Configure Wireless Clients running Windows XP for EAP-TLS Authentication

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Use this procedure to configure an Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) wireless configuration profile for wireless computers running Windows XP and Windows Server 2003.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To configure an EAP-TLS wireless profile for computers running Windows XP

  1. Open the Windows XP Wireless Network (IEEE 802.11) Policies Properties dialog box.

    On the General tab, do the following:

    1. In XP PolicyName, type a name for your wireless policy.

    2. In Description, type a description of the policy.

    3. In Networks to access, select either Any available network (access point preferred) or Access Point (infrastructure) network only.

    4. Select Use Windows to configure wireless network settings for clients.

  2. On the Preferred Networks tab, click Add, and then select Infrastructure. On the Network Properties tab, configure the following:

    1. In Network Name (SSID), type the service set identifier (SSID) for your network.

Note

The value you enter in this field must match the value configured on the access points you have deployed on your network.

    2. In Description, enter a description for the New Preferred Setting Properties.

    3. In Select the security methods for this network, in Authentication, select either WPA2 (preferred), or WPA. In Encryption, specify either AES or TKIP.

Note

In Windows XP Wireless Network (IEEE 802.11) Policies, WPA2 and WPA correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies WPA2-Enterprise and WPA-Enterprise settings, respectively.

Note

Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are sufficient for most wireless deployments.

  3. Click the IEEE 802.1X tab. In EAP type, select Smart Card or other Certificate.

    The remaining default settings on the IEEE 802.1X tab are typically sufficient for wireless deployments.

  4. Click Settings. In the Smart Card or other Certificate Properties dialog box, do the following:

    1. In When connecting, select either Use my smart card, or select both Use a certificate on this computer and Use simple certificate selection (Recommended).

    2. Verify that Validate Server certificate is selected.

    3. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS).

Note

This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store.

    4. To specify that clients use an alternate name for the access attempt, select Use a different user name for the connection.

    5. For improved security and a better user experience, select Do not prompt user to authorize new servers or trusted certification authorities.

  5. Click OK two times. The EAP-TLS profile is listed under Networks. Click OK, and then close the Group Policy Management Console.
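
Added example, not part of the original procedure: a PowerShell check to run before selecting an entry in Trusted Root Certification Authorities, to confirm which root CA the NPS server certificate chains to and whether that root is in the computer's trusted root store. The certificate path is a hypothetical placeholder for an exported copy (public part only) of the NPS server certificate.

```powershell
# Added example. $NpsCertPath is a hypothetical path to the NPS server
# certificate exported as a .cer file (no private key needed).
param([string]$NpsCertPath = 'C:\Temp\nps-server.cer')

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $NpsCertPath

# Build the chain from the local certificate stores. Revocation checking is
# turned off so the script works offline; the goal here is only to identify
# the root that anchors the server certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilt = $chain.Build($cert)

# The last element is the topmost certificate Windows could locate.
# If it is not self-signed, the chain is incomplete and no root was found.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$isSelfSigned = ($top.Subject -eq $top.Issuer)

# Check the computer's Trusted Root Certification Authorities store for it.
$inRootStore = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }).Count -gt 0

# Collect any chain errors (for example PartialChain or UntrustedRoot).
$status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

New-Object PSObject -Property @{
    ServerSubject           = $cert.Subject
    ServerNotAfter          = $cert.NotAfter
    ChainBuilt              = $chainBuilt
    ChainStatus             = $status
    RootSubject             = $top.Subject
    RootThumbprint          = $top.Thumbprint
    RootIsSelfSigned        = $isSelfSigned
    RootInLocalMachineStore = $inRootStore
} | Format-List

if (-not ($chainBuilt -and $isSelfSigned -and $inRootStore)) {
    Write-Warning 'The NPS certificate does not chain to a root in the local trusted root store.'
}
```

The RootSubject value is the entry to select in the policy. Run the same check on a representative wireless client, because the client validates the server certificate against its own trusted root store.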