Wireless Access Deployment Planning

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Before you deploy wireless access, you must plan the following items:

  • Installation of wireless access points (APs) on your network

  • Wireless client configuration and access

The following sections provide details on these planning steps.

Planning wireless AP installations

When you design your wireless network access solution, you must do the following:

  1. Determine what standards your wireless APs must support
  2. Determine the coverage areas where you want to provide wireless service
  3. Determine where you want to locate wireless APs

Additionally, you must plan an IP address scheme for your wireless APs and wireless clients. See the section Plan wireless AP and NPS RADIUS client configuration below for related information.

Verify wireless AP support for standards

For the purposes of consistency and ease of deployment and AP management, it is recommended that you deploy wireless APs of the same brand and model.

The wireless APs that you deploy must support the following:

  • IEEE 802.1X

  • RADIUS authentication

  • Wireless authentication and cipher, listed in order of most to least preferred:

    1. WPA2-Enterprise with AES

    2. WPA2-Enterprise with TKIP

    3. WPA-Enterprise with AES

    4. WPA-Enterprise with TKIP

Note

To deploy WPA2, you must use wireless network adapters and wireless APs that also support WPA2. Otherwise, use WPA-Enterprise.

In addition, to provide enhanced security for the network, the wireless APs must support the following security options:

  • DHCP filtering. The wireless AP must filter on IP ports to prevent the transmission of DHCP broadcast messages in those cases in which the wireless client is configured as a DHCP server. The wireless AP must block the client from sending IP packets from UDP port 68 to the network.

  • DNS filtering. The wireless AP must filter on IP ports to prevent a client from performing as a DNS server. The wireless AP must block the client from sending IP packets from TCP or UDP port 53 to the network.

  • Client isolation. If your wireless access point provides client isolation capabilities, you should enable the feature to prevent possible Address Resolution Protocol (ARP) spoofing exploits.

Identify areas of coverage for wireless users

Use architectural drawings of each floor for each building to identify the areas where you want to provide wireless coverage. For example, identify the appropriate offices, conference rooms, lobbies, cafeterias, or courtyards.

On the drawings, indicate any devices that interfere with the wireless signals, such as medical equipment, wireless video cameras, cordless telephones that operate in the 2.4 through 2.5 GHz Industrial, Scientific and Medical (ISM) range, and Bluetooth-enabled devices.

On the drawings, mark aspects of the building that might interfere with wireless signals; metal objects used in the construction of a building can affect the wireless signal. For example, the following common objects can interfere with signal propagation: elevators, heating and air-conditioning ducts, and concrete support girders.

Refer to your AP manufacturer for information about sources that might cause wireless AP radio frequency attenuation. Most APs provide testing software that you can use to check signal strength, error rate, and data throughput.

Determine where to install wireless APs

On the architectural drawings, locate your wireless APs close enough together to provide ample wireless coverage but far enough apart that they do not interfere with each other.

The necessary distance between APs depends upon the type of AP and AP antenna, aspects of the building that block wireless signals, and other sources of interference. You can mark wireless AP placements so that each wireless AP is not more than 300 feet from any adjacent wireless AP. See the wireless AP manufacturer's documentation for AP specifications and guidelines for placement.

Temporarily install wireless APs in the locations specified on your architectural drawings. Then, using a laptop equipped with an 802.11 wireless adapter and the site survey software that is commonly supplied with wireless adapters, determine the signal strength within each coverage area.

In coverage areas where signal strength is low, reposition the AP to improve signal strength for the coverage area, install additional wireless APs to provide the necessary coverage, or relocate or remove sources of signal interference.

Update your architectural drawings to indicate the final placement of all wireless APs. Having an accurate AP placement map will assist later during troubleshooting operations or when you want to upgrade or replace APs.

Plan wireless AP and NPS RADIUS client configuration

You can use NPS to configure wireless APs individually or in groups.

If you are deploying a large wireless network that includes many APs, it is much easier to configure APs in groups. To add the APs as RADIUS client groups in NPS, you must configure the APs with these properties:

  • The wireless APs are configured with IP addresses from the same IP address range.

  • The wireless APs are all configured with the same shared secret.

Plan the use of PEAP Fast Reconnect

In an 802.1X infrastructure, wireless access points are configured as RADIUS clients to RADIUS servers. When PEAP fast reconnect is deployed, a wireless client that roams between two or more access points is not required to be authenticated with each new association.

PEAP fast reconnect reduces the response time for authentication between client and authenticator because the authentication request is forwarded from the new access point to the NPS server that originally performed authentication and authorization for the client connection request.

Because both the PEAP client and the NPS server use previously cached Transport Layer Security (TLS) connection properties (the collection of which is named the TLS handle), the NPS server can quickly determine that the client is authorized for a reconnect.

Important

For fast reconnect to function correctly, the APs must be configured as RADIUS clients of the same NPS server.

If the original NPS server becomes unavailable, or if the client moves to an access point that is configured as a RADIUS client to a different RADIUS server, full authentication must occur between the client and the new authenticator.

Wireless AP configuration

The following list summarizes items commonly configured on 802.1X-capable wireless APs:

Note

The item names can vary by brand and model and might be different from those in the following list. See your wireless AP documentation for configuration-specific details.

  • Service set identifier (SSID). This is the name of the wireless network (for example, ExampleWlan), and the name that is advertised to wireless clients. To reduce confusion, the SSID that you choose to advertise should not match the SSID that is broadcast by any wireless networks that are within reception range of your wireless network.

    In cases in which multiple wireless APs are deployed as part of the same wireless network, configure each wireless AP with the same SSID.

    In cases where you need to deploy different wireless networks to meet specific business needs, your wireless APs on one network should broadcast a different SSID than the SSID of your other network(s). For example, if you need a separate wireless network for your employees and guests, you could configure your wireless APs for the business network with the SSID set to broadcast ExampleWLAN. For your guest network, you could then set each wireless AP's SSID to broadcast GuestWLAN. In this way your employees and guests can connect to the intended network without unnecessary confusion.

    Tip

    Some wireless APs have the ability to broadcast multiple SSIDs to accommodate multi-network deployments. Wireless APs that can broadcast multiple SSIDs can reduce deployment and operational maintenance costs.

  • Wireless authentication and encryption.

    Wireless authentication is the security authentication that is used when the wireless client associates with a wireless access point.

    Wireless encryption is the security encryption cipher that is used with wireless authentication to protect the communications that are sent between the wireless AP and the wireless client.

  • Wireless AP IP address (static). On each wireless AP, configure a unique static IP address. If the subnet is serviced by a DHCP server, ensure that all AP IP addresses fall within a DHCP exclusion range so that the DHCP server does not try to issue the same IP address to another computer or device. Exclusion ranges are documented in the procedure "To create and activate a new DHCP Scope" in the Core Network Guide. If you are planning to configure APs as RADIUS clients by group in NPS, each AP in the group must have an IP address from the same IP address range.

  • DNS name. Some wireless APs can be configured with a DNS name. Configure each wireless AP with a unique name. For example, if you have deployed wireless APs in a multi-story building, you might name the first three wireless APs that are deployed on the third floor AP3-01, AP3-02, and AP3-03.

  • Wireless AP subnet mask. Configure the mask to designate which portion of the IP address is the network ID and which portion of the IP address is the host ID.

  • AP DHCP service. If your wireless AP has a built-in DHCP service, disable it.

  • RADIUS shared secret. Use a unique RADIUS shared secret for each wireless AP unless you are planning to configure NPS RADIUS clients in groups, in which case you must configure all of the APs in the group with the same shared secret. Shared secrets should be a random sequence of at least 22 characters, with both uppercase and lowercase letters, numbers, and punctuation. To ensure randomness, you can use a random character generation program to create your shared secrets. It is recommended that you record the shared secret for each wireless AP and store it in a secure location, such as an office safe. When you configure RADIUS clients in the NPS console you will create a virtual version of each AP. The shared secret that you configure on each virtual AP in NPS must match the shared secret on the actual, physical AP.

  • RADIUS server IP address. Type the IP address of the NPS server that you want to use to authenticate and authorize connection requests to this access point.

  • UDP port(s). By default, NPS uses UDP ports 1812 and 1645 for RADIUS authentication messages and UDP ports 1813 and 1646 for RADIUS accounting messages. It is recommended that you do not change the default RADIUS UDP port settings.

  • VSAs. Some wireless APs require vendor-specific attributes (VSAs) to provide full wireless AP functionality.

  • DHCP filtering. Configure wireless APs to block wireless clients from sending IP packets from UDP port 68 to the network. See the documentation for your wireless AP to configure DHCP filtering.

  • DNS filtering. Configure wireless APs to block wireless clients from sending IP packets from TCP or UDP port 53 to the network. See the documentation for your wireless AP to configure DNS filtering.
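
As an added example that is not part of this guide, the following Python checks a constructed AP inventory against the two conditions given earlier for configuring APs as an NPS RADIUS client group (addresses from the same IP address range, the same shared secret) and against the shared-secret guidance in the RADIUS shared secret item (random, at least 22 characters, mixed case, digits and punctuation). The AccessPoint class, the function names and the 10.0.3.0/24 management subnet are this example's own assumptions, not NPS settings.

```python
"""Added example, not Microsoft's code: checks a constructed AP inventory
against the page's NPS RADIUS client group conditions (same IP address range,
same shared secret) and its shared-secret guidance (random, 22+ characters,
upper- and lowercase letters, digits, punctuation). Names are illustrative."""
import ipaddress
import secrets
import string
from dataclasses import dataclass

MIN_SECRET_LENGTH = 22  # minimum length the page recommends
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_acceptable_shared_secret(secret: str) -> bool:
    """Apply the page's length and character-class rules."""
    return (
        len(secret) >= MIN_SECRET_LENGTH
        and any(c.isupper() for c in secret)
        and any(c.islower() for c in secret)
        and any(c.isdigit() for c in secret)
        and any(c in string.punctuation for c in secret)
    )


def generate_shared_secret(length: int = MIN_SECRET_LENGTH) -> str:
    """Draw a secret with the secrets module (a CSPRNG) and retry until all
    four character classes are present, so the result passes the check."""
    if length < MIN_SECRET_LENGTH:
        raise ValueError(f"length must be at least {MIN_SECRET_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable_shared_secret(candidate):
            return candidate


@dataclass(frozen=True)
class AccessPoint:
    name: str           # unique name such as AP3-01 (the page's naming scheme)
    address: str        # the AP's unique static IPv4 address
    shared_secret: str  # must match the virtual RADIUS client created in NPS


def check_radius_client_group(aps, network: str):
    """Return the problems that would stop these APs forming one NPS RADIUS
    client group: an address outside `network` or duplicated, a shared secret
    that differs from the first AP's, or one that fails the guidance."""
    if not aps:
        return ["group is empty"]
    net = ipaddress.ip_network(network)
    group_secret = aps[0].shared_secret
    seen, problems = set(), []
    for ap in aps:
        if ipaddress.ip_address(ap.address) not in net:
            problems.append(f"{ap.name}: {ap.address} is outside {network}")
        if ap.address in seen:
            problems.append(f"{ap.name}: duplicate static address {ap.address}")
        seen.add(ap.address)
        if ap.shared_secret != group_secret:
            problems.append(f"{ap.name}: shared secret differs from the group's")
        if not is_acceptable_shared_secret(ap.shared_secret):
            problems.append(f"{ap.name}: shared secret fails the guidance")
    return problems


# Constructed inventory: the third-floor APs from the page's naming example on
# an assumed management subnet, plus one AP on another subnet with a weak,
# different secret, to show what the group check reports.
GROUP_SECRET = "Qx7!mR2#vL9$wT4%kN8&pZ"  # constructed; 22 chars, all classes
THIRD_FLOOR = [
    AccessPoint("AP3-01", "10.0.3.11", GROUP_SECRET),
    AccessPoint("AP3-02", "10.0.3.12", GROUP_SECRET),
    AccessPoint("AP3-03", "10.0.3.13", GROUP_SECRET),
]
MISCONFIGURED = THIRD_FLOOR + [AccessPoint("AP4-01", "10.0.4.11", "radius123")]

if __name__ == "__main__":
    print("third floor:", check_radius_client_group(THIRD_FLOOR, "10.0.3.0/24"))
    for problem in check_radius_client_group(MISCONFIGURED, "10.0.3.0/24"):
        print("problem:", problem)
    print("fresh secret:", generate_shared_secret())
```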

Planning wireless client configuration and access

When planning the deployment of 802.1X-authenticated wireless access, you must consider several client-specific factors:

  • Planning support for multiple standards.

    Determine whether your wireless computers are all using the same version of Windows or whether they are a mixture of computers running different operating systems. If they are different, ensure that you understand any differences in the standards supported by the operating systems.

    Determine whether all of the wireless network adapters on all of the wireless client computers support the same wireless standards, or whether you need to support varying standards. For example, determine whether some network adapter hardware drivers support WPA2-Enterprise and AES, while others support only WPA-Enterprise and TKIP.

  • Planning client authentication mode. Authentication modes define how Windows clients process domain credentials. You can select from the following three network authentication modes in the wireless network policies.

    1. User re-authentication. This mode specifies that authentication is always performed by using security credentials based on the computer's current state. When no users are logged on to the computer, authentication is performed by using the computer credentials. When a user is logged on to the computer, authentication is always performed by using the user credentials.

    2. Computer only. Computer only mode specifies that authentication is always performed by using only the computer credentials.

    3. User authentication. User authentication mode specifies that authentication is only performed when the user is logged on to the computer. When there are no users logged on to the computer, authentication attempts are not performed.

  • Planning wireless restrictions. Determine whether you want to provide all of your wireless users with the same level of access to your wireless network, or whether you want to restrict access for some of your wireless users. You can apply restrictions in NPS against specific groups of wireless users. For example, you can define specific days and hours during which certain groups are permitted access to the wireless network.

  • Planning methods for adding new wireless computers. For wireless-capable computers that are joined to your domain before you deploy your wireless network, if the computer is connected to a segment of the wired network that is not protected by 802.1X, the wireless configuration settings are automatically applied after you configure Wireless Network (IEEE 802.11) Policies on the domain controller and after Group Policy is refreshed on the wireless client.

    For computers that are not already joined to your domain, however, you must plan a method to apply the settings that are required for 802.1X-authenticated access. For example, determine whether you want to join the computer to the domain by using one of the following methods.

    1. Connect the computer to a segment of the wired network that is not protected by 802.1X, then join the computer to the domain.

    2. Provide your wireless users with the steps and settings that they require to add their own wireless bootstrap profile, which allows them to join the computer to the domain.

    3. Assign IT staff to join wireless clients to the domain.

Planning support for multiple standards

The Wireless Network (IEEE 802.11) Policies extension in Group Policy provides a wide range of configuration options to support a variety of deployment options.

You can deploy wireless APs that are configured with the standards that you want to support, and then configure multiple wireless profiles in Wireless Network (IEEE 802.11) Policies, with each profile specifying one set of standards that you require.

For example, if your network has wireless computers that support WPA2-Enterprise and AES, other computers that support WPA-Enterprise and AES, and other computers that support only WPA-Enterprise and TKIP, you must determine whether you want to:

  • Configure a single profile to support all of the wireless computers by using the weakest encryption method that all of your computers support, in this case WPA-Enterprise and TKIP.
  • Configure two profiles to provide the best possible security that is supported by each wireless computer. In this instance you would configure one profile that specifies the strongest encryption (WPA2-Enterprise and AES), and one profile that uses the weaker WPA-Enterprise and TKIP encryption. In this example, it is essential that you place the profile that uses WPA2-Enterprise and AES highest in the preference order. Computers that are not capable of using WPA2-Enterprise and AES will automatically skip to the next profile in the preference order and process the profile that specifies WPA-Enterprise and TKIP.

Important

You must place the profile with the most secure standards higher in the ordered list of profiles, because connecting computers use the first profile that they are capable of using.
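
As an added example that is not part of this guide, the following Python models the profile selection described above (a client uses the first profile in the ordered list that its adapter supports) and reports which clients a given ordering connects with weaker settings than they are capable of; it extends the page's two-profile case with the third tier of adapters the example mentions, those that support only WPA-Enterprise and AES. The numeric strength ranks, the client names and the function names are this example's own assumptions.

```python
"""Added example, not Microsoft's code: models how a Windows client walks the
ordered profile list in Wireless Network (IEEE 802.11) Policies (first usable
profile wins) and reports which adapters a given order downgrades. Strength
ranks, client names and function names are this example's own assumptions."""
from typing import Optional

# Rank this example assigns to the page's four authentication/cipher
# combinations, following its order of preference (higher is stronger).
STRENGTH = {
    ("WPA2-Enterprise", "AES"): 4,
    ("WPA2-Enterprise", "TKIP"): 3,
    ("WPA-Enterprise", "AES"): 2,
    ("WPA-Enterprise", "TKIP"): 1,
}
Profile = tuple  # (authentication, cipher), e.g. ("WPA2-Enterprise", "AES")


def select_profile(ordered_profiles, supported) -> Optional[Profile]:
    """The client processes the first profile in preference order that its
    adapter supports and skips the ones it cannot use."""
    for profile in ordered_profiles:
        if profile in supported:
            return profile
    return None


def best_supported(supported) -> Optional[Profile]:
    """The strongest combination the adapter could have used."""
    return max(supported, key=STRENGTH.__getitem__, default=None)


def downgraded_clients(ordered_profiles, fleet):
    """Map each client that connects with something weaker than its best
    supported combination to (chosen profile, best supported profile)."""
    result = {}
    for name, supported in fleet.items():
        chosen = select_profile(ordered_profiles, supported)
        best = best_supported(supported)
        if chosen is not None and STRENGTH[chosen] < STRENGTH[best]:
            result[name] = (chosen, best)
    return result


def ordering_is_safe(ordered_profiles) -> bool:
    """The page's rule: most secure standards first, so the list must be in
    non-increasing strength order."""
    ranks = [STRENGTH[p] for p in ordered_profiles]
    return all(a >= b for a, b in zip(ranks, ranks[1:]))


# Constructed fleet mirroring the page's example: adapters that support
# WPA2-Enterprise/AES, adapters limited to WPA-Enterprise/AES, and adapters
# limited to WPA-Enterprise/TKIP.
FLEET = {
    "laptop-new": {("WPA2-Enterprise", "AES"), ("WPA-Enterprise", "AES"),
                   ("WPA-Enterprise", "TKIP")},
    "laptop-mid": {("WPA-Enterprise", "AES"), ("WPA-Enterprise", "TKIP")},
    "scanner-old": {("WPA-Enterprise", "TKIP")},
}
CORRECT_ORDER = [("WPA2-Enterprise", "AES"), ("WPA-Enterprise", "TKIP")]
WRONG_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    for label, order in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, "order is safe:", ordering_is_safe(order))
        for client, (chosen, best) in downgraded_clients(order, FLEET).items():
            print(f"  {client} would use {chosen} although it supports {best}")
```

With the page's two profiles, the adapters limited to WPA-Enterprise and AES fall back to TKIP even under the correct order, which is the case where a third profile is worth weighing against the extra policy to maintain.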

Planning restricted access to the wireless network

In many cases, you might want to provide wireless users with varying levels of access to the wireless network. For example, you might want to allow some users unrestricted access, any hour of the day, every day of the week. For other users, you might only want to allow access during core hours, Monday through Friday, and deny access on Saturday and Sunday.

This guide provides instructions to create an access environment that places all of your wireless users in a group with common access to wireless resources. You create one wireless users security group in the Active Directory Users and Computers snap-in, and then make every user for whom you want to grant wireless access a member of that group.

When you configure NPS network policies, you specify the wireless users security group as the object that NPS processes when determining authorization.

However, if your deployment requires support for varying levels of access, you need only do the following:

  1. Create more than one wireless users security group in Active Directory Users and Computers. For example, you can create a group that contains users who have full access, a group for those who only have access during regular working hours, and other groups that fit other criteria that match your requirements.

  2. Add users to the appropriate security groups that you created.

  3. Configure additional NPS network policies for each additional wireless security group, and configure the policies to apply the conditions and constraints that you require for each group.

Planning methods for adding new wireless computers

The preferred method to join new wireless computers to the domain and then log on to the domain is by using a wired connection to a segment of the LAN that has access to domain controllers and is not protected by an 802.1X-authenticating Ethernet switch.

In some cases, however, it might not be practical to use a wired connection to join computers to the domain, or for a user to use a wired connection for their first logon attempt on a computer that is already joined to the domain.

To join a computer to the domain by using a wireless connection, or for users to log on to the domain for the first time by using a domain-joined computer and a wireless connection, wireless clients must first establish a connection to the wireless network on a segment that has access to the network domain controllers by using one of the following methods.

  1. A member of the IT staff joins a wireless computer to the domain, and then configures a Single Sign On bootstrap wireless profile. With this method, an IT administrator connects the wireless computer to the wired Ethernet network, and then joins the computer to the domain. Then the administrator distributes the computer to the user. When the user starts the computer, the domain credentials that they manually specify for the user logon process are used to both establish a connection to the wireless network and log on to the domain.

  2. The user manually configures the wireless computer with a bootstrap wireless profile, and then joins the domain. With this method, users manually configure their wireless computers with a bootstrap wireless profile based on instructions from an IT administrator. The bootstrap wireless profile allows users to establish a wireless connection, and then join the computer to the domain. After joining the computer to the domain and restarting the computer, the user can log on to the domain by using a wireless connection and their domain account credentials.

To deploy wireless access, see Wireless Access Deployment.