Wireless Access Deployment

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Follow these steps to deploy wireless access:

Deploy and Configure Wireless APs

Follow these steps to deploy and configure your wireless APs:

Note

The procedures in this guide do not include instructions for cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

Specify Wireless AP Channel Frequencies

When you deploy multiple wireless APs at a single geographical site, you must configure wireless APs that have overlapping signals to use unique channel frequencies to reduce interference between them.

You can use the following guidelines to assist you in choosing channel frequencies that do not conflict with other wireless networks at the geographical location of your wireless network.

  • If there are other organizations that have offices in close proximity or in the same building as your organization, identify whether there are any wireless networks owned by those organizations. Find out both the placement and the assigned channel frequencies of their wireless APs, because you need to assign different channel frequencies to your APs and you need to determine the best location to install your APs.

  • Identify overlapping wireless signals on adjacent floors within your own organization. After identifying overlapping coverage areas outside and within your organization, assign channel frequencies for your wireless APs, ensuring that any two wireless APs with overlapping coverage are assigned different channel frequencies.
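The rule in the two guidelines above (no two APs with overlapping coverage on the same channel, including a neighboring organization's AP whose channel you cannot change) can be planned and verified mechanically. The following PowerShell is an added example and not part of the Microsoft documentation; the AP names, overlap pairs and the neighbor's channel are constructed sample data, and the channel set defaults to the three non-overlapping 2.4 GHz channels.

```powershell
# Added example, not part of the Microsoft documentation. Assigns channels so that no two APs
# with overlapping coverage share a frequency. AP names, overlaps and the neighboring
# organization's AP are constructed sample data; the channel set defaults to the three
# non-overlapping 2.4 GHz channels (1, 6, 11).

function Get-ChannelPlan {
    param(
        [Parameter(Mandatory)] [string[]] $AccessPoints,
        # Each entry is "A|B": the signals of AP A and AP B overlap.
        [Parameter(Mandatory)] [string[]] $Overlaps,
        [int[]] $Channels = @(1, 6, 11),
        # Channels you cannot change, such as a neighboring organization's AP.
        [hashtable] $Fixed = @{}
    )
    # Build an adjacency list (AP name -> list of overlapping APs).
    $adjacent = @{}
    foreach ($ap in $AccessPoints + @($Fixed.Keys)) {
        $adjacent[$ap] = New-Object System.Collections.Generic.List[string]
    }
    foreach ($pair in $Overlaps) {
        $a, $b = $pair -split '\|'
        foreach ($name in @($a, $b)) {
            if (-not $adjacent.ContainsKey($name)) { throw "Unknown AP '$name' in overlap '$pair'" }
        }
        $adjacent[$a].Add($b)
        $adjacent[$b].Add($a)
    }

    $plan = @{}
    foreach ($name in $Fixed.Keys) { $plan[$name] = $Fixed[$name] }

    # Greedy colouring: assign the most-constrained APs (most overlaps) first, always
    # choosing the lowest channel not already used by an overlapping AP.
    $order = $AccessPoints |
        Where-Object { -not $plan.ContainsKey($_) } |
        Sort-Object { $adjacent[$_].Count } -Descending
    foreach ($ap in $order) {
        $taken = @($adjacent[$ap] | Where-Object { $plan.ContainsKey($_) } | ForEach-Object { $plan[$_] })
        $free  = @($Channels | Where-Object { $taken -notcontains $_ })
        if ($free.Count -eq 0) {
            throw "No channel left for '$ap': reduce overlap (placement or transmit power) or use more channels."
        }
        $plan[$ap] = $free[0]
    }
    return $plan
}

function Test-ChannelPlan {
    param([Parameter(Mandatory)] [hashtable] $Plan, [Parameter(Mandatory)] [string[]] $Overlaps)
    # Returns every overlapping pair that still shares a channel (empty means the plan is valid).
    $conflicts = foreach ($pair in $Overlaps) {
        $a, $b = $pair -split '\|'
        if ($Plan[$a] -eq $Plan[$b]) { "$a and $b both use channel $($Plan[$a])" }
    }
    return @($conflicts)
}

# Constructed site: three of our APs plus one neighboring organization's AP fixed on channel 6.
$overlaps = 'AP-Floor1-East|AP-Floor1-West',
            'AP-Floor1-East|AP-Floor2-East',
            'AP-Floor1-West|AP-Floor2-East',
            'AP-Floor1-East|Neighbor-AP'
$plan = Get-ChannelPlan -AccessPoints 'AP-Floor1-East', 'AP-Floor1-West', 'AP-Floor2-East' `
                        -Overlaps $overlaps -Fixed @{ 'Neighbor-AP' = 6 }
$plan.GetEnumerator() | Sort-Object Name | Format-Table Name, Value
Test-ChannelPlan -Plan $plan -Overlaps $overlaps   # prints nothing when every overlap uses distinct channels
```

With the sample data the plan is Floor1-East on 1, Floor1-West on 6 and Floor2-East on 11, and the test returns no conflicts; a site with more mutual overlaps than channels makes Get-ChannelPlan throw, which is the cue to change placement or transmit power.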

Configure Wireless APs

Use the following information along with the product documentation provided by the wireless AP manufacturer to configure your wireless APs.

This procedure enumerates items commonly configured on a wireless AP. The item names can vary by brand and model and might be different from those in the following list. For specific details, see your wireless AP documentation.

To configure your wireless APs

  • SSID. Specify the name of the wireless network(s) (for example, ExampleWLAN). This is the name that is advertised to wireless clients.

  • Encryption. Specify WPA2-Enterprise (preferred) or WPA-Enterprise, and either AES (preferred) or TKIP as the encryption cipher, depending on which versions are supported by your wireless client computer network adapters.

  • Wireless AP IP address (static). On each AP, configure a unique static IP address that falls within the exclusion range of the DHCP scope for the subnet. Using an address that is excluded from assignment by DHCP prevents the DHCP server from assigning the same IP address to a computer or other device.

  • Subnet mask. Configure this to match the subnet mask settings of the LAN to which you have connected the wireless AP.

  • DNS name. Some wireless APs can be configured with a DNS name. The DNS service on the network can resolve DNS names to an IP address. On each wireless AP that supports this feature, enter a unique name for DNS resolution.

  • DHCP service. If your wireless AP has a built-in DHCP service, disable it.

  • RADIUS shared secret. Use a unique RADIUS shared secret for each wireless AP unless you are planning to configure APs as RADIUS clients in NPS by group. If you plan to configure APs by group in NPS, the shared secret must be the same for every member of the group. In addition, each shared secret you use should be a random sequence of at least 22 characters that mixes uppercase and lowercase letters, numbers, and punctuation. To ensure randomness, you can use a random character generator, such as the random character generator found in the NPS Configure 802.1X wizard, to create the shared secrets.

Tip

Record the shared secret for each wireless AP and store it in a secure location, such as an office safe. You must know the shared secret for each wireless AP when you configure RADIUS clients in NPS.

  • RADIUS server IP address. Type the IP address of the server running NPS.

  • UDP port(s). By default, NPS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages. It is recommended that you use these same UDP ports on your APs, but if you have a valid reason to use different ports, ensure that you not only configure the APs with the new port numbers but also reconfigure all of your NPS servers to use the same port numbers as the APs. If the APs and the NPS servers are not configured with the same UDP ports, NPS cannot receive or process connection requests from the APs, and all wireless connection attempts on the network will fail.

  • VSAs. Some wireless APs require vendor-specific attributes (VSAs) to provide full wireless AP functionality. VSAs are added in NPS network policy.

  • DHCP filtering. Configure wireless APs to block wireless clients from sending IP packets from UDP port 68 to the network, as documented by the wireless AP manufacturer.

  • DNS filtering. Configure wireless APs to block wireless clients from sending IP packets from TCP or UDP port 53 to the network, as documented by the wireless AP manufacturer.
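Several of the items above (a unique static IP inside the DHCP exclusion range, a shared secret of at least 22 mixed characters that is reused only within one NPS RADIUS client group, and RADIUS UDP ports that match the NPS servers) can be checked before the APs go live. The PowerShell below is an added example and not part of the Microsoft documentation: it generates policy-compliant secrets with a cryptographic RNG and audits a planned AP list; the AP entries, addresses, ports and the exclusion range are constructed sample data.

```powershell
# Added example, not part of the Microsoft documentation. AP entries, addresses, ports and the
# DHCP exclusion range below are constructed sample data.

function Test-SharedSecretPolicy {
    param([string] $Secret)
    # At least 22 characters mixing upper case, lower case, digits and punctuation.
    return (([string]$Secret).Length -ge 22 -and
            $Secret -cmatch '[A-Z]' -and $Secret -cmatch '[a-z]' -and
            $Secret -match '[0-9]' -and $Secret -match '[^A-Za-z0-9]')
}

function New-RadiusSharedSecret {
    param([int] $Length = 32)
    # Cryptographically random secret; rejection sampling avoids modulo bias.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_~'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $byte  = New-Object byte[] 1
    do {
        $chars = New-Object System.Text.StringBuilder
        while ($chars.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) { [void]$chars.Append($alphabet[$byte[0] % $alphabet.Length]) }
        }
        $secret = $chars.ToString()
    } until (Test-SharedSecretPolicy $secret)   # redraw on the rare miss of a character class
    return $secret
}

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)] [string] $Address)
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    [Array]::Reverse($bytes)   # network order -> little-endian for BitConverter
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-ApRadiusConfig {
    param(
        [Parameter(Mandatory)] [object[]] $AccessPoints,
        [Parameter(Mandatory)] [string] $ExclusionStart,
        [Parameter(Mandatory)] [string] $ExclusionEnd,
        # NPS listens on 1812/1645 (authentication) and 1813/1646 (accounting) by default;
        # this check assumes the APs were pointed at the 1812/1813 pair.
        [int] $NpsAuthPort = 1812,
        [int] $NpsAcctPort = 1813
    )
    $findings    = New-Object System.Collections.Generic.List[string]
    $low         = ConvertTo-IPv4Number $ExclusionStart
    $high        = ConvertTo-IPv4Number $ExclusionEnd
    $ipOwner     = @{}
    $secretOwner = @{}
    foreach ($ap in $AccessPoints) {
        $n = ConvertTo-IPv4Number $ap.IPAddress
        if ($n -lt $low -or $n -gt $high) {
            $findings.Add("$($ap.Name): static IP $($ap.IPAddress) is outside the DHCP exclusion range $($ExclusionStart)-$($ExclusionEnd)")
        }
        if ($ipOwner.ContainsKey($ap.IPAddress)) {
            $findings.Add("$($ap.Name): IP $($ap.IPAddress) is already used by $($ipOwner[$ap.IPAddress])")
        } else { $ipOwner[$ap.IPAddress] = $ap.Name }
        if (-not (Test-SharedSecretPolicy $ap.SharedSecret)) {
            $findings.Add("$($ap.Name): shared secret is shorter than 22 characters or lacks a character class")
        }
        # A secret may be shared only by APs that will be one RADIUS client group in NPS.
        if ($secretOwner.ContainsKey($ap.SharedSecret)) {
            $owner = $secretOwner[$ap.SharedSecret]
            if (-not $ap.NpsGroup -or $owner.NpsGroup -ne $ap.NpsGroup) {
                $findings.Add("$($ap.Name): reuses the shared secret of $($owner.Name) without being in the same NPS group")
            }
        } else { $secretOwner[$ap.SharedSecret] = $ap }
        if ($ap.AuthPort -ne $NpsAuthPort -or $ap.AcctPort -ne $NpsAcctPort) {
            $findings.Add("$($ap.Name): RADIUS ports $($ap.AuthPort)/$($ap.AcctPort) do not match NPS ($NpsAuthPort/$NpsAcctPort); connections through this AP would fail")
        }
    }
    return $findings
}

# Constructed sample: AP-2 duplicates AP-1's address, uses a weak secret and the other port pair;
# AP-3 sits outside the exclusion range and reuses AP-1's secret without an NPS group.
$secret1 = New-RadiusSharedSecret
$aps = @(
    [pscustomobject]@{ Name='AP-1'; IPAddress='10.0.10.5';  SharedSecret=$secret1;   AuthPort=1812; AcctPort=1813; NpsGroup=$null },
    [pscustomobject]@{ Name='AP-2'; IPAddress='10.0.10.5';  SharedSecret='password'; AuthPort=1645; AcctPort=1646; NpsGroup=$null },
    [pscustomobject]@{ Name='AP-3'; IPAddress='10.0.10.50'; SharedSecret=$secret1;   AuthPort=1812; AcctPort=1813; NpsGroup=$null }
)
Test-ApRadiusConfig -AccessPoints $aps -ExclusionStart '10.0.10.1' -ExclusionEnd '10.0.10.20'
```

For the sample data the audit reports three findings for AP-2 and two for AP-3 and nothing for AP-1; keep the generated secrets out of the script output in production and record them as the tip above describes.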

Create Security Groups for Wireless Users

Follow these steps to create one or more wireless users security groups, and then add users to the appropriate wireless users security group:

Create a Wireless Users Security Group

You can use this procedure to create a wireless security group in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To create a wireless users security group

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers snap-in opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.

  2. In the details pane, right-click the folder in which you want to add a new group (for example, right-click Users), point to New, and then click Group.

  3. In New Object - Group, in Group name, type the name of the new group. For example, type Wireless Group.

  4. In Group scope, select one of the following options:

    • Domain local

    • Global

    • Universal

  5. In Group type, select Security.

  6. Click OK.

If you need more than one security group for wireless users, repeat these steps to create additional wireless users groups. Later you can create individual network policies in NPS to apply different conditions and constraints to each group, providing them with different access permissions and connectivity rules.

Add Users to the Wireless Users Security Group

You can use this procedure to add a user, computer, or group to your wireless security group in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To add users to the wireless security group

  1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com.

  2. In the details pane, double-click the folder that contains your wireless security group.

  3. In the details pane, right-click the wireless security group, and then click Properties. The Properties dialog box for the security group opens.

  4. On the Members tab, click Add, and then complete one of the following procedures to either add a computer or add a user or group.

To add a user or group
  1. In Enter the object names to select, type the name of the user or group that you want to add, and then click OK.

  2. To assign group membership to other users or groups, repeat step 1 of this procedure.

To add a computer
  1. Click Object Types. The Object Types dialog box opens.

  2. In Object types, select Computers, and then click OK.

  3. In Enter the object names to select, type the name of the computer that you want to add, and then click OK.

  4. To assign group membership to other computers, repeat steps 1-3 of this procedure.
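The two procedures above (creating the security group, then adding users and computers to it) have a scriptable equivalent in the ActiveDirectory PowerShell module, which is what you would use to repeat them for several groups. This is an added example, not the documentation's own procedure; it assumes the domain example.com from the text, and the user jdoe and computer CLIENT01 are constructed names.

```powershell
# Added example, not part of the Microsoft documentation. Requires the ActiveDirectory module
# (RSAT) and Domain Admins or equivalent, as the procedures above state.
Import-Module ActiveDirectory

function New-WirelessUsersGroup {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Assumption: domain example.com, as used in the text; the Users container is the GUI default.
        [string] $Path = 'CN=Users,DC=example,DC=com',
        [ValidateSet('DomainLocal', 'Global', 'Universal')] [string] $Scope = 'Global'
    )
    # Idempotent: return the existing group instead of failing on a second run.
    $existing = Get-ADGroup -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    # Group type Security (not Distribution), matching step 5 of the procedure above.
    return New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path -PassThru
}

function Add-WirelessGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [string[]] $Users = @(),
        [string[]] $Computers = @()
    )
    # Resolve each principal first so a typo fails here rather than leaving a partial change.
    # Looking up computer objects explicitly is the equivalent of selecting the "Computers"
    # object type in the GUI dialog.
    $members = @()
    foreach ($u in $Users)     { $members += Get-ADUser     -Identity $u }
    foreach ($c in $Computers) { $members += Get-ADComputer -Identity $c }
    if ($members.Count -gt 0) {
        Add-ADGroupMember -Identity $GroupName -Members $members
    }
    # Return the resulting membership so the change can be reviewed.
    return Get-ADGroupMember -Identity $GroupName | Select-Object Name, objectClass
}

# Constructed sample: one group, one user and one computer.
New-WirelessUsersGroup -Name 'Wireless Group' | Out-Null
Add-WirelessGroupMembers -GroupName 'Wireless Group' -Users 'jdoe' -Computers 'CLIENT01'
```

Computer membership matters when the NPS network policy will be scoped to the machine rather than the user, which is the case for clients that must connect before a user logs on.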

Configure Wireless Network (IEEE 802.11) Policies

Follow these steps to configure the Wireless Network (IEEE 802.11) Policies Group Policy extension:

Open or Add and Open a Group Policy Object

By default, the Group Policy Management feature is installed on computers running Windows Server 2016 when the Active Directory Domain Services (AD DS) server role is installed and the server is configured as a domain controller. The following procedure describes how to open the Group Policy Management Console (GPMC) on your domain controller. The procedure then describes how to either open an existing domain-level Group Policy object (GPO) for editing, or create a new domain GPO and open it for editing.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To open or add and open a Group Policy object

  1. On your domain controller, click Start, click Windows Administrative Tools, and then click Group Policy Management. The Group Policy Management Console opens.

  2. In the left pane, double-click your forest. For example, double-click Forest: example.com.

  3. In the left pane, double-click Domains, and then double-click the domain for which you want to manage a Group Policy object. For example, double-click example.com.

  4. Do one of the following:

    • To open an existing domain-level GPO for editing, double-click the domain that contains the Group Policy object that you want to manage, right-click the domain policy you want to manage, such as the Default Domain Policy, and then click Edit. Group Policy Management Editor opens.

    • To create a new Group Policy object and open it for editing, right-click the domain for which you want to create a new Group Policy object, and then click Create a GPO in this domain, and Link it here.

      In New GPO, in Name, type a name for the new Group Policy object, and then click OK.

      Right-click your new Group Policy object, and then click Edit. Group Policy Management Editor opens.
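The "Create a GPO in this domain, and Link it here" branch of step 4 can be scripted with the GroupPolicy module so that the GPO is created once and always linked at the domain level. This is an added example, not part of the Microsoft documentation; the GPO name and the domain distinguished name (derived from example.com in the text) are assumptions, and editing the wireless policy inside the GPO still happens in the Group Policy Management Editor as the next section describes.

```powershell
# Added example, not part of the Microsoft documentation. Requires the GroupPolicy module
# (installed with Group Policy Management) and Domain Admins or equivalent.
Import-Module GroupPolicy

function Add-WirelessPolicyGpo {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Assumption: domain example.com, as in the text.
        [string] $DomainDN = 'DC=example,DC=com'
    )
    # Reuse an existing GPO of that name rather than creating a duplicate.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Wireless Network (IEEE 802.11) Policies for domain members'
    }
    # Link at the domain level only if no link exists yet (equivalent of "Link it here").
    $link = (Get-GPInheritance -Target $DomainDN).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $link) {
        New-GPLink -Name $Name -Target $DomainDN -LinkEnabled Yes | Out-Null
        $link = (Get-GPInheritance -Target $DomainDN).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    }
    # Return what an administrator would verify in GPMC before editing the policy.
    return [pscustomobject]@{
        Name    = $gpo.DisplayName
        Id      = $gpo.Id
        Linked  = [bool]$link
        Enabled = $link.Enabled
        Status  = $gpo.GpoStatus
    }
}

# Constructed sample name for the wireless policy GPO.
Add-WirelessPolicyGpo -Name 'Wireless 802.1X Policy'
```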

In the next section you will use Group Policy Management Editor to create the wireless policy.

Activate Default Wireless Network (IEEE 802.11) Policies

This procedure describes how to activate the default Wireless Network (IEEE 802.11) Policies by using the Group Policy Management Editor (GPME).

Note

After you activate the Windows Vista and Later Releases version of the Wireless Network (IEEE 802.11) Policies or the Windows XP version, the version option is automatically removed from the list of options when you right-click Wireless Network (IEEE 802.11) Policies. This occurs because after you select a policy version, the policy is added in the details pane of the GPME when you select the Wireless Network (IEEE 802.11) Policies node. This state remains unless you delete the wireless policy, at which time the wireless policy version returns to the right-click menu for Wireless Network (IEEE 802.11) Policies in the GPME. Additionally, the wireless policies are only listed in the GPME details pane when the Wireless Network (IEEE 802.11) Policies node is selected.

Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

To activate default Wireless Network (IEEE 802.11) Policies

  1. Follow the previous procedure, To open or add and open a Group Policy object, to open the GPME.

  2. In the GPME, in the left pane, double-click Computer Configuration, double-click Policies, double-click Windows Settings, and then double-click Security Settings.

(Image: 802.1X Wireless Group Policy)

  3. In Security Settings, right-click Wireless Network (IEEE 802.11) Policies, and then click Create a new Wireless Policy for Windows Vista and Later Releases.

(Image: 802.1X Wireless Policy)

  4. The New Wireless Network Policy Properties dialog box opens. In Policy Name, type a new name for the policy or keep the default name. Click OK to save the policy. The default policy is activated and listed in the details pane of the GPME with the new name you provided or with the default name New Wireless Network Policy.

(Image: New Wireless Network Policy Properties)

  5. In the details pane, double-click New Wireless Network Policy to open it.

In the next section you can perform policy configuration, set the policy processing preference order, and define network permissions.

Configure the New Wireless Network Policy

You can use the procedures in this section to configure the Wireless Network (IEEE 802.11) Policy. This policy enables you to configure security and authentication settings, manage wireless profiles, and specify permissions for wireless networks that are not configured as preferred networks.

Configure a Wireless Connection Profile for PEAP-MS-CHAP v2

This procedure provides the steps required to configure a PEAP-MS-CHAP v2 wireless profile.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To configure a wireless connection profile for PEAP-MS-CHAP v2
  1. In GPME, in the wireless network properties dialog box for the policy that you just created, on the General tab, in Description, type a brief description for the policy.

  2. To specify that WLAN AutoConfig is used to configure wireless network adapter settings, ensure that Use Windows WLAN AutoConfig service for clients is selected.

  3. In Connect to available networks in the order of profiles listed below, click Add, and then select Infrastructure. The New Profile properties dialog box opens.

  4. In the New Profile properties dialog box, on the Connection tab, in the Profile Name field, type a new name for the profile. For example, type Example.com WLAN Profile for Windows 10.

  5. In Network Name(s) (SSID), type the SSID that corresponds to the SSID configured on your wireless APs, and then click Add.

    If your deployment uses multiple SSIDs and each wireless AP uses the same wireless security settings, repeat this step to add the SSID for each wireless AP to which you want this profile to apply.

    If your deployment uses multiple SSIDs and the security settings for each SSID do not match, configure a separate profile for each group of SSIDs that use the same security settings. For example, if you have one group of wireless APs configured to use WPA2-Enterprise and AES, and another group of wireless APs configured to use WPA-Enterprise and TKIP, configure a profile for each group of wireless APs.

  6. If the default text NEWSSID is present, select it, and then click Remove.

  7. If you deployed wireless access points that are configured to suppress the broadcast beacon, select Connect even if the network is not broadcasting.

    Note

    Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled.

  8. Click the Security tab, click Advanced, and then configure the following:

    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.

      When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are sufficient for typical wireless deployments. Because of this, you do not need to change the defaults unless you have a specific reason for doing so.

    2. To enable Single Sign On, select Enable Single Sign On for this network.

    3. The remaining default values in Single Sign On are sufficient for typical wireless deployments.

    4. In Fast Roaming, if your wireless AP is configured for pre-authentication, select This network uses pre-authentication.

  9. To specify that wireless communications meet FIPS 140-2 standards, select Perform cryptography in FIPS 140-2 certified mode.

  10. Click OK to return to the Security tab. In Select the security methods for this network, in Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client network adapters. Otherwise, select WPA-Enterprise.

  11. In Encryption, if supported by your wireless AP and wireless client network adapters, select AES-CCMP. If you are using access points and wireless network adapters that support 802.11ac, select AES-GCMP. Otherwise, select TKIP.

    Note

    The settings for both Authentication and Encryption must match the settings configured on your wireless APs. The default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are sufficient for typical wireless deployments.

  12. In Select a network authentication method, select Protected EAP (PEAP), and then click Properties. The Protected EAP Properties dialog box opens.

  13. In Protected EAP Properties, confirm that Verify the server's identity by validating the certificate is selected.

  14. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your NPS server.

    Note

    This setting limits the root CAs that clients trust to the selected CAs. If no trusted root CAs are selected, then clients will trust all root CAs listed in their Trusted Root Certification Authorities certificate store.

  15. In the Select Authentication Method list, select Secured password (EAP-MS-CHAP v2).

  16. Click Configure. In the EAP MSCHAPv2 Properties dialog box, verify that Automatically use my Windows logon name and password (and domain if any) is selected, and then click OK.

  17. To enable PEAP Fast Reconnect, ensure that Enable Fast Reconnect is selected.

  18. To require server cryptobinding TLV on connection attempts, select Disconnect if server does not present cryptobinding TLV.

  19. To specify that user identity is masked in phase one of authentication, select Enable Identity Privacy, and in the textbox, type an anonymous identity name, or leave the textbox blank.

    Note

    • The NPS policy for 802.1X Wireless must be created by using NPS Connection Request Policy. If the NPS policy is created by using NPS Network Policy, then identity privacy will not work.

    • EAP identity privacy is provided by certain EAP methods where an empty or an anonymous identity (different from the actual identity) is sent in response to the EAP identity request. PEAP sends the identity twice during the authentication. In the first phase, the identity is sent in plain text and this identity is used for routing purposes, not for client authentication. The real identity, which is used for authentication, is sent during the second phase of the authentication, within the secure tunnel that is established in the first phase. If the Enable Identity Privacy checkbox is selected, the username is replaced with the entry specified in the textbox. For example, assume Enable Identity Privacy is selected and the identity privacy alias anonymous is specified in the textbox. For a user with a real identity alias jdoe@example.com, the identity sent in the first phase of authentication will be changed to anonymous@example.com. The realm portion of the first-phase identity is not modified because it is used for routing purposes.

  20. Click OK to close the Protected EAP Properties dialog box.

  21. Click OK to close the Security tab.

  22. If you want to create additional profiles, click Add, and then repeat the previous steps, making different choices to customize each profile for the wireless clients and network to which you want the profile applied. When you are done adding profiles, click OK to close the Wireless Network Policy Properties dialog box.

In the next section you can order the policy profiles for optimum security.

Set the Preference Order for Wireless Connection Profiles

You can use this procedure if you have created multiple wireless profiles in your wireless network policy and you want to order the profiles for optimal effectiveness and security.

To ensure that wireless clients connect with the highest level of security that they can support, place your most restrictive policies at the top of the list.

For example, if you have two profiles, one for clients that support WPA2 and one for clients that support WPA, place the WPA2 profile higher on the list. This ensures that the clients that support WPA2 will use that method for the connection rather than the less secure WPA.

This procedure provides the steps to specify the order in which wireless connection profiles are used to connect domain member wireless clients to wireless networks.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To set the preference order for wireless connection profiles
  1. In GPME, in the wireless network properties dialog box for the policy that you just configured, click the General tab.

  2. On the General tab, in Connect to available networks in the order of profiles listed below, select the profile that you want to move in the list, and then click either the "up arrow" button or the "down arrow" button to move the profile to the desired location in the list.

  3. Repeat step 2 for each profile that you want to move in the list.

  4. Click OK to save all changes.

In the following section, you can define network permissions for the wireless policy.

Define Network Permissions

You can configure settings on the Network Permissions tab for the domain members to which Wireless Network (IEEE 802.11) Policies apply.

You can only apply the following settings for wireless networks that are not configured on the General tab of the Wireless Network Policy Properties page:

  • Allow or deny connections to specific wireless networks that you specify by network type and Service Set Identifier (SSID)

  • Allow or deny connections to ad hoc networks

  • Allow or deny connections to infrastructure networks

  • Allow or deny users to view network types (ad hoc or infrastructure) to which they are denied access

  • Allow or deny users to create a profile that applies to all users

  • Users can only connect to allowed networks by using Group Policy profiles

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures.

To allow or deny connections to specific wireless networks
  1. In GPME, in the wireless network properties dialog box, click the Network Permissions tab.

  2. On the Network Permissions tab, click Add. The New Permissions Entry dialog box opens.

  3. In the New Permission Entry dialog box, in the Network Name (SSID) field, type the network SSID of the network for which you want to define permissions.

  4. In Network Type, select Infrastructure or Ad hoc.

    Note

    If you are uncertain whether the broadcasting network is an infrastructure or ad hoc network, you can configure two network permission entries, one for each network type.

  5. In Permission, select Allow or Deny.

  6. Click OK to return to the Network Permissions tab.

若要指定其他網路權限 (Optional)To specify additional network permissions (Optional)
  1. 網路權限]索引標籤上,設定下列一或多個動作:On the Network Permissions tab, configure any or all of the following:

    • 若要即可授權您的網域成員至特定網路,選取 [避免 ad\ 特殊網路來連接To deny your domain members access to ad hoc networks, select Prevent connections to ad-hoc networks.

    • 若要即可授權您的網域成員網路基礎結構,選取 [避免基礎結構網路來連接To deny your domain members access to infrastructure networks, select Prevent connections to infrastructure networks.

    • 若要允許您檢視的網路類型網域成員 \(臨機操作或 infrastructure\)到,他們無法存取,選取允許使用者檢視拒絕的網路To allow your domain members to view network types (ad hoc or infrastructure) to which they are denied access, select Allow user to view denied networks.

    • 若要讓使用者建立套用到所有使用者的設定檔,請選取 [讓任何人建立所有的使用者設定檔以To allow users to create profiles that apply to all users, select Allow everyone to create all user profiles.

    • 若要指定您的使用者可以僅限連接到允許使用群組原則設定檔的網路,請選取 [只能使用群組原則設定檔,允許的網路的To specify that your users can only connect to allowed networks by using Group Policy profiles, select Only use Group Policy profiles for allowed networks.
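The Network Permissions settings above are applied through Group Policy, which is the authoritative method. For testing a single machine, or for checking what a client has actually received, the local netsh wlan filter commands express the same allow, block and deny-all semantics. The following is an added example, not part of the original guide; the SSIDs are constructed placeholders.

```powershell
# Added example (not from the original guide): local netsh wlan equivalents of the
# Network Permissions settings, followed by a read-back check. Group Policy remains
# the authoritative way to apply these; the SSIDs below are constructed placeholders.

$allowedSsid = 'CorpWLAN'    # constructed: the SSID served by your NPS policy
$blockedSsid = 'FreeWiFi'    # constructed: an SSID domain members must not join

# Deny all ad hoc networks (mirrors "Prevent connections to ad-hoc networks").
netsh wlan add filter permission=denyall networktype=adhoc

# Block one specific infrastructure network by SSID (an entry with Permission = Deny).
netsh wlan add filter permission=block "ssid=$blockedSsid" networktype=infrastructure

# Explicitly allow the corporate SSID (an entry with Permission = Allow).
netsh wlan add filter permission=allow "ssid=$allowedSsid" networktype=infrastructure

# Hide networks the user is denied access to (the opposite of
# "Allow user to view denied networks").
netsh wlan set blockednetworks display=hide

# Read back the filter list to confirm the entries took effect.
netsh wlan show filters
```

If a Group Policy wireless network policy applies to the machine, its permission list takes precedence over the local filters, so use `netsh wlan show filters` here as a verification step rather than as the deployment mechanism.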

Configure your NPS Servers

Follow these steps to configure NPS servers to perform 802.1X authentication for wireless access:

Register NPS in Active Directory Domain Services

You can use this procedure to register a server running Network Policy Server (NPS) in Active Directory Domain Services (AD DS) in the domain where the NPS server is a member. For NPS servers to be granted permission to read the dial-in properties of user accounts during the authorization process, each NPS server must be registered in AD DS. Registering an NPS server adds the server to the RAS and IAS Servers security group in AD DS.

Note

You can install NPS on a domain controller or on a dedicated server. Run the following Windows PowerShell command to install NPS if you have not yet done so:

Install-WindowsFeature NPAS -IncludeManagementTools

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To register an NPS server in its default domain

  1. On your NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS snap-in opens.

  2. Right-click NPS (Local), and then click Register Server in Active Directory. The Network Policy Server dialog box opens.

  3. In Network Policy Server, click OK, and then click OK again.
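The registration can also be done and, more importantly, verified from the command line. The following is an added example, not part of the original guide: it performs the same registration as the snap-in and then checks that the server's computer account really landed in the RAS and IAS Servers group, which is the condition NPS needs to read dial-in properties. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that you run it as a Domain Admin on the NPS server.

```powershell
# Added example (not from the original guide): register NPS in its default domain and
# confirm group membership. Assumes the ActiveDirectory module is available and the
# session runs as a Domain Admin on the NPS server itself.

# Equivalent of "Register Server in Active Directory" in the NPS snap-in: adds this
# computer to the "RAS and IAS Servers" security group of its default domain.
netsh ras add registeredserver

# Show what the local registration state looks like to the server.
netsh ras show registeredserver

# Independent check against AD DS: the computer account must be a group member,
# otherwise NPS cannot read user dial-in properties during authorization.
Import-Module ActiveDirectory
$thisHost = $env:COMPUTERNAME
$members  = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
            Select-Object -ExpandProperty Name

if ($members -contains $thisHost) {
    "Registered: $thisHost is a member of 'RAS and IAS Servers'"
} else {
    throw "Not registered: $thisHost is not in 'RAS and IAS Servers'. Re-run the registration as Domain Admin and check replication."
}
```

Because group membership is evaluated at the NPS server's next logon to the domain, restart the NPS service (or the server) after registering if authorizations still fail with dial-in property errors.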

Configure a Wireless AP as an NPS RADIUS Client

You can use this procedure to configure an AP, also known as a network access server (NAS), as a Remote Authentication Dial-In User Service (RADIUS) client by using the NPS snap-in.

Important

Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers, such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers, because they use the RADIUS protocol to communicate with RADIUS servers such as NPS servers.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To add a network access server as a RADIUS client in NPS

  1. On your NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS snap-in opens.

  2. In the NPS snap-in, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New.

  3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected.

  4. In New RADIUS Client, in Friendly name, type a display name for the wireless access point.

    For example, if you want to add a wireless access point (AP) named AP-01, type AP-01.

  5. In Address (IP or DNS), type the IP address or fully qualified domain name (FQDN) of the NAS.

    If you enter the FQDN, verify that the name is correct and maps to a valid IP address: click Verify, and then in Verify Address, in the Address field, click Resolve. If the FQDN maps to a valid IP address, the IP address of that NAS automatically appears in IP address. If the FQDN does not resolve to an IP address, you receive a message indicating that no such host is known. If this occurs, verify that you have the correct AP name and that the AP is powered on and connected to the network.

    Click OK to close Verify Address.

  6. In New RADIUS Client, in Shared Secret, do one of the following:

    • To manually configure a RADIUS shared secret, select Manual, and then in Shared secret, type the strong password that is also entered on the NAS. Retype the shared secret in Confirm shared secret.

    • To automatically generate a shared secret, select the Generate check box, and then click the Generate button. Save the generated shared secret, and then use that value to configure the NAS so that it can communicate with the NPS server.

      Important

      The RADIUS shared secret that you enter for your virtual APs in NPS must exactly match the RADIUS shared secret that is configured on your actual wireless APs. If you use the NPS option to generate a RADIUS shared secret, you must configure the matching actual wireless AP with the RADIUS shared secret that was generated by NPS.

  7. In New RADIUS Client, on the Advanced tab, in Vendor name, specify the NAS manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard.

  8. In Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports the use of the message authenticator attribute, select Access Request messages must contain the Message-Authenticator attribute.

  9. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.
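The same RADIUS client can be created with the NPS PowerShell cmdlets, which is useful when many APs are deployed or when the configuration must be reproducible. The following is an added example, not part of the original guide: it mirrors the dialog steps above (friendly name, resolvable address, generated shared secret, vendor, Message-Authenticator requirement) and reads the result back. The AP name and FQDN are constructed placeholders; it assumes the NPS role and the DnsClient module are installed on the server where it runs. Note that it requires the Message-Authenticator attribute unconditionally, which is stricter than step 8 above and is a reasonable default because EAP and PEAP already carry that attribute.

```powershell
# Added example (not from the original guide): add a wireless AP as an NPS RADIUS client
# from PowerShell. Assumes the NPS role (NPS module) and the DnsClient module are
# present. The friendly name and address are constructed placeholders.

Import-Module NPS

$apName    = 'AP-01'                    # Friendly name, as in the example above
$apAddress = 'ap-01.corp.contoso.com'   # constructed FQDN; an IP address also works

# Mirror the "Verify / Resolve" check: fail early if the FQDN does not resolve,
# rather than creating a client entry that NPS can never match to a source address.
$resolved = Resolve-DnsName -Name $apAddress -Type A -ErrorAction Stop
"$apAddress resolves to $($resolved.IPAddress -join ', ')"

# Generate a long random shared secret (same idea as the Generate button):
# 32 bytes from the CSPRNG, base64-encoded, gives a 44-character secret.
# Record it securely; the identical value must be entered on the AP.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$sharedSecret = [Convert]::ToBase64String($bytes)

New-NpsRadiusClient -Name $apName `
                    -Address $apAddress `
                    -SharedSecret $sharedSecret `
                    -VendorName 'RADIUS Standard' `
                    -AuthAttributeRequired $true   # require Message-Authenticator

# Read back what NPS stored (the secret itself is not displayed).
Get-NpsRadiusClient -Name $apName
```

Keep the generated secret out of scripts and logs: pass it to the AP through the vendor's management interface and discard the variable afterwards, because anyone holding the shared secret can forge RADIUS traffic for that client.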

Create NPS Policies for 802.1X Wireless Using a Wizard

You can use this procedure to create the connection request policies and network policies required to deploy 802.1X-capable wireless access points as Remote Authentication Dial-In User Service (RADIUS) clients to the RADIUS server running Network Policy Server (NPS).
After you run the wizard, the following policies are created:

  • One connection request policy

  • One network policy

Note

You can run the New IEEE 802.1X Secure Wired and Wireless Connections wizard every time you need to create new policies for 802.1X authenticated access.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Create policies for 802.1X authenticated wireless by using a wizard

  1. Open the NPS snap-in. If it is not already selected, click NPS (Local). If you are running the NPS MMC snap-in and want to create policies on a remote NPS server, select the server.

  2. In Getting Started, in Standard Configuration, select RADIUS server for 802.1X Wireless or Wired Connections. The text and links below the text change to reflect your selection.

  3. Click Configure 802.1X. The Configure 802.1X wizard opens.

  4. On the Select 802.1X Connections Type wizard page, in Type of 802.1X connections, select Secure Wireless Connections, and in Name, type a name for your policy, or leave the default name Secure Wireless Connections. Click Next.

  5. On the Specify 802.1X Switches wizard page, in RADIUS clients, all 802.1X switches and wireless access points that you have added as RADIUS Clients in the NPS snap-in are shown. Do any of the following:

    • To add additional network access servers (NASs), such as wireless APs, in RADIUS clients, click Add, and then in New RADIUS client, enter the information for Friendly name, Address (IP or DNS), and Shared Secret.

    • To modify the settings for any NAS, in RADIUS clients, select the AP for which you want to modify the settings, and then click Edit. Modify the settings as required.

    • To remove a NAS from the list, in RADIUS clients, select the NAS, and then click Remove.

      Warning

      Removing a RADIUS client from within the Configure 802.1X wizard deletes the client from the NPS server configuration. All additions, modifications, and deletions that you make within the Configure 802.1X wizard to RADIUS clients are reflected in the NPS snap-in, in the RADIUS Clients node under NPS / RADIUS Clients and Servers. For example, if you use the wizard to remove an 802.1X switch, the switch is also removed from the NPS snap-in.

  6. Click Next. On the Configure an Authentication Method wizard page, in Type (based on method of access and network configuration), select Microsoft: Protected EAP (PEAP), and then click Configure.

    Tip

    If you receive an error message indicating that a certificate cannot be found for use with the authentication method, and you have configured Active Directory Certificate Services to automatically issue certificates to RAS and IAS servers on your network, first ensure that you have followed the steps to Register NPS in Active Directory Domain Services, then use the following steps to update Group Policy: Click Start, click Windows System, click Run, and in Open, type gpupdate, and then press ENTER. When the command returns results indicating that both user and computer Group Policy have updated successfully, select Microsoft: Protected EAP (PEAP) again, and then click Configure.

    If after refreshing Group Policy you continue to receive the error message indicating that a certificate cannot be found for use with the authentication method, the certificate is not being displayed because it does not meet the minimum server certificate requirements as documented in the Core Network Companion Guide: Deploy Server Certificates for 802.1X Wired and Wireless Deployments. If this happens, you must discontinue NPS configuration, revoke the certificate issued to your NPS server(s), and then follow the instructions to configure a new certificate by using the server certificates deployment guide.

  7. On the Edit Protected EAP Properties wizard page, in Certificate issued, ensure that the correct NPS server certificate is selected, and then do the following:

    Note

    Verify that the value in Issuer is correct for the certificate selected in Certificate issued. For example, the expected issuer for a certificate issued by a CA running Active Directory Certificate Services (AD CS) named corp\DC1, in the domain contoso.com, is corp-DC1-CA.

    • To allow users to roam with their wireless computers between access points without requiring them to reauthenticate each time they associate with a new AP, select Enable Fast Reconnect.

    • To specify that connecting wireless clients end the network authentication process if the RADIUS server does not present the cryptobinding Type-Length-Value (TLV), select Disconnect Clients without Cryptobinding.

    • To modify the policy settings for the EAP type, in EAP Types, click Edit, in EAP MSCHAPv2 Properties, modify the settings as needed, and then click OK.

  8. Click OK. The Edit Protected EAP Properties dialog box closes, returning you to the Configure 802.1X wizard. Click Next.

  9. In Specify User Groups, click Add, and then type the name of the security group that you configured for your wireless clients in the Active Directory Users and Computers snap-in. For example, if you named your wireless security group Wireless Group, type Wireless Group. Click Next.

  10. Click Configure to configure RADIUS standard attributes and vendor-specific attributes for virtual LAN (VLAN) as needed, and as specified by the documentation provided by your wireless AP hardware vendor. Click Next.

  11. Review the configuration summary details, and then click Finish.

Your NPS policies are now created, and you can move on to joining wireless computers to the domain.

Join New Wireless Computers to the Domain

The easiest method to join new wireless computers to the domain is to physically attach the computer to a segment of the wired LAN (a segment not controlled by an 802.1X switch) before joining the computer to the domain. This is easiest because wireless Group Policy settings are applied automatically and immediately and, if you have deployed your own PKI, the computer receives the CA certificate and places it in the Trusted Root Certification Authorities certificate store, allowing the wireless client to trust NPS servers with server certificates issued by your CA.

Likewise, after a new wireless computer is joined to the domain, the preferred method for users to log on to the domain is to perform the logon by using a wired connection to the network.

Other domain-join methods

In cases where it is not practical to join computers to the domain by using a wired Ethernet connection, or in cases where the user cannot log on to the domain for the first time by using a wired connection, you must use an alternate method.

  • IT Staff Computer Configuration. A member of the IT staff joins a wireless computer to the domain and configures a Single Sign On bootstrap wireless profile. With this method, the IT administrator connects the wireless computer to the wired Ethernet network and joins the computer to the domain. Then the administrator distributes the computer to the user. When the user starts the computer without using a wired connection, the domain credentials that they manually specify for the user logon are used both to establish a connection to the wireless network and to log on to the domain.

For more information, see the section Join the Domain and Log On by using the IT Staff Computer Configuration Method.

  • Bootstrap Wireless Profile Configuration by Users. The user manually configures the wireless computer with a bootstrap wireless profile and joins the domain, based on instructions acquired from an IT administrator. The bootstrap wireless profile allows the user to establish a wireless connection and then join the domain. After joining the computer to the domain and restarting the computer, the user can log on to the domain by using a wireless connection and their domain account credentials.

For more information, see the section Join the Domain and Log On by using Bootstrap Wireless Profile Configuration by Users.

Join the Domain and Log On by using the IT Staff Computer Configuration Method

Domain member users with domain-joined wireless client computers can use a temporary wireless profile to connect to an 802.1X-authenticated wireless network without first connecting to the wired LAN. This temporary wireless profile is called a bootstrap wireless profile.

A bootstrap wireless profile requires the user to manually specify their domain user account credentials, and does not validate the certificate of the Remote Authentication Dial-In User Service (RADIUS) server running Network Policy Server (NPS).

After wireless connectivity is established, Group Policy is applied on the wireless client computer, and a new wireless profile is issued automatically. The new policy uses the computer and user account credentials for client authentication.

Additionally, as part of the PEAP-MS-CHAP v2 mutual authentication using the new profile instead of the bootstrap profile, the client validates the certificate of the RADIUS server.

After you join the computer to the domain, use this procedure to configure a Single Sign On bootstrap wireless profile before distributing the wireless computer to the domain-member user.

To configure a Single Sign On bootstrap wireless profile

  1. Create a bootstrap profile by using the procedure in this guide named Configure a Wireless Connection Profile for PEAP-MS-CHAP v2, and use the following settings:

    • PEAP-MS-CHAP v2 authentication

    • Validate RADIUS server certificate disabled

    • Single Sign On enabled

  2. In the properties of the Wireless Network Policy within which you created the new bootstrap profile, on the General tab, select the bootstrap profile, and then click Export to export the profile to a network share, USB flash drive, or other easily accessible location. The profile is saved as an *.xml file to the location that you specify.

  3. Join the new wireless computer to the domain (for example, through an Ethernet connection that does not require IEEE 802.1X authentication) and add the bootstrap wireless profile to the computer by using the netsh wlan add profile command.

    Note

    For more information, see Netsh Commands for Wireless Local Area Network (WLAN) at http://technet.microsoft.com/library/dd744890.aspx.

  4. Distribute the new wireless computer to the user with the procedure to “Log on to the domain using computers running Windows 10.”

When the user starts the computer, Windows prompts the user to enter their domain user account name and password. Because Single Sign On is enabled, the computer uses the domain user account credentials to first establish a connection with the wireless network and then log on to the domain.
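Step 3 above names the netsh wlan add profile command without showing the form that matters for Single Sign On. The following is an added example, not part of the original guide: it imports the exported *.xml as an all-user profile (required so the profile exists before any user has signed in) and checks that the profile is present. The file path and profile name are constructed placeholders; the profile name must match the name element inside the exported XML.

```powershell
# Added example (not from the original guide): install the exported bootstrap profile
# from step 2 on the freshly joined computer and confirm it is in place.
# Path and profile name below are constructed placeholders.

$profileXml  = 'D:\Bootstrap\Bootstrap-CorpWLAN.xml'   # the *.xml exported in step 2
$profileName = 'CorpWLAN'                              # the <name> inside that XML

if (-not (Test-Path -Path $profileXml)) {
    throw "Bootstrap profile file not found: $profileXml"
}

# user=all stores the profile as an all-user profile, so it is available at the
# logon screen before any user signs in; a per-user profile would not let Single
# Sign On authenticate the wireless connection ahead of the domain logon.
netsh wlan add profile "filename=$profileXml" user=all

# Verify: the profile must be listed among the machine's all-user profiles.
$listing = netsh wlan show profiles | Out-String
if ($listing -match [regex]::Escape($profileName)) {
    "Bootstrap profile '$profileName' is installed."
} else {
    throw "Profile '$profileName' was not added; check the XML name element and the netsh output."
}

# Show the stored profile settings so the administrator can confirm that this is
# the bootstrap profile (PEAP-MS-CHAP v2, server validation off, SSO on) before
# handing the computer to the user.
netsh wlan show profile "name=$profileName"
```

Because the bootstrap profile does not validate the RADIUS server certificate, treat it as temporary: once Group Policy has delivered the validating profile after the first domain logon, the bootstrap profile can be removed with netsh wlan delete profile so that the client never again authenticates without checking the server.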

Log on to the domain using computers running Windows 10

  1. Log off the computer, or restart the computer.

  2. Press any key on your keyboard or click on the desktop. The logon screen appears with a local user account name displayed and a password entry field below the name. Do not log on with the local user account.

  3. In the lower left corner of the screen, click Other User. The Other User logon screen appears with two fields, one for user name and one for password. Below the password field is the text Sign on to: followed by the name of the domain where the computer is joined. For example, if your domain is named example.com, the text reads Sign on to: EXAMPLE.

  4. In User name, type your domain user name.

  5. In Password, type your domain password, and then click the arrow, or press ENTER.

Note

If the Other User screen does not include the text Sign on to: and your domain name, you should enter your user name in the format domain\user. For example, to log on to the domain example.com with an account named User-01, type example\User-01.

Join the Domain and Log On by using Bootstrap Wireless Profile Configuration by Users

With this method, you complete the steps in the General steps section, then you provide your domain-member users with the instructions about how to manually configure a wireless computer with a bootstrap wireless profile. The bootstrap wireless profile allows the user to establish a wireless connection and then join the domain. After the computer is joined to the domain and restarted, the user can log on to the domain through a wireless connection.

General steps

  1. Configure a local computer administrator account, in Control Panel, for the user.

    Important

    To join a computer to a domain, the user must be logged on to the computer with the local Administrator account. Alternatively, the user must provide the credentials for the local Administrator account during the process of joining the computer to the domain. In addition, the user must have a user account in the domain to which the user wants to join the computer. During the process of joining the computer to the domain, the user will be prompted for domain account credentials (user name and password).

  2. Provide your domain users with the instructions for configuring a bootstrap wireless profile, as documented in the following procedure To configure a bootstrap wireless profile.

  3. Additionally, provide users with both the local computer credentials (user name and password) and the domain credentials (domain user account name and password) in the form DomainName\UserName, as well as the procedures to “Join the computer to the domain” and to “Log on to the domain,” as documented in the Windows Server 2016 Core Network Guide.

To configure a bootstrap wireless profile

  1. Use the credentials provided by your network administrator or IT support professional to log on to the computer with the local computer's Administrator account.

  2. Right-click the network icon on the desktop, and click Open Network and Sharing Center. Network and Sharing Center opens. In Change your networking settings, click Set up a new connection or network. The Set Up a Connection or Network dialog box opens.

  3. Click Manually connect to a wireless network, and then click Next.

  4. In Manually connect to a wireless network, in Network name, type the SSID name of the AP.

  5. In Security type, select the setting provided by your administrator.

  6. In Encryption type and Security Key, select or type the settings provided by your administrator.

  7. Select Start this connection automatically, and then click Next.

  8. In Successfully added Your Network SSID, click Change connection settings.

  9. Click Change connection settings. The Your Network SSID Wireless Network Properties dialog box opens.

  10. Click the Security tab, and then in Choose a network authentication method, select Protected EAP (PEAP).

  11. Click Settings. The Protected EAP (PEAP) Properties page opens.

  12. In the Protected EAP (PEAP) Properties page, ensure that Validate server certificate is not selected, click OK twice, and then click Close.

  13. Windows then attempts to connect to the wireless network. The settings of the bootstrap wireless profile specify that you must provide your domain credentials. When Windows prompts you for an account name and password, type your domain account credentials as follows: Domain Name\User Name, Domain Password.

To join a computer to the domain
  1. Log on to the computer with the local Administrator account.

  2. In the search text box, type PowerShell. In search results, right-click Windows PowerShell, and then click Run as administrator. Windows PowerShell opens with an elevated prompt.

  3. In Windows PowerShell, type the following command, and then press ENTER. Ensure that you replace the placeholder DomainName with the name of the domain that you want to join.

    Add-Computer -DomainName DomainName

  4. When prompted, type your domain user name and password, and click OK.

  5. Restart the computer.
  6. Follow the instructions in the previous section Log on to the domain using computers running Windows 10.