Ease 802.1X Deployments With the SU1X Configuration Tool
By Eric Geier (NoWiresSecurity Founder & CEO) - originally published on EnterpriseNetworkingPlanet
When implementing a WPA or WPA2
Enterprise encrypted network with 802.1X authentication, you'll
probably find it difficult to configure the client computers. This
is especially true when end users bring their own devices.
End users usually must manually configure the network and
authentication settings before connecting to WPA/WPA2-Enterprise
networks. If they make mistakes or directions aren't carefully
followed, it can be very irritating for users and IT staff alike.
However, network administrators can help by creating and
distributing a client configuration wizard that sets up the
connection for them.
The SU1X 802.1X Configuration Deployment Tool is one free solution
that you can use to create a client configuration wizard for Windows
XP/Vista/7. It's an open source project developed by Gareth Ayres at
Swansea University in association with Loughborough University.
In this tutorial, we'll discuss configuring and using SU1X version
106. Let's get started!
How the tool works
Once you download SU1X, extract the
zip file. You'll find the files to create and deploy the client
wizard in the su1x-both-v106bin directory.
The config.ini file is where you'll configure the interface and
functionality settings. You run the getprofile.exe program to
capture your network and authentication settings from a computer
already set up with your Wi-Fi network. Once everything is
configured, end users can run the su1x-setup.exe program to
set up their client computer.
Configuring settings in the config.ini file
Here's a summary of the settings in
the config.ini file, organized by the sections:
- [su1x]: Here are some configuration options you'll want to change:
  - startText: Message displayed in the status box of the client wizard.
  - title: Text displayed in the title bar of the client wizard window.
  - username: Example of the username, which is filled in the username field of the client wizard.
- [print]: Enabled by default, shows a Printing tab on the client wizard. End users can hit the Setup Printer button to add the networked printers you specify in this config file to their computer. A Remove Printer button is also displayed.
- [support]: Enabled by default, shows a Help tab on the client wizard. Users can hit the Start Checks button to run tests and output the findings to a dump file.
- [getprofile]
- [images]: Contains the filenames of the images displayed in the client wizard, which we'll discuss later.
- [remove]: By default this is disabled. When enabled, removes the network profiles of the SSIDs you specify from the end user's computer. This is useful if you plan to set up an SSID on your network with a captive portal designed just for hosting the client wizard and setting up the end users. You can set the wizard to remove this setup SSID from the end user's computer while the wizard configures them for the operational SSID. This can also help in cases where there is another wireless network nearby causing problems.
- [certs]: By default this is enabled to install a Certificate Authority (CA) certificate on the client when the client wizard is run. This is useful if you use a self-signed certificate for your RADIUS server rather than a certificate purchased from a CA that's automatically recognized by operating systems, such as VeriSign or GoDaddy. Be sure to disable this if not needed or rename with your
Capturing the network and authentication settings
You'll need to manually configure at
least one computer with the network and authentication settings and
verify you can successfully connect to the desired Wi-Fi network.
Then you can run the getprofile.exe program from the Bin directory
and click the Capture button to begin.
Note: Be sure to set the settings just like you want them on the
clients. For security reasons, you should validate the RADIUS
server's certificate, specify the server to connect to, and not
prompt the user to authorize new servers.
You should see a summary of some of the settings it has captured.
Close the window to continue. Then it should say that it has
completed and created the Profile.xml file.
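As an added check (Python written for this article, not part of SU1X), the following audits a captured Profile.xml for the three settings the note above calls out: server-certificate validation on, the RADIUS server name specified, and no user prompt for unknown servers. The element names are those of the Windows PEAP profile schema; the SSID, server name and CA thumbprint in the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces Windows uses for the PEAP (EAP type 25) section of a WLAN profile.
NS_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
NS_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

def _text(parent, ns, tag):
    """Stripped text of a namespaced child element, or '' when absent or empty."""
    el = parent.find(f"{{{ns}}}{tag}")
    return (el.text or "").strip() if el is not None else ""

def audit_peap_profile(xml_text):
    """Return the list of weaknesses found; an empty list means the profile passes."""
    root = ET.fromstring(xml_text)
    sv = root.find(f".//{{{NS_V1}}}ServerValidation")
    if sv is None:
        return ["no ServerValidation block: the RADIUS certificate is never checked"]
    findings = []
    if _text(sv, NS_V1, "DisableUserPromptForServerValidation").lower() != "true":
        findings.append("users are prompted to accept unknown RADIUS servers")
    if not _text(sv, NS_V1, "ServerNames"):
        findings.append("ServerNames empty: any certificate from the trusted CA is accepted")
    if not _text(sv, NS_V1, "TrustedRootCA"):
        findings.append("TrustedRootCA empty: no CA thumbprint is pinned")
    perform = root.find(f".//{{{NS_V2}}}PerformServerValidation")
    if perform is not None and (perform.text or "").strip().lower() != "true":
        findings.append("PerformServerValidation false: certificate validation is off")
    return findings

def sample_profile(prompt_disabled, server_names, root_ca, perform="true"):
    """Constructed stand-in for the PEAP part of an exported Profile.xml (not a real capture)."""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
  <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
  <Type>25</Type><EapType xmlns="{NS_V1}"><ServerValidation>
    <DisableUserPromptForServerValidation>{prompt_disabled}</DisableUserPromptForServerValidation>
    <ServerNames>{server_names}</ServerNames><TrustedRootCA>{root_ca}</TrustedRootCA>
  </ServerValidation><PeapExtensions>
    <PerformServerValidation xmlns="{NS_V2}">{perform}</PerformServerValidation>
  </PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM>
</WLANProfile>"""

FAKE_THUMBPRINT = "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"  # constructed
WEAK_PROFILE = sample_profile("false", "", "")  # prompts the user, pins nothing
HARDENED_PROFILE = sample_profile("true", "radius.example.edu", FAKE_THUMBPRINT)
```

Run audit_peap_profile on the text of the Profile.xml that getprofile.exe writes; any finding means the capture machine was not set up the way the note describes and should be corrected before the profile is renamed and deployed.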
Now you must change the filename Profile.xml to the filename for
that specific Windows version:
- exported.xml - Default or Windows XP SP3 profile
- exported-wpa.xml - Backup default or Windows XP SP3 profile
- exported-7.xml - Windows Vista and 7 specific profile
- exported-7-wpa.xml - Backup Windows Vista and 7 specific profile
- exported-sp2.xml - Windows XP SP2 specific profile (as there are some issues with this SP)
- exported-soh.xml - Default profile used if NAP/SoH is enabled
If you have varying Windows versions,
you should complete this process for each profile type above. The
idea is to have a specific configuration for Windows versions that
contain unique settings.
The backup profiles are optional. They are useful if the first
profile, for example, is set to WPA2 and the client only supports
WPA. In this case, you could set the backup profile to WPA only.
Keep in mind, the config.ini file is set by default to automatically
try the backup default or Windows XP SP3 profile, but not the backup
Windows Vista and 7 specific profile.
When capturing from multiple computers, you'll probably want to move
the entire su1x-both-v106 directory to a flash drive or share and
access the directory via the network. This is because you need at
least the getprofile.exe and config.ini files when capturing the
profiles.