Auto-connect to WLAN from Windows XP

I'm rolling out a small group of wireless PCs. I have used one
system as a test bed to make sure everything works. In general, there's
no problem, but there seems to be some behavior which is odd to me. The
client is using a D-Link DWL-G122 wireless USB adapter and we're also using
a D-Link DI-524 router. When I login with an admin. account, the system
automatically connects to the router, no problem. When I login with a
normal user account, I have to manually select the WLAN (SSID) to which I
want to connect. If I allow the client to auto-connect with the normal
user account, it invariably chooses the wrong WLAN (SSID) and I can't get it
out of the authenticating state. The WLAN selection gives me the option to
disconnect from the wrong WLAN, but this doesn't seem to be functional
during the authentication stage. Once I re-configure the system to disable
auto-connect in the normal user's account and re-login, the desired WLAN
can be manually selected and connected, but this seems awkward to me.

In general, I'd like to have the client PC _always_ connected to
the desired WLAN, rather than connecting at login and disconnecting at
logout. If I can't achieve this, is there some way to provide the same
functionality of auto-connecting under a normal user's account?

For a little more background, the client PC is running Windows XP
SP2 and the SSID in which it should reside is not broadcast. The SSID
that gets chosen incorrectly is broadcast.

Thanks,
Mike
--
Michael T. Davis | Systems Specialist: CBE,MSE
E-mail: (E-Mail Removed) | Departmental Networking/Computing
-or- DAVISM+@osu.edu | The Ohio State University
http://www.ecr6.ohio-state.edu/~davism/ | 197 Watts, (614) 292-6928

What's the reason you are not broadcasting the SSID? It sounds like if you
do that, the problem may be fixed. If you are doing this for security
reasons, it is not really a secure way of protecting your wireless network.
You should be using WPA-PSK or WPA-RADIUS. Forget about MAC filtering and
hiding the SSID. Those things can be discovered very quickly.

Jeff


"Michael T. Davis" <(E-Mail Removed)> wrote in message
news:ciagsn$hv8$(E-Mail Removed)...
> I'm rolling out a small group of wireless PCs. I have used one
> system as a test bed to make sure everything works. In general, there's
> no problem, but there seems to be some behavior which is odd to me. The
> client is using a D-Link DWL-G122 wireless USB adapter and we're also
> using
> a D-Link DI-524 router. When I login with an admin. account, the system
> automatically connects to the router, no problem. When I login with a
> normal user account, I have to manually select the WLAN (SSID) to which I
> want to connect. If I allow the client to auto-connect with the normal
> user account, it invariably chooses the wrong WLAN (SSID) and I can't get
> it
> out of the authenticating state. The WLAN selection gives me the option
> to
> disconnect from the wrong WLAN, but this doesn't seem to be functional
> during the authentication stage. Once I re-configure the system to
> disable
> auto-connect in the normal user's account and re-login, the desired WLAN
> can be manually selected and connected, but this seems awkward to me.
>
> In general, I'd like to have the client PC _always_ connected to
> the desired WLAN, rather than connecting at login and disconnecting at
> logout. If I can't achieve this, is there some way to provide the same
> functionality of auto-connecting under a normal user's account?
>
> For a little more background, the client PC is running Windows XP
> SP2 and the SSID in which it should reside is not broadcast. The SSID
> that gets chosen incorrectly is broadcast.
>
> Thanks,
> Mike
> --
> Michael T. Davis | Systems Specialist: CBE,MSE
> E-mail: (E-Mail Removed) | Departmental
> Networking/Computing
> -or- DAVISM+@osu.edu | The Ohio State University
> http://www.ecr6.ohio-state.edu/~davism/ | 197 Watts, (614) 292-6928

In article <WD42d.47$(E-Mail Removed)>, "Jeff Durham"
<(E-Mail Removed)> writes:

>What's the reason you are not broadcasting the SSID? It sounds like if you
>do that, the problem may be fixed. If you are doing this for security
>reasons, it is not really a secure way of protecting your wireless network.
>You should be using WPA-PSK or WPA-RADIUS. Forget about MAC filtering and
>hiding the SSID. Those things can be discovered very quickly.

The purpose of hiding the SSID is to prevent confusion for the
end-users. Officially, there are two WLANs to which they can connect for
generalized network access. This particular setup (a third WLAN) is only
going to serve a select few systems in one room, so we'd like to be able
to "force" connection to this "private" WLAN for the select systems that
will be accessing it and hide it from the rest, if at all possible.

>
>Jeff
>
>[...]
>

Regards,
Mike
--
Michael T. Davis | Systems Specialist: CBE,MSE
E-mail: (E-Mail Removed) | Departmental Networking/Computing
-or- DAVISM+@osu.edu | The Ohio State University
http://www.ecr6.ohio-state.edu/~davism/ | 197 Watts, (614) 292-6928

Microsoft recommends always broadcasting the SSID. If you do not, you will
experience issues which might be like the one you are having.

Jeff


"Michael T. Davis" <(E-Mail Removed)> wrote in message
news:ciccvi$nod$(E-Mail Removed)...
>
> In article <WD42d.47$(E-Mail Removed)>, "Jeff Durham"
> <(E-Mail Removed)> writes:
>
>>What's the reason you are not broadcasting the SSID? It sounds like if
>>you
>>do that, the problem may be fixed. If you are doing this for security
>>reasons, it is not really a secure way of protecting your wireless
>>network.
>>You should be using WPA-PSK or WPA-RADIUS. Forget about MAC filtering and
>>hiding the SSID. Those things can be discovered very quickly.
>
> The purpose of hiding the SSID is to prevent confusion for the
> end-users. Officially, there are two WLANs to which they can connect for
> generalized network access. This particular setup (a third WLAN) is only
> going to serve a select few systems in one room, so we'd like to be able
> to "force" connection to this "private" WLAN for the select systems that
> will be accessing it and hide it from the rest, if at all possible.
>
>>
>>Jeff
>>
>>[...]
>>
>
> Regards,
> Mike
> --
> Michael T. Davis | Systems Specialist: CBE,MSE
> E-mail: (E-Mail Removed) | Departmental
> Networking/Computing
> -or- DAVISM+@osu.edu | The Ohio State University
> http://www.ecr6.ohio-state.edu/~davism/ | 197 Watts, (614) 292-6928

On Fri, 17 Sep 2004 02:24:13 GMT, in alt.internet.wireless , "Jeff Durham"
<(E-Mail Removed)> wrote:

>Microsoft recommends always broadcasting the SSID.

Yes. but then MS are idiots when it comes to security.

> If you do not, you will
>experience issues which might be like the one you are having.

Maybe. I don't. Just ensure you have typed in the SSID into the adapter
config for each wireless connection, bearing in mind that each AP is a
separate connection, and hence you can use different config for each one.
..

--
Mark McIntyre
CLC FAQ <http://www.eskimo.com/~scs/C-faq/top.html>
CLC readme: <http://www.ungerhu.com/jxh/clc.welcome.txt>


----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeed.com The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---

The reason they recommend broadcasting the SSID is for two reasons:
- Windows XP (at least prior to SP2) does not work well without it. It can
cause the kind of problems described in the original post

- Not broadcasting the SSID is not security. It is only security by
obscurity. Same goes for MAC address filtering. Both of these will keep
out the casual user, but anyone serious can get by these in a matter of
minutes. Your best defense is WEP at a minimal (which will also keep away
the casual user), but WPA-PSK or WPA-RADIUS is much better.

Jeff

"Mark McIntyre" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Fri, 17 Sep 2004 02:24:13 GMT, in alt.internet.wireless , "Jeff Durham"
> <(E-Mail Removed)> wrote:
>
>>Microsoft recommends always broadcasting the SSID.
>
> Yes. but then MS are idiots when it comes to security.
>
>> If you do not, you will
>>experience issues which might be like the one you are having.
>
> Maybe. I don't. Just ensure you have typed in the SSID into the adapter
> config for each wireless connection, bearing in mind that each AP is a
> separate connection, and hence you can use different config for each one.
> .
>
> --
> Mark McIntyre
> CLC FAQ <http://www.eskimo.com/~scs/C-faq/top.html>
> CLC readme: <http://www.ungerhu.com/jxh/clc.welcome.txt>
>
>
> ----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet
> News==----
> http://www.newsfeed.com The #1 Newsgroup Service in the World! >100,000
> Newsgroups
> ---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption
> =---

On Sat, 18 Sep 2004 12:49:46 GMT, in alt.internet.wireless , "Jeff Durham"
<(E-Mail Removed)> wrote:

>The reason they recommend broadcasting the SSID is for two reasons:
>- Windows XP (at least prior to SP2) does not work well without it. It can
>cause the kind of problems described in the original post

Bugs in their OS is no excuse !
>
>- Not broadcasting the SSID is not security. It is only security by
>obscurity.

Hm. I understand what you mean but you're wrong, and most security experts
would agree. Hiding the gate is still a security measure.

>Same goes for MAC address filtering. Both of these will keep
>out the casual user, but anyone serious can get by these in a matter of
>minutes.

With the right kit. And capturing MACs is not a matter of minutes.

>Your best defense is WEP at a minimal (which will also keep away
>the casual user), but WPA-PSK or WPA-RADIUS is much better.

Absolutely agreed.

--
Mark McIntyre
CLC FAQ <http://www.eskimo.com/~scs/C-faq/top.html>
CLC readme: <http://www.ungerhu.com/jxh/clc.welcome.txt>


----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---

On Sat, 18 Sep 2004 23:20:31 +0100, Mark McIntyre spoketh

>On Sat, 18 Sep 2004 12:49:46 GMT, in alt.internet.wireless , "Jeff Durham"
><(E-Mail Removed)> wrote:
>
>>The reason they recommend broadcasting the SSID is for two reasons:
>>- Windows XP (at least prior to SP2) does not work well without it. It can
>>cause the kind of problems described in the original post
>
>Bugs in their OS is no excuse !

Never had any problems with XP (SP1 or SP2) connecting to a wlan without
the SSID being broadcast...

>>
>>- Not broadcasting the SSID is not security. It is only security by
>>obscurity.
>
>Hm. I understand what you mean but you're wrong, and most security experts
>would agree. Hiding the gate is still a security measure.

Painting the car black to make it blend in with the driveway doesn't
offer much in the way of security, and the insurance company wouldn't
give you a discount for it. Broadcasting the SSID or not doesn't make a
whole lot of difference either...

>
>>Same goes for MAC address filtering. Both of these will keep
>>out the casual user, but anyone serious can get by these in a matter of
>>minutes.
>
>With the right kit. And capturing MACs is not a matter of minutes.

Yes, it is. Since the MAC address is included in every ethernet frame
being broadcast by every active transmitter, all you need is packet
capturing tool that work with wireless networks and your OS of choice. A
quick google search should be enough to find one. If it takes you more
than two minutes to identify the MAC addresses, you're doing something
wrong...

>
>>Your best defense is WEP at a minimal (which will also keep away
>>the casual user), but WPA-PSK or WPA-RADIUS is much better.
>
>Absolutely agreed.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

On Sun, 19 Sep 2004 16:55:04 -0400, in alt.internet.wireless , Lars M.
Hansen <(E-Mail Removed)> wrote:

>On Sat, 18 Sep 2004 23:20:31 +0100, Mark McIntyre spoketh
>
>>Hm. I understand what you mean but you're wrong, and most security experts
>>would agree. Hiding the gate is still a security measure.
>
>Painting the car black to make it blend in with the driveway doesn't
>offer much in the way of security, and the insurance company wouldn't
>give you a discount for it.

Parking it out of sight does tho. The lads with the crowbars know you have
one, but if they can't see it, they probably won't bother with you.

>Broadcasting the SSID or not doesn't make a
>whole lot of difference either...

*shrug*. IMHO its one of a series of measures you should be taking, none of
which on its own will deter any but the most casual thief, but which, put
together, make it just too much bother except for someone who knows exactly
what they're after,and knows you have it.

>>With the right kit. And capturing MACs is not a matter of minutes.
>
>Yes, it is. Since the MAC address is included in every ethernet frame
>being broadcast by every active transmitter, all you need is packet
>capturing tool that work with wireless networks and your OS of choice.

And of course, a wireless device broadcasting packets. Which the vast
majority of devices don't, at least not continuously. There was a recent
article on this in one of the security magazines, I forget which one, which
showed it was certainly possible but far from as quick as you might think
except on corporate networks.

--
Mark McIntyre
CLC FAQ <http://www.eskimo.com/~scs/C-faq/top.html>
CLC readme: <http://www.ungerhu.com/jxh/clc.welcome.txt>


----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeed.com The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---

On Sun, 19 Sep 2004 23:59:52 +0100, Mark McIntyre spoketh

>>
>>Yes, it is. Since the MAC address is included in every ethernet frame
>>being broadcast by every active transmitter, all you need is packet
>>capturing tool that work with wireless networks and your OS of choice.
>
>And of course, a wireless device broadcasting packets. Which the vast
>majority of devices don't, at least not continuously. There was a recent
>article on this in one of the security magazines, I forget which one, which
>showed it was certainly possible but far from as quick as you might think
>except on corporate networks.

Yes, that would be a requirement. If no data is being transmitted from
the AP to a specific client, then there would be no MAC addresses to
pick up...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)