Define 802.1X authentication for wireless networks in Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To define 802.1X authentication for wireless networks in Group Policy

  1. In Wireless Network (IEEE 802.11) Policies, double-click the wireless network policy for which you want to configure 802.1X authentication.

  2. On the Preferred Networks tab, under Networks, choose whether to configure 802.1X authentication for an existing wireless network or for a new wireless network:

    • To configure 802.1X authentication for an existing wireless network, click the wireless network for which you want to configure 802.1X authentication, and then click Edit.

    • To configure 802.1X authentication for a new wireless network, click Add.

  3. On the IEEE 802.1x tab, do one of the following:

    • To enable IEEE 802.1X authentication for this wireless network, select the Enable network access control using IEEE 802.1x check box. This check box is selected by default.

    • To disable IEEE 802.1X authentication for this wireless network, clear the Enable network access control using IEEE 802.1x check box.

  4. In EAPOL-Start message, specify whether to transmit Extensible Authentication Protocol over LAN (EAPOL)-Start message packets and, if so, how to transmit them.

  5. In Parameters (seconds), specify EAPOL-Start message packet parameters.

  6. In EAP type, click the EAP type to be used with this wireless network.

  7. If you select Smart Card or other certificate in EAP type, click Settings and, in Smart Card or other Certificate Properties, do the following:

    • To allow wireless clients to use the certificate that resides on their smart card for authentication, click Use my smart card.

    • To allow wireless clients to use the certificate that resides in the certificate store on their computer for authentication, click Use a certificate on this computer, and then specify whether to use simple certificate selection.

    • To verify that the server certificate presented to client computers is still valid, select the Validate server certificate check box, select the Connect to these servers check box, specify the server or servers to which client computers will automatically connect, and then specify the trusted root certification authorities.

    • To view detailed information about the selected root certification authority, click View Certificate.

    • To allow users to specify a different user name when the user name in their smart card or certificate is not the same as the user name in the domain to which they are logging on, select the Use a different user name for the connection check box.

  8. If you select Protected EAP (PEAP) in EAP type, click Settings, and then do the following:

    • To verify that the server certificate presented to client computers is still valid, select the Validate server certificate check box, select the Connect to these servers check box, specify the server or servers to which client computers will automatically connect, and then specify the trusted root certification authorities.

    • In Select Authentication Method, click the authentication method that clients are to use within PEAP, and then click Configure:

      • If you selected Secured password (EAP-MSCHAP v2), in EAP MSCHAPv2 Properties, specify whether to use the user name and password (and domain, if applicable) that users on client computers type in the Windows logon screen for authentication, and then click OK.

      • If you selected Smart Card or other certificate, in Smart Card or other Certificate Properties, configure the settings as needed by following the instructions in step 7, and then click OK.

    • To enable fast reconnect for wireless clients, select the Enable Fast Reconnect check box. For more information about PEAP fast reconnect, see Notes.

  9. On the IEEE 802.1x tab, do the following:

    • To specify that client computers attempt authentication to the network if user information or computer information is not available, select the Authenticate as guest when user or computer information is unavailable check box.

    • To specify that client computers attempt authentication to the network if a user is not logged on, select the Authenticate as computer when computer information is available check box, and in Computer authentication, click an option to specify how the computer should attempt authentication. For information about each of the options that you can select for Computer authentication, see Notes.
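The server-validation settings in steps 7 and 8 (Validate server certificate, Connect to these servers, and the trusted root certification authorities) decide whether a client will finish authenticating with whichever access point answered it. The following Python model is an added example, not part of the Microsoft documentation; the class names, the MACHINE_ROOT_STORE stand-in for the computer's Trusted Root store, and the exact-match rule for server names are assumptions. It shows how each setting narrows the set of accepted servers and what a cleared Validate server certificate check box does to that set.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the computer's Trusted Root store; an empty
# trusted-root-CA selection in the policy falls back to this set.
MACHINE_ROOT_STORE = {"Corp Root CA", "Free Public CA"}

@dataclass
class ServerCert:
    """Facts the client learns from the RADIUS server's certificate."""
    subject_cn: str      # common name presented by the server
    issuer_root: str     # root CA at the top of the chain
    chain_valid: bool    # chain builds and is within its validity period

@dataclass
class EapPolicy:
    """The three Group Policy settings as the wireless client sees them."""
    validate_server_certificate: bool = True
    connect_to_these_servers: list = field(default_factory=list)
    trusted_root_cas: set = field(default_factory=set)

def server_accepted(policy, cert):
    """Return (accepted, reason) for one authentication attempt."""
    if not policy.validate_server_certificate:
        # Any server is accepted, so PEAP inner credentials (for example
        # MS-CHAP v2) go to whichever access point answers first.
        return True, "validation disabled; server identity not checked"
    if not cert.chain_valid:
        return False, "certificate chain does not validate"
    roots = policy.trusted_root_cas or MACHINE_ROOT_STORE
    if cert.issuer_root not in roots:
        return False, f"root CA {cert.issuer_root!r} is not trusted"
    # Simplification (assumption): 'Connect to these servers' is an exact,
    # case-insensitive match on the subject CN; an empty list accepts any name.
    if policy.connect_to_these_servers:
        wanted = {n.lower() for n in policy.connect_to_these_servers}
        if cert.subject_cn.lower() not in wanted:
            return False, f"server {cert.subject_cn!r} is not an allowed server"
    return True, "server certificate validated"

# Constructed sample data: the corporate IAS server and a look-alike whose
# certificate chains to a public root the policy never selected.
CORP_POLICY = EapPolicy(connect_to_these_servers=["ias01.corp.example"],
                        trusted_root_cas={"Corp Root CA"})
CORP_SERVER = ServerCert("ias01.corp.example", "Corp Root CA", True)
LOOKALIKE = ServerCert("ias01.corp.example", "Free Public CA", True)

if __name__ == "__main__":
    for cert in (CORP_SERVER, LOOKALIKE):
        print(cert.issuer_root, "->", server_accepted(CORP_POLICY, cert))
```

With the policy as configured, the look-alike is rejected on its root CA alone; with Validate server certificate cleared, or with no root CA selected and no server list, the same certificate is accepted.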

Important

  • It is highly recommended that you use 802.1X authentication whenever you connect to an 802.11 wireless network. 802.1X is an IEEE standard that enhances security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting.

  • For enhanced security, in Windows XP Service Pack 1 and in the Windows Server 2003 family, 802.1X authentication is available only for access point (infrastructure) networks that require the use of a network key (WEP). WEP provides data confidentiality by encrypting the data that is sent between wireless clients and wireless access points. For additional information about security for wireless networks, see Related Topics.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group in Active Directory, or you must have permission to edit Group Policy objects (for more information, see Related Topics). As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

  • To open Wireless Network (IEEE 802.11) Policies, you must access Active Directory-based wireless network policies. For more information, see Related Topics.

  • To define 802.1X authentication, you must select an existing preferred wireless network, or you must define a new preferred wireless network. For information about how to define preferred wireless networks, see Related Topics.

  • PEAP fast reconnect allows roaming users to maintain continuous wireless network connectivity when traveling between different wireless access points on the same network, as long as each wireless access point is configured as a client of the same IAS (RADIUS) server. In addition, both the wireless client and the RADIUS server must have fast reconnect enabled.

  • If you select the Authenticate as computer when computer information is available check box, you can select one of the following options:

    • With user authentication. When this option is selected, when users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained using the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.

    • With user re-authentication (recommended). When this option is selected, when users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed using the computer credentials.

    • Computer only. When this option is selected, authentication is always performed using the computer credentials. User authentication is never performed.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Group Policy (pre-GPMC)
Add, edit, or remove Active Directory-based wireless network policies
Access Active Directory-based wireless network policies
Define preferred wireless networks in Group Policy
Security information for wireless networks
Understanding 802.1X authentication for wireless networks