Configure 802.1X Wireless Clients Running Windows XP with Group Policy

Applies To: Windows Server 2008

Use the procedures in this topic to configure the Wireless Network (IEEE 802.11) Policies for client computers running Windows XP that connect to your wireless network through 802.1X authenticating wireless access points (APs).

This document provides the detailed steps to create and configure the Wireless Network (IEEE 802.11) Policies and wireless configuration profiles for wireless computers running Windows XP and Windows Server 2003.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Configure wireless clients running Windows XP by using the Wireless Network (IEEE 802.11) Policies

You can use the Windows XP Wireless Network (IEEE 802.11) Policies to configure and manage wireless profiles for computers running Windows XP.

Similar to the wireless policy for computers running Windows Vista, you can configure and prioritize multiple profiles by using the wireless network policy for computers running Windows XP. However, unlike the wireless policy for Windows Vista, the wireless policy for Windows XP requires each profile to specify a unique SSID.

Using the Windows Server 2008 or Windows Vista Group Policy Management Console to configure wireless policies exposes the settings that enable you to configure Wi-Fi Protected Access version 2 (WPA2) on client computers running Windows XP with Service Pack 2 (SP2). This is not possible when using the GPMC in Windows Server 2003.

Note

You can use the Windows XP Wireless Network (IEEE 802.11) Policies to configure wireless computers running Windows Vista and Windows Server 2008. However, only the Windows Vista Wireless Network (IEEE 802.11) Policies provide the configuration settings for the enhanced security and management features available in computers running Windows Vista and Windows Server 2008.

Opening the Wireless Network (IEEE 802.11) Policies properties

Use this procedure to access the Wireless Network (IEEE 802.11) Policy.

To open the Wireless Network (IEEE 802.11) Policies properties

  1. Open the Group Policy Management Console (GPMC).

  2. In Default Domain Policy, open Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policies.

  3. If there is a Wireless Network Policy in the details pane, with the Type listed as XP, right-click that policy, and then click Properties, to access the properties of the wireless policy.

Note

The wireless policy is not necessarily listed as New Vista Wireless Network Policy in the details pane of the Group Policy Management Console. If the default policy name was previously changed from New Vista Wireless Network Policy to another name, the name change is reflected in the GPMC details pane.

  4. If there is not a Wireless Network Policy in the details pane, with the Type listed as XP, right-click Wireless Network (IEEE 802.11) Policies, and then click Create A New Windows XP Policy to activate and open the New XP Wireless Network Policy Properties.

Note

After the Windows Vista Wireless Policy is added, it is only listed in the GPMC details pane when Wireless Network (IEEE 802.11) Policies is selected.

Configure wireless clients running Windows XP

The procedure in this section provides the steps to use the Windows XP Wireless Network (IEEE 802.11) Policies to configure wireless profiles that wireless clients running Windows XP will use to connect to your wireless network.

To configure wireless clients running Windows XP by using the Wireless Network (IEEE 802.11) Policies

  1. In Windows XP Wireless Network (IEEE 802.11) Policies Properties, on the General tab, do the following:

    1. In XP PolicyName, type a name for your wireless policy.

    2. In Description, type a brief description of the policy.

    3. In Networks to access, select either Any available network (wireless AP preferred) or Access Point (infrastructure) network only.

    4. Select Use Windows to configure wireless network settings for clients.

  2. On the Preferred Networks tab, click Add, and then select Infrastructure. On the Network Properties tab, configure the following:

    1. In Network Name (SSID), type the SSID for your network.

Note

The value you enter in this field must match the value configured on the access points you have deployed on your network.

    2. In **Description**, enter a description for the **New Preferred Setting Properties**.

    3. To specify that a network key is used for authentication to the wireless network, under **Select the security methods for this network**, in **Authentication**, select either **WPA2** (preferred), or **WPA**. In **Encryption**, specify either **AES** or **TKIP**.

Note

In the Windows XP Wireless Network (IEEE 802.11) Policies, WPA2 and WPA correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies WPA2-Enterprise and WPA-Enterprise settings, respectively.

Note

Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are sufficient for most wireless deployments.

  3. Click the IEEE 802.1X tab. In EAP type, select one of the following:

    For deployments using PEAP-MS-CHAP v2, do the following:

    1. By default, Protected EAP (PEAP) is selected.

      The remaining default settings on the IEEE 802.1X tab are sufficient for most wireless deployments.

    2. Click Settings. In the Protected EAP Properties dialog box, do the following:

      Verify that Validate Server certificate is selected.

      In Select Authentication Method, select Secured password (EAP-MS-CHAP v2).

      In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your Network Policy Server (NPS).

Note

This setting limits the trusted root CAs that clients trust to the selected values. If no Trusted Root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store.

      To enable PEAP Fast Reconnect, ensure that **Enable Fast Reconnect** is selected.

    3. Click **OK** two times. The PEAP profile is listed under **Networks**. Click **OK**, and then close the Group Policy Management Console.

    **For deployments using Smart Card or other certificates** (EAP-TLS), do the following:

    1. Select **Smart Card or other Certificate**.

      The remaining default settings on the IEEE 802.1X tab are typically sufficient for wireless deployments.

    2. Click **Settings**. In the **Smart Card or other Certificate Properties** dialog box, do the following:

      For smart card deployments, select **Use my smart card**; for other certificate deployments, select **Use a certificate on this computer**.

      Verify that **Validate Server certificate** is selected.

      In **Trusted Root Certification Authorities**, select the trusted root CA that issued the server certificate to your Network Policy Server.

Note

This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store.

    3. Click **OK** two times. The EAP-TLS profile is listed under **Networks**. Click **OK**, and then close the Group Policy Management Console.
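
The rules this topic states for a Windows XP wireless policy (a unique SSID per profile, WPA2 preferred, Validate Server certificate selected, and an explicitly selected trusted root CA) can be reviewed before the settings are entered in the GPMC. The following Python sketch is an added example, not part of the original topic and not a Microsoft tool; the dictionary layout, the finding names, and the sample SSIDs and CA names are constructed assumptions and do not represent a GPMC export format.

```python
# Added example: review planned XP wireless profiles against this topic's rules.
# Data layout and names are hypothetical; sample values are constructed.
from collections import Counter

def effective_trust_anchors(profile, client_root_store):
    """Return the root CAs a client accepts for the NPS server certificate.

    None means the server certificate is not validated at all.
    """
    if not profile["validate_server_cert"]:
        return None
    selected = set(profile["trusted_roots"])
    # Per the topic's note: if no root CA is selected, the client trusts
    # every root CA in its trusted root certification authority store.
    return selected if selected else set(client_root_store)

def review_policy(profiles, client_root_store):
    """Return sorted (ssid, finding) pairs for settings that need attention."""
    findings = set()
    ssid_counts = Counter(p["ssid"] for p in profiles)
    for p in profiles:
        ssid = p["ssid"]
        if ssid_counts[ssid] > 1:          # XP policy: each profile needs a unique SSID
            findings.add((ssid, "duplicate-ssid"))
        if p["authentication"] != "WPA2":  # WPA2 is the preferred selection
            findings.add((ssid, "wpa2-not-selected"))
        anchors = effective_trust_anchors(p, client_root_store)
        if anchors is None:
            findings.add((ssid, "server-cert-not-validated"))
        elif not p["trusted_roots"]:
            findings.add((ssid, "trusts-all-%d-store-roots" % len(anchors)))
    return sorted(findings)

# Constructed sample input: one client root store and three planned profiles.
CLIENT_ROOT_STORE = ["Example Corp Root CA", "Constructed Root A", "Constructed Root B"]
PLANNED_PROFILES = [
    {"ssid": "CorpWLAN", "authentication": "WPA2", "encryption": "AES",
     "validate_server_cert": True, "trusted_roots": ["Example Corp Root CA"]},
    {"ssid": "CorpLegacy", "authentication": "WPA", "encryption": "TKIP",
     "validate_server_cert": True, "trusted_roots": []},
    {"ssid": "CorpLegacy", "authentication": "WPA2", "encryption": "AES",
     "validate_server_cert": False, "trusted_roots": []},
]

if __name__ == "__main__":
    for ssid, finding in review_policy(PLANNED_PROFILES, CLIENT_ROOT_STORE):
        print(ssid, finding)
```
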