Configuring and Deploying Wireless Profiles
You can also manually configure wireless clients running Windows Vista by importing a wireless profile in XML format with the netsh wlan add profile command. To create an XML-based wireless profile, configure a Windows Vista wireless client with a wireless network that has all the appropriate settings, including the authentication method, encryption methods, and EAP type. Then, run the netsh wlan export profile command to write the wireless network profile to an XML file. You can also create, configure, and export an XML profile from a Windows Vista wireless policy.
Manually Configuring Wireless Clients
If you have a small number of wireless clients, you can manually configure wireless connections for each wireless client. For Windows Vista and Windows Server 2008 wireless clients, run the Set Up a Connection Wizard or the Network Wizard. For Windows XP with SP2 wireless clients, run the New Connection Wizard. The following sections describe how to manually configure the EAP-TLS, PEAP-TLS, and PEAP-MS-CHAP v2 authentication methods for Windows wireless clients.
EAP-TLS
To manually configure EAP-TLS authentication on a wireless client running Windows Vista or Windows Server 2008, do the following:
- In the Network and Sharing Center, click the Manage Wireless Networks task. In the Manage Wireless Networks window, double-click your wireless network name.
- On the Security tab, in the Security Type box, select WPA-Enterprise or WPA2-Enterprise. In the Choose A Network Authentication Method drop-down list, select Smart Card Or Other Certificate, and then click Settings.
- In the Smart Card Or Other Certificate Properties dialog box, to use a registry-based user certificate, select Use A Certificate On This Computer. For a smart card-based user certificate, select Use My Smart Card.
If you want to validate the computer certificate of the NPS server, select Validate Server Certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect To These Servers and type the names. Click OK twice.
To manually configure EAP-TLS authentication on a wireless client running Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:
- Obtain properties of the wireless connection in the Network Connections folder. On the Wireless Networks tab, in the list of preferred networks, click the name of the wireless network, and then click Properties.
- On the Authentication tab, select Enable Network Access Control Using IEEE 802.1X and the Smart Card Or Other Certificate EAP type. This is enabled by default.
- Click Properties. In the properties dialog box of the Smart Card or other Certificate EAP type, to use a registry-based user certificate, select Use A Certificate On This Computer. For a smart card-based user certificate, select Use My Smart Card.
If you want to validate the computer certificate of the NPS server, select Validate Server Certificate (recommended and enabled by default). If you want to specify the names of the authentication servers that must perform the TLS authentication, select Connect To These Servers and type the names.
- Click OK to save changes to the Smart Card or other Certificate EAP type.
PEAP-TLS
To manually configure PEAP-TLS authentication on a wireless client running Windows Vista, do the following:
- In the Network and Sharing Center, click the Manage Wireless Networks task. In the Manage Wireless Networks window, double-click your wireless network name.
- On the Security tab, in the Security Type drop-down list, select WPA-Enterprise or WPA2-Enterprise. In Choose A Network Authentication Method, select Protected EAP (PEAP), and then click Settings.
- In the Protected EAP Properties dialog box, if you want to validate the computer certificate of the NPS server for the PEAP authentication, select Validate Server Certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the PEAP authentication, select Connect To These Servers and type the names.
- In the Select Authentication Method drop-down list, click Smart Card Or Other Certificate. Click Configure. To use a registry-based user certificate, in the Smart Card Or Other Certificate Properties dialog box, select Use A Certificate On This Computer. For a smart card-based user certificate, select Use My Smart Card.
If you want to validate the computer certificate of the NPS server for the user-level authentication, select the Validate Server Certificate check box (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect To These Servers and type the names.
- Click OK to save changes to the Smart Card or other Certificate PEAP type. Click OK to save the changes to the Protected EAP type. Click OK to save the changes to the wireless network configuration.
To manually configure PEAP-TLS authentication on a wireless client running Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:
- Obtain properties of the wireless connection in the Network Connections folder. On the Wireless Networks tab, in the list of preferred networks, click the name of the wireless network, and then click Properties. The wireless network's properties dialog box appears.
- On the Authentication tab, select Enable Network Access Control Using IEEE 802.1X and the Protected EAP (PEAP) type.
- Click Properties. In the Protected EAP Properties dialog box, select the Validate Server Certificate check box to validate the computer certificate of the NPS server for the PEAP authentication (recommended and enabled by default). If you want to specify the names of the authentication servers that must perform PEAP authentication, select Connect To These Servers and type the names. In the Select Authentication Method drop-down list, click Smart Card Or Other Certificate.
- Click Configure. In the Smart Card Or Other Certificate Properties dialog box, to use a registry-based user certificate, select Use A Certificate On This Computer. For a smart card-based user certificate, select Use My Smart Card.
If you want to validate the computer certificate of the NPS server for the user-level authentication, select Validate Server Certificate (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the TLS authentication, select Connect To These Servers and type the names.
- Click OK to save changes to the Smart Card or other Certificate PEAP type. Click OK to save the changes to the Protected EAP type. Click OK to save the changes to the wireless network configuration.
PEAP-MS-CHAP v2
To manually configure PEAP-MS-CHAP v2 authentication on a wireless client running Windows Vista, do the following:
- In the Network and Sharing Center, click the Manage Wireless Networks task. In the Manage Wireless Networks window, double-click your wireless network name.
- On the Security tab, in the Security Type drop-down list, select WPA-Enterprise or WPA2-Enterprise. In the Choose a network authentication method drop-down list, select Protected EAP (PEAP), and then click Settings.
- In the Protected EAP Properties dialog box, if you want to validate the computer certificate of the NPS server for the PEAP authentication, select the Validate Server Certificate check box (recommended and enabled by default). If you want to specify the names of the NPS servers that must perform the PEAP authentication, select Connect To These Servers and type the names.
- In Select Authentication Method, select Secured Password (EAP-MS-CHAP v2), and then click OK twice.
To manually configure PEAP-MS-CHAP v2 authentication on a wireless client running Windows XP with SP2, Windows XP with SP1, or Windows Server 2003, do the following:
- Obtain properties of the wireless connection in the Network Connections folder. Click the Wireless Networks tab, click the name of the wireless network in the list of preferred networks, and then click Properties. The wireless network's properties dialog box appears.
- On the Authentication tab, select Enable Network Access Control Using IEEE 802.1X and the Protected EAP (PEAP) EAP type.
- Click Properties. In the Protected EAP Properties dialog box, select Validate Server Certificate to validate the computer certificate of the NPS server (enabled by default). If you want to specify the names of the authentication servers that must perform validation, select Connect To These Servers and type the names. In Select Authentication Method, click Secured Password (EAP-MSCHAP v2), and then click OK twice.
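The settings chosen in the dialog boxes above end up in the XML file written by netsh wlan export profile, so an exported profile can be checked before it is imported on other clients. The following is an added example, not code from the original tutorial: a small Python audit that flags a profile whose security type is not WPA/WPA2-Enterprise, whose 802.1X setting is off, or whose Connect To These Servers list or trusted root CA is missing. The sample profile is constructed and trimmed, and the element names it relies on (authentication, useOneX, ServerValidation, ServerNames, TrustedRootCA) are assumed to match what your clients export; compare them against one of your own exports.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed sample shaped like "netsh wlan export profile" output.
# SSID, server name and CA thumbprint are placeholders, not real values.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>ExampleCorpWLAN</name>
 <MSM><security>
  <authEncryption>
   <authentication>WPA2</authentication>
   <encryption>AES</encryption>
   <useOneX>true</useOneX>
  </authEncryption>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
   <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
     <ServerNames>nps1.corp.example</ServerNames>
     <TrustedRootCA>PLACEHOLDER-ROOT-CA-THUMBPRINT</TrustedRootCA>
    </ServerValidation>
   </EapType>
  </EAPConfig></OneX>
 </security></MSM>
</WLANProfile>"""

def _local(tag):
    """Strip the XML namespace so checks work across the nested schemas."""
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text):
    """Return a list of findings for one exported profile (empty list = OK)."""
    root = ET.fromstring(xml_text)
    def text_of(name):
        hit = next((e for e in root.iter() if _local(e.tag) == name), None)
        return (hit.text or "").strip() if hit is not None else ""
    findings = []
    if text_of("authentication") not in ("WPA", "WPA2"):
        findings.append("security type is not WPA-Enterprise or WPA2-Enterprise")
    if text_of("useOneX").lower() != "true":
        findings.append("802.1X authentication is not enabled")
    blocks = [e for e in root.iter() if _local(e.tag) == "ServerValidation"]
    if not blocks:
        findings.append("no ServerValidation settings found")
    # PEAP-TLS profiles carry two blocks (outer PEAP, inner TLS); check each.
    for sv in blocks:
        kids = {_local(c.tag): (c.text or "").strip() for c in sv}
        if not kids.get("ServerNames"):
            findings.append("Connect To These Servers list is empty")
        if not kids.get("TrustedRootCA"):
            findings.append("no trusted root CA selected")
    return findings
```

Run audit_profile over the text of each exported XML file; a profile that returns an empty list has server names and a trusted root CA set for every validation block it contains.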