Sunday, 11 January 2015

Configuring a WLAN profile for Windows computers using Group Policy

"If a trainstation is where the train stops, what's a workstation?"

As you go along with this tutorial, make sure to deviate from my settings so that you end up with a profile that suits your environment. In any case, you should have a functioning Active Directory and workstations running Windows Vista or higher.

This is a rare instance of something that benefits both usability and security and not one at the expense of the other. The users will not have to worry about WLAN settings as those are configured by the GPO and I will not have to worry about users watering down security settings because the settings are locked in into the profile and users cannot change them.

In my case the wireless connection deployed on the workstations will be based on
  • WPA2-Enterprise mode
  • A Network Policy Server (NPS) that will also serve as RADIUS server
  • Client and server authenticating using (pre-autoenrolled) X.509 certificates
  •  
     
  • I opened gpmc.msc and navigated to the Organizational Unit (OU) that contained my wireless capable computers.
  • Next, I created a new GPO (i.e. "WLAN profiles <<insert SSID>>"
  • Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) policies.
  • "Create A New Wireless Network Policy for Windows Vista and Later Releases".
    You can only do this once. When you have created the first policy, the option will disappear until the policy is deleted.
  • The policy gets a name and description. Properties General

  •  Adding a network
    The workstations connect automatically, do not connect to more preferable networks and do not connect if the SSID is not broadcast.



The RADIUS Server authenticates via X.509 certificate. There is also some sort of certificate pinning at the root-CA level. Note the checkbox in the middle. Alle three things must match for the client to proceed:
  1. Server hostname
  2. Server certificate
  3. Root certificate
This will ensure that the workstations is connected to the right network and it will remove unnecessary pop-ups that may require information that is not available to the user. ("Do you trust this computer?"). The authentication method selection at the lower end of the screenshot ensures that the workstation will authenticate using its own certificate which will be presented to the server. The alternative would be EAP-MSCHAP v2.


Leaving the PEAP setting, going back to Security > Advanced. I left following settings unchanged.


Network permissions


Once the GPO is deployed on the client side, you should see a pre-configured wireless connection with greyed out check-boxes and a message with exclamation mark, stating the the connection settings are managed by the system administrator.

Sunday, 4 January 2015

Network Access Protection - part I

Draft Jan 4, 2015


All is set, except for the access points.

see also (1) (2)



(2)



(1) Microsoft Network Access Protection (Simple setup), South Central District Client Team Blog, Jan 4 2014, http://blogs.technet.com/b/scd-odtsp/archive/2013/05/14/microsoft-network-access-protection-simple-setup.aspx
(2)  Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example - Cisco

Saturday, 3 January 2015

iaStor timeout errors after SSD upgrade on ICH7R based Intel SATA controllers



"When a system is stable, telling the worker about mistakes is only tampering."

The quite outdated ASUS EEE-PC got an SSD upgrade, replacing the HDD that shipped with it.
 
I installed Windows 8 and very soon the system crashed seemingly randomly with the mouse and keyboard and screen frozen and the only remedy being a four second button held shutdown.

Solution 

Before you apply the solution 

  • Check that your SSD is otherwise fine (CrystalDiskInfo)
  • Make sure you have an Intel ICH7R chip-set or similarly affected chip-set
  • You should have similar event log entries as shown here

The system log shows errors indicating the AHCI driver iaStor cannot find the SSD caused by a timeout. 

Event Source: iaStor  
Event-ID 9 
Event General: The device, \Device\Ide\iaStor0, did not respond within the timeout period.
 
 
How to fix this
I disabled Link Power Management.(LPM) in the Intel AHCI driver settings in the registry. Where certain keys were not there, I created them manually. LPM can be enabled or disabled on a per port basis. I did this for the first SATA port, exported the key, made minimal changes and applied it again until I had all SATA ports covered. Lastly, a reboot is due. I haven't seen this issue again

ahci.reg This is the .reg files for the sixth port. This chip-set comes with six SATA ports (labeled 0-5) at the most, perhaps less ports and in the case of the EEE-PC even less ports with an actual pin-out.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iaStor\Parameters\Port5]
"LPM"=dword:00000000
"LPMSTATE"=dword:00000000
"LPMDSTATE"=dword:00000000
"DIPM"=dword:00000000

 Supplemental I
  • The per port settings
    I have not experimented with the setting. It may be that setting
    "LPM" to 0 deactivates and renders the other settings useless.
  •  Which port to deactivate for LPM?
    Again, going from 0-5 may be over the top. Getting the right port, the port to which the SSD is connected, may be enough. Other devices may work fine with LPM. The right port can be found by trial and error or other means.
  • Don't I need LPM?
    Most likely you won't miss it. On mobile devices it may lead to slightly reduced battery times, on the other hand users report of increased performance after deactivating LPM
  • Who is to blame?
    Unknown. Reportedly version ten of Intel's AHCI driver was the first to automatically activate LPM. Later drivers (11 and higher) do not work with the ICH7. The error must be located somewhere in the triangle SSD (with possibly faulty LPM implementation), ICH7R SATA controller and lastly the Intel AHCI SATA driver. Anyone of these, or a combination could be the cause of the timeouts.

Supplemental II
Make sure the SSD is not actually broken. I use CrystalDiskInfo.
Device details:
Netbook
ASUS EEE-PC 1001P
(BIOS Revision 0901, 03/04/10)
BIOS Setting: SATA: AHCI
Intel Chipset with ICH7R AHCI SATA Controller
Latest driver version: AHCI driver 10.8.0.1003 (date Oct 17 2011)

SSD SANDISK 128 GB
----------------------------------------------------------------------------

    OS : Windows 8.1 Pro [6.3 Build 9600] (x64)
  Date : 2015/01/04 5:10:38

-- Controller Map ----------------------------------------------------------
 + Intel(R) ICH7R/DH SATA AHCI Controller [ATA]
   - SanDisk SDSSDP128G
 - Microsoft Storage Spaces Controller [SCSI]

-- Disk List ---------------------------------------------------------------
 (1) SanDisk SDSSDP128G : 126,0 GB [0/0/0, pd1] - sd

----------------------------------------------------------------------------
 (1) SanDisk SDSSDP128G
----------------------------------------------------------------------------

           Model : SanDisk SDSSDP128G
        Firmware : 3.2.0
   Serial Number : ************
       Disk Size : 126,0 GB (8,4/126,0/126,0/126,0)
     Buffer Size : Unknown
     Queue Depth : 32
    # of Sectors : 246162672
   Rotation Rate : ---- (SSD)
       Interface : Serial ATA
   Major Version : ACS-2
   Minor Version : ACS-2 Revision 3
   Transfer Mode : SATA/300 | SATA/600
  Power On Hours : 67 hours
  Power On Count : 154 count
      Host Reads : 212 GB
     Host Writes : 170 GB
     Temperature : 32 C (89 F)
   Health Status : Good (100 %)
        Features : S.M.A.R.T., APM, 48bit LBA, NCQ, TRIM, DevSleep
       APM Level : 0000h [OFF]
       AAM Level : ----

Sources
http://www.techsupportforum.com/forums/f108/solved-device-ide-iastor0-did-not-respond-within-the-timeout-period-634560.html