I've got 300+ win7 clients I need to deploy WPA2 Personal PSK on. I can use a GPO to deploy the SSID information on the clients which is good but not the PSK. Is there a clean/easy way to script it so the PSK can be entered on the machines?

If possible I don't want to give the PSK to the end users.

Robert
  • You understand that since they have physical access to the machines with the PSK setup that a knowledgeable person will be able to retrieve the key from the machine? – Zoredache Mar 12 '10 at 20:32
  • Yes, you have a good point. This isn't the best way to go but it's a step up from open or WEP. I'd like to do WPA2 Enterprise but I don't have the time/resources to sink into upgrading to that just yet. – Robert Mar 15 '10 at 16:40
  • What GPO did you use to deploy the SSID? – askvictor Jul 20 '10 at 02:43
  • Computer > Policies > Security Settings > Wireless Network – Robert Jul 23 '10 at 17:04
  • netsh wlan export profile key=clear see http://superuser.com/questions/133097/netsh-wlan-add-profile-not-importing-encrypted-passphrase – mavhc Aug 31 '11 at 21:18
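The deployment the question asks for, as an added example that is not from the original thread: a PowerShell script that builds a WLAN profile in the same format `netsh wlan export profile key=clear` produces and imports it for all users. It assumes it runs as a GPO computer startup script (so it executes as SYSTEM and the user never sees the key) while the machine still has a path to the domain (wired, or the old SSID); the SSID and passphrase are placeholders. The key is still recoverable by anyone with admin rights on the client, exactly as the comments above note.

```powershell
$Ssid = 'CORP-WIFI-NEW'          # placeholder SSID
$Psk  = 'ReplaceWithRealKey123'  # placeholder passphrase, 8-63 ASCII chars

if ($Psk.Length -lt 8 -or $Psk.Length -gt 63) {
    throw 'WPA2 passphrase must be 8-63 characters'
}

# Escape XML special characters so an SSID or key containing & < > " '
# cannot break (or alter the meaning of) the profile document.
$xmlSsid = [System.Security.SecurityElement]::Escape($Ssid)
$xmlPsk  = [System.Security.SecurityElement]::Escape($Psk)

# WLAN_profile schema. protected=false means keyMaterial is the plaintext
# passphrase; netsh encrypts it into the per-machine profile store on import.
$profileXml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$xmlSsid</name>
  <SSIDConfig><SSID><name>$xmlSsid</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>false</protected>
      <keyMaterial>$xmlPsk</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"@

# Write the profile to a temp file, import it for all users (user=all), then
# delete the file so the plaintext key does not linger on disk.
$tmp = Join-Path $env:TEMP ('wlan-{0}.xml' -f [guid]::NewGuid())
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
try {
    [System.IO.File]::WriteAllText($tmp, $profileXml, $utf8NoBom)
    netsh wlan add profile filename="$tmp" user=all | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh wlan add profile failed ($LASTEXITCODE)" }
    # Confirm the profile exists; this does not print the key.
    netsh wlan show profiles name="$Ssid" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "profile '$Ssid' not found after import" }
} finally {
    Remove-Item $tmp -Force -ErrorAction SilentlyContinue
}
```

Because the GPO script itself contains the passphrase, restrict read access on the script's SYSVOL location to Domain Computers and administrators rather than Authenticated Users.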

2 Answers

If you preinstall a shared key on 300+ machines in the hands of users, don't expect it to remain a secret for long.

Even if you don't want to do per-user authentication, you'd be better off going with WPA2-Enterprise (WPA2 with 802.1X authentication) and using EAP-TLS and per-machine certificates. That way, even if someone does manage to export/extract the private key that goes with their machine's TLS cert, you can revoke and re-key that one machine without having to re-key your entire fleet.

Spiff
  • I agree it's not as secure as I'd like it to be. Better than WEP or Open though. The majority of my customer base has difficulty figuring out how to print, so I agree it's not the best; I think it'll hold till I can upgrade to WPA2-Enterprise. I would do it now but I just don't have the time/resources just yet. – Robert Mar 15 '10 at 16:43
  • You've already got an AD domain. You can roll out a RADIUS server on a Windows Server machine and start using WPA-2 w/ PEAP pretty easily and roll out everything necessary to configure the client computers via GPO. – Evan Anderson Mar 22 '10 at 21:50
(Apologies if this is me being dense)

If you did find a way to deploy the key, surely you would break wireless connectivity for your users since you find yourself in a catch-22 situation.

Example: the old WPA key is abc (which the laptops already have stored). Your script deploys the new key 123. Wireless is now broken because the laptop now thinks the key is 123 but your access points know it is still abc.

Conversely, you change your access points so the key is now 123, but your laptops still believe it to be abc, thus they cannot connect to get group policy settings, to be deployed this new key.

You also have the problem, which has already been pointed out, that the key can very easily be obtained. I personally have used such programs before as a favour to one of our employees who got a new laptop, didn't know their home wireless password but had it on their old laptop.

Ben Pilbrow
  • Yes, the key can be dumped, but it's better than not having any key or WEP. I'm transitioning from one SSID with key 'abc' to a different SSID with the key '123'. Beyond that, if we needed to, we could use wired to enforce the laptop's key to what the wireless is. My biggest issue is figuring out how to deploy the key - the rest of the wireless profile I can do - just not deploy the key. – Robert Mar 15 '10 at 16:51