The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) update for Windows XP with Service Pack 2 is available

The Wi-Fi Protected Access 2 (WPA2)/Wireless Provisioning Services Information Element (WPS IE) Update for computers that are running Microsoft Windows XP with Service Pack 2 (SP2) is available. This update enhances the Windows XP wireless client software with support for the new Wi-Fi Alliance certification for wireless security. The update also makes it easier to connect to secure public spaces that are equipped with wireless Internet access. These locations are otherwise known as "Wi-Fi hotspots."

Important information about this update

This update is superseded by the update in Microsoft Knowledge Base article 917021. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

WPA2

WPA2 is a product certification that is available through the Wi-Fi Alliance. WPA2 certifies that wireless equipment is compatible with the IEEE 802.11i standard. The WPA2 product certification formally replaces Wired Equivalent Privacy (WEP) and the other security features of the original IEEE 802.11 standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included for products that support WPA.

The WPA2/WPS IE Update supports the following features of WPA2:

• WPA2 Enterprise using IEEE 802.1X authentication and WPA2 Personal using a preshared key (PSK).
• The Advanced Encryption Standard (AES) using the Counter Mode-Cipher Block Chaining (CBC)-Message Authentication Code (MAC) Protocol (CCMP) that provides data confidentiality, data origin authentication, and data integrity for wireless frames.
• The optional use of Pairwise Master Key (PMK) caching and opportunistic PMK caching. In PMK caching, wireless clients and wireless access points cache the results of 802.1X authentications. Therefore, access is much faster when a wireless client roams back to a wireless access point to which the client already authenticated.
• The optional use of preauthentication. In preauthentication, a WPA2 wireless client can perform an 802.1X authentication with other wireless access points in its range when it is still connected to its current wireless access point.

You must use the WPA2/WPS IE Update together with the following:

• Wireless access points that support WPA2.
• Wireless network adaptors that support WPA2.
• Windows XP wireless network adaptor drivers that support the passing of WPA2 capabilities to Windows Wireless Auto Configuration.

The WPA2/WPS IE Update modifies the following dialog boxes:

• When you are connected to a WPA2 capable wireless network, the type of network is displayed as WPA2 in the Choose A Wireless Network dialog box.
• On the Association tab for the properties of a wireless network, the Network Authentication list has the following additional options:
  • WPA2 - for WPA2 Enterprise
  • WPA2-PSK - for WPA2 Personal

Note These options are not present if the wireless network adaptor driver does not support WPA2.

For more information about WPA2 security features, see the "Wi-Fi Protected Access 2 (WPA2) Overview" topic at the following Microsoft Web site:

Registry values that control preauthentication and PMK caching

The following registry entries in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global subkey control the behavior of preauthentication and PMK caching for the WPA2/WPS IE Update:

• PMKCacheMode
• PMKCacheTTL
• PMKCacheSize
• PreAuthMode
• PreAuthThrottle

PMKCacheMode

PMKCacheTTL

PMKCacheSize

PreAuthMode

PreAuthThrottle

Note Changes to any one or more of these registry entry values do not take effect until the next time that you restart the wireless service or the next time that you restart the computer.

Wireless Provisioning Services Information Element (WPS IE)

Wireless Internet service providers (WISPs) first offered wireless access to the Internet without security. This prevented customers from having to configure wireless security settings. Because wireless security has become more important, WISPs want to move to secure public Wi-Fi networks. During the migration, WISPs must be able to support both nonsecure and secure wireless access to the Internet. To be cost effective during migration, WISPs must be able to support and advertise two different logical wireless networks that have two different wireless network names, and that use a single physical network infrastructure.

Note Wireless network names are also known as Service Set Identifiers (SSIDs).

Some wireless access points that are available today can advertise multiple SSIDs and support multiple logical network configurations at the same time. However, because of hardware limitations, the vast majority of the wireless access points that are deployed today in public Wi-Fi hotspots only permit one SSID to be included in the broadcast Beacon and Probe Response frames. This behavior effectively hides secondary SSIDs from wireless client computers. Therefore, it is much more difficult for you to discover and connect to public Wi-Fi network names that you have not previously connected to. Without wireless AP support to advertise multiple SSIDs in broadcast Beacon and Probe Response frames, the additional wireless networks must either be implemented by using an additional set of physical wireless access points, or users must manually configure their wireless clients by using the names of hidden SSIDs. The implementation of an additional set of wireless access points is not cost effective for WISPs. The manual configuration of wireless clients is difficult for customers, and does not scale to a large WISP network.

The WPS IE is a newly defined 802.11 information element that solves the hidden SSID problem for WISPs. The WPS IE also provides a way for wireless access points to advertise additional SSIDs in the broadcast Beacon and Probe Request frames. The WPS IE includes the SSID and additional details, such as:

• Whether IEEE 802.1X authentication is required.
• Whether the wireless network can provide provisioning information to the wireless client.

The WPS IE must be included in the broadcast Beacon and Probe Request frames, and must be recognized and processed by wireless client computers. Frequently, you can add WPS IE support to wireless access points through a firmware update. Therefore, you typically do not have to replace existing wireless access points or install additional ones. Verify with your wireless AP vendor documentation or your vendor's Web site to determine whether a firmware update for your wireless AP is available. For a Windows XP with SP2-based wireless client, you must install the WPA2/WPS IE Update.

When you install the WPA2/WPS IE Update on wireless client computers that are running Windows XP with SP2, the wireless components of Windows XP recognize the WPS IE in the broadcast Beacon or Probe Response frames. This functionality makes the previously hidden SSIDs visible to the user in the Choose A Wireless Network dialog box. Windows XP-based wireless client computers without the WPA2/WPS IE Update installed do not recognize the WPS IE and do not display the hidden SSIDs.

To successfully deploy support for the WPS IE, you must have the following:

• Wireless access points that support the configuration of additional SSIDs and their advertisement with the WPS IE. For example, Cisco has released firmware updates for its wireless access points to support the new WPS IE. For information, visit the following Cisco Web site:
  http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_bulletin0900aecd801b83b0_ps6087_Products_Bulletin.html (http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/prod_bulletin0900aecd801b83b0_ps6087_Products_Bulletin.html)
• Wireless client computers that are running Windows XP with SP2 and the WPA2/WPS IE Update.

After the update is deployed, the use of the WPS IE provides the following benefits:

• Enables easy and cost-effective migration from nonsecure public Wi-Fi hotspot wireless connections to secure public Wi-Fi hotspot wireless connections. The secure public Wi-Fi hotspots must use 802.1X authentication, encryption, and Wireless Provisioning Services (WPS) to provision wireless settings, using the same set of wireless access points.
• Lets wireless users easily discover and choose whether they want nonsecured or secured wireless connections. Additionally, wireless users can quickly configure wireless settings.

For more information about WPS, see the "Deploying Wireless Provisioning Services (WPS) Technology" white paper. To download the white paper, visit the following Microsoft Web site:

Additional changes in the WPA2/WPS IE Update

The following changes are also included in the WPA2/WPS IE Update:

• Windows XP now prompts you to validate whether you want to create a nonsecured preferred wireless network. Nonsecured is defined as an Open system authenticated connection that does not use encryption to help protect data. Additionally, when connected to a nonsecured wireless network, the wireless network is displayed with the label Unsecured. These changes were added to make sure that you are aware that you are connecting to a wireless network that is susceptible to security attacks.
• The Choose A Wireless Network dialog box in Windows XP with SP2 merged infrastructure and ad-hoc networks by using the same wireless network name so that only one appeared in the list of available networks. This issue has been corrected. With the update installed, the Choose A Wireless Network dialog box now displays both types of wireless networks in the available networks list as separate entries.
• The static provisioning interface API for Wireless Provisioning Services (WPS) has been updated so that you can specify WPA2 as an authentication method. For more information about this API, visit the following Microsoft Web site:
  http://msdn2.microsoft.com/en-us/library/ms940173.aspx (http://msdn2.microsoft.com/en-us/library/ms940173.aspx)
• Previously, there was a one-minute connection delay when you started the computer if you connected to a WPS-provisioned wireless network. This issue has been corrected.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.