Win10... where are my wireless settings

Started by wintermute000, November 06, 2015, 11:47:10 PM


wintermute000

Major WTF - doing some wireless testing and you can't edit the specific parameters of a wifi network once known. Not even one you've manually created (e.g. with assorted 802.1x settings, certs etc). If you want to fiddle with the fancy settings, the only place you can get to them is upon creation. After you create it, if you want to change anything, you have to delete and then re-create it. And of course you also have to hop between the god awful new metro settings app and the old dialogs (no more known SSID networks in "networks and connections" control panel, let alone right click edit properties....).


I can live with the lazy interface split (c'mon it's the second freakin iteration counting Win8) but WTF is with not letting us edit the settings?!??! or even SEE the goddamned settings - is it WEP? WPA2 enterprise? WHO KNOWS? It's the automagic age of the iphone user!!! RANT RANT RANT


And yes of course I know for a 802.1x deployment you'd be normally pushing out via group policy but come on!


As a side note, if anyone's gotten USER certs (not machine - I got that working) working between Win10 and Win2012R2 acting as NPS (bleeding edge woohoo) then let me know, because the cryptic 'error number 22' event logs (thanks MS) aren't cutting it. Yes I have all the correct certs (CA, GP pushes out client cert signed by CA to client, I can see the cert in the client's user store). Hence the fiddling around with specific wifi settings. The user cert NPS profile is identical to the working machine cert profile except it's checking for user membership in a group, not machine membership (it's still authenticating off 'smart card' with the NPS cert selected - and yes it's signed by the CA and yes the user cert is signed by same CA, checked the numbers, and once again works with machine certs so I do suspect it's got to do with Win10 and getting it to present the user cert correctly).


As this is a lab environment it's actually quicker for me to edit the GP then gpupdate the client than delete the WLAN in the client and manually create it all over again... but suffice to say I just cannot get it to work if I select user certificate. Machine certificate, no problem.


Final un-related rant, don't you love it when work puts a technical area you have not much interest in, in your learning/development KPI... hence the above shenanigans

deanwebb

Win 10 with user certs would get to a RADIUS-In Progress state and get stuck there all the time on my network. Had to delete and recreate the profile.

My guess is that MSFT decided to make the features of their crappy wired dot1x supplicant more generally available in the wireless environment.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

Thanks. Did you ever get user certs working at all? What about machine certs? The latter worked for me without any manual profile setup - just selected the SSID and the NPS saw the machine cert attempt come in immediately.

The user certs are doing something as I do get prompted for the PW but like I said the MS logs are pathetic and the WLC just sees an auth reject.

In your experience, for a 802.1x enterprise deployment, have you ever had a client insist on user certs (outside of defence I guess and that would entail smart cards as well?) or is it normally just machine certs that are loaded onto the SOE on domain join? Is it possible to do both?

deanwebb

Machine certs worked perfectly. I think Win10 is part of SkyNet, and is planning on a future without human users...  :'( :eek:

The user certs we have are ones that do not require a sign-in, so if the profile is set to "both", there's a random chance that a user cert can get offered up during initial auth or - more irritatingly - during re-auth, which sends it suddenly to limbo. All of our iDevices use a user cert, and they exhibit a similar issue, although the underlying mechanism of the issue is different with them.

We use tokens for other, more sensitive logons, but for hopping on wireless, we just wanted a cert that didn't need a login that could be offered up during the boot process, before a user interacts with the OS. Domain join certs were the way to go there... except the profile MUST specify machine only. And that's how we build our devices and push our wireless profiles.

Except... there are some software packages that we deploy that actually *change* those settings. :doh: We don't know which packages, but they are out there, and they wreak havoc.

Back to the issue... it's a client issue, as reading the traces shows that the authenticator sends its first request, the supplicant responds and the channel is established; the authenticator then sends the next request for the tunnel protocol (EAP-TLS) and the supplicant never responds to that. RADIUS is working fine for everyone else, so it's not the authenticator or anything on the back-end. The clients just freeze and stay in a RADIUS-In Progress state.

I don't recall the iDevice solution, but I know on Windows, it was "delete and recreate the profile" for Win 7, 8, 8.1, and 10.

deanwebb

And I just tried banging around on my Win10 box to change settings. Such things are not done from the GUI in the way they were done in Win7 days, it seems.

https://www.youtube.com/watch?v=tCiGpKLIYBs This guy shares our pain. Executive version of the video is that he's got a utility, Wifi8, that allows viewing of the profile and export/import of XML. Although he does not show the export/import business, that's where the connection type choice between machine, user, or both would be specified. Command-line will also still allow for export and import of XML. Control Panel is 100% useless, as is anything else in the Windows GUI.

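The command-line export/import route mentioned in the post above, as an added example that is not part of the thread or any poster's own script: it shows the saved profile's security settings, exports the XML, sets the 802.1X `authMode` (machine, user or both) and re-imports the profile. The profile name `LAB-DOT1X` and the working folder are placeholders; the namespaces and `authMode` values are those of Microsoft's WLAN and OneX profile schemas. Run it from an elevated prompt.

```powershell
# Added example: view and change the 802.1X authMode of a saved WLAN profile.
# $ProfileName and $WorkDir are placeholders, not values from the thread.
param(
    [string]$ProfileName = 'LAB-DOT1X',
    [ValidateSet('machine', 'user', 'machineOrUser', 'guest')]
    [string]$AuthMode = 'machine',
    [string]$WorkDir = "$env:TEMP\wlan-profiles"
)

$editDir = Join-Path $WorkDir 'edited'
New-Item -ItemType Directory -Path $editDir -Force | Out-Null

# Print what the Settings app hides: authentication type, cipher, 802.1X state.
netsh wlan show profiles name="$ProfileName"

# Export the profile to XML; the untouched export doubles as a backup.
netsh wlan export profile name="$ProfileName" folder="$WorkDir" | Out-Null

# Locate the export by its <name> element rather than guessing the file name.
$file = Get-ChildItem -Path $WorkDir -Filter *.xml | Where-Object {
    ([xml](Get-Content $_.FullName -Raw)).WLANProfile.name -eq $ProfileName
} | Select-Object -First 1
if (-not $file) { throw "No exported XML found for profile '$ProfileName'." }

[xml]$doc = Get-Content $file.FullName -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('x', 'http://www.microsoft.com/networking/OneX/v1')

$auth = $doc.SelectSingleNode('//w:authEncryption/w:authentication', $ns)
$mode = $doc.SelectSingleNode('//x:OneX/x:authMode', $ns)
Write-Host "authentication=$($auth.InnerText) authMode=$($mode.InnerText)"

# No <authMode> means a non-802.1X profile or one relying on the default;
# stop here instead of guessing where the element belongs in the schema.
if (-not $mode) { throw 'Profile has no <authMode> element; leaving it unchanged.' }

$mode.InnerText = $AuthMode
$edited = Join-Path $editDir $file.Name
$doc.Save($edited)

# Replace the stored profile with the edited copy.
netsh wlan delete profile name="$ProfileName"
netsh wlan add profile filename="$edited" user=all
netsh wlan show profiles name="$ProfileName"
```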

wintermute000

Can you let me know where you find these logs/traces? I've just been looking in event viewer on the nps

deanwebb

This was a trace on the traffic between the client and the WLC, I think we got it off the AP-WLC ethernet line.

Nerm

At the rate M$ is going it won't be long and we will be using powershell to edit Word documents. On Win10 you damn near have to use powershell to change any network related settings that aren't IP, SM, or DNS.

deanwebb

Actually, MSDN is really good at publishing useful powershell snippets. I know some other guys that can help out here, possibly, so I'll invoke them and see if they do respond...

AnthonyC

Quote from: Nerm on November 09, 2015, 07:08:06 AM
At the rate M$ is going it won't be long and we will be using powershell to edit Word documents. On Win10 you damn near have to use powershell to change any network related settings that aren't IP, SM, or DNS.

Actually I've been testing out Powershell lately (already installed in Win10) and I have to say it is pretty good.  And you can install VIM and invoke it within Powershell.  Babun + Powershell makes Windows a pretty good combo.
"It can also be argued that DNA is nothing more than a program designed to preserve itself. Life has become more complex in the overwhelming sea of information. And life, when organized into species, relies upon genes to be its memory system."

NetworkGroover

Quote from: AnthonyC on December 06, 2015, 10:09:39 PM
Quote from: Nerm on November 09, 2015, 07:08:06 AM
At the rate M$ is going it won't be long and we will be using powershell to edit Word documents. On Win10 you damn near have to use powershell to change any network related settings that aren't IP, SM, or DNS.

Actually I've been testing out Powershell lately (already installed in Win10) and I have to say it is pretty good.  And you can install VIM and invoke it within Powershell.  Babun + Powershell makes Windows a pretty good combo.

I dunno anything about it, but I remember my mentor who was a SysAdmin at a job YEARS ago (6 years plus?), mastered it and LOVED it.  I remember him and his French accent: "Oh, Steven *makes "pfauh" sound effect*, Powershell is just lovely, *raises fingers to lips in a kissing motion*, just lovely".  It was pretty badarse... there was only a crew of four of us (more like two, but whatever :P ) with over a thousand users and he figured out using Powershell how to completely automate just about everything in Active Directory.  Perfect example of working smarter not harder.
Engineer by day, DJ by night, family first always

Dieselboy

Windows 10 is Windows 7 with extras. Hard to find the legacy stuff, that's for sure. I bet the next Windows version will have the legacy stuff removed completely, then you won't be able to use the computer for network work.


Dieselboy

Quote from: Nerm on November 09, 2015, 07:08:06 AM
At the rate M$ is going it won't be long and we will be using powershell to edit Word documents. On Win10 you damn near have to use powershell to change any network related settings that aren't IP, SM, or DNS.

I've not encountered this yet, but then again I'm not in the field any more.
Never used powershell for anything other than Windows server.