
Windows Vista Wireless Policy

The properties dialog box of a Windows Vista wireless policy consists of a General tab and a Network Permissions tab.

On the General tab, you can configure a name and description for the policy, specify whether to enable the WLAN AutoConfig service (Wireless Auto Configuration), and configure the list of wireless networks and their settings (known as profiles) in preferred order. On the General tab, you can import and export profiles as files in XML format. To export a profile to an XML file, select the profile and click Export. To import an XML file as a wireless profile, click Import, and then specify the file's location.

The Network Permissions tab is new for Windows Vista and Windows Server 2008 and allows you to specify wireless networks by name that are either allowed or denied access. Using these settings, you can create either an allow list or a deny list.

With an allow list, you can specify the set of wireless networks by name to which a Windows Vista or Windows Server 2008 wireless client is allowed to connect. This is useful for network administrators who want an organization's laptop computers to connect to a specific set of wireless networks, which might include the organization's wireless network in addition to wireless Internet service providers.

With a deny list, you can specify the set of wireless networks by name to which the wireless clients are not allowed to connect. This is useful to prevent managed laptop computers from connecting to other wireless networks that are within range of the organization's wireless network (for example, when an organization occupies a floor of a building and other organizations on adjoining floors run their own wireless networks), or to prevent managed laptop computers from connecting to known unsecured wireless networks.

On the Network Permissions tab, there are also settings to prevent connections to either ad-hoc or infrastructure mode wireless networks, to allow the user to view the wireless networks in the list of available networks that have been configured as denied, and to allow any user to create an all-user profile. An all-user profile can be used to connect to a specific wireless network by any user with an account on the computer. If this setting is disabled, only users in the Domain Admins or Network Configuration Operators groups can create all-user wireless profiles on the computer. Last, there is a setting to require that the wireless client use Group Policy-based profiles for allowed profiles, rather than local profiles of the same name.

To manage a wireless network profile from the General tab of the New Windows Vista Wireless Policy Properties dialog box, either select an existing profile and click Edit, or click Add and then specify whether the new wireless profile is for an infrastructure or ad-hoc mode wireless network. The profile properties dialog box of a Windows Vista wireless network profile consists of a Connection tab and a Security tab.

On the Connection tab, you can configure a name for the profile and a list of wireless network names to which this profile applies. You can add new names by typing the name in the Network Name(s) (SSID) box and clicking Add. You can also specify whether the wireless client using this profile will automatically attempt to connect to the wireless networks named in the profile when in range (subject to the preference order of the list of wireless profiles on the General tab for the Windows Vista policy), whether to automatically disconnect from this wireless network if a more preferred wireless network comes within range, and to indicate that the wireless networks in this profile are nonbroadcast networks (also known as hidden networks).

On the Security tab, you can configure the authentication and encryption methods for the wireless networks in the profile. For authentication methods, you can select Open, Shared, Wi-Fi Protected Access (WPA)-Personal, WPA-Enterprise, WPA2-Personal, WPA2-Enterprise, and Open with 802.1X. For encryption methods, you can select Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), and Advanced Encryption Standard (AES). The choice of encryption methods depends on your choice of authentication method.
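The following added example (not code from this tutorial or from Windows itself) reads a profile in the XML format that the General tab's Export button produces and maps it back to the Connection tab settings (SSID list, automatic connection, nonbroadcast flag, infrastructure versus ad-hoc) and the Security tab settings (authentication, encryption, 802.1X), then flags combinations an administrator would not want to deploy. It assumes the Microsoft WLAN_profile XML namespace and element names, and the allowed authentication/encryption pairings are taken from that schema rather than from this page; the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Encryption methods the profile schema accepts per authentication method
# (assumed from the WLAN_profile schema; the page only says the choice depends
# on the authentication method). "open" plus useOneX is Open with 802.1X.
ALLOWED_ENCRYPTION = {"open": {"none", "WEP"}, "shared": {"WEP"},
                      "WPA": {"TKIP", "AES"}, "WPAPSK": {"TKIP", "AES"},
                      "WPA2": {"TKIP", "AES"}, "WPA2PSK": {"TKIP", "AES"}}

# Constructed sample of what the General tab's Export button produces for a
# WPA2-Enterprise profile on a hidden SSID (no credentials are exported).
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Corp-WLAN</name>
  <SSIDConfig><SSID><name>CorpNet</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


def _text(root, path):
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else ""


def audit_profile(xml_text):
    """Return (settings, findings): the tab settings and a list of policy concerns."""
    root = ET.fromstring(xml_text)
    sec = "p:MSM/p:security/p:authEncryption/"
    auth, enc = _text(root, sec + "p:authentication"), _text(root, sec + "p:encryption")
    settings = {
        "name": _text(root, "p:name"),
        "ssids": [s.text for s in root.findall("p:SSIDConfig/p:SSID/p:name", NS)],
        "hidden": _text(root, "p:SSIDConfig/p:nonBroadcast") == "true",  # nonbroadcast network
        "adhoc": _text(root, "p:connectionType") == "IBSS",             # ESS = infrastructure
        "auto_connect": _text(root, "p:connectionMode") == "auto",
        "authentication": auth, "encryption": enc,
        "uses_8021x": _text(root, sec + "p:useOneX") == "true",
    }
    findings = []
    if enc not in ALLOWED_ENCRYPTION.get(auth, set()):
        findings.append(f"encryption {enc} is not valid with authentication {auth}")
    if enc in ("none", "WEP", "TKIP"):
        findings.append(f"weak encryption method {enc}")
    if settings["adhoc"]:
        findings.append("ad-hoc profile (Network Permissions tab can block ad-hoc networks)")
    return settings, findings
```

Running audit_profile over every profile exported from a policy before import is a quick way to catch a WEP or TKIP profile that slipped into the preferred list.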

If you select Open with 802.1X, WPA-Enterprise, or WPA2-Enterprise as the authentication method, you can also configure the network authentication method (the EAP type), the authentication mode (user re-authentication, computer authentication, user authentication, or guest authentication), the number of times authentication attempts can fail before authentication is abandoned, and whether to cache user information for subsequent connections. If you configure this last setting not to cache the user information, when the user logs off, the user credential data is removed from the registry. The result is that when the next user logs on, that user will be prompted for credentials (such as user name and password).

To configure advanced security settings for the WPA-Enterprise, WPA2-Enterprise, or Open with 802.1X authentication methods, in the New Profile Properties Dialog Box, on the Security tab, click Advanced.

In the IEEE 802.1X section, there are settings to specify the number of successive EAP over LAN (EAPOL)-Start messages that are sent out when no response to the initial EAPOL-Start messages is received, the time interval between the retransmission of EAPOL-Start messages when no response to the previously sent EAPOL-Start message is received, the period for which the authenticating client will not perform any 802.1X authentication activity after it has received an authentication failure indication from the authenticator, and the interval for which the authenticating client will wait before retransmitting any 802.1X requests after end-to-end 802.1X authentication has been initiated.

In the Single Sign On section, there are settings to perform wireless authentication immediately before or after the user logon process, specify the number of seconds of delay for connectivity before the user logon process begins, choose whether to prompt the user for additional dialog boxes, and choose whether the wireless networks for this profile use a different virtual LAN (VLAN) for computer or user authentication and to perform a DHCP renewal when switching from the computer-authenticated VLAN to the user-authenticated VLAN. For information about when to use Single Sign On, see the section "Wireless Authentication Modes" in this tutorial.

In the Fast Roaming section, you can configure Pairwise Master Key (PMK) caching and preauthentication options. The Fast Roaming section appears only when you select WPA2-Enterprise as the authentication method on the Security tab. With PMK caching, wireless clients and wireless APs cache the results of 802.1X authentications. Therefore, access is much faster when a wireless client roams back to a wireless AP to which the client already authenticated. You can configure a maximum time to keep an entry in the PMK cache and the maximum number of entries. With preauthentication, a wireless client can perform an 802.1X authentication with other wireless APs in its range while it is still connected to its current wireless AP. If the wireless client roams to a wireless AP with which it has preauthenticated, access time is substantially decreased. You can configure the maximum number of times to attempt preauthentication with a wireless AP.

Note:
Fast roaming for WPA2 is different from fast reconnect. Fast reconnect minimizes the connection delay in wireless environments when a wireless client roams from one wireless AP to another when using PEAP. With fast reconnect, the Network Policy Server service caches information about the PEAP TLS session so that when reauthenticating, the wireless client does not have to perform PEAP authentication, only TLS or MS-CHAP v2 authentication. Fast reconnect is enabled by default for Windows wireless clients and for NPS network policies.

A final check box allows you to specify whether to perform AES encryption in a Federal Information Processing Standard (FIPS) 140-2 certified mode. FIPS 140-2 is a U.S. government computer security standard that specifies design and implementation requirements for cryptographic modules. Windows Vista and Windows Server 2008 are FIPS 140-2 certified. When you enable FIPS 140-2 certified mode, Windows Vista or Windows Server 2008 will perform the AES encryption in software, rather than relying on the wireless network adapter.
