Requirements: 

Server: Windows Server 2003 Standard / Enterprise (I used standard) DC
Clients: Windows XP Pro SP2, wireless NIC supporting WPA
Access point: Most new wireless APs / routers will do. I used a Linksys WRT54GL with modified firmware from http://www.dd-wrt.com/ 

You will need to be a domain admin for your own domain, but you don’t need to be an enterprise admin. 

Summary: 

To get the secured wireless working we need to have a RADIUS server running which authenticates the wireless computers against Active Directory. In WS2003, RADIUS is provided by the Internet Authentication Service (IAS) which is a built-in windows component, but isn’t installed by default. 

To allow the laptops to verify that the server is what it claims to be, we need to set up certificates. In WS2003, this is done via Certificate Services which again is included with the OS, but not installed by default. 

Next, we need to tell the access point(s) where our RADIUS (IAS) server is and vice versa and then use Group Policy to tell the XP clients how to authenticate.

The finished wireless network will then be using WPA, PEAP (MS-CHAPv2) and AES.

Procedure: 

On the Domain Controller 

Setting up IAS: 

1)     Launch Add/Remove programs > Windows components > Networking Services > Details> Tick Internet Authentication Services > OK, NEXT
2)     Start > Programs > Administrative Tools > Internet Authentication Services
3)     Right click Internet Authentication Services (local) on left hand side > “Register server in Active Directory” > OK
4)     Right click Internet Authentication Services (local) > Properties > Ports – make a note of the ports used for Authentication and Accounting: you may need them for setting up your Access Point later
5)     Right click on Radius Clients > New Radius Client > Pick a friendly name and a static IP address you can use for the Access Point. Be sure not to choose something in your DHCP range. Select RADIUS Standard and enter a shared secret. Microsoft recommend 22 characters or more generated by a random password generator.
6)     Click on Remote Access Logging > Right click on Local file > As a minimum, select Accounting Requests and Authentication Requests and check the Log File tab settings.
 

Setting up Certificate Services:

7)     Launch Add/Remove programs > Windows components > Certificate Services > Details > Tick Certificate Services CA > YES > OK > NEXT
8)     In the Windows Component Wizard window:
a.      Choose “Standalone Root CA”. If you are an enterprise admin and know how to set up autoenrollment, you might want to choose “Enterprise Root CA”, but standalone should work in all cases. NEXT.
b.      Choose a “common name” such as StTriniansRootCA, increase the validity period from 5 years (I used 25), NEXT
c.      Click YES to stop the IIS service.
d.      Choose YES to installing ASP to allow web enrolment – we’ll be using that later
e.      FINISH
 

Creating and installing a server certificate: 

This process creates a certificate to prove the identity of your IAS server. By default the certificate only lasts 1 year before it expires. For instructions on increasing this value, visit http://support.microsoft.com/?id=254632
 

9)     Open Internet Explorer at http://YOURSERVER/certsrv
10)  Click “Request a certificate”
11)  Click  “advanced certificate request”
12)  Click “Create and submit a request to this CA.”
13)  The “Advanced Certificate Request” page must be filled in carefully, in particular the following fields:
Name – The fully qualified name of your server as the wireless clients see it, e.g. yourserver.yourdomain.int
Type of Certificate Needed – Choose “Server Authentication Certificate”
Create new key set – Select this option
CSP – Choose “Microsoft RSA/Schannel Cryptographic Provider”
Key Size – 1024 should be fine. Bigger numbers give better security, but increase the processing power required.
Mark Keys as exportable – Tick this
Store certificate in the local computer certificate store – Tick this
14)  Click Submit >
15)  The next screen tells you to come back later when your certificate has been approved, so go back to the Certification Authority snap-in, expand your Root CA > Pending Requests > Select the request > Right click > All tasks > Issue. It should move into the Issued Certificates container.
16)  Open Internet Explorer at http://YOURSERVER/certsrv (again)
17)  Click “View the status of a pending certificate request”
18)  Follow the link to install the certificate you just created.
 

Creating a Remote Access Policy: 

19)  Create a security group (e.g. WirelessComputers) in the Active Directory Users and Computers snap-in and add all your wireless laptops and PCs as members of the group.
20)  Start > Programs > Administrative Tools > Internet Authentication Services
21)  Right click on Remote Access Policies > New Remote Access Policy
22)  NEXT
23)  Make sure the “Use the wizard…” option is selected and type in a name, such as “Wireless Access to the St. Trinians network”. NEXT.
24)  Select “Wireless”, NEXT
25)  Select Group, click Add… and find your WirelessComputers security group. NEXT
26)  Select “Protected EAP (PEAP)” and click Configure…
27)  Pick the certificate with your IAS server’s fully qualified domain name e.g. yourserver.yourdomain.int
28)  “Enable fast reconnect” is optional, but most sources I have found suggest that you tick it.
29)  “Secured password (EAP-MSCHAP v2)” should be the only item in the list
30)  Click OK
31)  NEXT
32)  Finish
 

Pushing Wireless Networking policies out to workstations: 

Some steps required for this section vary depending on whether the Group Policy Management Console (GPMC.msc) has been installed on your server or not, so those steps are described in a general way. 

33)  Create a new Group Policy Object and link it to the OU containing your wireless computers
34)  Disable the user portion of the GPO (not necessary, but good practice for speeding up application of the policy)
35)  Edit the policy
36)  In the Group Policy Object Editor snap-in, navigate to Computer Configuration > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies
37)  Right-click Wireless Network (IEEE 802.11) Policies > Create Wireless Network Policy
38)  NEXT
39)  Type a name, e.g. “St. Trinians Secure Wireless Network”, NEXT
40)  Tick “Edit properties”, FINISH
41)  In the properties of the policy, select the General tab
42)  Set “Networks to access” to “Access point (infrastructure) networks only”
43)  Tick “Use windows to configure…”
44)  Untick “Automatically connect to non-preferred networks”
45)  Click the “Preferred networks” tab
46)  Click “Add…”
47)  Pick the SSID you will be using to identify the network, e.g. SchWlan1 This will need to match the SSID set up on your access point(s).
48)  Set “Network Authentication” to “WPA”
49)  Set “Data Encryption” to “AES”
50)  Click the IEEE 802.1x tab
51)  Set the EAP Type to “Protected EAP (PEAP)”
52)  Click Settings
53)  Tick “Validate server certificate”
54)  Tick “Connect to these servers” and type in the name of your IAS server
55)  Under “Trusted Root Certification Authorities”, find the Root CA you created earlier and tick it
56)  Tick “Do not prompt user to authorize new servers or trusted authorities”
57)  Select “Secured password (EAP-MSCHAP v2)”
58)  Tick “Enable Fast Reconnect”
59)  OK
60)  Untick “Authenticate as a guest…”
61)  Tick “Authenticate as a computer…”
62)  Computer Authentication: “Computer only” (This setting will prevent the computer being disconnected and reconnected while the user is logging in.)
63)  OK
64)  OK
65)  In the Group Policy Object Editor, move down to Public Key Policies and right click on Trusted Root Certification Authorities
66)  Import…
67)  NEXT
68)  Type \\YourDCName\CertConfig\ and click Browse…
69)  Pick the Root CA certificate, OPEN
70)  NEXT
71)  NEXT
72)  FINISH
73)  Close the Group Policy Object Editor
74)  To apply the policies, connect the wireless computers via a wired connection, log in, run “gpupdate /force” then reboot.
Setting up the wireless access point: 

Obviously this depends very much on the model of the access point, so these instructions are very generic. 

75)  Look for an option for setting up WPA with Radius. On the superb DD-WRT firmware this is under Wireless > Wireless Security.
76)  If there is an option to choose between AES and TKIP, choose AES
77)  For the RADIUS server address, enter the IP address of your domain controller running IAS
78)  For the RADIUS port, enter the port number you made a note of earlier on. By default this will probably by 1812.
79)  Enter the WPA shared key: this should match exactly with the “shared secret” you used when setting up IAS.
80)  Set up the SSID to match what you put in your Wireless Networking policies sent to the clients, e.g. SchWlan1. If you want disable broadcasting of the SSID it will make your network less visible as a target to casual snoopers, but it might make it more difficult to troubleshoot problems with your setup.

Yes, the picture is tiny. That’s because I’m too lazy to take one myself.

The basic idea is that you can have interactive whiteboard features without having to use a touch-sensitive board (and at a much lower cost). This means you can use it anywhere you can set up a projector and laptop (in theory! read on…).

Set up

You set this little (12.5 x 8.5 x 2.5 cm, 250g!) gizmo up in your room, pointing at the surface you are projecting on. Next, plug it into your PC/laptop USB port and press a button to bring up 2 red laser dots on your surface. The dots define the extent of the area you can work within, so typically you’d make it slightly bigger than your projector image. Assuming you’ve already got the driver installed on your computer, you just have to do a standard IWB clicking-on-dots calibration routine and you’re golden!

How it works

The pens you use have a small infra-red LED on the end (so yes, they take batteries – full specs here: CM2 Specs). As you press down with the pen (or use the button on the telescopic “wand” version) the LED flashes and the sensor device (shown above) tracks its location. The clever part is that the sensor can be at just about any angle to your surface and it will still work out where the pen is on your computer screen’s image. The pens have a right-click button as well, a la Promethean pens. The sensor even runs off USB power, which makes life much simpler if you want to mount it on your ceiling.

Limitations

Obviously, if you get between then pen and the sensor, it won’t be able to see what the pen is doing and you won’t be able to draw. That is a major problem if you’re using the comedy tripod shown, but when ceiling mounted (mount provided), we didn’t find it an issue.

The maximum size of your projection area is huge. They quote a figure of 150 inch diagonal (over 4 times the area of a large IWB!) Unfortunately, there’s a direct relationship between the size of the active area and the distance the sensor has to be positioned from the screen:

For a classroom, you’re looking at positioning the sensor around 2.7m from the wall (say) and that just isn’t always practical if you’re having to stand the little tripod up there. Again, ceiling mounted this isn’t usually a problem.

Batteries! I have no idea how long they’ll last, but there’s a law of physics which states that battery voltage decreases linearly with an increase in teacher stress levels (and vice versa). At least they’re cheap.

The software is a little basic to say the least. If you’ve used Promethean’s cut-down “Px” software – imagine a “lite” version of that. It also likes to crash if the user doesn’t have write access to its folder (the default if your users run as standard users rather than as admins). It covers the basics of annotation, but don’t expect anything fancy. For serious work, you’d probably want to license software from your usual whiteboard supplier.

Overall impressions

I was surprised. It’s one of those rare bits of technology that sounds complete turd when described to you, but does actually do the job quite successfully. The major failing seems to be in the way that it’s marketed. Rather than selling it as a portable whiteboard, OnFinity really should be pushing the CM2 as a low cost way to get interactivity – as a portable device it’s just too much of a pain in a classroom environment: one nudge from an inquisitive finger and your calibration is screwed.

Being able to write on a normal whiteboard with your choice of drywipe pens or the CM2 pen has got to be a bonus, making the facilities in a room more flexible for teachers with differing preferences and skills.

In short, I think we’ll be keeping ours. Including mounting it on the ceiling, it took about 30 minutes to set up and cost around 1/3 of the price of a similarly sized IWB – around £450 (not including the projector and PC).

As I’ve read in a few places around the web, it’s important to get to grips with which sorts of activites work well on an IWB and focus on those. The not-at-all-advertised Teacher Resource Exchange allows you to search for interactive whiteboard resources, but unfortunately it seems that a lot of the uploaders tag their resources as useful for IWBs when clearly they aren’t. I’m not sure how long that site will be available, as it’s part of the Virtual Teacher Centre (in turn part of the NGfL), which is due to close on 19 December 2005. As BECTA are involved, I’m not anticipating good things.

On a related note, there’s a new Australian Blog about the use of IWB’s in education: ActivBoarding. They’re using six (I think?) Promethean ActivBoards with ActivStudio. It looks like a good place to watch for a fresh perspective (most of the stuff I’ve seen is very UK-oriented) and interesting resources. It’s a shame there’s not an open/common format between the whiteboard programs (particularly between Smart, ActivStudio1 and Activstudio2) as being able to share flipcharts etc seems to be one of the key benefits of the IWB experience. We’re firmly in the Promethean camp at school, so I’ll be passing these links on to those that can’t when I return to work on Monday.

Still not sated?: There are more resources for Promethean ActivStudio users in the Promethean resource directory and at the Lighthouse for Education.

[via IWB-EFL, Teaching Generation Z]