Configuring Windows Wireless Clients

Windows wireless clients can be configured either manually or with Group Policy configuration, as described in the following sections.

Manual Configuration

Manual configuration of Windows wireless clients that support the WZC service (Windows XP and Windows Server 2003 with an appropriate wireless network adapter driver) consists of selecting the correct network in the Connect To Wireless Network dialog box and configuring custom settings on the Wireless Networks tab of the properties of a wireless connection.

For Windows 2000 wireless clients or wireless clients with network adapter drivers that do not support the WZC service, you must configure wireless settings with a configuration tool provided by the wireless network adapter vendor.

Group Policy Configuration

The manual configuration of wireless settings is aided by the WZC service, which provides automatic configuration of wireless settings with three mouse clicks:

  1. One click for the One Or More Wireless Networks Are Available message in the notification area.

  2. One click to select the wireless network in the Connect To Wireless Network dialog box.

  3. One click for the Connect button in the Connect To Wireless Network dialog box.

This is the best-case scenario, in which the default settings for a new preferred wireless network apply, as follows:

  • The SSID of the network is determined from the wireless AP beacon.

  • WEP encryption is enabled.

  • Shared key authentication is disabled.

  • The WEP key is determined automatically.

  • IEEE 802.1X authentication is enabled using the EAP-TLS authentication method.

If the wireless network does not conform to these settings, the user must manually configure the wireless network settings. Although this might not be a problem in a Small Office/Home Office network with a small number of wireless client computers, leaving the manual configuration of critical wireless settings to the user in a medium to large organization with hundreds or thousands of wireless client computers is a network administration and troubleshooting issue.

To automate the configuration of wireless network settings for Windows XP (SP1 and later) and Windows Server 2003 wireless client computers, Windows Server 2003 Active Directory domains support a new Wireless Network (IEEE 802.11) Policies Group Policy extension that allows you to configure wireless network settings that are part of Computer Configuration Group Policy.

Wireless network settings include the list of preferred networks, WEP settings, and IEEE 802.1X settings. These settings encompass all the items on the Association and Authentication tab of the properties of a wireless network and additional settings. These settings are downloaded to Windows XP (SP1 and later) and Windows Server 2003 wireless client computers that are members of a Windows Server 2003 Active Directory domain, making it much easier to deploy a specific configuration for secure wireless connections. You can configure wireless policies from the Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies node in the Group Policy snap-in. Figure 3-13 shows the location of the Wireless Network (IEEE 802.11) Policies node.

Figure 3-13. The location of the Wireless Network (IEEE 802.11) Policies node.

NOTE
These policy settings do not apply to Windows XP (prior to SP1) or Microsoft 802.1X Authentication Client wireless clients.

By default, there are no Wireless Network (IEEE 802.11) Policies. To create a new policy, right-click Wireless Network (IEEE 802.11) Policies in the console tree of the Group Policy snap-in and then click Create Wireless Network Policy. The Create Wireless Network Policy Wizard is launched. The main page of the wizard, the Wireless Network Policy Name page, allows you to configure a name and description for the new wireless network. You can create only a single wireless network policy for each Group Policy object.

To modify the settings of the wireless network policy, right-click its name in the details pane and then click Properties. The properties of a wireless network policy consist of a General tab and a Preferred Networks tab.

Figure 3-14 shows the General tab for a wireless network policy.

Figure 3-14. The General tab for a wireless network policy.

On the General tab, you can view and configure the following:

  • Name

    This option allows you to type a friendly name for the wireless network policy.

  • Description

    This option allows you to type a description for the wireless network policy.

  • Check For Policy Changes Every

    This option allows you to type the interval in minutes after which wireless clients that are Active Directory members check for changes in the wireless network policy.

  • Networks To Access

    This option selects the types of wireless networks with which the wireless client is allowed to create connections:

    • Any Available Network (Access Point Preferred)

    • Access Point (Infrastructure) Networks Only

    • Computer-To-Computer (Ad Hoc) Networks Only

  • Use Windows To Configure Wireless Network Settings for Clients

    This option enables the WZC service.

  • Automatically Connect to Non-preferred Networks

    This option enables automatic connections to wireless networks that are not configured as preferred networks.

Figure 3-15 shows the Preferred Networks tab for a wireless network policy.

Figure 3-15. The Preferred Networks tab for a wireless network policy.

On the Preferred Networks tab, you can view and configure the following:

  • Networks

    This option displays the list of preferred wireless networks.

  • Add/Edit/Remove

    These buttons create a new preferred wireless network, modify the settings of the selected preferred wireless network, and delete the selected preferred wireless network.

  • Move Up/Move Down

    These buttons move the selected preferred wireless network up or down in the Networks list.

The properties of a preferred wireless network consist of a Network Properties tab and an IEEE 802.1x tab.

Figure 3-16 shows the Network Properties tab for a preferred wireless network.

Figure 3-16. The Network Properties tab for a preferred wireless network.

On the Network Properties tab, you can view and configure the following settings (which are equivalent to the settings of a wireless network for a Windows wireless client that supports the WZC service):

  • Network Name (SSID)

  • Data Encryption (WEP Enabled)

  • Network Authentication (Shared Mode)

  • The Key Is Provided Automatically

  • This Is A Computer-to-Computer (Ad Hoc) Network; Wireless Access Points Are Not Used

NOTE
Microsoft is investigating the inclusion of an update to the Network Properties tab in Windows Server 2003 SP1 that includes configuration options for WPA authentication and encryption settings. An example of the final Network Properties tab was not available at the time of the printing of this book. Microsoft is also investigating the inclusion of an update in Windows XP SP2 so that the new WPA encryption and authentication settings in the Wireless Network (IEEE 802.11) Policies Group Policy extension are recognized and configured.

Figure 3-17 shows the IEEE 802.1x tab for a preferred wireless network.

Figure 3-17. The IEEE 802.1x tab for a preferred wireless network.

On the IEEE 802.1x tab, you can view and configure the following settings (which are equivalent to the authentication settings of a Windows wireless client):

  • Enable Network Access Control Using IEEE 802.1x

  • EAP Type and Settings

  • Authenticate As Guest When User Or Computer Information Is Unavailable

  • Authenticate As Computer When Computer Information Is Available

The following are additional settings on the IEEE 802.1x tab that do not appear in the authentication settings of a Windows wireless client:

  • EAPOL-Start Message

    This option allows you to specify the transmission behavior of the EAPOL-Start message when authenticating. You can select from the following:

    • Do Not Transmit

    • Transmit

    • Transmit Per 802.1x

  • Max Start

    This option allows you to specify the number of successive EAPOL-Start messages that are sent out when no response is received to the initial EAPOL-Start messages.

  • Start Period

    This option allows you to specify the interval, in seconds, between the retransmission of EAPOL-Start messages when no response is received to the previously sent EAPOL-Start message.

  • Held Period

    This option allows you to specify the period, in seconds, for which the authenticating client will not perform any 802.1X authentication activity after it has received an authentication failure indication from the authenticator.

  • Authentication Period

    This option allows you to specify the interval, in seconds, for which the authenticating client will wait before retransmitting any 802.1X requests after end-to-end 802.1X authentication has been initiated.

  • Computer Authentication

    This option allows you to specify how computer authentication works with user authentication. There are three possible settings:

    • With User Authentication

      When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained using the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.

    • With User Re-Authentication

      When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on).

    • Computer Only

      Authentication is always performed using the computer credentials. User authentication is never performed.
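
The three Computer Authentication settings above, modelled as a small state machine to show when the credentials on the wireless link differ from the computer's current security context. This is an added example, not code from the book or from Windows; the event names (boot, logon, roam, logoff) and function names are assumptions, and a logoff under With User Authentication is read as a return to computer credentials.

```python
# Added illustration of the Computer Authentication settings described above.
# Event names and function names are assumptions of this sketch.
COMPUTER, USER = "computer", "user"
MODES = ("With User Authentication",
         "With User Re-Authentication",
         "Computer Only")
# Constructed sample timeline for one client.
TIMELINE = ["boot", "logon", "roam", "logoff"]


def link_credential(mode, event, current, user_logged_on):
    """Credential the wireless link is authenticated with after `event`."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    if mode == "Computer Only" or not user_logged_on:
        return COMPUTER        # no user logged on, or user auth never performed
    if mode == "With User Re-Authentication":
        return USER            # logon triggers authentication as the user
    # With User Authentication: logon keeps the existing computer
    # authentication; only roaming to a new AP switches to user credentials.
    return USER if event == "roam" else current


def trace(mode, events):
    """Return (event, link credential, security context, match) per event."""
    logged_on, cred, rows = False, COMPUTER, []
    for event in events:
        if event == "logon":
            logged_on = True
        elif event in ("logoff", "boot"):
            logged_on = False
        elif event != "roam":
            raise ValueError(f"unknown event: {event}")
        cred = link_credential(mode, event, cred, logged_on)
        context = USER if logged_on else COMPUTER
        rows.append((event, cred, context, cred == context))
    return rows


def mismatches(mode, events):
    """Events after which the link credential differs from the context."""
    return [event for event, _, _, ok in trace(mode, events) if not ok]


if __name__ == "__main__":
    for mode in MODES:
        print(mode)
        for event, cred, context, ok in trace(mode, TIMELINE):
            flag = "" if ok else "  <- differs from security context"
            print(f"  {event:<7} link={cred:<9} context={context}{flag}")
```

Only With User Re-Authentication keeps the link credential aligned with the security context at every step, which is the reason the text gives for recommending it.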



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
EAN: 2147483647
Year: 2000
Pages: 123
Authors: Joseph Davies
