Getting to Know the Extended WES Features


Using PEAP Fast Reconnect

When clients connect to an 802.11 wireless network, the authenticated session has an expiration interval configured by the network administrator to limit the duration of authenticated sessions. To avoid the requirement for authenticated clients to periodically re-authenticate and resume a session, you can enable the fast reconnect option.

PEAP supports fast reconnect, as long as each wireless access point is configured as a client of the same IAS (RADIUS) server. In addition, fast reconnect must be enabled on both the wireless client and the RADIUS server.

When PEAP fast reconnect is enabled, the client and the server cache TLS session keys after the initial PEAP authentication succeeds. When users associate with a new wireless access point, the client and the server use the cached keys to re-authenticate each other until the cache has expired. Because the keys are cached, the RADIUS server can quickly determine that the client connection is a reconnect. This reduces the delay between a client's authentication request and the RADIUS server's response. It also reduces resource requirements for the client and the server.

If the RADIUS server that cached the session keys is not used, full authentication is required, and the user is again prompted for credentials or a PIN. This can occur in the following situations:

The user associates with a new wireless access point that is configured as a client of a different RADIUS server.

The user associates with the same wireless access point, but the wireless access point forwards the authentication request to a different RADIUS server.

In both situations, after the initial authentication with the new RADIUS server succeeds, the client caches the new TLS session keys. Clients can cache TLS session keys for multiple RADIUS servers.
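The caching behavior described above can be modeled in a few lines. This is an added example, not code from the manual or from any Wyse or Microsoft tool; the server names, access point names, the 600-second cache lifetime, and the rule that a fast reconnect does not reset the cache timer are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    cache_lifetime: int                 # seconds (constructed value)
    fast_reconnect: bool = True
    sessions: dict = field(default_factory=dict)   # client id -> cache expiry

@dataclass
class Client:
    ident: str
    fast_reconnect: bool = True
    sessions: dict = field(default_factory=dict)   # server name -> cache expiry

def authenticate(client, server, now):
    """Return "fast" or "full" for one association at time `now` (seconds)."""
    c_exp = client.sessions.get(server.name)
    s_exp = server.sessions.get(client.ident)
    both_enabled = client.fast_reconnect and server.fast_reconnect
    if both_enabled and c_exp is not None and s_exp is not None \
            and now < min(c_exp, s_exp):
        return "fast"   # both ends still hold the cached TLS session keys
    # Full PEAP authentication; afterwards both ends cache the new keys.
    # Assumption: the cache timer starts here and a fast reconnect does not reset it.
    expiry = now + server.cache_lifetime
    client.sessions[server.name] = expiry
    server.sessions[client.ident] = expiry
    return "full"

def roam(client, ap_to_server, path):
    """Replay (time, access point) associations; return the outcome of each."""
    return [authenticate(client, ap_to_server[ap], t) for t, ap in path]

def demo():
    # Constructed topology: ap1 and ap2 share ias1, ap3 uses ias2.
    ias1, ias2 = RadiusServer("ias1", 600), RadiusServer("ias2", 600)
    aps = {"ap1": ias1, "ap2": ias1, "ap3": ias2}   # AP -> its RADIUS server
    path = [(0, "ap1"), (60, "ap2"), (120, "ap3"),
            (180, "ap1"), (700, "ap3"), (900, "ap2")]
    return roam(Client("thin-client-01"), aps, path)

if __name__ == "__main__":
    print(demo())
```

The replay shows a full authentication on first contact with each RADIUS server, fast reconnects while roaming between access points of a server whose cache entry is still valid (including a return to the first server), and a full authentication again once that server's entry has expired.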

Using the Regpersistence Tool to Configure PEAP Wireless Connections

Use the following guidelines:

1. Image the Windows Embedded Standard Client.

2. Add the following three user-specific folders to the File Based Write Filter Exclusion List:

\Documents and Settings\<username>\Application Data\Microsoft\Crypto

\Documents and Settings\<username>\Application Data\Microsoft\Protect

\Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates

3. Add the username to the [Profile] section of the NetXClean.ini file.

4. Add the user to the Administrators group.

5. With the Write Filter enabled, configure a wireless connection.

When users log in, they are not prompted for wireless credentials.

Note

When you configure PEAP authentication with the Regpersistence tool, the thin client must have a corresponding or related user certificate and server certificate for authentication. With the Regpersistence tool, the user name and domain name are saved across reboots; the PEAP authentication process prompts only for the password, to prevent hackers from spoofing user credentials while users are connected across a WAN.

Wyse Technology 90955101L manual Using Peap Fast Reconnect