Limit wireless adapter to a single (WEP or WPA secured) network ?

Discussion in 'Wireless Networking' started by Dean, Aug 21, 2007.

  1. This may sound a bit backwards, but I would like to find out how to limit XP
    to a single wireless network. We do not wish the adapter to connect to, or
    even "find" any other wireless nets, ssid's, or hotspots, when it is not
    connected to ours.
    Thanks !
    Dean
     
    Dean, Aug 21, 2007
    #1

  2. I'm going to make an assumption here in my next question: why are you then
    issuing laptops with wireless NICs? In most cases, organizations give
    employees laptops with wireless so that the employees will work for free in
    airports, hotels, at home, wherever. But since I don't know the specifics of
    your case, I could be wrong. Tell us more?

    You can configure policies in Windows Vista to do what you want. However,
    Windows XP doesn't have any built-in way to do this.

    --
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com
     
    Steve Riley [MSFT], Aug 21, 2007
    #2

  3. Re: Limit wireless adapter to a single (WEP or WPA secured) networ

    Steve,

    Oh yes, there is more... These laptops are in County Sheriff's cars.
    About 75 of them. We use Cingular (EDGE) for wide area mobile data services,
    throughout about 1800 sq. miles of the county, as well as outside the county.
    We use Netmotion Mobility for VPN & encryption. We have placed our AP's
    (about 30) to cover the parking lots at the various Police Dept's in the
    county, and many other places that the police cars are regularly parked.
    These include the jail parking lots & sally ports, the city hall parking
    lots, fire stations, etc. These places are already connected countywide, by
    fiber network. The wireless "DMZ" vlan is carried on that fiber network.
    Until lately, ONLY Cingular has been used for the County Sheriff cars, and
    the wireless net was used for other purposes, mostly indoors.

    The Netmotion Mobility VPN client has the ability (by design) to roam from
    network to network. It will choose the fastest available interface, by
    itself, without disrupting the AES VPN connection. While police cars are at
    common locations, we would have (considerably) faster service to/from the
    cars, yet when they leave the wireless net, they will roam back to Cingular
    seamlessly.

    Management has decreed that these mobiles are to NEVER connect to any other
    802.11a,b,g wireless net as they travel. So, that is why they need the
    "opposite" sort of approach to wireless connectivity.

    A rather lengthy response, but I hope this clears up the question of "Why ?".

    Dean
     
    Dean, Aug 21, 2007
    #3
  4. Re: Limit wireless adapter to a single (WEP or WPA secured) networ

    Thanks for the details, now I understand.

    Next question: why has management issued this decree? What risk do they feel
    requires this kind of mitigation? Since it seems like all your
    communications are encrypted (VPN), and you've already been using another
    public network anyway (Cingular), this decree seems quite arbitrary. The VPN
    is sufficient for protecting the data traveling any public network. So as
    long as you're enabling the built-in firewall on all the laptops (to protect
    them from attack from the Internet), I'd say it's perfectly fine to allow
    these machines to use any wireless network they want. Millions of people
    operate in this same mode every day (public network connection, VPN to
    protect corporate data).

    --
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com
     
    Steve Riley [MSFT], Aug 22, 2007
    #4
  5. Re: Limit wireless adapter to a single (WEP or WPA secured) networ

    Steve,

    For the most part, you have hit the nail on the head. The key word is
    "arbitrary". I was seeking a technical solution to a (perceived) political
    problem. If it was reasonably possible to meet the wishes of management,
    without placing a heavy burden on the workstation support crew, it was worth
    asking. If not, then I'll have to schedule a meeting with the director, and
    draw some pictures on his white board.

    The only actual technical issue, in our particular case, are open access
    points that have a captive portal for web based authentication (such as most
    hotels, coffee shops, etc.). These will actually cause a temporary outage
    for the client, as the car passes by or is parked near. The mobility VPN
    client will find the alternate network, pause, try to send crafted udp
    packets to the VPN server, only to discover that the network has no path.
    Then it will revert to Cingular. This process takes about 10-15 seconds.
    Not a major issue, but a noticeable delay to the user. We may just have to
    deal with it.

    Thanks !

    Dean
     
    Dean, Aug 22, 2007
    #5
  6. Re: Limit wireless adapter to a single (WEP or WPA secured) networ

    That's a really odd behavior for a VPN client. Usually, VPN clients don't go
    about redirecting the underlying Internet connection!

    Let me know how you get on with your whiteboarding session. Email me if you
    need any more help. Oftentimes, all it takes is a bit of education on the
    part of those setting such "arbitrary" policies.

    --
    Steve Riley

    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com
     
    Steve Riley [MSFT], Aug 22, 2007
    #6
  7. "Dean" wrote:

    > This may sound a bit backwards, but I would like to find out how to limit XP
    > to a single wireless network. We do not wish the adapter to connect to, or
    > even "find" any other wireless nets, ssid's, or hotspots, when it is not
    > connected to ours.
    > Thanks !
    > Dean
    >
     
    NYRadio, Nov 12, 2007
    #7
  8. I have a similar issue. I am in New York City and there are dozens of WAPs
    around. Some secure, some not.

    We have a secure wireless network connection to our LAN. I do not want
    our machines connecting to any other wireless networks.

    Is it possible to limit my machines to only my network?

    Thanks
     
    NYRadio, Nov 12, 2007
    #8
  9. This how-to may help.

    How to limit the machine only connect to one secure wireless network
    http://www.wifimvp.com/howto/limitoneconnection.htm

    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Robert L. (MS-MVP), Nov 13, 2007
    #9
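
Post #2 notes that Windows Vista can enforce this restriction while Windows XP has no built-in way to do it. On a single Vista-or-later machine the mechanism is the `netsh wlan` filter list; the following is an added example, not part of the original thread, that allow-lists one SSID and denies every other network. The SSID `COUNTY-MOBILE` and the function names are placeholders, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: allow-list one SSID with the netsh wlan filter list.
# Assumes Windows Vista or later (Windows XP has no "netsh wlan" context)
# and an elevated prompt. SSID and function names are placeholders.

function Invoke-Netsh {
    param([string[]]$NetshArgs)
    # Run netsh and fail loudly, so a half-applied policy is never silent.
    $output = & netsh.exe $NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed: $($output -join ' ')"
    }
    $output
}

function Set-WlanAllowList {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$AllowedSsid
    )

    # Add the allow entries first, so the managed network is already
    # exempt when the deny-all rules below take effect.
    foreach ($ssid in $AllowedSsid) {
        Invoke-Netsh @('wlan', 'add', 'filter', 'permission=allow',
                       "ssid=$ssid", 'networktype=infrastructure') | Out-Null
    }

    # Deny every other infrastructure network and all ad hoc networks.
    foreach ($type in 'infrastructure', 'adhoc') {
        Invoke-Netsh @('wlan', 'add', 'filter', 'permission=denyall',
                       "networktype=$type") | Out-Null
    }

    # Keep blocked networks out of the list of available networks.
    Invoke-Netsh @('wlan', 'set', 'blockednetworks', 'display=hide') | Out-Null

    # Return the resulting filter list for the change record.
    Invoke-Netsh @('wlan', 'show', 'filters')
}

function Remove-WlanDenyAll {
    # Rollback: lift the deny-all rules; the allow entries stay in place.
    foreach ($type in 'infrastructure', 'adhoc') {
        Invoke-Netsh @('wlan', 'delete', 'filter', 'permission=denyall',
                       "networktype=$type") | Out-Null
    }
    Invoke-Netsh @('wlan', 'show', 'filters')
}

# Example call with the placeholder SSID:
# Set-WlanAllowList -AllowedSsid 'COUNTY-MOBILE'
```

For a fleet, the same allow and deny lists can be set centrally in the Vista wireless network Group Policy settings rather than per machine.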