Wireless Access Deployment Overview

Applies To: Windows Server 2008, Windows Vista

The following illustration shows the components that are required to deploy 802.1X authenticated wireless access with PEAP-MS-CHAP v2.

Wireless access deployment components

The following components are required for this wireless access deployment:

802.1X-capable Wireless access points

After the required network infrastructure services supporting your wireless local area network are in place, you can begin the design process for the location of the wireless APs. The wireless AP deployment design process involves these steps:

  • Identify the areas of coverage for wireless users. While identifying the areas of coverage, be sure to identify whether you want to provide wireless service outside the building, and if so, determine specifically where those external areas are.

  • Determine how many wireless APs to deploy to ensure adequate coverage.

  • Determine where to place wireless APs.

  • Select the channel frequencies for wireless APs.

Active Directory Domain Services

Users and Computers

Use the Active Directory Users and Computers snap-in to create and manage user accounts, and to create a wireless security group for each domain member to whom you want to grant wireless access.

Wireless Network (IEEE 802.11) Policies

You can use the Wireless Network (IEEE 802.11) Policies extension of Group Policy Management to configure separate policies for computers running Windows Vista® and Windows XP. If your network contains a mixture of wireless client computers that run either Windows Vista or Windows XP, this guide provides instructions about how to configure both types of policies.

The Vista Wireless Network (IEEE 802.11) Policies extension enables you to configure, prioritize and manage multiple wireless profiles that each use different profile names and different wireless settings, while using the same Service Set Identifier (SSID). For example, you can configure two (or more) profiles using the same SSID; one profile to use smart cards and one profile to use Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), or one using Wi-Fi Protected Access version 2 (WPA2)-Enterprise and one using WPA-Enterprise. The ability to configure mixed-mode deployments using a common SSID is one of the enhancements in the Wireless Network (IEEE 802.11) Policies for Windows Vista. You can use the Windows Vista Wireless Network (IEEE 802.11) Policies to configure wireless computers running Windows Vista and Windows Server 2008. You must use a Windows XP Wireless Policy to configure computers running Windows XP. Computers running Windows XP cannot be configured by using the Windows Vista Wireless Network (IEEE 802.11) Policies.


Network Policy Server (NPS) enables you to create and enforce network access policies for client health, connection request authentication, and connection request authorization. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points, as RADIUS clients in NPS. You also configure the network policies that NPS uses to authenticate access clients and authorize their connection requests.

Wireless client computers

Wireless client computers are computers that are equipped with IEEE 802.11 wireless network adapters and that are most typically running Windows Vista or Windows XP. Within the context of this deployment scenario, wireless client computers can also be computers running Windows Server 2008 or Windows Server 2003. You can specify network policy for computers running Windows Server 2003 using the same Wireless Network (IEEE 802.11) Policies extension of Group Policy as computers running Windows XP. With minor differences, you can specify network policy for computers running Windows Server 2008 by using the same Wireless Network (IEEE 802.11) Policies Group Policy extension as computers running Windows Vista. To use wireless service on computers running Windows Server 2008, you must first install the Wireless LAN Service. In Windows Server 2008, the Wireless LAN Service is installed using the Add Features component of Server Manager.

Wireless access deployment process

The process of configuring and deploying wireless access occurs in these stages:

Stage 1

Plan, deploy, and configure your APs for wireless client connectivity and for use with NPS. Depending on your preference and network dependencies, you can either pre-configure settings on your wireless APs prior to installing them on your network, or you can configure them remotely after installation.

Stage 2

You must create one or more wireless users security groups. Then, you must add each user for whom you want to allow wireless access to the wireless network to the appropriate wireless users security group.

Stage 3

Configure the Wireless Network (IEEE 802.11) Policies extension of Group Policy by using the Group Policy Management Editor Microsoft Management Console (MMC). The Wireless Network (IEEE 802.11) Policies provision wireless client computers with the configuration settings required for 802.1X authentication and wireless connectivity. It is in this Group Policy extension that you specify network permission parameters, connection settings, and security settings.

For example, administrators can use the Wireless Network (IEEE 802.11) Policies to specify the network authentication mode, which determines how user and computer domain credentials are used for authentication. Three of the network authentication modes that administrators can select, process domain credentials as follows:

  • User re-authentication specifies that authentication always uses security credentials based on the computer's current state. Authentication is performed by using the computer credentials when no local users are logged on to the computer. When a local user logs on to the computer, authentication is always performed by using the user credentials.


A local user specifies a user who is physically logged on to the computer locally, as opposed to a user who logs on to a computer by using a remote connection.

  • Computer only specifies that authentication is always preformed by using only the computer credentials.

  • User authentication specifies that authentication is only performed when the user is logged on to the computer. When no user is logged on to the computer, the computer is not connected to the network.

For domain member computers that can log on to the network, newly-configured Group Policy settings are automatically applied when Group Policy is refreshed. Group Policy is automatically refreshed at pre-determined intervals, or by restarting the client computer. Additionally, you can force Group Policy to refresh by running gpupdate at the command prompt.

Stage 4

Use a configuration wizard in NPS to add wireless access points as RADIUS clients, and to create the network policies that NPS uses when processing connection requests. When using the wizard to create the network policies, specify PEAP as the EAP type, and the wireless users security group that was created in the second stage.

Stage 5

Use client computers to connect to the network.

For domain member computers that can log on to the wired LAN, the necessary wireless configuration settings are automatically applied when Group Policy is refreshed. If you have enabled the setting in Wireless Network (IEEE 802.11) Policies to connect automatically when the computer is within broadcast range of the wireless network, your wireless, domain-joined computers will automatically attempt to connect. To connect to the wireless network, users need only supply their domain user name and password credentials when prompted by Windows.