Wireless Access Deployment Planning
Applies To: Windows Server 2008, Windows Vista
Before you deploy wireless access, you must plan the following items:
Installation of wireless access points (APs) on your network
Wireless client configuration and access
Planning wireless AP installations
When you design your wireless network access solution, you must determine what standards your wireless APs must support, the areas where you want to provide wireless service, and where to locate wireless APs.
Verify wireless AP support for standards
For the purposes of consistency and simpler deployment, it is recommended that you deploy wireless APs of the same brand and model.
The wireless APs that you deploy must support the following:
Wireless Authentication and Cipher. WPA2-Enterprise (preferred), or a minimum of WPA-Enterprise and AES (preferred), or a minimum of TKIP.
To deploy WPA2, use wireless network adapters and wireless APs that also support WPA2. Otherwise, use WPA-Enterprise.
In addition, to provide enhanced security for the network, the wireless APs must support the following filtering options:
DHCP filtering. The wireless AP must filter on IP ports to prevent the transmission of DHCP broadcast messages in those cases in which the client is a DHCP server. The wireless AP must block the client from sending IP packets from UDP port 68 to the network.
DNS filtering. The wireless AP must filter on IP ports to prevent a client from performing as a DNS server. The wireless AP must block the client from sending IP packets from TCP or UDP port 53 to the network.
Identify areas of coverage for wireless users
Use architectural drawings of each floor for each building to identify the areas where you want to provide wireless coverage. For example, identify the appropriate offices, conferences rooms, lobbies, cafeterias, or courtyards. On the drawings, indicate any devices that interfere with the wireless signals, such as medical equipment, wireless video cameras, cordless telephones that operate in the 2.4 through 2.5 GHz Industrial, Scientific and Medical (ISM) range, and Bluetooth-enabled devices. On the drawing, mark aspects of the building that might interfere with wireless signals; metal objects used in the construction of a building can affect the wireless signal. For example, the following common objects can interfere with signal propagation: Elevators, heating and air-conditioning ducts, and concrete support girders.
Refer to your AP manufacturer for information about sources that might cause wireless AP radio frequency attenuation. Most APs provide testing software that you can use to check for signal strength, error rate, and data throughput.
Determine where to install wireless APs
On the architectural drawings, locate your wireless APs close enough together to provide ample wireless coverage but far enough apart that they do not interfere with each other. The necessary distance between APs depends upon the type of AP and AP antenna, aspects of the building that block wireless signals, as well as other sources of interference. Typically, mark wireless APs placements so that each wireless AP is not more than 300 feet from any adjacent wireless AP.See the wireless AP manufacturer’s documentation for AP specifications and guidelines for placement.
Temporarily install wireless APs in the locations specified on your architectural drawings. Then using a laptop equipped with an 802.11 wireless adapter and the site survey software that is commonly supplied with wireless adapters, determine the signal strength within each coverage area. In coverage areas where signal strength is low, reposition the AP to improve signal strength for the coverage area, install additional wireless APs to provide the necessary coverage, relocate or remove sources of signal interference.
Update your architectural drawings to indicate the final placement of all wireless APs. Having an accurate AP placement map will assist later during troubleshooting operations or when you want to upgrade or replace APs.
Wireless AP configuration
The following list summarizes items commonly configured on 802.1X-capable wireless APs:
The item names can vary by brand and model and might be different from those in the following list. See your wireless AP documentation for configuration-specific details.
SSID. This is the name of the wireless network (for example, ExampleWlan). This is the name that is advertised to wireless clients. In Windows XP, the SSID is the name displayed in View Available wireless networks when the computer detects the wireless AP advertisement. In cases in which multiple wireless APs are deployed as part of the same wireless network, configure each wireless AP with the same SSID.
Wireless AP IP address (static). For each AP, configure a unique static IP address that falls within the DHCP exclusion range as documented in the Windows Server 2008 Foundation Network Guide procedure “Creating a new DHCP Scope.
DNS name. Some wireless APs can be configured with a DNS name. The DNS service on the network can resolve DNS names to an IP address. On each wireless AP that supports this feature, enter a unique name for DNS resolution.
Wireless AP subnet mask. Configure this to match the subnet mask used for the IP address range in DHCP. For example, the IP address range used in this guide is 255.255.255.0.
AP DHCP service. If your wireless AP has a built-in DHCP service, disable it.
RADIUS shared secret. Use a unique RADIUS shared secret for each wireless AP. Each shared secret should be a random sequence at least 22 characters long of uppercase and lowercase letters, numbers, and punctuation. To ensure randomness, you can use a random character generation program to create your shared secrets. It is recommended that you record the shared secret for each wireless AP and store it in a secure location, such as an office safe. Configure the shared secret on each wireless AP when you configure RADIUS clients in the NPS procedures that follow.
RADIUS server IP address. Type the IP address of the server running NPS. Because NPS is installed on the domain controller in this scenario, this is the same IP address as the domain controller.
UDP port(s). By default, NPS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages. It is recommended that you do not change the default RADIUS UDP ports settings.
VSAs. Some wireless APs require vendor-specific attributes (VSAs) to provide full wireless AP functionality. VSAs are specified by using NPS remote access network policy.
DHCP filtering. Configure wireless APs to block wireless clients from sending IP packets from UDP port 68 to the network, as documented by the wireless AP manufacturer.
DNS filtering. Configure wireless APs to block wireless clients from sending IP packets from TCP or UDP port 53 to the network, as documented by the wireless AP manufacturer.
Planning wireless client configuration and access
When planning the deployment of 802.1X-authenticated wireless access, you must consider several factors:
Planning support for multiple standards. Are your wireless computers limited to one version of Windows? For example, are all of your wireless client computers all running Windows Vista, or does your deployment include computers running a mixture of Windows Vista and Windows XP? Do all of the wireless network adapters on all of your wireless client computers support the same standards, or do you need to support varying standards. For example, do some network adapter hardware drivers support WPA2-Enterprise and AES, while others support only WPA-Enterprise and TKIP?
Planning wireless restrictions. Do you want to provide all of your wireless users with the same level of access to your wireless network, or do you want to restrict access for some of your wireless users?
Planning methods for adding new wireless computers. For computers that are already joined to your domain, wireless configuration settings are automatically applied after you configure Wireless Network (IEEE 802.11) Policies and Group Policy is refreshed. For these wireless clients, 802.1X authenticated access is possible after you have configured network policies in NPS.
For computers that are not already joined to your domain, however, you must plan a method to apply the settings that are required for 802.1X-authenticated access. For example, do you want to provide your wireless users with the steps and settings that they require to add their own wireless bootstrap profile, or do you want configuration preformed by a member of your IT staff?
Planning support for multiple standards
In Windows Server 2008, the Wireless Network (IEEE 802.11) Policies extension in Group Policy provide a wide range of configuration options to support mixed mode deployments. Mixed mode deployments are accomplished by deploying wireless APs that are configured with the standards that you want to support, and then configuring multiple wireless profiles in Wireless Network (IEEE 802.11) Policies, with each profile specifying one of the required set of standards.
For example, if your network has wireless computers that support WPA2-Enterprise and AES as well as WPA-Enterprise and TKIP, while others support only WPA-Enterprise and TKIP, you must determine whether you want to:
Configure a single profile to support all of the wireless computers using the lowest common standard; in this case, WPA-Enterprise and TKIP.
Configure two profiles to provide the best possible security that is supported by each wireless computer. In this instance, you must configure one profile that specifies WPA2-Enterprise and AES, and one profile that uses WPA-Enterprise and TKIP. It is essential that you place the profile that uses WPA2-Enterprise and AES highest in the preference order. Computers that are not capable of using WPA2-Enterprise and AES will automatically skip to the next profile in the preference order and process the profile that specifies WPA-Enterprise and TKIP.
If the WPA-Enterprise-TKIP profile is placed higher in the preference order, computers that are capable of using both standards will connect using the less secure standards.
The Wireless Network (IEEE 802.11) Policies extension provides two distinct sets of settings in Windows Server 2008:
XP Wireless Network Policy. By using this policy, you can configure computers running Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. However, if you use the XP Wireless Network Policy, the configuration of computers running Windows Vista and Windows Server 2008 are limited to those settings. Therefore, to take advantage of the enhancements provided in Windows Vista and Windows Server 2008, it is recommend that you configure the Vista Wireless Network Policy for wireless computers running Windows Vista and Windows Server 2008.
Vista Wireless Network Policy. This policy provides enhanced features for wireless client computers running Windows Vista and Windows Server 2008. You cannot use the Vista Wireless Network Policy to configure computers running either Windows XP or Windows Server 2003.
Planning restricted access to the wireless network
In many cases, you might want to provide wireless users with varying levels of access to the wireless network. For example, you might want to allow some users unrestricted access, any hour of the day, every day of the week. For other users, you might only want to allow access during core hours, Monday through Friday, and deny access on Saturday and Sunday.
This guide provides instructions to create an access environment that places all of your wireless users in a group with common access to wireless resources. You create one wireless users security group in the Active Directory Users and Computers snap-in, and then make every user for whom you want to grant wireless access – a member of that group. When you configure NPS network policies, you specify the wireless users security group as the object that NPS processes when determining authorization.
However, if your deployment requires support for varying levels of access you need only do the following:
Follow the procedure Create a Wireless Users Security Group in this guide, to create additional wireless security groups in Active Directory Users and Computers, each security group specifying a unique name.
Follow the procedure Add Users to the Wireless Users Security Group to make each user a member of the appropriate security group.
Follow the procedure Create NPS Policies for 802.1X Wireless Using a Wizard to configure an additional set of NPS policies for each additional wireless security group. In step 9 of the procedure, in Specify User Groups, click Add, and then type the name of the security group that you configured in Active Directory Users and Computers.
Planning methods for adding new wireless computers
The preferred method to join new wireless computers to the domain and then log on to the domain, is by using a wired connection to a segment of the LAN that has access to domain controllers, and is not protected by an 802.1X authenticating Ethernet switch.
For more information about the steps to join computers to the domain by using a wired connection, and to log on to the domain by using a wired connection, see the Windows Server 2008 Foundation Network Guide, in the section titled Joining computers to the Domain and Logging On. The Windows Server 2008 Foundation Network Guide is available for download in Word formant at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252).
In some cases, however, it might not be practical to use a wired connection to join computers to the domain, or, for a user to use a wired connection for their first logon attempt by using computers that are already joined to the domain. To join a computer to the domain by using a wireless connection, or for users to logon to the domain the first time by using a wireless connection, wireless clients must first establish a connection to the wireless network on a segment that has access to the network domain controllers. This is explained in more detail as follows:
In 802.1X authentication, for successful mutual authentication to occur by using PEAP-MS-CHAP v2, both of the following take place:
Connecting clients present their domain user and password credentials. Client authentication is accomplished by validating the presented credentials against records in the Active Directory User Accounts database.
NPS servers present their server certificates to the connecting client for validation. Authentication of the NPS server is accomplished by comparing the certificate presented by the NPS server against the record in the Trusted Root Certification Authorities certificate store on the client computer.
In mutual authentication, verification of the NPS server certificate is used to prevent the connecting client from unintentionally connecting to rogue networks. The requirement to perform mutual authentication is the default behavior of Windows wireless clients.
If the RADIUS server is using a certificate from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and if the root certification authority certificate is already installed on the connecting client in the Trusted Root Certification Authorities certificate store, then the connecting client can validate the RADIUS server's computer certificate regardless of whether the wireless client has joined the Active Directory domain.
If the RADIUS server is using computer certificates from a private PKI that is integrated with Active Directory (such as one that is based on Windows Server 2008 Active Directory Certificate Services), and the client has not yet joined the domain, and does not yet have the root CA certificate of the RADIUS server's computer certificate, then the authentication process, by default, will fail.
To join computers to the domain by using a wireless connection, you can temporarily disable the client-side requirement to authenticate the NPS server. However, for security reasons, disabling the requirement to authenticate the NPS server is not a recommended configuration after the computer is successfully joined to the domain.
This guide provides the following methods to configure wireless computers running Windows Vista with wireless profiles that users can use to either join the computer to the domain by using a wireless connection, or to log on to the domain by using a wireless connection and a computer that is already joined to the domain:
A member of the IT staff joins a wireless computer to the domain, and then configures a Single Sign On bootstrap wireless profile. In this method, an IT administrator connects the wireless computer to the wired Ethernet network, and then joins the computer to the domain. Then the administrator distributes the computer to the user. When the user starts the computer, the domain credentials that they manually specify for the user logon process are used to both establish a connection to the wireless network and log on to the domain.
The user manually configures wireless computer with bootstrap wireless profile, and then joins the domain. In this method, users manually configure their wireless computers with a bootstrap wireless profile based on instructions from an IT administrator. The bootstrap wireless profile allows users to establish a wireless connection, and then join the computer to the domain. After joining the computer to the domain and restarting the computer, the user can log on to the domain by using a wireless connection and their domain account credentials.