802.11 Wireless Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
802.11 Wireless Tools and Settings
In this section
Windows Wireless Client
Wireless AP
802.11 Wireless Authentication Infrastructure
802.11 Wireless Registry Entries
This section contains information about the tools and settings available for configuring, managing, and customizing wireless clients, and for troubleshooting wireless connectivity.
Windows Wireless Client
The following services and features are associated with Windows wireless clients and wireless client connections.
Network Connections Folder
The Network Connections folder and the messages displayed in the notification area of the task bar provide information about the state of the wireless network availability as well as client authentication and connection status. If authentication of a client requires additional information from the user, such as selecting one of multiple user certificates, a text balloon appears to instruct the user. Within the Network Connections folder, the text under the name of the connection corresponding to the wireless network adapter describes the state of the authentication.
For wireless clients running Windows XP, when you click the wireless connection, the Details dialog box displays the authentication status, the Internet Protocol (IP) address configuration, and information about the connected wireless network and the current association. When you obtain status on the connection, you can view information such as the signal speed on the General tab and the IP address configuration on the Support tab.
If the wireless adapter is assigned an Automatic Private IP Addressing (APIPA) address in the range 169.254.0.0/16 or the configured alternate static IP address, the wireless client is still associated with the wireless AP, but either authentication has failed or the Dynamic Host Configuration Protocol (DHCP) server is not available. If the authentication fails and the association is still in place, the wireless adapter is enabled and Transmission Control Protocol/Internet Protocol (TCP/IP) performs its normal configuration process. If a DHCP server is not found (either authenticated or not), Windows XP automatically configures an APIPA or alternate static address.
For a wireless client running Windows 2000, you can use the Network and Dial-up Connections folder to view whether the connection corresponding to your wireless network adapter is authenticated. If authentication is successful, the connection icon appears normal. If authentication has failed, the connection icon has a red X through it. To view the IP address configuration of the connection corresponding to the wireless network adapter, type ipconfig at a command prompt.
Netsh
Windows XP, Windows Server 2003, and Windows 2000 have an extensive tracing capability that you can use to troubleshoot complex problems for specific components related to wireless client authentication. You can enable the components in Windows to log tracing information to files using the netsh command for specific components or for all components. For more detailed information, see “Netsh,” in the section “802.11 Wireless Authentication Infrastructure” later in this document.
Network Monitor
You can use Microsoft Network Monitor, available in Microsoft Systems Management Server, Windows 2000 Server, and Windows Server 2003, or a commercial packet analyzer (also known as a network sniffer), to capture and view the authentication and data traffic sent and received by a wireless network adapter.
For Windows wireless client authentication, you can use Network Monitor to capture the set of frames exchanged between the wireless client computer and the wireless AP during the wireless authentication process. You can then use Network Monitor to view the individual frames and determine why the authentication failed.
Network Monitor includes 802.1X, EAPOL, and EAP parsers. A parser is a component included with Network Monitor that can separate the fields of a protocol header and display their structure and values. Without a parser, Network Monitor displays the hexadecimal bytes of a header, which you must parse manually.
In Windows 2000 Server and Windows Server 2003, Network Monitor is installed as an optional management and monitoring tool using Control Panel's Add or Remove Programs. After it is installed, you can run Network Monitor from the Administrative Tools folder.
Wireless Monitor snap-in
In Windows Server 2003, you can use the new Wireless Monitor snap-in to view wireless AP or wireless client information. There are two main views of information in the Wireless Monitor snap-in:
Access Point Information
Wireless Client Information
When you click Access Point Information in the console tree, the wireless network adapter scans for the available wireless APs within range and then displays them in the details pane.
You can use the list of wireless APs to determine the visibility and parameters (such as signal strength, channel, and data rates) of specific wireless APs for a specific location.
When you click Wireless Client Information in the console tree, the list of wireless events for the Wireless Zero Configuration service and the EAPOL component displays in the details pane.
You can use these events to determine how the Wireless Zero Configuration service chooses to connect to a specific wireless AP and explore the details of the authentication process.
Wireless AP
The following services and features are associated with wireless access points (APs). Consult your wireless AP documentation for information about the set of troubleshooting tools provided with your wireless AP.
Panel Indicators
Most wireless APs have one or more indicators, status lights that are visible on the housing of the wireless AP, from which you can obtain a quick assessment of the wireless AP's hardware status. For example, you might see the following:
An indicator to show that the wireless AP has electrical power.
An indicator to show general operation status. For example, the indicator might show whether the wireless AP is associated with any wireless clients.
An indicator to show wireless network traffic. This indicator might blink for each frame received on the wireless network.
An indicator to show data collisions. If the blinking of this indicator seems excessive, evaluate the performance of the link by using methods suggested by the wireless AP vendor.
An indicator to show wired network traffic. This indicator might blink for each frame received on the wired network.
Alternatively, the wireless AP might have a liquid crystal display (LCD) panel display that shows icons indicating its current status. Consult your wireless AP documentation for information about panel indicators and their interpretation.
Site Survey Software
Site survey software is used to determine the coverage volume and where the data rate changes for each wireless AP. An administrator can use site survey software during the deployment of wireless APs to determine their optimal placement. It is typically installed on a wireless-capable portable computer from a CD provided by the wireless AP vendor or the wireless network adapter vendor.
If wireless clients cannot connect to a specific wireless AP, use the site survey software to perform a site survey for that wireless AP. There might have been a change in the devices that create interference and objects that interfere with signal propagation because the original site survey and wireless AP placement was done.
SNMP support
Many wireless APs include a Simple Network Management Protocol (SNMP) agent that supports the following SNMP Management Information Bases (MIBs):
IEEE 802.11 MIB
IEEE 802.1 Port Access Entity (PAE ) MIB
SNMP MIB (described in RFC 1157)
SNMP MIB II (described in RFC 1213)
Ethernet Interface MIB (described in RFC 1398)
SNMP Bridge MIB (described in RFC 1493)
Remote Network Monitoring MIB (described in RFC 1757)
RADIUS Authentication Client MIB (described in RFC 2618)
The SNMP agent on the wireless AP can be used in conjunction with your existing SNMP-based network management infrastructure to monitor your wireless APs, set trap conditions, and monitor loads on your wireless APs. In SNMP, trap conditions specify which events will trigger a message to be sent by the SNMP agent to a management system, indicating that the event has occurred on the host running the agent.
Diagnostics
The purpose of the diagnostics is to ensure that the wireless AP is operating properly (from a hardware standpoint) and to validate its current configuration. However, the exact diagnostic facilities of a wireless AP vary from one wireless AP to another.
Diagnostics for wireless APs can be of the following forms:
Software or a Web site provided by the wireless AP vendor.
A command-line tool or facility, such as terminal access to the wireless AP.
802.11 Wireless Authentication Infrastructure
Wireless 802.11 clients and APs can use Internet Authentication Service (IAS) — the Microsoft implementation of RADIUS — to enforce authentication in an enterprise environment. The following services and features are associated with authentication infrastructure of Wireless 802.11.
IAS Event Logging
To troubleshoot IAS authentication attempts, view events in the Windows event logs. Ensure that event logging is enabled for all types of IAS events (such as rejected, discarded, and successful authentication events). Event logging for all these types of events are enabled by default for both Windows Server 2003 IAS and Windows 2000 IAS.
IAS events are stored in the system event log, which can be viewed in the Event Viewer snap-in. Here is an example of a successful IAS authentication event (Event ID 1).
User client@example.com was granted access.
Fully-Qualified-User-Name =example.com/Users/Client
NAS-IP-Address =10.7.0.4
NAS-Identifier =<not present>
Client-Friendly-Name =Building 7 Wireless AP
Client-IP-Address =10.7.0.4
NAS-Port-Type =Wireless-IEEE 802.11
NAS-Port =6
Policy-Name =Wireless Remote Access Policy
Authentication-Type =EAP
EAP-Type =Smart Card or other Certificate
To view s failed IAS authentication event, view all events that have Event ID 2.
Viewing the IAS events in the system event log is one of the most useful troubleshooting tools for obtaining information about failed authentications. The IAS events are also helpful when troubleshooting remote access policies. When you have multiple remote access policies configured, the Policy-Name field in the event description records the name of the remote access policy that either accepted or rejected the connection attempt.
Network Monitor
Network Monitor is useful for checking whether RADIUS messages are being exchanged, and for determining the RADIUS attributes of each message.
You can use Microsoft Network Monitor—available in Microsoft Systems Management Server, Windows 2000 Server, and Windows Server 2003 — or a commercial packet analyzer (also known as a network sniffer) to capture and view RADIUS authentication and accounting messages that are sent to and from the IAS RADIUS server or an IAS RADIUS proxy. Network Monitor includes a RADIUS parser that you can use to view the attributes of a RADIUS message and trouble-shoot connection issues.
SChannel Logging
Secure channel (SChannel) is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) authentication protocols. SSL and TLS are the Internet standard for secure transactions.
By default, SChannel logs only error messages in the system event log. To log errors, warnings, informational, and successful events, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging registry value to 4 (as a DWORD type). With SChannel logging recording all events, it is possible to obtain more information about the certificate exchange and validation process on the IAS server during EAP-TLS authentication.
Netsh
Windows Server 2003 and Windows 2000 have an extensive tracing capability that creates tracing files that describe the internal behavior of Windows components during the wireless client authentication and authorization process. This information is typically most useful to Microsoft support engineers, who might request that you create trace files for a connection attempt during their investigation of a support issue. You can enable the components in Windows Server 2003 to log tracing information to files by using the netsh command for specific components or for all components. To enable and disable tracing for a specific component, use the following command:
netsh ras set tracing component enabled|disabled
In the preceding command, component is any of the items in the list of components found in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing. For example, to enable tracing for the IASRAD component, use the following command:
netsh ras set tracing iasrad enabled
To obtain detailed information about the EAP authentication process for Windows XP or Windows Server 2003, enable tracing for only the EAP over LAN (EAPOL) and Remote Access Service Transport Level Security (RASTLS) components. To enable tracing for EAPOL, use the following command:
netsh ras set tracing eapol enabled
To enable tracing for RASTLS, use the following command:
netsh ras set tracing rastls enabled
After these commands are issued, try the authentication process again and view the Eapol.log and Rastls.log files in the SystemRoot\Tracing folder. To disable tracing for EAPOL and RASTLS, use the following respective commands:
netsh ras set tracing eapol disabled
netsh ras set tracing rastls disabled
To obtain detailed information about the EAP authentication process for Windows 2000, enable tracing for the RASTLS component.
Although you can enable tracing for individual components of IAS, it is generally easier to turn tracing on for all the IAS components at once; and Microsoft support engineers typically want to see all the trace files, rather than the trace file for an individual component. To enable tracing for all components, use the following command:
netsh ras set tracing * enabled
To disable tracing for all components, use the following command:
netsh ras set tracing * disabled
The log files that are generated are stored in the SystemRoot\tracing folder.
Note
- Tracing consumes system resources and should be used sparingly during the investigation of a support issue. After the trace is done or the problem is identified, you should disable tracing. Do not leave tracing enabled on multiprocessor computers.
SNMP Agent
You can use the Simple Network Management Protocol (SNMP) agent software included with Windows 2000 Server and Windows Server 2003 to monitor status information for your IAS server from an SNMP snap-in. IAS supports the RADIUS Authentication Server MIB (RFC 2619) and the RADIUS Accounting Server MIB (RFC 2621). Use AddRemove Programs in Control Panel to install the SNMP agent. The SNMP agent can be used in conjunction with your existing SNMP-based network management infrastructure to monitor your IAS RADIUS servers or proxies.
Performance Logs And Alerts Snap-in
You can use the Performance Logs And Alerts snap-in to monitor counters, create logs, and set alerts for specific IAS components and program processes. You can also use charts and reports to determine how efficiently your server uses IAS and to both identify and troubleshoot potential problems.
You can use the Performance Logs And Alerts snap-in to monitor counters within the following IAS-related performance objects:
IAS Accounting Clients
IAS Accounting Proxy
IAS Accounting Server
IAS Authentication Clients
IAS Authentication Proxy
IAS Authentication Server
IAS Remote Accounting Servers
IAS Remote Authentication Servers
For more information about how to use the Performance Logs And Alerts snap-in, see Help and Support Center for Windows Server 2003.
802.11 Wireless Registry Entries
Controlling the computer and user authentication behavior of Windows XP and Windows Server 2003 can be configured by using either the AuthMode registry setting or in a Windows Server 2003 Active Directory environment by using the Wireless Network (IEEE 802.11) Policies Group Policy extension. Controlling the transmission behavior of the EAPOL-Start message when authenticating can be configured by using either the SupplicantMode registry setting or the Wireless Network (IEEE 802.11) Policies Group Policy extension.
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
AuthMode Registry Entry
The setting of the AuthMode registry entry controls the computer and user authentication behavior of Windows XP and Windows Server 2003.
Registry path
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode
Version
Windows XP and Windows Server 2003
AuthMode has the following values:
0 - Computer authentication mode. If computer authentication is successful, no user authentication is attempted. If the user logon is successful before computer authentication, user authentication is performed. This is the default setting for Windows XP (prior to Service Pack 1).
1 - Computer authentication with re-authentication. If computer authentication is successful, a subsequent user logon results in a re-authentication with user credentials. The user logon has to complete in 60 seconds or the existing network connectivity is terminated. The user credentials are used for subsequent authentication or re-authentication. Computer authentication is not attempted again until the user logs off the computer. This is the default setting for Windows XP Service Pack 1 (SP1) and Windows Server 2003.
2 - Computer authentication only. When a user logs on, it has no effect on the connection. Only computer authentication is performed. The exception to this behavior is when a user successfully logs on, and then roams between wireless APs. In that case, user authentication is performed. For changes to this setting to take effect, restart the Wireless Zero Configuration service for Windows XP or Windows Server 2003.
SupplicantMode Registry Entry
The setting of the SupplicantMode registry entry specifies the transmission behavior of the EAPOL-Start message when authenticating.
Registry path
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
Version
Windows XP and Windows Server 2003
SupplicantMode has the following values:
1 - Do not transmit. Specifies that EAPOL-Start messages are not sent.
2 - Transmit. Determines when to send EAPOL-Start messages and, if needed, sends an EAPOL-Start message.
3 - Transmit per 802.1x. Sends an EAPOL-Start message upon association to initiate the 802.1X authentication process.
Wireless 802.11 Group Policy Settings
To automate the configuration of network settings on wireless clients running Windows XP SP1 and Windows Server 2003, Windows Server 2003 Active Directory domains support a new Wireless Network (IEEE 802.11) Policies Group Policy extension that allows you to configure wireless network settings that are part of Computer Configuration Group Policy. The Wireless Network (IEEE 802.11) Policies Group Policy extension is found in the Group Policy Object Editor by navigating to Default Domain Policy/Computer Confiuration/Windows Settings/Security Settings/Wireless.
Wireless network settings include the list of preferred networks, WEP settings, and IEEE 802.1X settings. These settings encompass all of the items on the Association and Authentication tabs of the properties of a wireless network and additional settings. The Association and Authentication tabs on Windows XP or Windows Server 2003 computers can be found by opening Network Connections, right-clicking on the wireless connection icon and clicking Properties, then on the Wireless Network tab, click Properties. The settings are downloaded to wireless client computers running Windows XP SP1 or Windows Server 2003 that are members of a Windows Server 2003 Active Directory domain, making it much easier to deploy a specific configuration for secure wireless connections.
Wireless Network (IEEE 802.11) Policy Settings
In the Group Policy snap-in, you can configure wireless policies by using the Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies node.
Note
- These policy settings do not apply to wireless clients running Windows XP (prior to SP1) or Microsoft 802.1X Authentication Client.
By default, there are no Group Policy objects (GPOs) in the Wireless Network (IEEE 802.11) Policies node. You can create only a single wireless network policy for each Group Policy object.
The properties of a wireless network policy consist of a General tab and a Preferred Networks tab.
On the General tab, you can view the options as described in the following table.
General Settings of a Wireless Network Policy
Setting | Description |
---|---|
Name |
This option allows you to type a friendly name for the wireless network policy. |
Description |
This option allows you to type a description for the wireless network policy. |
Check For Policy Changes Every |
This option allows you to specify the interval in minutes after which wireless clients that are Active Directory members check for changes in the wireless network policy. |
Networks To Access |
This option selects the types of wireless networks with which the wireless network is allowed to create connections:
|
Use Windows To Configure Wireless Network Settings for Clients |
This option enables Wireless Auto Configuration. |
Automatically Connect to Non-preferred Networks |
This option enables automatic connections to wireless networks that are not configured as preferred networks. |
On the Preferred Networks tab, you can view the options as described in the following table.
Preferred Network Options of a Wireless Network Policy
Option | Description |
---|---|
Networks |
This option displays the list of preferred wireless networks. |
Add/Edit/Remove |
These buttons create a new preferred wireless network, modify the settings of the selected preferred wireless network, and delete the selected preferred wireless network. |
Move Up/Move Down |
These buttons move the selected preferred wireless network up or down in the Networks list. |
The properties of a preferred wireless network consist of a Network Properties tab and an IEEE 802.1X tab.
On the Network Properties tab, you can view and configure the settings of a wireless network for a Windows wireless client that supports the Wireless Zero Configuration service. The settings are:
Network Name (SSID). Displays the names of networks that are within the reception range of the wireless adapter on your computer. If selected, a network key is used to encrypt data while it is transmitted over the network.
Description. This option allows you to type a description for the preferred wireless network.
Data Encryption (WEP Enabled). Specifies whether Wired Equivalent Privacy (WEP) is enabled for this preferred wireless network.
Network Authentication (Shared Mode). Specifies whether a network key is used to authenticate to this preferred wireless network. Under the 802.11 standard for wireless networks, when a network key is used for authentication, the network is operating in shared key authentication mode. If a network key is not used for authentication, the network is operating in open system mode.
The Key Is Provided Automatically. Specifies whether a network key is automatically provided for this preferred wireless network. For example, if 802.1X is being used for dynamic key distribution.
This Is A Computer-to-Computer (Ad Hoc) Network; Wireless Access Points Are NotUsed. Specifies whether the preferred wireless network is a computer-to-computer (ad hoc) network, not an access point (infrastructure) network.
On the IEEE 802.1X tab, you can view and configure the following settings (which are equivalent to the authentication settings of a Windows wireless client):
Enable Network Access Control Using IEEE 802.1X. Specifies whether 802.1X authentication is enabled. If selected, credentials such as smart cards, certificates, and passwords are used for authentication.
EAP Type and Settings. Specifies the Extensible Authentication Protocol (EAP) type that is to be used.
Authenticate As Guest When User Or Computer Information Is Unavailable. Specifies whether the computer attempts authentication to the network when a user is not logged on.
Authenticate As Computer When Computer Information Is Available. Specifies whether the computer attempts authentication to the network as a guest when user or computer information is not available.
The following are additional settings on the IEEE 802.1X tab that do not appear on authentication settings of a Windows wireless client:
EAPOL-Start Message. This option allows you to specify the transmission behavior of the EAPOL-Start message when authenticating. These settings set the SupplicantMode registry setting. You can select from the following:
Do Not Transmit
Transmit
Transmit Per 802.1X
Max Start. This option allows you to specify the number of successive EAPOL-Start messages that are sent out when no response is received to the initial EAPOL-Start messages.
Start Period. This option allows you to specify the interval, in seconds, between the retransmission of EAPOL-Start messages when no response is received to the previously sent EAPOL-Start message.
Held Period. This option allows you to specify the period, in seconds, for which the authenticating client will not perform any 802.1X authentication activity after it has received an authentication failure indication from the authenticator.
Authentication Period. This option allows you to specify the interval, in seconds, for which the authenticating client will wait before retransmitting any 802.1X requests after end-to-end 802.1X authentication has been initiated.
Computer Authentication. This option allows you to specify how computer authentication works with user authentication. These settings set the AuthMode registry setting. There are three possible settings:
With User Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained using the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.
With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on).
Computer Only. Authentication is always performed using the computer credentials. User authentication is never performed.
For more information about Group Policy settings, see the Group Policy Settings Reference for Windows Server 2003.
WPA upgrade
To use the new Wi-Fi Protected Access (WPA) standard for wireless clients running Windows XP (SP1 and later) and Windows Server 2003 that are using a wireless network adapter that supports the WZC service, you must obtain and install the free download WPA Wireless Security Update. It updates the wireless network configuration dialog boxes to support new WPA options. An update to the properties of the Wireless Network (IEEE 802.11) Policies to allow configuration of WPA options is being investigated.