Configuring Active Directory for Accounts and Groups
To configure Active Directory for wireless access, do the following for the user and computer accounts that will be used to authenticate wireless connections:
- On the Dial-in tab, set the network access permission to Allow Access or, preferably, Control Access Through NPS Network Policy. With the latter setting, the permission for access to the network is determined by the Access Permission in the NPS network policy rather than per account. By default, in native-mode domains, new user accounts and computer accounts already have the network access permission set to Control Access Through NPS Network Policy.
- Organize the computer and user accounts into the appropriate global groups, and nest those in a universal group, so that you can take advantage of group-based network policies with a single group condition.
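The two steps above, as an added PowerShell example that is not part of the original page. It assumes the ActiveDirectory RSAT module is available and uses placeholder names for the OU, the groups and the member accounts; it also shows how the Dial-in tab setting maps to the msNPAllowDialin attribute, which the page describes only through the GUI.

```powershell
# Added example, not from the original page: prepare the AD accounts and groups that
# the NPS network policy will reference. Assumes the ActiveDirectory RSAT module and
# placeholder names for the OU, groups and member accounts (adjust to your domain).
Import-Module ActiveDirectory

$domainDn          = (Get-ADDomain).DistinguishedName
$groupOu           = "OU=Groups,$domainDn"      # assumption: OU for the new group objects
$wirelessUsers     = 'WirelessUsers'            # global group: user accounts
$wirelessComputers = 'WirelessComputers'        # global group: computer accounts
$wirelessAccounts  = 'WirelessAccounts'         # universal group named in the NPS policy
$userMembers       = 'alice', 'bob'             # assumption: sAMAccountNames of wireless users
$computerMembers   = 'LAPTOP01$', 'LAPTOP02$'   # assumption: sAMAccountNames of wireless computers

function New-GroupIfMissing([string]$Name, [string]$Scope) {
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $groupOu
    }
}

# 1. Global groups hold the accounts; the universal group nests them so the policy
#    needs a single group condition that also works across domains in the forest.
New-GroupIfMissing -Name $wirelessUsers     -Scope Global
New-GroupIfMissing -Name $wirelessComputers -Scope Global
New-GroupIfMissing -Name $wirelessAccounts  -Scope Universal
Add-ADGroupMember -Identity $wirelessUsers     -Members $userMembers
Add-ADGroupMember -Identity $wirelessComputers -Members $computerMembers
Add-ADGroupMember -Identity $wirelessAccounts  -Members $wirelessUsers, $wirelessComputers

# 2. The Dial-in tab "Network Access Permission" is the msNPAllowDialin attribute:
#    TRUE = Allow Access, FALSE = Deny Access, not set = Control Access Through NPS
#    Network Policy. Clearing it selects the NPS-controlled setting, so the decision
#    is made by the Access Permission of the network policy rather than per account.
foreach ($u in (Get-ADGroupMember -Identity $wirelessUsers | Get-ADUser -Properties msNPAllowDialin)) {
    if ($null -ne $u.msNPAllowDialin) { Set-ADUser -Identity $u -Clear msNPAllowDialin }
}
foreach ($c in (Get-ADGroupMember -Identity $wirelessComputers | Get-ADComputer -Properties msNPAllowDialin)) {
    if ($null -ne $c.msNPAllowDialin) { Set-ADComputer -Identity $c -Clear msNPAllowDialin }
}

# 3. Audit: any member of the universal group (recursively) that still carries an explicit
#    Allow or Deny bypasses the policy's Access Permission and should be reviewed.
Get-ADGroupMember -Identity $wirelessAccounts -Recursive |
    ForEach-Object { Get-ADObject -Identity $_.DistinguishedName -Properties msNPAllowDialin } |
    Where-Object { $null -ne $_.msNPAllowDialin } |
    Select-Object Name, ObjectClass, msNPAllowDialin
```

Run it once on a domain-joined management host with rights to create groups and modify the accounts; the final pipeline should return nothing once every member is controlled by the NPS policy.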
Configuring NPS Servers
Configure and deploy your NPS servers by taking the following steps:
- Install a computer certificate on each NPS server. The certificate must include the Server Authentication purpose and its private key must be held by a cryptographic service provider that supports SChannel, or NPS will not be able to use it for EAP-TLS or PEAP.
- If the computer or user certificates of the wireless clients are issued by a CA whose root certificate the NPS servers do not already trust, install that root CA certificate on each NPS server.
- Configure logging on the primary NPS server.
- Add RADIUS clients to the primary NPS server corresponding to each wireless AP.
- Create a new network policy on the primary NPS server that is customized for wireless connections, using the universal group name for your wireless accounts. To create it with the Configure 802.1X wizard, do the following:
- In the console tree of the Network Policy Server snap-in, click NPS.
- In the details pane, under Standard Configuration, select RADIUS Server For 802.1X Wireless Or Wired Connections from the drop-down list, and then click Configure 802.1X.
- In the Configure 802.1X wizard, on the Select 802.1X Connections Type page, click Secure Wireless Connections, and then type the name of the new NPS network policy. Click Next.
- On the Specify 802.1X Switches page, add RADIUS clients as needed that correspond to your wireless APs. Click Next.
- On the Configure An Authentication Method page, configure the EAP type to use for wireless connections.
To configure EAP-TLS, in the Type drop-down list, select Microsoft: Smart Card Or Other Certificate, and then click Configure. In the Smart Card Or Other Certificate Properties dialog box, select the computer certificate to use for wireless connections, and then click OK. If you cannot select the certificate, the cryptographic service provider (CSP) that holds its private key does not support Secure Channel (SChannel). SChannel support is required for NPS to use the certificate for EAP-TLS authentication.
To configure PEAP-MS-CHAP v2, in the Type drop-down list, select Protected EAP (PEAP), and then click Configure. In the Edit Protected EAP Properties dialog box, select the computer certificate to use for wireless connections, and then click OK. If you cannot select the certificate, the CSP for the certificate does not support SChannel, which NPS requires in order to use the certificate for PEAP authentication.
To configure PEAP-TLS, in the Type drop-down list, select Protected EAP (PEAP), and then click Configure. In the Edit Protected EAP Properties dialog box, select the computer certificate to use for wireless connections (as above, a certificate that cannot be selected is one whose CSP does not support SChannel). Under EAP Types, click Secured Password (EAP-MSCHAP v2), and then click Remove. Click Add. In the Add EAP dialog box, click Smart Card Or Other Certificate, and then click OK. Back in the Edit Protected EAP Properties dialog box, under EAP Types, click Smart Card Or Other Certificate, and then click Edit. In the Smart Card Or Other Certificate Properties dialog box, select the same computer certificate, and then click OK. Click OK twice.
- Click Next. On the Specify User Groups page, add the groups containing the wireless computer and user accounts (for example, WirelessAccounts). Click Next.
- On the Configure A Virtual LAN (VLAN) page, click Configure if needed to specify the RADIUS attributes and their values that configure your wireless APs for the appropriate VLAN for this NPS network policy. Click Next.
- On the Completing New IEEE 802.1X Secure Wired And Wireless Connections And RADIUS Clients page, click Finish.
After you have configured the primary NPS server with the appropriate logging, RADIUS client, and network policy settings, export the configuration and import it on the secondary and any other NPS servers. The export carries the RADIUS shared secrets but not the server certificate, so each secondary server still needs its own computer certificate installed first.
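The server-side steps above (certificate check, RADIUS clients for the APs, and copying the configuration to a secondary server) as an added PowerShell example that is not part of the original page. It assumes Windows Server 2012 or later, where the NPS module exists; the AP names and addresses, the secondary server name and the temporary file paths are placeholders.

```powershell
# Added example, not from the original page. Assumes the NPS PowerShell module
# (Windows Server 2012+); AP names/addresses and the secondary server name are placeholders.
Import-Module NPS

# 1. Certificates NPS can offer for EAP-TLS/PEAP: in the machine store, with a private key
#    and the Server Authentication EKU (1.3.6.1.5.5.7.3.1). A certificate whose key lives in
#    a provider without SChannel support is hidden by the Configure 802.1X wizard; listing the
#    provider name here helps explain why a certificate is missing from the wizard.
function Get-NpsCandidateCertificate {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
        } |
        ForEach-Object {
            $key = $_.PrivateKey
            # Legacy CSP keys expose CspKeyContainerInfo; CNG keys do not (inspect with certutil -store My).
            $provider = if ($key -and $key.CspKeyContainerInfo) { $key.CspKeyContainerInfo.ProviderName }
                        else { 'CNG or unknown provider (check with certutil -store My)' }
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Provider   = $provider
            }
        }
}
Get-NpsCandidateCertificate | Format-Table -AutoSize

# 2. Register each wireless AP as a RADIUS client, one entry per AP with its own shared
#    secret generated from a cryptographic RNG. The secret must also be entered on the AP.
$accessPoints = @(                      # assumption: placeholder AP names and addresses
    @{ Name = 'AP-Floor1'; Address = '10.10.1.11' },
    @{ Name = 'AP-Floor2'; Address = '10.10.1.12' }
)
function New-SharedSecret {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''   # 48 hex characters
}
foreach ($ap in $accessPoints) {
    if (Get-NpsRadiusClient | Where-Object { $_.Name -eq $ap.Name }) { continue }
    $secret = New-SharedSecret
    New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret | Out-Null
    # Record the secret in your password vault; it is shown once here for the AP configuration.
    Write-Host ("{0} ({1}) shared secret: {2}" -f $ap.Name, $ap.Address, $secret)
}

# 3. Copy the primary server's configuration (RADIUS clients, network policies, logging
#    settings) to a secondary NPS server. The exported XML contains the shared secrets in
#    clear text, so keep it on protected storage and delete it on both hosts afterwards.
#    Import-NpsConfiguration replaces the target's whole configuration.
$secondary = 'NPS02'                                 # assumption: placeholder server name
$export    = Join-Path $env:TEMP 'nps-config.xml'
Export-NpsConfiguration -Path $export
Copy-Item -Path $export -Destination "\\$secondary\C$\Windows\Temp\nps-config.xml"
Invoke-Command -ComputerName $secondary -ScriptBlock {
    Import-NpsConfiguration -Path 'C:\Windows\Temp\nps-config.xml'
    Remove-Item 'C:\Windows\Temp\nps-config.xml'
}
Remove-Item $export
```

Because the export does not include the server certificate, run the certificate check on the secondary server as well and verify, after the import, that the network policy's EAP settings reference a certificate that exists on that server.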