Wireless Access Deployment Overview
Updated: October 4, 2010
Applies To: Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP
The following illustration shows the components that are required to deploy 802.1X authenticated wireless access with PEAP-MS-CHAP v2.
Wireless access deployment components
The following components are required for this wireless access deployment:
802.1X-capable Wireless access points
After the required network infrastructure services supporting your wireless local area network are in place, you can begin the design process for the location of the wireless APs. The wireless AP deployment design process involves these steps:
Identify the areas of coverage for wireless users. While identifying the areas of coverage, be sure to identify whether you want to provide wireless service outside the building, and if so, determine specifically where those external areas are.
Determine how many wireless APs to deploy to ensure adequate coverage.
Determine where to place wireless APs.
Select the channel frequencies for wireless APs.
Active Directory Domain Services
Users and Computers
Use the Active Directory Users and Computers snap-in to create and manage user accounts, and to create a wireless security group for each domain member to whom you want to grant wireless access.
Wireless Network (IEEE 802.11) Policies
You can use the Wireless Network (IEEE 802.11) Policies extension of Group Policy Management to configure policies for computers that are running Windows® 7 and Windows Vista®, and Windows XP. As is the case with Group Policy Management found in Windows Server® 2008, there are two separate wireless policy nodes in the Windows Server® 2008 R2 Wireless Network (IEEE 802.11) Policies extension of Group Policy. For the purpose of this discussion, a wireless policy node is a collection of Group Policy settings that can be applied to computers running specific operating systems. By default, the two wireless policy nodes in the Windows Server 2008 R2 Wireless Network (IEEE 802.11) Policies are named:
New XP Wireless Network Policy
New Wireless Network Policy
When configuring either the New XP Wireless Network Policy or the New Wireless Network Policy you are provided the option to change the name and description of the policy. If you change the name of either policy, that change is reflected in the Details pane of Group Policy Management Editor, and on the title bar of the wireless network policy dialog. Regardless of how you rename your policies, the New XP Wireless Policy will always be listed in Group Policy Management Editor with the Type displaying XP. The New Wireless Network Policy will always be listed with the Type showing Vista and later Releases.
The following table describes which of the operating systems can be configured by each wireless policy.
|Policy||Can be applied to Windows XP (Windows Server 2003)||Can be applied to Windows Vista (Windows Server 2008)||Can be applied to Windows 7 (Windows Server 2008 R2)|
New XP Wireless Network Policy
But this policy cannot configure new wireless features in Windows Vista
But this policy cannot configure new wireless features in Windows Vista and Windows 7.
New Wireless Network Policy
Includes settings for all of the wireless features in Windows Vista.
Includes settings for all of the wireless features in Windows Vista, and settings for wireless feature enhancements in Windows 7. Computers running Windows Vista will ignore Windows 7-specific settings.
On your domain wireless client computers running Windows 7 and Windows Vista, users can view the profiles you configure in the Windows Vista Wireless Network Policy by opening Network and Sharing Center and then clicking Manage wireless networks
The Windows Vista Wireless Policies in Windows Server 2008 R2 Group Policy also provide settings that you can use to manage specific features and enhancements that are found only in wireless client computers running Windows 7.
The Windows Vista Wireless Network Policy enables you to configure, prioritize, and manage multiple wireless profiles. A wireless profile is a collection of connectivity and security settings that are used to connect to a specific wireless network. When Group Policy is updated on your wireless client computers, the profiles you create in the Windows Vista Wireless Network Policy are automatically added to your wireless client computers that are running Windows 7 and Windows Vista to which the Wireless Network Policy applies.
If you have wireless clients that you want to be able to connect to more than one wireless network, you can configure a wireless profile that contains the specific connectivity and security settings for each network. For example, assume your company has one wireless network for the main corporate office, with a service set identifier (SSID) WlanCorp. Your branch office also has a wireless network to which you also want to connect. The branch office has the SSID configured as WlanBranch. In this scenario, you can configure a profile for each network, and laptops that are used at both the corporate office and branch office will be able to connect to the wireless networks when they are at either location.
Alternately, assume your network has a mixture of wireless computers that support different security standards. Perhaps some older computers have wireless adapters that can only use WPA-Enterprise, while newer devices can use the stronger WPA2-Enterprise standard. You can create two different profiles that use the same SSID and nearly identical connectivity and security settings. However in one profile, you can set the wireless authentication to WPA2-Enterprise with AES, and in the other profile you can specify WPA-Enterprise with TKIP. This is commonly known as a mixed-mode deployment. The ability to configure mixed-mode deployments using a common SSID is one of the enhancements in the Wireless Network (IEEE 802.11) Policies for Windows Vista.
Network Policy Server (NPS) enables you to create and enforce network access policies for client health, connection request authentication, and connection request authorization. When you use NPS as a RADIUS server, you configure network access servers, such as wireless access points, as RADIUS clients in NPS. You also configure the network policies that NPS uses to authenticate access clients and authorize their connection requests.
Wireless client computers
For the purpose of this guide, wireless client computers are computers that are equipped with IEEE 802.11 wireless network adapters and that are most typically running Windows 7, Windows Vista or Windows XP. Within the context of this deployment scenario, however, wireless client computers can also be computers that are running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
By default, the functionality for 802.11 wireless is disabled on computers that are running Windows Server 2008 R2 and Windows Server 2008. To use 802.11 wireless on computers running Windows Server 2008 R2 and Windows Server 2008 you must first install and enable the Wireless LAN Service feature on the server computer. You can install the Wireless LAN Service feature by using the Add Features Wizard in Server Manager.
Wireless access deployment process
The process of configuring and deploying wireless access occurs in these stages:
Stage 1 – AP Deployment
Plan, deploy, and configure your APs for wireless client connectivity and for use with NPS. Depending on your preference and network dependencies, you can either pre-configure settings on your wireless APs prior to installing them on your network, or you can configure them remotely after installation.
Stage 2 – AD DS Group Configuration
You must create one or more wireless users security groups. Then, you must add each user for whom you want to allow wireless access to the wireless network to the appropriate wireless users security group.
Stage 3 – Group Policy Configuration
Configure the Wireless Network (IEEE 802.11) Policies extension of Group Policy by using the Group Policy Management Editor Microsoft Management Console (MMC).
To configure domain-member computers using the settings in the wireless network policies, you must apply Group Policy. When a computer is first joined to the domain Group Policy is automatically applied. If changes are made to Group Policy, the new settings are automatically applied:
by Group Policy at pre-determined intervals
if a domain user logs off and then back on to the network
by restarting the client computer and logging on to the domain
You can also force Group Policy to refresh by running gpupdate at the command prompt.
Stage 4 – NPS server configuration
Use a configuration wizard in NPS to add wireless access points as RADIUS clients, and to create the network policies that NPS uses when processing connection requests. When using the wizard to create the network policies, specify PEAP as the EAP type, and the wireless users security group that was created in the second stage.
Stage 5 – Deploy wireless clients
Use client computers to connect to the network.
For domain member computers that can log on to the wired LAN, the necessary wireless configuration settings are automatically applied when Group Policy is refreshed. If you have enabled the setting in Wireless Network (IEEE 802.11) Policies to connect automatically when the computer is within broadcast range of the wireless network, your wireless, domain-joined computers will then automatically attempt to connect to the wireless LAN. To connect to the wireless network, users need only supply their domain user name and password credentials when prompted by Windows.