Filter
Top Products
Getting to Know the Extended WES Features 41
Using PEAP Fast Reconnect
When clients connect to an 802.11 wireless network, the authenticated session has an
expiration interval configured by the network administrator to limit the duration of
authenticated sessions. To avoid the requirement for authenticated clients to periodically
re-authenticate and resume a session, you can enable the fast reconnect option.
PEAP supports fast reconnect, as long as each wireless access point is configured as a
client of the same IAS (RADIUS) server. In addition, fast reconnect must be enabled on
both the wireless client and the RADIUS server.
When PEAP fast reconnect is enabled, after the initial PEAP authentication succeeds, the
client and the server cache TLS session keys. When users associate with a new wireless
access point, the client and the server use the cached keys to re-authenticate each other
until the cache has expired. Because the keys are cached, the RADIUS server can quickly
determine that the client connection is a reconnect. This reduces the delay in time
between an authentication request by a client and the response by the RADIUS server. It
also reduces resource requirements for the client and the server.
If the RADIUS server that cached the session keys is not used, full authentication is
required, and the user is again prompted for credentials or a PIN. This can occur in the
following situations:
• The user associates with a new wireless access point that is configured as a client of a
different RADIUS server.
• The user associates with the same wireless access point, but the wireless access point
forwards the authentication request to a different RADIUS server.
In both situations, after the initial authentication with the new RADIUS server succeeds,
the client caches the new TLS session keys. Clients can cache TLS session keys for
multiple RADIUS servers.
Using the Regpersistence Tool to Configure PEAP Wireless Connections
Use the following guidelines:
1. Image the Windows Embedded Standard Client.
2. Add the following three user-specific folders to the File Based Write Filter Exclusion
List:
• \Documents and Settings\<username>\Application Data\Microsoft\Crypto
• \Documents and Settings\<username>\Application Data\Microsoft\Protect
• \Documents and Settings\<username>\Application
Data\Microsoft\SystemCertificates
3. Add the username to the [Profile] section of the NetXClean.ini file.
4. Add the user to the Administrators group.
5. With the Write Filter enabled, configure a wireless connection.
When users log in, they are not prompted for wireless credentials.
Note
When you configure PEAP authentication with the Regpersistence tool, the
thin client must have a corresponding or relative user certificate and server
certificate for authentication. With the Regpersistence tool, the user name
and domain name are saved across reboots; the PEAP authentication
process prompts only for the password to prevent hackers from spoofing
user credentials while users are connected across a WAN.