Designing for Manageability

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

For a large wireless deployment to be practical, it must be easy to manage. The combination of Windows XP and Windows Server 2003 allows for efficient management of your wireless network.

For optimal manageability of your wireless network, ensure that your wireless clients use Windows XP, which provides support for automatic switching between APs during roaming and for zero configuration through the Wireless Zero Configuration (WZC) service. Although you can use other Windows operating systems with the Microsoft 802.1X Authentication Client, they do not support zero configuration.

Automatic Switching Between APs During Roaming

Windows XP supports automatic switching between APs when roaming, autodetection of wireless networks, 802.1X, and automatic wireless configuration.

Windows XP has improved and built upon the wireless support for clients that Windows 2000 provides. In Windows 2000, media sense capability (the capability for detecting an attached network) is used to control the configuration of the network stack and to inform the user and applications when the network is unavailable. With Windows XP, media sense capability is also used to enhance the wireless roaming experience: a move to a new AP is detected, and re-authentication and DHCP renewal are then forced to ensure appropriate network access during roaming. Windows XP also supports autodetection of a wireless network and automatic wireless configuration with the Wireless Zero Configuration (WZC) service.

Distributing Certificates Through Autoenrollment

An IAS server, which acts as a RADIUS server and proxy, also supports EAP-TLS. Because both Windows XP and IAS in Windows Server 2003 support EAP-TLS, the combination gives you support for a strong authentication method and a per-session key management system. To ease deployment, you can distribute the computer and user certificates used for authentication through certificate autoenrollment. Autoenrollment is the automatic requesting and issuing of certificates based on Group Policy settings.

Table 11.2 lists the types of certificates (user, computer, or both) for which autoenrollment is supported with each combination of client and server operating system. When using any other clients, such as Windows NT or Windows 98, you must manually enroll each client or use a scripted solution.

Table 11.2   Support for Autoenrollment of Certificates Provided in Windows

Client                              Server                                          Computer   User
Windows XP or Windows Server 2003   Windows Server 2003                             Yes        No
Windows XP or Windows Server 2003   Windows Server 2003, Enterprise Edition, or     Yes        Yes
                                    Windows Server 2003, Datacenter Edition
Windows XP or Windows Server 2003   Windows 2000 Server                             Yes        No
Windows 2000                        Windows Server 2003                             Yes        No
Windows 2000                        Windows 2000 Server                             Yes        No

For more information about the design and deployment of IAS, see "Deploying Internet Authentication Service (IAS)" in this book.

Taking Advantage of Autoconfiguration

The addition of the Wireless Zero Configuration (WZC) service in Windows XP improves the manageability of your wireless network. The WZC service dynamically selects the wireless network to which to attempt connection based either on your preferences or on default settings. When a more preferred wireless network becomes available, the WZC service automatically selects and connects to that network. If none of the preferred wireless networks is found nearby, the WZC service configures the wireless adapter so that there is no accidental connection until the wireless client roams within the range of a preferred network.

To improve the roaming experience by automating the process of configuring the network adapter to associate with an available network, Microsoft partnered with 802.11 wireless adapter vendors. The wireless network adapter scans for available networks and passes them to Windows XP, which then configures the wireless network adapter with an available network. If you are not using a WZC-capable network adapter, you must configure the network adapter manually by using the configuration software that the manufacturer provides.

For improved manageability of your wireless network, ensure that your wireless clients are using Windows XP so the WZC service is available. Windows Server 2003 also provides this service, which is known in Windows Server 2003 as the Wireless Configuration service. The Microsoft 802.1X Authentication Client does not provide WZC and roaming support.

Managing APs Remotely

For better manageability, design your network so that you can manage your APs from a remote location. You can remotely manage APs by using the AP console port (serial port) and an asynchronous terminal server, a Telnet session, or a Web server that is integrated with the AP.

To configure an AP for network access by an asynchronous terminal server, use the two unused pairs of Ethernet cable to return the serial communication lines to the data closet where they can be connected to an asynchronous terminal server. This enables you to configure an AP remotely if necessary. If you arrange to switch power off remotely, you can also restart APs remotely when they are not responding to a signal from an Ethernet or console port.

Using these methods, you will be able to completely manage APs remotely except when an AP fails and must be repaired or replaced.

Using Active Directory-based Wireless Network Policies

To centrally manage the configuration of secure wireless connections for wireless client computers, you can create Active Directory-based wireless network policies that specify the types of networks that users can access, preferred networks, WEP settings, IEEE 802.1X settings, and other settings for wireless connections. The settings are configured in Group Policy, in Wireless Network (IEEE 802.11) Policies. The wireless network policy is replicated to computers that are associated with the computer configuration Group Policy object. Users do not need to enter the configurations or select settings.

For example, you can configure the following items in the Wireless Network (IEEE 802.11) Policies settings:

  • Types of networks that users can access

    For example, you might restrict users’ access to an AP (infrastructure) network only, or to a computer-to-computer (ad hoc) network only.

  • Network name (SSID)

  • WEP settings

  • Enabling of network access control using IEEE 802.1X

  • Authentication methods and settings

The Wireless Network (IEEE 802.11) Policies settings are supported only by wireless clients running Windows XP (SP1 and later) and Windows Server 2003.
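As an added client-side check (not part of the original chapter), the following PowerShell function reports whether a client meets the three prerequisites this chapter describes: an operating system that accepts Wireless Network (IEEE 802.11) Policies (Windows XP SP1 or later, or Windows Server 2003), a running WZC service, and a computer certificate usable for EAP-TLS. It assumes PowerShell is installed on the client (it was not shipped with these operating systems), that the service name is WZCSVC on both Windows XP and Windows Server 2003, and that the EAP-TLS computer certificate carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).

```powershell
# Added readiness check, not from the original chapter. Assumptions:
# service name WZCSVC for Wireless Zero Configuration (XP) / Wireless
# Configuration (Server 2003); Client Authentication EKU 1.3.6.1.5.5.7.3.2
# on the autoenrolled computer certificate used for EAP-TLS.
function Test-WirelessClientReadiness {
    $result = New-Object PSObject -Property @{
        OsSupportsWirelessPolicy = $false
        WzcServiceRunning        = $false
        HasComputerAuthCert      = $false
    }

    # Wireless Network (IEEE 802.11) Policies apply only to Windows XP SP1+
    # (version 5.1) and Windows Server 2003 (version 5.2).
    $os  = Get-WmiObject Win32_OperatingSystem
    $ver = [version]$os.Version
    if (($ver.Major -eq 5 -and $ver.Minor -eq 1 -and $os.ServicePackMajorVersion -ge 1) -or
        ($ver.Major -eq 5 -and $ver.Minor -eq 2)) {
        $result.OsSupportsWirelessPolicy = $true
    }

    # Without the WZC service the client cannot apply the policy or roam
    # automatically between APs.
    $svc = Get-Service -Name WZCSVC -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $result.WzcServiceRunning = $true }

    # EAP-TLS needs an unexpired computer certificate with a private key and
    # the Client Authentication EKU in the local machine Personal store.
    $now   = Get-Date
    $certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    }
    if ($certs) { $result.HasComputerAuthCert = $true }

    return $result
}

Test-WirelessClientReadiness | Format-List
```

A client that reports $false for any of the three properties will not pick up the policy or complete EAP-TLS authentication, which is usually where to start when a managed client fails to connect.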

For information about:

  • Opening the Group Policy Object Editor, see "Ways to open Group Policy Object Editor" in Help and Support Center for Windows Server 2003. (Click the Index button, and in the keyword box type Group Policy Object Editor; then select opening.)

  • Adding and defining wireless network policies, see "Define Active Directory-based wireless network policies" in Help and Support Center for Windows Server 2003.

  • Designing wireless network policies, see "Deploying Security Policy" in Designing a Managed Environment.