Windows 7 / Networking

Configuring and Deploying Wireless Profiles

You can also manually configure wireless clients running Windows Vista on a wireless network by importing a wireless profile in XML format by running the netsh wlan add profile command. To create an XML-based wireless profile, configure a Windows Vista wireless client with a wireless network that has all the appropriate settings including the authentication method, encryption methods, and EAP type. Then, run the netsh wlan export profile command to write the wireless network profile to an XML file. You can also create, configure, and export an XML profile from a Windows Vista wireless policy.

Manually Configuring Wireless Clients

If you have a small number of wireless clients, you can manually configure wireless connections for each wireless client. For Windows Vista and Windows Server 2008 wireless clients, run the Set Up a Connection Wizard or the Network Wizard. For Windows XP with SP2 wireless clients, run the New Connection Wizard. The following sections describe how to manually configure the EAP-TLS, PEAP-TLS, and PEAP-MS-CHAP v2 authentication methods for Windows wireless clients.

EAP-TLS

To manually configure EAP-TLS authentication on a wireless client running Windows Vista or Windows Server 2008, do the following:

  1. In the Network and Sharing Center, click the Manage Wireless Networks task. In the Manage Wireless Networks window, double-click your wireless network name.
  2. On the Security tab, in the Security Type box, select WPA-Enterprise or WPA2- Enterprise. In the Choose A Network Authentication Method drop-down list, select Smart Card Or Other Certificate, and then click Settings.
  3. In the Smart Card Or Other Certificate Properties dialog box, to use a registry-based user certificate, select Use A Certificate On This Computer. For a smart card-based user certificate, select Use My Smart Card.
    If you want to validate the computer certificate of the NPS server, select Validate Server Certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect To These Servers and type the names. Click OK twice.

To manually configure EAP-TLS authentication on a wireless client running Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:

  1. Obtain properties of the wireless connection in the Network Connections folder. On the Wireless Networks tab, in the list of preferred networks, click the name of the wireless network, and then click Properties.
  2. On the Authentication tab, select Enable Network Access Control Using IEEE 802.1X and the Smart Card Or Other Certificate EAP type. This is enabled by default.
  3. Click Properties. In the properties dialog box of the Smart Card or other Certificate EAP type, to use a registry-based user certificate, select Use A Certificate On This Computer. For a smart card-based user certificate, select Use My Smart Card.
    If you want to validate the computer certificate of the NPS server, select Validate Server Certificate (recommended and enabled by default). If you want to specify the names of the authentication servers that must perform the TLS authentication, select Connect To These Servers and type the names.
  4. Click OK to save changes to the Smart Card or other Certificate EAP type.

PEAP-TLS

To manually configure PEAP-TLS authentication on a wireless client running Windows Vista, do the following:

  1. In the Network and Sharing Center, click the Manage Wireless Networks task. In the Manage Wireless Networks window, double-click your wireless network name.
  2. On the Security tab, in the Security Type drop-down list, select WPA-Enterprise or WPA2-Enterprise. In Choose A Network Authentication Method, select Protected EAP (PEAP), and then click Settings.
  3. In the Protected EAP Properties dialog box, if you want to validate the computer certificate of the NPS server for the PEAP authentication, select Validate Server Certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the PEAP authentication, select Connect To These Servers and type the names.
  4. In the Select Authentication Method drop-down list, click Smart Card Or Other Certificate. Click Configure. To use a registry-based user certificate, in the Smart Card Or Other Certificate Properties dialog box, select Use A Certificate On This Computer. For a smart card-based user certificate, select Use My Smart Card.
    If you want to validate the computer certificate of the NPS server for the user-level authentication, select the Validate Server Certificate check box (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect To These Servers and type the names.
  5. Click OK to save changes to the Smart Card or other Certificate PEAP type. Click OK to save the changes to the Protected EAP type. Click OK to save the changes to the wireless network configuration.

To manually configure PEAP-TLS authentication on a wireless client running Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:

  1. Obtain properties of the wireless connection in the Network Connections folder. On the Wireless Networks tab, in the list of preferred networks, click the name of the wireless network, and then click Properties. The Wireless Network's properties dialog box appears.
  2. On the Authentication tab, select Enable Network Access Control Using IEEE 802.1X and the Protected EAP (PEAP) type.
  3. Click Properties. In the Protected EAP Properties dialog box, select the Validate Server Certificate check box to validate the computer certificate of the NPS server for the PEAP authentication (recommended and enabled by default). If you want to specify the names of the authentication servers that must perform PEAP authentication, select Connect To These Servers and type the names. In the Select Authentication Method drop-down list, click Smart Card Or Other Certificate.
  4. Click Configure. In the Smart Card Or Other Certificate Properties dialog box, to use a registry-based user certificate, select Use A Certificate On This Computer. For a smart card-based user certificate, select Use My Smart Card.
    If you want to validate the computer certificate of the NPS server for the user-level authentication, select Validate Server Certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect To These Servers and type the names.
  5. Click OK to save changes to the Smart Card or other Certificate PEAP type. Click OK to save the changes to the Protected EAP type. Click OK to save the changes to the wireless network configuration.

PEAP-MS-CHAP v2

To manually configure PEAP-MS-CHAP v2 authentication on a wireless client running Windows Vista, do the following:

  1. In the Network and Sharing Center, click the Manage Wireless Networks task. In the Manage Wireless Networks window, double-click your wireless network name.
  2. On the Security tab, in the Security Type drop-down list, select WPA-Enterprise or WPA2-Enterprise. In the Choose a network authentication method drop-down list, select Protected EAP (PEAP), and then click Settings.
  3. In the Protected EAP Properties dialog box, if you want to validate the computer certificate of the NPS server for the PEAP authentication, select the Validate Server Certificate check box (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the PEAP authentication, select Connect To These Servers and type the names.
  4. In Select Authentication Method, select Secured Password (EAP-MS-CHAP v2), and then click OK twice.

To manually configure PEAP-MS-CHAP v2 authentication on a wireless client running Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:

  1. Obtain properties of the wireless connection in the Network Connections folder. Click the Wireless Networks tab, click the name of the wireless network in the list of preferred networks, and then click Properties. The wireless network's properties dialog box appears.
  2. On the Authentication tab, select Enable Network Access Control Using IEEE 802.1X and the Protected EAP (PEAP) EAP type.
  3. Click Properties. In the Protected EAP Properties dialog box, select Validate Server Certificate to validate the computer certificate of the NPS server (enabled by default). If you want to specify the names of the authentication servers that must perform validation, select Connect To These Servers and type the names. In Select Authentication Method, click Secured Password (EAP-MSCHAP v2), and then click OK twice.
[Previous] [Contents] [Next]

In this tutorial:

  1. IEEE 802.11 Wireless Networks
  2. Support for IEEE 802.11 Standards
  3. Wireless Security
  4. WPA
  5. Planning and Design Considerations
  6. Wireless Authentication Modes
  7. Intranet Infrastructure
  8. Wireless AP Placement
  9. Authentication Infrastructure
  10. Wireless Clients
  11. Windows Vista Wireless Policy
  12. Windows XP Wireless Policy
  13. Command-Line Configuration
  14. PKI
  15. 802.1X Enforcement with NAP
  16. Deploying Protected Wireless Access
  17. Configuring Active Directory for Accounts and Groups
  18. Deploying Wireless APs
  19. Configuring Wireless Clients
  20. Configuring and Deploying Wireless Profiles
  21. Maintenance for a Protected Wireless
  22. Troubleshooting Wireless Connections
  23. Network Diagnostics Framework Support for Wireless Connections
  24. Wireless Diagnostics Tracing
  25. NPS Event Logging
  26. Troubleshooting the Windows Wireless Client
  27. Troubleshooting the Wireless AP
  28. Common Wireless AP Problems
  29. Troubleshooting the Authentication Infrastructure
  30. Troubleshooting Certificate-Based Validation
  31. Troubleshooting Password-Based Validation