Deploying Protected Wireless Access

To deploy a protected wireless network using Windows Vista and Windows Server 2008, follow these steps:

  1. Deploy certificates.
  2. Configure Active Directory for user accounts and groups.
  3. Configure NPS servers.
  4. Deploy wireless APs.
  5. Configure wireless clients.

Deploying Certificates

Wireless clients need the following certificates, depending on the authentication configuration:

  • Computer authentication with EAP-TLS or PEAP-TLS and computer certificates: Each wireless client computer needs a computer certificate.
  • User authentication with EAP-TLS or PEAP-TLS and either smart cards or registry-based user certificates: Each wireless user needs a smart card or each wireless client computer needs a user certificate.
  • User or computer authentication with PEAP-MS-CHAP v2: Each wireless client needs the root CA certificate of the CA that issued the NPS server's computer certificate.

Deploying Computer Certificates

To install computer certificates for EAP-TLS or PEAP-TLS authentication, a PKI must be present to issue certificates. Once the PKI is in place, you can install a computer certificate on wireless clients and NPS servers in the following ways:

  • By configuring autoenrollment of computer certificates to computers in an Active Directory domain (recommended)
  • By using the Certificates snap-in to request a computer certificate
  • By using the Certificates snap-in to import a computer certificate
  • By executing a CAPICOM script that requests a computer certificate
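Whichever enrollment method you choose, the practical check is whether the computer now holds a certificate that EAP-TLS or PEAP-TLS can actually use. The following PowerShell script is an added example, not part of the original article: it looks in the local computer's Personal store for a certificate with a private key, a valid date range and the EAP-relevant enhanced key usage (Client Authentication for wireless clients, Server Authentication for NPS servers), and if none is found it refreshes Group Policy and triggers autoenrollment immediately with the standard `gpupdate` and `certutil -pulse` commands. It assumes the machine is domain-joined and that an autoenrollment-enabled template (such as the built-in Computer or RAS and IAS Server template) has been published; run it from an elevated prompt.

```powershell
# Added example (not from the original article). Checks LocalMachine\My for a
# certificate usable for EAP-TLS / PEAP-TLS and triggers autoenrollment if absent.
# Assumptions: domain-joined machine, an autoenrollment template is published.
param(
    # 'Client' = wireless client (needs Client Authentication EKU)
    # 'Server' = NPS server (needs Server Authentication EKU)
    [ValidateSet('Client', 'Server')]
    [string]$Role = 'Client'
)

# Well-known enhanced key usage OIDs (RFC 5280, used unchanged by Windows PKI).
$ekuByRole = @{
    Client = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    Server = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
}
$requiredEku = $ekuByRole[$Role]

function Get-EapCertificate {
    param([string]$RequiredEku)

    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        # 1. The private key must be present; EAP cannot use a public-only cert.
        $cert.HasPrivateKey -and
        # 2. The certificate must be inside its validity period.
        $cert.NotBefore -le $now -and $cert.NotAfter -gt $now -and
        # 3. The EKU extension (OID 2.5.29.37) must list the usage this role needs.
        ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $RequiredEku })
    }
}

$found = Get-EapCertificate -RequiredEku $requiredEku
if ($found) {
    Write-Host "Usable $Role authentication certificate(s) found:"
    $found | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
} else {
    Write-Warning "No $Role authentication certificate with a private key in LocalMachine\My."
    # Refresh computer Group Policy and start autoenrollment now instead of waiting
    # for the next scheduled autoenrollment cycle. Both are built-in Windows commands.
    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null
    Write-Host 'Autoenrollment triggered; re-run this script in a few minutes to confirm.'
}
```

Run it as `.\Check-EapCert.ps1 -Role Server` on an NPS server and with the default `-Role Client` on a wireless client. If the script keeps reporting no certificate after autoenrollment, the usual causes are a template that does not grant the computer account Autoenroll permission or a certificate that was issued without the expected EKU; both show up in the Certificates snap-in on the template and certificate respectively.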

Deploying User Certificates

You can install a user certificate on wireless clients in the following ways:

  • By configuring autoenrollment of user certificates to users in an Active Directory domain (recommended)
  • By using the Certificates snap-in to request a user certificate
  • By using the Certificates snap-in to import a user certificate
  • By requesting a certificate over the Web
  • By executing a CAPICOM script that requests a user certificate

Deploying Root CA Certificates

If you use PEAP-MS-CHAP v2 authentication, you might need to install on your wireless clients the root CA certificates of the CAs that issued the computer certificates installed on your NPS servers. If that root CA certificate is already installed as a trusted root CA certificate on your wireless clients, no further configuration is necessary. For example, if your root CA is a Windows Server 2008-based online enterprise root CA, the root CA certificate is automatically installed on each domain member computer through Group Policy.

To verify whether the correct root CA certificate is installed on your wireless clients, you need to determine:

  • The root CA of the computer certificates installed on the NPS servers.
  • Whether a certificate for that root CA is installed on your wireless clients.

To determine the root CA of the computer certificates installed on the NPS servers

  1. In the console tree of the Certificates snap-in for the NPS server computer account, open Certificates (Local Computer or Computer Name), open Personal, and then click Certificates.
  2. In the details pane, double-click the computer certificate that the NPS server uses for PEAP-MS-CHAP v2 authentication.
  3. In the Certificate properties dialog box, on the Certification Path tab, note the name at the top of the certification path. This is the name of the root CA.

To determine whether a certificate for the root CA is installed on your wireless client

  1. In the console tree of the Certificates snap-in for the wireless client computer account, open Certificates (Local Computer or Computer Name), open Trusted Root Certification Authorities, and then click Certificates.
  2. Examine the list of certificates in the details pane for a name matching the root CA of the computer certificates issued to the NPS (RADIUS) servers.

You must install the root CA certificates of the issuers of the computer certificates of the NPS servers on each wireless client that does not contain them. The easiest way to install a root CA certificate on all your wireless clients is through Group Policy.
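The two snap-in procedures above can be scripted so the check is repeatable across many clients. The PowerShell below is an added example and not part of the original article. Part 1 runs on the NPS server: it locates the computer certificate with the Server Authentication EKU, builds its certification path with the .NET X509Chain class (the same path the Certification Path tab displays), takes the top element as the root CA and exports it as a .cer file. Part 2 runs on a wireless client: it compares that root certificate's thumbprint against the Trusted Root Certification Authorities store, which is a stricter test than matching on display name because two different CAs can share a name. The export path `C:\Temp\nps-root.cer` is a placeholder; the NPS certificate is assumed to be in the Local Computer Personal store.

```powershell
# Added example (not from the original article). Part 1 runs on the NPS server,
# Part 2 on a wireless client. File path below is a placeholder.

# ----- Part 1: on the NPS server -----
function Get-NpsRootCA {
    param([string]$ExportPath)

    $serverAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required for PEAP
    $npsCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuthEku })
    } | Select-Object -First 1
    if (-not $npsCert) { throw 'No Server Authentication certificate in LocalMachine\My.' }

    # Build the certification path. Revocation is skipped because we only need the
    # chain structure here, not a revocation verdict.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($npsCert)

    # ChainElements runs leaf -> root; the last element is the root CA, i.e. the
    # name shown at the top of the Certification Path tab.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Export as DER (.cer) with public data only; this is what certutil and the
    # Group Policy import wizard expect.
    [IO.File]::WriteAllBytes($ExportPath, $root.Export('Cert'))
    return $root
}

# ----- Part 2: on a wireless client -----
function Test-RootCAInstalled {
    param([string]$RootCerPath)

    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath

    # Match on thumbprint rather than subject name: names are not unique.
    $installed = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }

    if ($installed) {
        Write-Host "Root CA '$($root.Subject)' is trusted on this client."
        return $true
    }
    Write-Warning "Root CA '$($root.Subject)' is NOT in Trusted Root Certification Authorities."
    return $false
}

# Usage:
#   On the NPS server:
#     Get-NpsRootCA -ExportPath 'C:\Temp\nps-root.cer' | Select-Object Subject, Thumbprint, NotAfter
#   Copy nps-root.cer to the client, then on the client:
#     Test-RootCAInstalled -RootCerPath 'C:\Temp\nps-root.cer'
```

When the client check returns false, the supported fix is the one the text recommends: import the exported .cer into a Group Policy object under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities, so every domain member receives it. For a single test machine, `certutil -addstore Root C:\Temp\nps-root.cer` from an elevated prompt installs the same certificate locally.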
