Configure Computers Running Windows XP to Use EAP-TLS

Applies To: Windows Server 2008, Windows Vista

Follow these steps to configure an Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) wireless configuration profile for wireless computers running Windows XP and Windows Server 2003.

Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.

To configure an EAP-TLS profile for wireless client computers running Windows XP

  1. In Windows XP Wireless Network (IEEE 802.11) Policies Properties, on the General tab, do the following:

    1. In XP PolicyName, type a name for your wireless policy.

    2. In Description, type a brief description of the policy.

    3. In Networks to access, select either Any available network (wireless AP preferred) or Access Point (infrastructure) network only.

    4. Select Use Windows to configure wireless network settings for clients.

  2. On the Preferred Networks tab, click Add, and then select Infrastructure. On the Network Properties tab, configure the following:

    1. In Network Name (SSID), type the service set identifier (SSID) for your network.


The value that you enter in this field must match the value configured on the access points that you have deployed on your network.

2.  In **Description**, enter a description for the **New Preferred Setting Properties**.  

3.  To specify that a network key is used for authentication to the wireless network, under **Select the security methods for this network**, in **Authentication**, select either **WPA2** (preferred), or **WPA**. In **Encryption**, specify either **AES** or **TKIP**.  


In the Windows XP Wireless Network (IEEE 802.11) Policies, WPA2 and WPA correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies WPA2-Enterprise and WPA-Enterprise settings, respectively.


Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are sufficient for most wireless deployments.

  1. Click the IEEE 802.1X tab. In EAP type, select Smart Card or other Certificate.

    The remaining default settings on the IEEE 802.1X tab are typically sufficient for wireless deployments.

  2. Click Settings. In the Smart Card or other Certificate Properties dialog box, do the following:

    1. For smart card deployments, select Use my smart card, for other certificate deployments, select Use a certificate on this computer.

    2. Verify that Validate Server certificate is selected.

    3. In Trusted Root Certification Authorities, select the CA that issued the server certificate to your Network Policy server.

      Security Note
      This setting limits the CAs that clients trust to the selected values. If no CAs are selected, clients will trust all CAs in their Trusted Root Certification Authorities certificate store.

  3. Click OK two times. The EAP-TLS profile is listed under Networks. Click OK, and then close the Group Policy Management Console (GPMC).