Thursday, October 21, 2010

Windows 7 Supplicant Round-Up

The wireless network supplicant was completely rewritten in Windows Vista and significantly updated in Windows 7. It now offers a broader set of enterprise-class features than previous generations of native supplicants built into the operating system. It is now called "WLAN AutoConfig", replacing the previous-generation "Wireless Zero Config (WZC)" service on Windows XP.

New / Updated Features
New and updated features added in the Windows 7 WLAN AutoConfig software include:
- Better integration and control from the Windows notification area
- Better wireless network profile and preference management
- Global versus current-user profile creation and management
- Better Group Policy integration for administrative control
- Better authentication mode control (machine or user account; Vista required manual XML profile editing and re-import)
- Single sign-on support
- Broader EAP protocol support, including:
  • PEAPv2 support (inner/outer crypto-binding, anonymous outer identity)
  • Cisco LEAP support (... but you shouldn't be using this protocol)
  • Cisco PEAPv1 support (EAP-GTC inner method)
  • Cisco EAP-FAST support
  • EAP-AKA, EAP-SIM, and EAP-TTLS support

- Better PMK caching control (Vista required group policy or local registry hacks to change defaults)
- FIPS compliance support
- WLAN Hosted Networks (virtualization)
- Better network recognition upon re-connect, including DHCP Network Hint
- Intel / Cisco E2E feature integration (when using a supported Intel adapter)
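
Several of the features above (authentication mode, EAP method, PMK caching) are stored in the WLAN profile XML that `netsh wlan export profile` writes. The following is an added example, not code from the original post, that audits such a file; the function names and the sample profile are constructed for illustration, and the element names are assumed to follow Microsoft's published WLAN profile schema.

```python
import xml.etree.ElementTree as ET

# IANA EAP method type numbers for the methods named in the feature list.
EAP_TYPES = {13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM", 21: "EAP-TTLS",
             23: "EAP-AKA", 25: "PEAP", 43: "EAP-FAST"}

# Constructed, trimmed profile in the shape `netsh wlan export profile` writes.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>ExampleCorp</name>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication>
   <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
  <PMKCacheMode>enabled</PMKCacheMode><PMKCacheTTL>720</PMKCacheTTL>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>user</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">17</Type></EapMethod>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</WLANProfile>"""

def _first(root, local_name):
    """Text of the first element with this local name, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name and el.text:
            return el.text.strip()
    return None

def audit_profile(xml_text):
    """Summarise the 802.1X settings of one exported profile and flag weak ones."""
    root = ET.fromstring(xml_text)
    eap = _first(root, "Type")  # outer EAP method comes first in document order
    eap_name = EAP_TYPES.get(int(eap), f"type {eap}") if eap else None
    report = {
        "name": _first(root, "name"),
        "authentication": _first(root, "authentication"),
        "authMode": _first(root, "authMode"),   # machine, user, machineOrUser, guest
        "eap": eap_name,
        "pmkCache": _first(root, "PMKCacheMode"),
        "findings": [],
    }
    if _first(root, "useOneX") != "true":
        report["findings"].append("802.1X not enabled")
    if eap_name == "LEAP":
        report["findings"].append("LEAP configured; the post advises against it")
    return report
```

Run `audit_profile` over each file in the export folder to get one report per profile.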

Supplicant Deployment Considerations
However, choice is (almost) never a bad thing, and some organizations may prefer to stick with a third-party supplicant for various reasons. Those reasons may include a bad experience with the legacy WZC service (gun-shy), consistency of the user experience, avoiding re-training users on how to connect/disconnect and configure wireless profiles, specific feature requirements only found in certain software supplicants, performance characteristics, corporate policy control features, or ease of deployment and management with existing administrative tool sets.

Here are some considerations and options when evaluating supplicants for use in your environment:
- Windows Compatibility
- Authentication Protocol Support (EAP flavors)
- Security Controls for Administrative Lock-Down
- VPN Software Integration (auto-launch, etc.)
- Roaming Performance (support for CCKM, OKC, and eventually Fast BSS Transition)
- Cost / Licensing (especially for a large user base)
- IPv6 support

Windows Compatibility
You can check compatibility of various software packages in the Windows 7 Compatibility Center. This website lists products that have passed Microsoft testing requirements to verify compatibility. Other software packages that are not listed on this website may still run on Windows 7, but they have not been submitted for, or have not passed, Microsoft testing (use at your own risk).

Windows 7 Supplicant Round-up
Here is a quick list of the most common enterprise and open-source wireless supplicants, noting which ones currently support Windows 7.

- Windows 7 Native Supplicant
- Intel PROSet - Full support for Win7
- Juniper Odyssey Access Client - No support for Win7
- Open1X Supplicant - Support in the development release only
- Cisco Aironet Desktop Utility - No support for Win7
- Cisco Secure Services Client - No support for Win7
- Cisco AnyConnect Client - Full support for Win7
- Secure W2 Client - Full support for Win7
- Lenovo ThinkVantage Access Connections - Full support for Win7 (see here)
- Broadcom WLAN Utility - Compatible versions exist, check your OEM for support
- Atheros WLAN Utility - Compatible versions exist, check your OEM for support

I'll leave it up to you to evaluate the features most important for your environment and to draw your own conclusions as to which one makes the most sense for your organization.

But I will say, based on my own experience, the Windows 7 native supplicant is a much improved product over the legacy WZC. Because it is bundled with the OS and offers tight integration with Group Policy controls, give it a shot and see if it meets your needs before spending money on another solution.

Cheers,
-Andrew

* Updated 2011/04/05 to add the Cisco AnyConnect client to the list based on reader feedback.

4 comments:

  1. This is good; it tells me that Win7 will support Cisco PEAP GTC. What I can't figure out is how to enable this selection when setting up my profile, as all I get to choose is MS PEAP or MS smart card or other cert. There must be a backend to enable... just haven't got lucky yet, can you turn it around?

    Thanks
    Peter

  2. Hi Peter,
    Microsoft has made it confusing to configure PEAPv1 (EAP-GTC) in Windows 7. You actually have to select "Microsoft: Protected EAP (PEAP)" as the authentication method. Then configure PEAP Settings and select "Smart Card or other certificate" in the dropdown box.

    Marketing spin seemed to make its way into the product.

    Also, notice that Microsoft doesn't support simple username and password inside EAP-GTC, since they want you to use EAP-MSCHAPv2 using PEAPv0 instead.

    Andrew

  3. Hi Andrew,

    I would like to add AnyConnect 3.0 to your list.
    It contains the NAM (Network Access Manager) component, which is basically the new Cisco Secure Services Client (CSSC). It supports a lot of authentication methods, runs on Win7 and is for free!

    Stefan

  4. Hi Stefan,
    Thanks for the feedback. I have added the AnyConnect client to the supplicant list. I will have to check out that package.

    Andrew
