xml - Default profile used if NAP/SoH is enabled
If you have varying Windows versions, you should complete this process for each profile type above. The idea is to have a specific configuration for Windows versions that contain unique settings.
The backup profiles are optional. They are useful if the first profile, for example, is set to WPA2 and the client only supports WPA. In this case, you could set the backup profile to WPA only. Keep in mind, the config.ini file is set by default to automatically try the backup default or Windows XP SP3 profile, but not the backup Windows Vista and 7 specific profile.
When capturing from multiple computers, you'll probably want to move the entire su1x-both-v106 directory to a flash drive or share and access the directory via the network. This is because you need at least the getprofile.exe and config.ini files when capturing the profiles.
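As an added example (not part of the original article or the SU1X project), here is a small Python check that audits a captured Profile.xml for the three settings called out in the capture note (certificate validation enforced, server name specified, no prompt for new servers) before the file is renamed and packaged. The namespaces and element names are assumed from the Windows WLAN/PEAP profile schema, and the embedded profile is a constructed sample, not output from getprofile.exe.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed from the Windows WLAN/PEAP profile schema (the article shows no XML).
NS = {
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample standing in for a captured Profile.xml (PEAP-MSCHAPv2), trimmed to the elements audited.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
   <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation>
      <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
      <ServerNames>radius.example.edu</ServerNames>
      <TrustedRootCA>PLACEHOLDER-CA-THUMBPRINT</TrustedRootCA>
     </ServerValidation>
     <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation></PeapExtensions>
    </EapType>
   </Eap></Config></EapHostConfig></EAPConfig>
 </OneX></security></MSM>
</WLANProfile>"""


def _is_true(text):
    return (text or "").strip().lower() == "true"


def audit_profile(xml_text):
    """Return the server-validation weaknesses found in a PEAP profile (empty list = OK)."""
    root = ET.fromstring(xml_text)
    sv = root.find(".//peap:ServerValidation", NS)
    if sv is None:
        return ["no PEAP ServerValidation block found"]
    problems = []
    # Without this the client accepts whatever certificate the RADIUS server presents.
    if not _is_true(root.findtext(".//peap2:PerformServerValidation", None, NS)):
        problems.append("server certificate validation is not enforced")
    # A prompt teaches users to click through to unknown servers.
    if not _is_true(sv.findtext("peap:DisableUserPromptForServerValidation", None, NS)):
        problems.append("user is prompted to authorize new servers")
    if not (sv.findtext("peap:ServerNames", "", NS) or "").strip():
        problems.append("no RADIUS server name is specified")
    if not (sv.findtext("peap:TrustedRootCA", "", NS) or "").strip():
        problems.append("no trusted root CA is pinned for the RADIUS server")
    return problems
```

Run it against each exported-*.xml you intend to ship; a non-empty list means the profile should be recaptured with the settings corrected.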
Change images for branding
The client wizard end users will run includes images you can change for branding reasons. These are located in the su1x-both-v106\bin\images directory. Here are the images you'll probably want to change:
- jrs-header.jpg: This is the banner image displayed on the top of the client wizard, which you should replace with your organization's logo or some title image for the network. If desired, you could simply delete this file and the space will be blank on the client wizard.
- bubble1.jpg: This is shown to the user in the wizard so they see what the first bubble looks like after attempting to connect from XP. You'll want to replace it with a shot that contains your network name.
- bubble-connected-xp.jpg: This is a screenshot of the second bubble in XP, shown after a successful connection. You'll also want to replace it with a shot that contains your network name.
- bubble-vista.jpg: This is the bubble shown in Vista after attempting to connect. Again, you want to customize with your network name.
Simply delete the existing images you want to replace and give the new one the same filename, or change the filenames in the config.ini file.
The splash image that can be displayed at the end of the client wizard is disabled by default. If you enable it, the default filename is big.jpg; an example image isn't included.
You might notice another image named lis-header.jpg. This looks like it has been included accidentally and can be deleted or ignored.
Including the RADIUS server's CA certificate
If you specified installation of a CA certificate onto the clients, you need to delete the default certificate (CamfordCA.der) and copy yours into the Bin directory. Be sure the correct filename for your certificate is entered in the certs section of the config.ini file.
Packaging for distribution
Once you're done configuring the client wizard, you can package the following required files into an installer or self-extracting zip file, or otherwise distribute:
- su1x-setup.exe (if desired, you can rename this)
- images (folder)
- (your required profiles ending in xml)
- (CA certificate file)
Running the wizard on clients
The end user must extract the files (if needed) and then run the su1x-setup.exe program. Then they can hit the Start Setup button. It will detect the Windows version and import the network profile. Once the configuration is done it will attempt to connect and will display instructions on a popup window.
Eric Geier is the founder and CEO of NoWiresSecurity, which helps businesses easily protect their Wi-Fi with enterprise-level encryption by offering an outsourced RADIUS/802.1X authentication service. He is also the author of many networking and computing books, for brands such as For Dummies and Cisco Press.