Configure 802.1X Wireless Clients Running Windows Vista with Group Policy
Applies To: Windows Server 2008
Use the procedures in this topic to configure the Wireless Network (IEEE 802.11) Policies for client computers running Windows Vista® that connect to your wireless network through 802.1X authenticating wireless access points (APs).
This document provides the detailed steps to create and configure the Windows Vista Wireless Network (IEEE 802.11) Policies and wireless configuration profiles for wireless computers running Windows Vista.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
Configure wireless clients running Windows Vista by using the Wireless Network (IEEE 802.11) Policies
The New Vista Wireless Network (IEEE 802.11) Policies enables you to configure, prioritize and manage multiple wireless profiles that each use different profile names and different wireless settings, while using the same Service Set Identifier (SSID). For example, you can configure two (or more) profiles using the same SSID; one profile to use Smart Cards and one profile to use Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), or one using Wi-Fi Protected Access version 2 (WPA2)-Enterprise and one using WPA-Enterprise. The ability to configure mixed-mode deployments using a common SSID is one of the enhancements in the Wireless Network (IEEE 802.11) Policies for Windows Vista.
Note
You can use the Windows Vista Wireless Network (IEEE 802.11) Policies to configure wireless computers running Windows Vista and Windows Server 2008. You cannot use this policy to configure computers running Windows XP. Computers running Windows XP cannot interpret settings in a Windows Vista Wireless Network (IEEE 802.11) Policies.
You can use these features to configure security and authentication settings, manage wireless profiles, and specify permissions for wireless networks that are not configured as preferred networks.
Opening the Wireless Network (IEEE 802.11) Policies properties
Use this procedure to access the Wireless Network (IEEE 802.11) Policies.
To open the Wireless Network (IEEE 802.11) Policies properties
Open the Group Policy Management Console (GPMC).
In Default Domain Policy, open Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policies.
- If there is a Wireless Network Policy shown in the details pane, with the Type listed as Vista, right-click that policy, and then click Properties, to access the properties of the wireless policy.
Note
The wireless policy is not necessarily listed as New Vista Wireless Network Policy in the details pane of the GPMC. If the default policy name was previously changed from New Vista Wireless Network Policy to another name, the name change is reflected in the GPMC details pane.
- If there is not a Wireless Network Policy shown in the details pane, with the **Type** listed as **Vista**, right-click **Wireless Network (IEEE 802.11) Policies**, and then click **Create A New Windows Vista Policy** to activate and open **New Vista Wireless Network Policy Properties**.
Note
After the Windows Vista wireless policy is added, it is only listed in the GPMC details pane, when Wireless Network (IEEE 802.11) Policies is selected.
Configure PEAP-MS-CHAP v2 and EAP-TLS wireless infrastructure profiles
The procedures in this section provide the steps to configure the Windows Vista Wireless Network (IEEE 802.11) Policies to create one or more wireless profiles that wireless clients running Windows Vista will use to connect to your wireless network. The first procedure provides the steps to use Windows Vista Wireless Network (IEEE 802.11) Policies to configure a wireless profile for PEAP-MS-CHAP v2. The second procedure provides the steps to use Windows Vista Wireless Network (IEEE 802.11) Policies to configure a wireless profile for EAP-TLS.
Note
PEAP-MS-CHAPv2 is easier to deploy than other authentication methods, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). PEAP does not require the deployment of a public key infrastructure (PKI); only a Remote Authentication Dial-In User Service (RADIUS) server is required to provide a certificate. Additionally, PEAP does not require the deployment of an infrastructure, such as smart cards or another type of client certificates, to validate connecting clients.
Configuring a PEAP-MS-CHAP v2 wireless profile
This procedure provides the steps required to configure a PEAP-MS-CHAP v2 wireless profile.
To configure a PEAP-MS-CHAP v2 wireless profile
In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, do one of the following:
To add a new profile, click Add, and then select Infrastructure.
To modify an existing profile, select the profile, and then click Edit.
Note
For more information about the settings on any tab, press F1 while viewing that tab.
On the Connection tab, do the following:
In Profile Name, type a name for this wireless profile.
In Network Name(s) (SSID), type the SSID that corresponds to the SSID configured on your wireless APs, and then click Add.
If present, select NEWSSID, and then click Remove.
If your wireless access point is configured to suppress its broadcast beacon, select Connect even if the network is not broadcasting.
Note
Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled.
Click the Security tab, click Advanced, and then configure the following:
- To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.
Note
When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are sufficient for most wireless deployments.
2. To enable Single Sign On, select **Enable Single Sign On for this network**.
Note
The remaining default values in Single Sign On are sufficient for most wireless deployments.
3. In **Fast Roaming**, select **This network uses pre-authentication**, if your wireless AP is configured for pre-authentication.
Click OK to return to the Security tab, and then configure the following:
In Select the security methods for this network, for Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client network adapters. Otherwise, select WPA-Enterprise.
In Encryption, select AES, if it is supported by your wireless AP and wireless client network adapters. Otherwise, select TKIP.
Note
The settings for both Authentication and Encryption must match the settings configured on your wireless AP. On the Security tab, the default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are sufficient for most wireless deployments.
In Select a network authentication method, select Protected EAP (PEAP), and then click Properties. In the Protected EAP Properties dialog box, configure the following:
Verify that Validate server certificate is selected.
In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your Network Policy server.
Note
This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store.
3. In the **Select Authentication Method** list, select **Secured password (EAP-MS-CHAP v2)**.
4. Select **Enable Fast Reconnect**.
5. Clear **Enable Quarantine checks**.
Click Configure. In the EAP MSCHAPv2 Properties dialog box, verify Automatically use my Windows logon name and password (and domain if any) is selected, click OK, and then click OK to close Protected EAP Properties.
Click OK to close the Security tab.
Configuring an EAP-TLS wireless profile
This procedure provides the steps required to configure an EAP-TLS wireless profile.
To configure an EAP-TLS wireless profile
- In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, click Add, and then select Infrastructure.
Note
For more information about the settings on any tab, press F1 while viewing that tab.
On the Connection tab, do the following:
In Profile Name, type a name for the EAP-based profile.
In Network Name(s) (SSID), type the SSID that corresponds to the SSID configured on your wireless APs, and then click Add.
If present, select NEWSSID, and then click Remove.
If your wireless access point is configured to suppress its broadcast beacon, select Connect even if the network is not broadcasting.
Note
Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled.
Select the Security tab, click Advanced, and then configure the following:
- To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.
Note
When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held period, Start Period, and Auth Period are sufficient for most wireless deployments.
2. In **Single Sign On**, select **Enable Single Sign On for this network**.
Note
The remaining default values in Single Sign On are sufficient for most wireless deployments.
3. In **Fast Roaming**, select **This network uses pre-authentication** if your wireless AP is configured for pre-authentication.
Click OK to return to the Security tab, and then configure the following:
In Select the security methods for this network, for Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client network adapters. Otherwise, select WPA-Enterprise.
In Encryption, select AES (preferred) if it is supported by your wireless AP and wireless client network adapters. Otherwise, select TKIP.
Note
The settings for both Authentication and Encryption must match the settings configured on your wireless AP. On the Security tab, the default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are sufficient for most wireless deployments.
In Select a network authentication method, select Smart Card or other certificate (EAP-TLS). On the Security tab, click Properties, and then configure the following:
In When connecting, verify that Use a certificate on this computer and Use simple certificate selection are selected.
Verify that Validate server certificate is selected.
In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your Network Policy Server (NPS).
Note
This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store.
- Click OK to close Smart Card or other Certificate Properties, and then click OK again to close the EAP Profile.
Configuring connection preference order for wireless networks
Wireless clients running Windows Vista attempt to connect to wireless networks in the order specified in Windows Vista Wireless Policy. This procedure demonstrates how to specify the order of wireless profiles to which domain clients running Windows Vista will attempt to connect.
To specify the order of wireless networks
Open the Windows Vista Wireless Network (IEEE 802.11) Policies Properties. On the General tab, in Connect to available networks in the order of profiles listed below, select any profile, then click the "up arrow" or the "down arrow" to move the profile to the desired location in the list.
Click OK to save the change, and then close the Windows Vista Wireless Policy.
Defining network permissions
You can configure the following on the Network Permissions tab to specify network permissions:
To block your domain members running Windows Vista from gaining access to ad hoc networks, select Prevent connections to ad-hoc networks.
To block your domain members running Windows Vista from gaining access to infrastructure networks, select Prevent connections to infrastructure networks.
To allow your domain members running Windows Vista to view network types (ad hoc or infrastructure) to which they are denied access, select Allow user to view denied networks.
Note
The Remove button on the Network Permissions tab allows you to remove only those networks that you have defined by using the Add feature. Networks that are defined on the General tab, in Connect to available networks in the order of profiles listed below, cannot be removed from the permissions list.
Adding wireless networks to the Deny list
For a variety of reasons, you might want to block managed wireless computers from connecting to other wireless networks that are within range of the organization’s wireless network. For example, an adjoining building might have a wireless AP broadcasting, which can be seen on your network wireless client computers running Windows Vista.
This procedure demonstrates how to use the Windows Vista Wireless Network (IEEE 802.11) Policies to allow or deny permissions for wireless networks.
To add a wireless network to the Deny list
Open the Windows Vista Wireless Policy.
On the Network Permissions tab, click Add.
On the New Permission Entry dialog box, configure the following:
In Network Name (SSID) type the SSID of a wireless network.
In Network Type, select Infrastructure or Ad-hoc.
Note
If you are unsure whether the broadcasting network is an infrastructure or ad hoc network, you can configure a network permission entry for both types.
3. In **Permission**, select **Deny**.
- Click OK. On the Network Permissions tab, select Allow user to view denied networks, and then click OK.
To prevent users from viewing blocked networks
To prevent users from seeing broadcasting networks to which you want to deny access. This procedure demonstrates how to prevent your wireless clients from displaying wireless networks to which you have denied access.
To prevent users from viewing networks in the Deny list
Open the Windows Vista Wireless Policy.
On the Network Permissions tab, clear the Allow user to view denied networks check box, and then click OK.
Exporting wireless profiles
In addition to creating a backup of configured profiles, the export and import features are used to support independent hardware vendor (IHV) extensibility. An administrator can include IHV-specific connectivity or security settings in an Extensible Markup Language (XML) profile and then import this profile to wireless Group Policy. Because these settings do not display onscreen in Windows Vista, importing them is the only way that a profile can include these settings in wireless Group Policy.
This procedure demonstrates how to export a wireless profile.
To export a wireless profile
In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, in Connect to available networks in the order of profiles listed below, select the profile you want to export, and then click Export.
In the Save exported profile as dialog box, verify that Save as type is (*.xml), and then click Save.
Note
By default, the profile is saved as an XML file in the Documents folder of the current user. The profile name is automatically provided in its file name. If you specify a different name for the exported file, such as "Backup.xml," when imported the profile will appear in "Connect to available networks" in the order of profiles listed below with the original profile name and the original SSID.
Importing a wireless profile
This procedure demonstrates how to import a wireless profile. You can use the import feature to restore profiles that have been deleted. You can also use the import feature to restore a profile that was changed after a backup copy was exported.
To import a wireless profile
In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, in Connect to available networks in the order of profiles listed below, click Import.
In Import a profile, navigate to the profile that you want to import, and then click Open.
Note
By default, the Open to import a profile dialog box opens the most recent directory that has been accessed using the import and export features.
- Select the profile, and then click Open.