This document outlines deployment scenarios to support wireless networking with the Microsoft® Windows Vista® operating system. The evaluation scenarios presented in this document rely on a test network that uses Microsoft® Windows Server® 2003 Active Directory, Internet Authentication Service (IAS), Dynamic Host Configuration Protocol (DHCP), an IEEE 802.1X-compliant wireless access point (AP) to provide 802.1X authenticated network access, and one client running Windows Vista with an IEEE 802.3 wired Ethernet connection to the test network.
The test lab configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. For more information about deploying secure wireless, see the Microsoft Wi-Fi Web site.
The scenarios cover a range of features that are new in Windows Vista and Microsoft® Windows Server® 2008.
The evaluation scenarios in this guide provide methods to configure wireless clients running Windows Vista and Windows Server® 2008, and demonstrate the following new wireless features in Windows Vista:
• Windows Server 2003 Active Directory with schema extension for Windows Vista Wireless (and Wired) Group Policy - This new extension updates your existing Windows Server 2003 Active Directory schema to support a Wireless Network (IEEE 802.11) Policy for wireless clients running Windows Vista and Windows Server 2008. Deploying the schema extension will not affect an existing Wireless Network (IEEE 802.11) Policy for Windows XP. The schema enables you to configure one wireless policy for wireless computers running Windows Vista that is separate from the wireless policy for wireless computers running Microsoft® Windows XP. The schema extension enables you to take advantage of wireless enhancements available in wireless clients running Windows Vista and Windows Server 2008, such as Wi-Fi Protected Access 2 (WPA2), fast reconnect, fast roaming, and profile management using Active Directory Group Policy.
• Wireless Network (IEEE 802.11) Policy - The Windows Vista Wireless Network Policy enables you to provide and manage multiple wireless profiles that your wireless clients can use to connect to wireless networks. This document examines the configuration and management of both PEAP-MS-CHAP v2 profiles and EAP-TLS profiles. Additionally, this document contains information about the following management features in the Wireless Network (IEEE 802.11) Policy:
• Wireless diagnostics - The primary objective for wireless diagnostics is to diagnose and help troubleshoot wireless connectivity issues, including failed connections and intermittent connectivity issues. Wireless diagnostics works with the Network Diagnostics Framework (NDF), which in turn plugs into Windows Diagnostics Infrastructure (WDI). The role of wireless diagnostics is to simplify correction of wireless connectivity issues by collecting and analyzing information about wireless connectivity, and then providing the results of the analysis with repair options to WDI through the NDF.
• Netsh wlan - The Windows Vista netsh commands for wireless local area network (WLAN) provide methods for configuring connectivity and security settings and for gathering information about client configuration settings. As a troubleshooting tool, netsh wlan provides useful configuration details about client wireless configuration and about wireless network adapter configuration.
In this document, IEEE 802.3 wired Ethernet is referred to as "wired," IEEE 802.11 is referred to as "wireless."
This section provides an overview of each of the main sections contained within the remainder of this document:
• Who should use Windows Vista wireless networking, and why? - This section presents information about the target audience for this evaluation guide. Additionally, a sample of the Windows Vista wireless enhancements is provided to show the benefits of wireless networking in Windows Vista.
• Prerequisites for testing wireless networking in Windows Vista - This section presents information about test lab deployment decisions that you need to make before you begin your wireless test network deployment.
• Deploying your test network - This section presents general information about extending the Active Directory Group Policy schema in Windows Server 2003 to support Windows Vista wireless Group Policy. A link to the detailed instructions for extending the schema is also provided. The last portion of this section provides the step-by-step instructions to configure the computer, user, and administrator accounts that are required before you can configure the Windows Vista wireless Group Policy.
• Configure Windows Vista Group Policy Object Editor and the basic Windows Vista Wireless Network Policy - This section provides the detailed steps to configure Group Policy Object Editor, and to activate the default Wireless Network (IEEE 802.11) Policy for Windows Vista.
• Configure wireless clients running Windows Vista by using Wireless Network (IEEE 802.11) Policy - This section provides step-by-step instructions to configure Windows Vista wireless profiles for both the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for the wireless test network in the example.com test domain.
• Configure wireless clients running Windows XP by using Wireless Network (IEEE 802.11) Policy - This section provides step-by-step instructions to configure Windows XP wireless profiles for both the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for the wireless test network in the example.com test domain.
• Using wireless profile management features - Using step-by-step procedures, this section provides an evaluation of the Windows Vista profile management features that enable you to prioritize, export, import, add, and delete profiles.
• Perform wireless diagnostics to troubleshoot connection problems - The diagnostics section of this document provides several tests that you can perform to evaluate how Windows Vista responds to various wireless connectivity errors. The tests in this section represent only a small sample of the capabilities of Windows Vista wireless diagnostics. Additionally, this section contains examples demonstrating several ways that netsh wlan is used for troubleshooting Windows Vista wireless connectivity problems.
This guide is for the following audiences:
• IT professionals who are considering deployment of Windows Vista in their existing Windows Server 2003 wireless infrastructure
• IT managers and IT administrators who need to configure wireless settings on multiple clients
• IT managers who want to configure enhanced security settings, such as WPA2, on multiple computers running Windows XP with SP2
• IT planners and analysts who are evaluating Windows Vista
• Enterprise IT planners and designers
• Security architects who are responsible for implementing trustworthy computing
There are numerous reasons to use Windows Vista and Windows Server 2008 wireless networking. The following section highlights some of the more compelling reasons.
• The Native Wi-Fi Architecture, the software infrastructure for 802.11 wireless connections in Windows Vista and Windows Server 2008, has been redesigned to:
  • Allow independent hardware vendors (IHVs) more flexibility in supporting advanced features of IEEE 802.11 networks, such as a larger frame size than Ethernet.
  • Perform authentication, authorization, and management of 802.11 connections, reducing the burden on IHVs to incorporate these functions into their wireless network adapter drivers.
  • Support APIs that allow independent software vendors (ISVs) and IHVs to extend wireless services and customize capabilities.
• Group Policy enhancements for wireless include the following:
  • Separation of wired 802.1X and wireless services
  • Support for individual Windows XP and Windows Vista wireless policies
  • Better security using Wi-Fi Protected Access 2 (WPA2) authentication options for Windows Vista, Windows Server 2008, and Windows XP with Service Pack 2
  • WPA2 fast roaming settings
  • Configuration of preferred wireless networks for automatic or manual connection
  • Configuration of allow and deny lists to specify whether wireless network clients can view or attempt to connect to other wireless networks that are not controlled by the network administrator
  • Support for multiple profiles using the same SSID, but different network security and authentication methods
  • Support for connecting to non-broadcast networks
  • Support for importing of IHV profiles
  • User experience improved (parity with client UI)
You can configure Wireless Network (IEEE 802.11) Policy for clients running Windows Vista by using Group Policy on either:
• Domain controllers running Windows Server 2008
• Domain controllers running Windows Server 2003 with SP1 (or R2), when combined with the Active Directory schema extensions for Windows Vista wireless Group Policy
The function of wireless configuration and the user interface (UI) have been improved in several ways:
• ISVs or IHVs can add custom wireless configuration dialog boxes or wizards to the built-in Windows wireless client, allowing the configuration of custom wireless features and capabilities.
• Non-broadcast wireless networks can be marked as hidden. In Windows Vista and Windows Server 2008, you can indicate that a preferred wireless network is hidden by configuring it as a non-broadcast network. This reduces the confusing behavior in earlier versions of Windows when automatically connecting to hidden wireless networks.
• Windows Vista and Windows Server 2008 prompt the user when connecting to an unsecured wireless network and allow them to confirm the connection attempt.
• By default, the Network Connection wizard sets security to the highest security level supported by the wireless network adapter.
• When using 802.1X authentication, 802.1X wireless networks can be combined with Network Access Protection to block wireless clients that do not meet system health requirements from gaining unlimited access to the private network.
• To leverage the account name and password-based authentication infrastructure that already exists in Active Directory, in Windows Vista and Windows Server 2008, the EAP authentication method for 802.1X-authenticated wireless connections uses PEAP-MS-CHAP v2 by default.
Wireless diagnostics helps troubleshoot wireless connectivity issues, including failed connections and intermittent connectivity. In Windows Vista, when a user experiences a network problem, wireless diagnostics provides the user with the ability to diagnose and repair the problem within the context of that problem. Diagnostics are implemented through the following features:
• The new Network Diagnostics Framework is an extensible architecture that helps users recover from and troubleshoot problems with network connections.
• The Windows event log stores new information specific to failed wireless connection attempts. IT professionals can use these event records to perform further troubleshooting when wireless diagnostics cannot fix the problem, or when the problem is not specific to the wireless client and therefore cannot be fixed by changing wireless client settings.
• Windows error reporting prompts users who have wireless connection problems to send information to Microsoft for analysis. Successful diagnostics can also be sent to Microsoft through the Software Quality Metrics (SQM) infrastructure (known as the Customer Experience Improvement Program in Windows XP). The reports contain no personal information about the computer or the user. Microsoft will use this information to identify the top root causes for wireless connection failures, and take appropriate actions to either improve the wireless client software in Windows or work with wireless vendors to help improve wireless hardware products.
The Windows Vista netsh commands for wireless local area network (WLAN) provide methods to configure connectivity and security settings. You can use the netsh wlan commands to view configuration settings, to configure the local computer, or to configure multiple computers by using a logon script. You can also use the netsh wlan commands to view wireless Group Policy settings.
The wireless netsh interface has the following benefits:
• Easier wireless deployment: Provides a lightweight alternative to Group Policy to configure wireless connectivity and security settings.
• Mixed mode support: Allows administrators to configure clients to support multiple security options. For example, a client can be configured to support both the WPA2 and the WPA authentication standard. This allows the client to use WPA2 to connect to networks that support WPA2 and use WPA to connect to networks that only support WPA.
• Blocked networks: Administrators can block and hide access to non-corporate wireless networks by adding specific networks or network types to the list of denied networks. Similarly, administrators can allow access to corporate wireless networks.
• An easy method to gather configuration details for administration and troubleshooting purposes.
This section presents information and considerations that you need before deploying your test network.
The tests contained within this document are designed to work in conjunction with a test environment using Windows Server 2003 Active Directory - as documented in "Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab" on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkid=28117.
The test lab document describes how to configure secure IEEE 802.1X authenticated wireless access using either PEAP-MS-CHAP v2 or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). The test lab hardware consists of a wireless access point (AP) and four computers. Of the four computers, one is a wireless client; one is a domain controller that is also a certification authority (CA), Dynamic Host Configuration Protocol (DHCP) server, and Domain Name System (DNS) server; one is a Web and file server; and one is an Internet Authentication Service (IAS) server that is acting as a Remote Authentication Dial-In User Service (RADIUS) server.
For the remainder of this document, the "Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab" document is referred to as the "Step-by-Step Test Lab."
Before you configure your test network:
• Review the information presented in the Step-by-Step Test Lab documentation to get a general understanding of the deployment requirements.
• Determine whether you want to deploy authentication by using PEAP-MS-CHAP v2 or smart card or other certificates (EAP-TLS). PEAP-MS-CHAP v2 is very secure, and is easier to deploy than EAP-TLS. Because only the RADIUS server must have a certificate for authentication, you can purchase a RADIUS server certificate from a third party, rather than deploying a public key infrastructure. PEAP-MS-CHAP v2 is the most user-friendly method for wireless clients, because they need only to provide their account credentials (user name and password) for authentication. EAP-TLS is even more secure than PEAP-MS-CHAP v2, but it is more difficult to deploy because it requires deployment of a public key infrastructure. EAP-TLS requires certificates to authenticate the RADIUS server and smart cards or other certificates to authenticate wireless clients.
• Your wireless AP and client wireless adapters must provide the same level of support for 802.1X and WPA2, WPA or WEP.
The Step-by-Step Test Lab was designed to evaluate Windows XP wireless in a Windows Server 2003 domain environment. The configuration presented in this evaluation guide extends the test lab deployment, and requires several adjustments to accommodate Windows Vista.
The Step-by-Step Test Lab provides instructions to configure computer, user, and administrator accounts. This evaluation guide provides complete configuration steps for a different set of user and administrator accounts. This is done intentionally to clarify and isolate Windows Vista configuration from the Windows XP configuration presented in the Step-by-Step Test Lab. Specifically:
• Wireless computer running Windows XP with Service Pack 2 (SP2) - The Windows Vista Group Policy Management Console exposes enhanced settings, such as WPA2, for computers running Windows XP with SP2. The test lab specifies a wireless computer running Windows XP, named CLIENT1. This document provides steps to use the Windows Vista Group Policy Management Console to configure computers running Windows XP with SP2. Therefore, you must deploy a computer running Windows XP with SP2 to test wireless connectivity. Follow all of the deployment steps in the Step-by-Step Test Lab for configuring the computer running Windows XP with SP2 (named CLIENT1), including the associated user and computer accounts, in order to test the enhanced features of the Wireless Network (IEEE 802.11) Policy for Windows XP (recommended). If you do not intend to test connectivity for Windows XP computers that are configured using the Windows Vista Group Policy Management Console's enhanced configuration capabilities, deployment of the wireless computer running Windows XP is not required.
• Computer running Windows Server 2003 providing IIS service - The test lab specifies a computer running Windows Server 2003, named IIS1. This computer is optional. The IIS1 computer is used to demonstrate connectivity to the intranet and shared resources; however, it is not required in this Windows Vista evaluation guide. Alternatively, to test connectivity, you can configure a shared folder on DC1, and connect to that share to demonstrate wireless connectivity.
• Wired computer running Windows Vista - Configuration of the Windows Vista Wireless Network (IEEE 802.11) Policy in a Windows Server 2003 Active Directory environment must be performed from a domain member computer running Windows Vista. Therefore, the scenarios presented in this document require one client computer with a new installation of Windows Vista Release Candidate 1 (RC 1) or later, which is physically attached to the wired test network, but not joined to the test network example.com domain.
• Wireless computer running Windows Vista - The main scenarios in this document require one wireless computer with a new installation of Windows Vista RC 1 or later that is not joined to the test network example.com domain. The following figure lists the computers described in the Step-by-Step Test Lab, and the additional required computers running Windows Vista.
• Consolidated Step-by-Step Test Lab deployment - The Step-by-Step Test Lab specifies 3 individual computers running Windows Server 2003: one as a domain controller (DC1), one IAS RADIUS server (IAS1), and one IIS server (IIS1). Optionally, the domain controller and IAS server can be combined on a single computer, as shown in the following figure. If you consolidate the domain controller and IAS server on a single computer, your wireless AP must specify the IP address of DC1, 172.16.0.1, for the RADIUS server.
• Additional wireless computers running Windows Vista - Some ad hoc and profile management tests described in this evaluation guide require one additional wireless client running Windows Vista RC 1 or later that is not joined to the test network example.com domain. The additional wireless computer is necessary only if you intend to test ad hoc networking features and connectivity.
Deploying the base structure for your test network involves two main steps:
1. Deploy all of the services for your test network, including PEAP-MS-CHAP v2 or EAP-TLS authentication, as documented in the Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab on the Microsoft Web site at http://go.microsoft.com/fwlink/?linkid=28117.
2. After you have deployed your test network, you must extend the Windows Server 2003 Active Directory Group Policy schema to configure Group Policy for wireless clients running Windows Vista.
Before you can configure wireless or wired clients running Windows Vista by using Group Policy in Windows Server 2003 Active Directory, you must first extend the Windows Server 2003 Group Policy schema. To update your Windows Server 2003 Group Policy schema, carefully follow the procedures documented in Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=70195.
After extending the schema, the Windows Vista Group Policy extensions are not exposed on the computer running Windows Server 2003. You must use the computer running Windows Vista that is attached to the wired segment of your test network to configure the Wireless Network (IEEE 802.11) Policy. Before you can configure the Wireless Network (IEEE 802.11) Policy, you must first configure the necessary accounts and set up the Windows Vista Group Policy Object Editor, as documented in the next two sections.
Configuration of the Windows Vista wireless policy in a Windows Server 2003 Active Directory environment must be performed from a wired domain member computer running Windows Vista, and using an account that is a member of the Domain Admins group in Active Directory. Before configuring the wireless Group Policy object, you must first configure the administrator account that you will use to configure the wireless policy.
This section provides the steps to configure the necessary administrator and user accounts, on the Windows Server 2003 domain controller, and on the computer running Windows Vista that is attached to the network with a wired connection. After configuring the necessary accounts, this section provides the instructions to rename your wired computer and join it to the example.com test domain.
To reduce redundancy in steps, this section also includes configuration steps to configure user accounts on your wireless computer running Windows Vista.
This procedure adds the account that you will use to configure the Windows Vista Group Policy objects.
To add the GPAdmin account for administering Group Policy
This procedure adds the group named WirelessUsers in Active Directory Users and Computers. If you already configured the group named WirelessUsers as part of the Step-by-Step Test Lab, advance to the next procedure.
To add groups to the domain
This procedure adds the GPAdmin account to the WirelessUsers group.
Add users to the WirelessUsers group
This procedure adds your GPAdmin account to the Domain Admins group. Adding GPAdmin to this group provides the necessary administrative privileges to allow GPAdmin to configure wireless and wired policies.
To add the GPAdmin account to the Domain Admins group
This procedure provides the steps to name your wired and wireless computers running Windows Vista.
To name your wired computer running Windows Vista
This procedure configures the GPAdmin account on the computer running Windows Vista, named WiredV, and on your primary wireless computer running Windows Vista, named WirelessV. In procedures that follow, you will log on to the WiredV computer using the GPAdmin account to administer the Wireless Network (IEEE 802.11) Policy for your wireless computers running Windows Vista.
To configure the GPAdmin account on the computer named WiredV
This procedure joins your wired computer running Windows Vista to the example.com test domain. You will use this computer to administer the Wireless Network (IEEE 802.11) policy for your wireless computers running Windows Vista.
To join the computer named WiredV to the example.com domain
This concludes this section. You have named your computers, and joined the computer named WiredV to the example.com domain. Additionally, you have configured the Domain Admins account that you will use to administer the Windows Vista Wireless Network (IEEE 802.11) Policy. You now have the necessary infrastructure in place to open the Windows Vista Group Policy Management Console, and access the Group Policy Object Editor to configure the Wireless Network (IEEE 802.11) Policy using your wired computer running Windows Vista.
This section provides the detailed steps needed to open the Windows Vista Group Policy Object Editor, and link it to the Windows Server 2003 Group Policy object. Additionally, you will activate the unconfigured Windows Vista Wireless Network (IEEE 802.11) Policy.
This procedure describes how to open the GPOE, and activate the unconfigured New Vista Wireless Network Policy in the Group Policy Object Editor console.
The procedures to configure the Wireless Network (IEEE 802.11) Policy will be provided in the next section of this document. The policy configuration is intentionally separated from this section to demonstrate how to access the policy once you have activated it.
To add the basic Wireless Network (IEEE 802.11) Policy
This concludes this section. You have opened the Group Policy Object Editor, and linked the GPOE to the Windows Server 2003 Group Policy object. Additionally, you have activated the basic Wireless Network (IEEE 802.11) Policy. You next configure the specific settings in the Windows Vista Wireless Network (IEEE 802.11) Policy.
The Windows Vista Wireless Network (IEEE 802.11) Policy enables you to configure multiple profiles, using different profile names and different settings, while using the same SSID. For example, you can configure two (or more) profiles using the same SSID: one profile to use smart cards and one profile to use PEAP-MS-CHAP v2, or one using WPA2-Enterprise and one using WPA-Enterprise. The ability to configure mixed-mode deployments using a common SSID is one of the enhancements in the Windows Vista Wireless Network (IEEE 802.11) Policy.
This section contains procedures that will demonstrate the features provided in Wireless Network (IEEE 802.11) Policy for Windows Vista. You can use these features to configure security and authentication settings, manage wireless profiles, and specify permissions for wireless networks that are not configured as preferred networks.
The following procedures are all conducted using the GPAdmin user account on the computer named WiredV.
This procedure provides the steps to access the Wireless Network (IEEE 802.11) Policy after the policy has been activated in the Group Policy Object Editor.
To open the Wireless Network (IEEE 802.11) Policy properties
The procedures in this section provide the steps to use the Windows Vista Wireless Network (IEEE 802.11) Policy to configure two wireless profiles that wireless clients running Windows Vista can use to connect to the WIR_TST_Lab wireless network. The first profile is a PEAP-MS-CHAP v2 profile that will connect your wireless clients if you deployed PEAP-MS-CHAP v2 when you configured the Step-by-Step Test Lab. The second profile configured is a smart card or other certificate (EAP-TLS) profile that will connect your wireless clients if you deployed EAP-TLS when you configured the Step-by-Step Test Lab. Configure both profiles, regardless of which authentication method you deployed when you configured the Step-by-Step Test Lab. The two profiles are necessary for profile management procedures that follow this section.
Finally, in this section, you will configure an ad hoc wireless profile. You will use the ad hoc profile in the profile management section that follows. You can also use the ad hoc wireless profile to create an ad hoc network, if you have two or more wireless computers running Windows Vista.
PEAP-MS-CHAP v2 is easier to deploy than other authentication methods, such as EAP-TLS, for several reasons. First, PEAP does not require the deployment of a public key infrastructure (PKI); only the RADIUS server is required to provide a certificate. Second, PEAP does not require the deployment of an infrastructure, such as smart cards or another type of client certificates, to validate connecting clients. The result is a user-friendly experience; network clients need only provide their account credentials (user name and password) for authentication. The account credentials are then verified against the user account records that exist in the user accounts database (such as Active Directory).
By default, Windows Server 2003 supports the EAP methods: PEAP-MS-CHAP v2, EAP-TLS, and PEAP-TLS. If you need to manage an EAP method other than the three default methods, you must first install that EAP method on the server.
This section provides the steps required to configure a PEAP-MS-CHAP v2 wireless profile for the wireless infrastructure test network WIR_TST_Lab, specified in the Step-by-Step Test Lab.
To configure a PEAP-MS-CHAP v2 wireless profile
This section provides the steps required to configure an EAP-TLS wireless profile for the wireless infrastructure test network WIR_TST_Lab.
To configure an EAP-TLS wireless profile
You can use the Group Policy Management console in Windows Vista to configure a new Windows XP Wireless Network (IEEE 802.11) Policy, or to modify an existing Windows XP Wireless Network (IEEE 802.11) Policy. Additionally, in the Windows Vista console, the settings are exposed that allow you to configure WPA2 on client computers running Windows XP with SP2. Similar to the Wireless Network (IEEE 802.11) Policy for Windows Vista, you can configure multiple profiles by using the Wireless Network (IEEE 802.11) Policy for Windows XP. However, with Wireless Network (IEEE 802.11) Policy for Windows XP, each profile must specify a unique SSID.
This section provides the steps to configure a Windows XP profile for the WIR_TST_Lab using either PEAP-MS-CHAP v2 or Smart Cards or other certificates.
The following procedures are all conducted using the GPAdmin user account on the computer named WiredV. These procedures rely on the management accounts and services that were documented in previous procedures:
• To add the GPAdmin account for administering Group Policy
• To add the GPAdmin account to the Domain Admins group
• To name your wired computer running Windows Vista
• To configure the GPAdmin account on the computer named WiredV
• To join the computer named WiredV to the example.com domain
• To add the basic Wireless Network (IEEE 802.11) Policy
To configure wireless clients running Windows XP by using the Wireless Network (IEEE 802.11) Policy
To connect CLIENT1 to WIR_TST_Lab
This section provides the steps to configure an ad hoc profile for a wireless peer-to-peer network. You will use this profile in profile management procedures that follow this section.
You can also use this profile to create ad hoc wireless network connections, if you have a second wireless computer running Windows Vista.
To configure an ad hoc profile
In 802.1X-authenticated wireless networks, wireless clients need to provide security credentials that are authenticated by a RADIUS server. These credentials can be based on user account credentials (user name and password) for PEAP-MS-CHAP v2, or certificates for EAP-TLS. For either PEAP-MS-CHAP v2 or EAP-TLS, the wireless client - by default - also validates a computer certificate sent by the RADIUS server during the authentication process.
In the case of the WIR_TST_Lab deployment, the RADIUS server is using computer certificates from Windows Server 2003 Certificate Services, a private PKI that is integrated with Active Directory. Any wireless client that has not yet joined the domain does not have the root "Example CA" certificate and so the authentication process - by default - will fail.
One way to obtain the Example CA certificate is to make a wired connection to the network and join the domain. When the wireless client joins the domain, the root Example CA certificate is automatically installed in the Trusted Root Certification Authorities store.
If your deployment used a certificate from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and the root certification authority certificate for the RADIUS server's computer certificate is already installed on the wireless client, the wireless client can validate the RADIUS server's computer certificate, regardless of whether the wireless client has joined the Active Directory domain.
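The server-certificate validation described above, and the mixed-mode case of several profiles sharing one SSID, can both be checked on profiles exported with netsh wlan export profile. The following Python audit is an added example, not part of the original guide or of Microsoft's tooling. Its assumptions: the sample XML is constructed and trimmed, the server name and thumbprint are placeholders, the function names are hypothetical, and a missing TrustedRootCA entry is treated as "not pinned to a specific root".

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, trimmed profile XML in the layout "netsh wlan export profile"
# writes; only the elements this audit reads are kept.
PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>{auth}</authentication>
      <encryption>{enc}</encryption>
      <useOneX>{onex}</useOneX>
    </authEncryption>{eap_block}
  </security></MSM>
</WLANProfile>"""

ONEX = """
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod>
          <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">{eap}</Type>
        </EapMethod>
        <Config><ServerValidation>{pin}</ServerValidation></Config>
      </EapHostConfig>
    </EAPConfig></OneX>"""

# Placeholder values: the server name and thumbprint are not from a real deployment.
PINNED = ("<ServerNames>ias1.example.com</ServerNames>"
          "<TrustedRootCA>PLACEHOLDER-EXAMPLE-CA-THUMBPRINT</TrustedRootCA>")

SAMPLES = [
    PROFILE.format(name="WIR_TST_Lab PEAP", ssid="WIR_TST_Lab", ctype="ESS",
                   auth="WPA2", enc="AES", onex="true",
                   eap_block=ONEX.format(eap=25, pin=PINNED)),
    PROFILE.format(name="WIR_TST_Lab TLS", ssid="WIR_TST_Lab", ctype="ESS",
                   auth="WPA", enc="TKIP", onex="true",
                   eap_block=ONEX.format(eap=13, pin="")),
    PROFILE.format(name="AdHocTest", ssid="AdHocTest", ctype="IBSS",
                   auth="open", enc="WEP", onex="false", eap_block=""),
]

EAP_METHODS = {"13": "EAP-TLS", "25": "PEAP"}  # IANA EAP method type numbers


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_profile(xml_text):
    """Return the security-relevant settings of one WLAN profile document."""
    els = defaultdict(list)
    for el in ET.fromstring(xml_text).iter():
        els[local(el.tag)].append(el)

    def text(tag):
        return (els[tag][0].text or "").strip() if els[tag] else ""

    ssid = next(((c.text or "").strip() for s in els["SSID"] for c in s
                 if local(c.tag) == "name"), "")
    return {
        "name": text("name"),  # first <name> in document order is the profile name
        "ssid": ssid,
        "connection_type": text("connectionType"),
        "authentication": text("authentication"),
        "encryption": text("encryption"),
        "use_onex": text("useOneX").lower() == "true",
        "eap_method": EAP_METHODS.get(text("Type"), text("Type") or None),
        "trusted_roots": [e.text.strip() for e in els["TrustedRootCA"]
                          if e.text and e.text.strip()],
    }


def audit(p):
    """List the weaknesses of one parsed profile (empty list means none found)."""
    findings = []
    if p["connection_type"] == "IBSS":
        findings.append("ad hoc (IBSS) profile")
    if p["authentication"] in ("open", "shared") or p["encryption"] in ("none", "WEP"):
        findings.append("open or WEP security")
    elif p["authentication"] in ("WPA", "WPAPSK") or p["encryption"] == "TKIP":
        findings.append("WPA/TKIP instead of WPA2/AES")
    if p["use_onex"] and not p["trusted_roots"]:
        findings.append("802.1X without a pinned trusted root CA")
    return findings


def profiles_by_ssid(profiles):
    """Group profile names by SSID to expose mixed-mode deployments."""
    groups = defaultdict(list)
    for p in profiles:
        groups[p["ssid"]].append(p["name"])
    return dict(groups)


if __name__ == "__main__":
    parsed = [parse_profile(x) for x in SAMPLES]
    for p in parsed:
        print(p["name"], p["eap_method"], audit(p) or "no findings")
    print(profiles_by_ssid(parsed))
```
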
This procedure joins your wireless computer running Windows Vista to the example.com test domain.
To join WirelessV to the example.com domain