Wireless Guest Account Management
One of my C# projects is an application to create guest accounts for the school wireless network. The wireless network is set up with 802.1X authentication, so we can log in using Active Directory user accounts.
The main parts of this system are:
- Pass Generator application (C#) - creates the user accounts and prints tickets with instructions
- Epson T88 based receipt printers - either USB or networked - to print the tickets
- PowerShell script to clean up any old accounts
Users are created in the specified OU and added to the specified security group. We then use membership of that group in our web filtering to determine which policies are applied. The expiry date is set on the account, and the server name is used in the "Log on to these workstations" setting to prevent the accounts being used to log on to domain computers. I put the name of the NPS server in here although it can be any valid computer name.
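As an added illustration (not the application's own C# code), the same account settings can be applied with the ActiveDirectory PowerShell module. The OU, group, UPN suffix and server are the sample values from the configuration file on this page; the function names, the guest username format and the password length are assumptions, and unlimited passes are not covered.

```powershell
# Added example, not the Pass Generator's code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function New-GuestPassword {
    param([int]$Length = 12)   # length is an assumption
    # 64 symbols, so (random byte % 64) picks each symbol with equal probability
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    try {
        do {
            $rng.GetBytes($bytes)
            $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
            # Retry until lower case, upper case and a digit are all present:
            # three character classes, as AD password complexity requires
        } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '[0-9]')
    } finally { $rng.Dispose() }
    $pw
}

function New-WirelessGuest {
    param([Parameter(Mandatory)][ValidateSet(1, 2, 5, 30)][int]$Days)

    # Sample values from the configuration file shown on this page
    $ou        = 'OU=Guest Wireless,DC=contoso,DC=com'
    $group     = 'G GuestWireless'   # assumed to be the group's sAMAccountName
    $upnSuffix = '@contoso.com'
    $server    = 'SRV01'

    # Hypothetical username format; it is printed on the ticket, so it is not a secret
    $sam      = 'guest{0}' -f (Get-Random -Minimum 100000 -Maximum 1000000)
    $password = New-GuestPassword
    $expires  = (Get-Date).AddDays($Days)
    $newUser  = @{
        Name                  = $sam
        SamAccountName        = $sam
        UserPrincipalName     = $sam + $upnSuffix
        Path                  = $ou
        AccountPassword       = (ConvertTo-SecureString $password -AsPlainText -Force)
        AccountExpirationDate = $expires   # the account stops working when the pass runs out
        LogonWorkstations     = $server    # keeps the account from logging on to domain computers
        Enabled               = $true
        PassThru              = $true
    }
    $user = New-ADUser @newUser
    Add-ADGroupMember -Identity $group -Members $user   # group membership drives the web filter policy

    # Username, password and expiry are what the printed ticket needs
    [pscustomobject]@{ Username = $sam; Password = $password; Expires = $expires }
}
# Usage: New-WirelessGuest -Days 2
```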
You'll need to configure the T88 printer with a virtual port, as we write directly to the port rather than using something like the OPOS ADK. The virtual port driver can be found here: https://download.epson-biz.com/modules/pos/index.php?page=single_soft&cid=6406&scat=36&pcat=3
I think the newer versions of the printer may have a different port mapper but the concept is the same. I usually set up the printer as COM7.
The configuration file for the application looks like this. I use a custom class to read/write to XML config files. The file needs to be in the same folder as the EXE.
<?xml version="1.0" standalone="yes"?>
<NewDataSet>
  <Settings>
    <Setting>DN</Setting>
    <Value>ou=Guest Wireless,DC=contoso,DC=com</Value>
  </Settings>
  <Settings>
    <Setting>Port</Setting>
    <Value>COM7</Value>
  </Settings>
  <Settings>
    <Setting>Group</Setting>
    <Value>G GuestWireless</Value>
  </Settings>
  <Settings>
    <Setting>UPNSuffix</Setting>
    <Value>@contoso.com</Value>
  </Settings>
  <Settings>
    <Setting>Server</Setting>
    <Value>SRV01</Value>
  </Settings>
  <Settings>
    <Setting>SSID</Setting>
    <Value>School-Wireless</Value>
  </Settings>
  <Settings>
    <Setting>LabelText</Setting>
    <Value>Guests must have a wireless pass in order to access the guest wireless. Passes are valid for 1, 2, 5 or 30 days, or unlimited. "Guest Details" is not printed on the ticket. This is optional for short length passes but required for 30 day or unlimited passes. Instructions for connecting will be on the printed ticket, they will need to use the $SSID$ network and the supplied username/password. Staff and students should use the $SSID$ network with their existing school login details and should not be using guest logins.</Value>
  </Settings>
</NewDataSet>
The code for this is available on my GitHub Repository.
The application uses the current user's credentials to add the new user account into Active Directory, so you will need to delegate rights to create user accounts and set passwords in the Guest Wireless OU to the group of users who will be running the tool. You may need to give rights to add users to groups; I can't remember if just having rights on the user accounts is enough.
Finally, a PowerShell script runs as a scheduled task on a server to clear out the expired accounts:
Search-ADAccount -Server "contoso.com" -SearchBase "OU=Guest Wireless,DC=contoso,DC=com" -AccountExpired -UsersOnly -ResultPageSize 2000 | Remove-ADUser -Confirm:$false