Designing a Wireless Network Access Solution

In designing your wireless network access solution, determine where to locate wireless APs and plan how to deploy the APs; design security for wireless access; if needed, design for unauthenticated access and for a public space WLAN; and, finally, optimize your design for manageability. Figure 11.3 shows the process for designing your wireless network access solution.

Figure 11.3: Designing Your Wireless Network Access Solution

Designing Wireless AP Location

After designing and verifying that the services needed for your network infrastructure to support an enterprise WLAN are in place, begin the design process for the location of the wireless APs.

To determine where to locate your wireless APs:

• Identify the areas of coverage for wireless users.

• Determine how many wireless APs to deploy.

• Determine where to place wireless APs.

• Select the channel frequencies for wireless APs.

Identifying the Areas of Coverage for Wireless Users

To identify the areas of coverage for wireless users:

1. Obtain or create scaled architectural drawings of each floor for each building, in each geographic location in your organization that has wireless users.

2. On the drawing, identify the offices, conferences rooms, lobbies, or other areas where you want to provide wireless coverage.

   It might be useful to enable wireless coverage for a building in its entirety rather than for specific locations within the building. For example, this can prevent connectivity problems that might result from undocking a laptop from an office for use in a different part of your building.

3. Indicate any devices that interfere with the wireless signals.

   Any device that operates on the same frequencies as your wireless devices (in the 2.4 through 2.5 GHz ISM range) might interfere with the wireless signals. Devices that operate on the same frequency include:

   • Existing Bluetooth-enabled devices

   • Microwave ovens

   • Some models of cordless telephones

   • Wireless video cameras

   • Medical equipment

4. Indicate any building construction materials that interfere with wireless signals.

   Metal objects used in the construction of a building can affect the wireless signal. For example, the following common objects interfere with signal propagation:

   • Support girders

   • Elevator shafts

   • Rebar reinforcement in concrete

   • Heating and air-conditioning ventilation ducts

   • Wire mesh that reinforces plaster or stucco in walls

Note

Radio frequency attenuation (the reduction of signal strength), shielding, and reflection can affect how you deploy your APs. Refer to the manufacturer of your APs for information regarding the different scenarios that might increase the radio frequency attenuation. Testing software is available with most APs to check for signal strength, error rate, and data throughput. This can be very beneficial during the deployment of your APs.

Determining How Many Wireless APs to Deploy

To determine how many wireless APs to deploy, following these guidelines:

• Include enough wireless APs to ensure that wireless users have sufficient signal strength from anywhere in the area of coverage.

  Wireless APs typically have an indoor range within a 150-foot radius. Include enough wireless APs to ensure signal overlap between the wireless APs.

• Determine the maximum number of simultaneous wireless users per coverage area.

• Estimate the data throughput that the average wireless user requires.

Add additional wireless APs to:

• Improve wireless client network bandwidth capacity.

• Increase the number of wireless users supported within a coverage area

  Based on the total data throughput of all users, determine the number of users that you can connect through a wireless AP. Obtain a clear picture of throughput before deploying the network or making changes. Some wireless vendors provide an 802.11 simulation tool, which you can use to model traffic in a network and view throughput levels under various conditions.

• Ensure redundancy, in the event that a wireless AP fails.

Determining Where to Place Wireless APs

It is important to locate the APs close enough together to provide ample wireless coverage but far enough apart to not interfere with each other and increase the error rate. The actual distance needed between any two APs depends upon the combination of the type of AP, the type of AP antenna, and the construction of the building, as well as on sources of signal degradation, shielding, and reflection. For specifications and guidelines for placing wireless APs, see the manufacturer's documentation for the APs and the antennas used with them.

Maintain the best average ratio of wireless clients to APs. The greater the number of wireless clients that are associated with the AP, the lower the effective data transmission rate. Too many wireless clients attempting to use the same AP degrade the effective throughput or available bandwidth for each wireless client. By adding APs, you can increase throughput. To increase the number of APs per wireless client, you must increase the number of APs in a given coverage area. You can move APs closer together up to a point before they start to interfere with each other.

To determine where to place the wireless APs:

1. On the architectural drawings, place wireless APs so that each wireless AP is no further than 300 feet from an adjacent wireless AP.

2. To test the wireless AP placement, perform a site survey:

   • Temporarily place wireless APs in the locations specified on the architectural drawings.

   • Using a laptop equipped with an 802.11 wireless adapter and site survey software (site survey software ships with most wireless adapters), determine the signal strength within each coverage area.

3. In coverage areas where signal strength is low, make any of the following adjustments:

   • Reposition existing APs to increase the signal strength for that coverage area.

   • Reposition or eliminate devices that interfere with signal strength (such as Bluetooth devices or microwave ovens).

   • If possible, reposition or eliminate metal obstructions that interfere with signal propagation (such as filing cabinets and appliances).

   • Add additional wireless APs to compensate for the weak signal strength.

     It is important to remember that radio frequency is three-dimensional. It can be conceptualized as a sphere of signal.

   • Purchase antennas to meet the requirements of your building infrastructure.

     For example, to eliminate interference between APs located on adjoining floors in your building, you can purchase directional antennas that flatten the signal (forming a donut-shaped signal distribution) to increase the horizontal range and decrease the vertical range.

4. Update the architectural drawings to reflect the final number and placement of the wireless APs.

Example: An Enterprise Corporation Determines AP Location

An enterprise corporation used information from the manufacturer of its APs and from internal testing to determine the best locations for their APs when using IEEE 802.11b. They determined that a 30-foot radius for each AP (with 60 feet between adjacent APs) would provide the best coverage without interference between the APs.

To assist them in designing AP locations, the IT staff created a plan view of the building, with one drawing per floor. The floor plans displayed the location, name, IP address, and channel information for each AP. Based on the information in the floor plans, the IT staff determined that they could locate their APs in the plenum area between the lowered ceiling and the next floor up, which simplified troubleshooting for the AP equipment.

Selecting Channel Frequencies for Wireless APs

Direct communication between an 802.11 wireless network adapter and an AP occurs over a common channel corresponding to a frequency range in the S-Band ISM frequency range. You set the channel in the AP, and the wireless network adapter automatically tunes to the channel of the AP with the strongest signal. The wireless network adapter continues communication with the AP until the signal gets weak, at which time it attempts to locate another AP with a stronger signal.

To reduce interference between wireless APs, ensure that wireless APs with overlapping signals use unique channel frequencies. The 802.11b standard reserves 14 frequency channels for use with wireless APs. Within the United States, the Federal Communications Commission (FCC) allows channels 1 through 11. In most of Europe, you can use channels 1 through 13. In Japan, you have only one choice: channel 14.

Figure 11.4 shows the 11 802.11b frequency channels available in the United States. Notice that the 802.11b signals overlap with adjacent channel frequencies. As a result, you can only use three channels (in the United States, channels 1, 6, and 11) without causing interference between adjacent APs.

Figure 11.4: Channel Overlap for 802.11b APs in the United States

To select the channel frequencies for the wireless APs:

1. Identify any wireless networks owned by other organizations in the same building. Find out the placement of their wireless APs and the channel frequencies assigned to the APs.

   Radio waves travel through floors and ceilings, so APs located near each other on different floors need to be set to non-overlapping channels. If another organization located on a floor adjacent to your organization's offices has a wireless network, the wireless APs for that organization might interfere with the wireless APs in your network. Contact the other organization to determine the placement and frequencies of their wireless APs so that you can ensure that any of your own wireless APs that provide overlapping coverage use a different channel frequency.

2. Identify overlapping wireless signals on adjacent floors within your own organization.

3. After identifying overlapping coverage areas outside and within your organization, assign channel frequencies for your wireless APs.

   1. Assign channel 1 to the first wireless AP.

   2. Assign channels 6 and 11 to any wireless APs that overlap coverage areas with the first wireless AP, to ensure that those APs do not interfere with one another.

   3. Continue assigning channel frequencies to the wireless APs, ensuring that any two wireless APs with overlapping coverage are assigned different channel frequencies.

Example: An Enterprise Corporation Determines IEEE 802.11b Channels

An enterprise corporation occupies multiple floors in a building. Because of this, they had to pay attention to both the horizontal and vertical dimensions when determining which IEEE 802.11b channel to assign to each AP. For example, if a certain spot on the first floor used channel 1, they assigned channel 6 to the same location on the second floor, and assigned channel 11 to the same location on the third floor. They did not use channel 1 again until the fourth floor.

Figure 11.5 illustrates the selection of channels for the wireless APs on a building floor. The wireless AP channels were selected to ensure that no two overlapping areas of coverage have the same channel (frequency).

Figure 11.5: Example of 802.11b Channel Allocation

Planning the Deployment of APs

After determining where to locate APs, you need to make additional decisions about how you will deploy the APs. These decisions affect the types of equipment required, where the equipment should be located, and how the equipment will be installed

Will you install the APs on the walls of your building or in the plenum area?

If you place your APs in the plenum area, you must determine the best method for powering the APs. Consult with the AP manufacturer to determine how to meet the power requirements for the APs. Some wireless APs can receive electrical power through the Ethernet cable.

The plenum area is regulated by fire codes. Therefore, for plenum placement, you must purchase APs that are fire-rated.

Will you preconfigure APs before installing them or configure them remotely?

Preconfiguring the APs before installing them on location can speed up the deployment process and can save labor costs, because less skilled workers can perform the physical installation. You can preconfigure APs by using the console port (serial port), Telnet, or a Web server that is integrated with the AP. If you will use a terminal server for console configuration of APs, decide where to locate the terminal server. Regardless of whether you decide to preconfigure the APs, make sure that you can access them remotely, particularly if you deploy many APs. This enables you to configure or upgrade the APs remotely by using scripts.

The terminal server can be located on the same subnet as the APs, or elsewhere.

It is helpful to physically locate the terminal server in the same wiring closet as the hub or patch panel connecting the AP. With this arrangement, you can pull together the Ethernet and console (serial) wires at the same time. This is only possible if the wires are run to and from the same place. You can then complete the configuration of many APs from a central location.

What model of antenna will you use for the APs?

For example, in a building with multiple floors, an omnidirectional antenna — which propagates the signal equally in all directions except the vertical — might work best. For information about which type of antenna will work best for your WLAN deployment, see the documentation for your APs.

What model of AP will you purchase?

The AP must be able to be configured as a RADIUS client and must support Wired Equivalent Privacy (WEP) and 802.1X authentication.

Example: An Enterprise Corporation Mounts APs in the Plenum Area

An enterprise corporation learned that mounting its APs in the plenum area would resolve some of the issues raised during their pilot test of their wireless network deployment.

For instance, users often disconnected data and power cables from the APs in order to plug their portable computers into the network. The unavailable APs prompted many service calls to the Help desk.

In addition, the IT staff found that by mounting APs in the plenum area, they could install APs in doorways and halls, avoiding users' offices. Though the initial installation cost was higher, they believe the placement will pay off in the long term in decreased user interference during working hours.

The enterprise corporation worked closely with the manufacturer of the APs to ensure that all procedures were followed and that the wireless APs were fire-rated for plenum placement.

Designing for Wireless Security

In designing security for your wireless LAN, choose the appropriate level of basic security available under IEEE 802.11 and 802.1X. Then, to close inherent security risks associated with wireless networking, require authorization and authentication of wireless clients before they exchange data with the network attached to the wireless APs, and encrypt the data sent between wireless clients and APs.

Choosing the Right Basic Security for Your WLAN

IEEE 802.11 open system or shared key authentication does not scale appropriately for a large, infrastructure mode wireless network (corporate offices and public places, such as airports and malls). In a large enterprise environment, you should not deploy 802.11 without also deploying 802.1X and RADIUS support.

To ensure the highest level of security for a WLAN in a corporate enterprise environment, use 802.1X with EAP-TLS authentication, a PKI, and RADIUS. The wireless clients must support 802.1X in a WLAN deployment using EAP-TLS.

Microsoft 802.1X Authentication Client provides 802.1X support for computers running any of the following Windows operating systems: Microsoft Windows 2000, Windows 98, and Windows NT version 4.0 Workstation. For more information, see Microsoft 802.1X Authentication Client link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Note

The Microsoft 802.1X Authentication Client is only available for Windows 98 and Windows NT version 4.0 Workstation to customers who have Microsoft Premier Support.

Windows XP provides 802.1X support and additional wireless support, including automatic wireless configuration.

Closing Inherent Security Risks for WLANs

While providing convenience, wireless networking technologies and wireless APs present security risks. In wireless networks, the signals can be intercepted because the data is broadcast using an antenna. Furthermore, if the signals are not encrypted, an eavesdropper outside the premises can view the packets sent on a wireless network.

Wireless networking technologies and wireless APs present two security risks:

• Any person with a compatible wireless network adapter can associate with your wireless APs and attach to your network.

• Because wireless networking signals use radio waves to send and receive information, anyone within a certain distance of a wireless AP can detect and receive all data sent to and from the wireless AP.

Enforcing authorization and authentication

To counter the first security risk, wireless APs must require authentication and authorization of the wireless client before data can be sent to, and received from, the network attached to the wireless AP.

The solution is to use the combination of an 802.1X-enabled wireless client, such as Windows XP; an IEEE 802.1X-enabled and RADIUS-capable wireless AP; and EAP-capable RADIUS servers such as Windows Server 2003 IAS.

With this combination, wireless APs can send connection requests and accounting messages to central RADIUS servers. The RADIUS servers have access to a user accounts database, such as Active Directory, and a set of rules for granting authorization, such as IAS remote access policies. The RADIUS server processes the wireless AP connection request, and either accepts or rejects it.

Encrypting data

To counter the second security risk, encrypt the data sent between the wireless clients and the wireless APs. The method of encryption defined by the IEEE 802.11b standard is Wired Equivalent Privacy (WEP). To provide per-session strong cryptographic keys for WEP encryption, use EAP-TLS, PEAP-TLS, or PEAP-MS-CHAP v2 as the authentication method. IAS has been enhanced to support both PEAP-MS-CHAP v2 and EAP-TLS.

EAP-TLS, as defined in RFC 2716, is the TLS authentication scheme as an EAP type. TLS is used in certificate-based security environments. EAP-TLS is a secure channel (SChannel) authentication protocol that provides for mutual authentication, integrity-protected cipher-suite negotiation, and key exchange between the two endpoints by means of public key cryptography.

PEAP-MS-CHAP v2 provides a secure wireless authentication solution for small businesses without requiring a certificate infrastructure (PKI) and the installation of a user or computer certificate on each wireless client. With PEAP, you can use a password-based authentication method to securely authenticate wireless connections. PEAP creates an encrypted channel before the password-based authentication occurs. Therefore, password-based authentication exchanges such as occur in MS-CHAP v2 are not subject to offline dictionary attacks.

Note

PEAP with MS-CHAP v2 is provided with Windows XP Service Pack 1 (SP1) and later, Windows Server 2003, and Microsoft 802.1X Authentication Client.

Designing Unauthenticated Access

Unauthenticated EAP-TLS access can be useful in both corporate and public space environments.

In a corporate environment, this feature can be used to grant guest access to visitors such as consultants. The unauthenticated users are redirected to a specific virtual LAN (VLAN), which provides only limited network access, such as access to the Internet.

In a public space environment, a wireless Internet service provider (ISP) can use this feature to give potential subscribers access to a restricted VLAN with local information. When the person subscribes for Internet access, the ISP provides connectivity to the Internet.

EAP-TLS unauthenticated access provides a means to grant guest access for a wireless client that does not have a certificate installed. EAP-TLS supports one-way authorization or unauthenticated access when a client does not send credentials. If a network access client does not provide credentials, IAS determines whether unauthenticated access is enabled in the remote access policy that matched the connection attempt.

Windows Server 2003 and IAS support unauthenticated wireless connections. For more information about unauthenticated wireless access, see "Wireless access" in Help and Support Center for Windows Server 2003.

Designing a Public Space WLAN

If you plan to deploy a public space WLAN in a venue such as an airport or shopping mall, you need to design your WLAN to meet some additional requirements.

• Plan for a single wireless network infrastructure that multiple service providers can share and access.

  A single wireless network infrastructure eliminates radio frequency interference. Because of the finite number of non-overlapping channels available in 802.11b, multiple wireless network infrastructures in the same location cause interference among wireless APs with overlapping channel frequencies.

• Make sure that the APs support VLANs, the capability for beaconing multiple Service Set Identifiers (SSIDs, also known as network names), and the capability for binding each SSID to a separate VLAN.

  Enhanced APs are necessary in a public space WLAN deployment. VLAN support enables the AP to route the wireless client to the correct network path. The capability for beaconing multiple SSIDs enables multiple service providers to share the same wireless network infrastructure. After the wireless client associates with the correct SSID, the AP must bind that SSID to the correct VLAN in order to route the network traffic to the correct destination. The AP maintains a table that maps each SSID to its respective VLAN number. The public space WLAN also must allow non-802.1X wireless clients access. To support this, you must assign a VLAN number for all non-802.1X wireless clients. The VLAN number routes the non-802.1X clients to a VLAN that is configured to provide non-802.1X clients with 802.1X credentials.

• To provide security, you need an IEEE 802.1X and RADIUS-capable wireless AP, and an EAP-capable RADIUS server such as Windows Server 2003 IAS.

• You might need to provide billing and accounting for services provided to customers connecting through the public space WLAN.

  A public space WLAN must provide a means for charging for services provided, typically by an ISP, to customers connecting through the public space WLAN. An ISP can charge the customer for this service in several ways. It can bill for the total time connected, the quantity of data transferred, or a combination of the two methods.

  You can configure the same IAS server that is used for the authorization of wireless users to capture this connection data and save it to an accounting log file. The log file contains the connection time, the amount of data transferred during a session, and other data that can be used to produce billing records for ISP customers. Database exporting can convert the log files into a format that can be read and interpreted to provide the billing records. IAS for Windows Server 2003 can also be configured to send accounting information to a SQL server database.

  In addition, third-party software is available to create billing solutions.

• Provide sufficient bandwidth to support the volume of users likely to use a public space WLAN.

  In designing a public space WLAN, consider how many users need to connect simultaneously through each AP. For example, if you design for an average bandwidth of 56 kilobits per second (Kbps), approximating a 56K modem, more users will be able to associate with the network than if you design the average bandwidth to be more than 56 Kbps.

Figure 11.6 shows the infrastructure for a public space WLAN with 802.1X designed for an airport. This public space WLAN enables ISPs to provide Internet access for general and corporate users with wireless devices that are 802.11b-capable.

Figure 11.6: Example of a Public Space WLAN Infrastructure in an Airport

Example: Public Space WLAN Access

A user with a computer running Windows XP (with the Wireless Zero Configuration [WZC] service and IEEE 802.1X) starts his computer. The wireless adapter attempts to authenticate with an AP, but can only associate with VLAN 0 since it has no authorization for VLAN 1, the ISP network for the airport. When associated with VLAN 0, the wireless device is directed to the airport's ISP Web server.

The Web server queries the user about access to the Internet or another company's network. As a free service, the ISP's Web site provides local travel information, including arrival and departure times and restaurants. If the user chooses to set up an account, the ISP creates the account for billing purposes and provides the wireless user with a certificate to join VLAN 1.

The wireless user now has a certificate and can access VLAN 1. The user is authenticated using IAS, which simultaneously creates or appends a log file. The log file and new user account are both used for billing purposes. The wireless user is granted permission to access the Internet.

If the user decides to access his own corporate network across the Internet, a virtual private network (VPN) connection can be created from the wireless client to a VPN server in the perimeter network.

Note

As an alternative to a VLAN, a public space wireless network can support IP filtering. This requires the use of APs that are capable of IP filtering and can be configured to restrict access to only the IP addresses for the ISP's certificate, DHCP, and Web servers. These servers provide the minimum connectivity and services that are required in order to obtain authenticated access. If an AP is associated with repeatedly when you use IP filtering for authentication, the AP can consume the allotted quantity of IP addresses that the DHCP server has set aside, preventing additional wireless clients from obtaining an IP address. Although the infrastructure for IP filtering is less costly, because IP filtering saves a switch and a server, IP filtering is less secure. For these reasons, it is better to use a VLAN than IP filtering for a public space wireless network.

Designing for Manageability

For a large wireless deployment to be practical, it must be easy to manage. The combination of Windows XP and Windows Server 2003 allows for efficient management of your wireless network.

For optimal manageability of your wireless network, ensure that your wireless clients use Windows XP, which provides support for automatic switching between APs during roaming and support for zero configuration through the WZC. Although you can use other Windows operating systems with Microsoft 802.1X Authentication Client, they do not support zero configuration.

Automatic Switching Between APs During Roaming

Windows XP supports automatic switching between APs when roaming, autodetection of wireless networks, 802.1X, and automatic wireless configuration.

Windows XP has improved and built upon the wireless support for clients that Windows 2000 provides. In Windows 2000, media sense capability (the capability for detecting an attached network) is used to control the configuration of the network stack and inform the user and applications when the network is unavailable. With Windows XP, media sense capability is used to enhance the wireless roaming experience. This is done by detecting a move to a new AP and then forcing re-authentication and DHCP renewal to ensure appropriate network access during roaming. Windows XP in addition supports autodetection of a wireless network, and automatic wireless configuration with the Wireless Zero Configuration (WZC) service.

Distributing Certificates Through Autoenrollment

An IAS server, which acts as a RADIUS server and proxy, also supports EAP-TLS. Because both Windows XP and IAS in Windows Server 2003 support EAP-TLS, the combination gives you support for a strong authentication method and a per-session key management system. To ease deployment, you can distribute the computer and user certificates used for authentication through certificate autoenrollment. Autoenrollment is the automatic requesting and issuing of certificates based on Group Policy settings.

Table 11.2 lists the types of certificates (user, computer, or both) for which autoenrollment is supported with each combination of client and server operating system. When using any other clients, such as Windows NT or Windows 98, you must manually enroll each client or use a scripted solution.

Table 11.2: Support for Autoenrollment of Certificates Provided in Windows

Client	Server	Computer	User
Windows XP or Windows Server 2003	Windows Server 2003	•
Windows XP or Windows Server 2003	Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition	•	•
Windows XP or Windows Server 2003	Windows 2000 Server	•
Windows 2000	Windows Server 2003	•
Windows 2000	Windows 2000 Server	•

For more information about the design and deployment of IAS, see "Deploying IAS" in this book.

Taking Advantage of Autoconfiguration

The addition of the Wireless Zero Configuration (WZC) service in Windows XP improves the manageability of your wireless network. The WZC service dynamically selects the wireless network to which to attempt connection based either on your preferences or on default settings. When a more preferred wireless network becomes available, the WZC service automatically selects and connects to that network. If none of the preferred wireless networks is found nearby, the WZC service configures the wireless adapter so that there is no accidental connection until the wireless client roams within the range of a preferred network.

To improve the roaming experience by automating the process of configuring the network adapter to associate with an available network, Microsoft partnered with 802.11 wireless adapter vendors. The wireless network adapter scans for available networks and passes them to Windows XP, which then configures the wireless network adapter with an available network. If you are not using a WZC-capable network adapter, you must configure the network adapter manually by using the configuration software that the manufacturer provides.

For improved manageability of your wireless network, ensure that your wireless clients are using Windows XP so the WZC service is available. Windows Server 2003 also provides this service, which is known in Windows Server 2003 as the Wireless Configuration service. The Microsoft 802.1X Authentication Client does not provide WZC and roaming support.

Managing APs Remotely

For better manageability, design your network so that you can manage your APs from a remote location. You can remotely manage APs by using the AP console port (serial port) and an asynchronous terminal server, a Telnet session, or a Web server that is integrated with the AP.

To configure an AP for network access by an asynchronous terminal server, use the two unused pairs of Ethernet cable to return the serial communication lines to the data closet where they can be connected to an asynchronous terminal server. This enables you to configure an AP remotely if necessary. If you arrange to switch power off remotely, you can also restart APs remotely when they are not responding to a signal from an Ethernet or console port.

Using these methods, you will be able to completely manage APs remotely except when an AP fails and must be repaired or replaced.

Using Active Directory-based Wireless Network Policies

To centrally manage the configuration of secure wireless connections for wireless client computers, you can create Active Directory-based wireless network policies that specify the types of networks that users can access, preferred networks, WEP settings, IEEE 802.X settings, and other settings for wireless connections. The settings are configured in Group Policy, in Wireless Network (IEEE 802.1) Policies. The wireless network policy is replicated to computers that are associated with the computer configuration Group Policy object. Users do not need to enter the configurations or select settings.

For example, you can configure the following items in the Wireless Network (IEEE 802.11) Policies settings:

• Types of networks that users can access

  For example, you might restrict users' access to an AP (infrastructure) network only, or to a computer-to-computer (ad hoc) network only.

• Network name (SSID)

• WEP settings

• Enabling of network access control using IEEE 802.1X

• Authentication methods and settings

The Wireless Network (IEEE 802.1) Policies settings are only supported by wireless clients running Windows XP (SP1 and later) and Windows Server 2003.

For information about:

• Opening the Group Policy Object Editor, see "Ways to open the Group Policy Object Editor" in Help and Support Center for Windows Server 2003. (Click the Index button, and in the keyword box type Group Policy Object Editor; then select opening.)

• Adding and defining wireless network policies, see "Define Active Directory-based wireless network policies" in Help and Support Center for Windows Server 2003.

• Designing wireless network policies, see "Deploying Security Policy" in Designing a Managed Environment.