Wireless LAN Support in Windows: Frequently Asked Questions

See Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home Office or Small Organization Networks for a small office/home office (SOHO) or for a small organization that uses 802.1X authentication and a Windows domain.

See Configuring Windows XP IEEE 802.11 Wireless Networks for the Home and Small Business for a home or small business that does not use 802.1X authentication and a Windows domain.

Windows Server 2003 Service Pack 2 includes the following updates to the wireless client software:

• Support for configuration of Wi-Fi Protected Access 2 (WPA2) authentication settings.
• Support for configuration of non-broadcast wireless networks.
• Support for non-broadcast network and WPA2 authentication settings through the IEEE 802.11 (Wireless) Policies Group Policy extension.
• Windows will not automatically connect to a peer-to-peer network, even if it is in the preferred network list. You must manually connect to a peer-to-peer wireless network.

Wireless Provisioning Services (WPS) is a new capability of Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 that allows you to configure wireless network settings using Extensible Markup Language (XML). WPS can be used to automate the secure configuration and connection to public wireless networks, known as hotspots. For more information, see the Deploying Wireless Provisioning Services Technology white paper.

An alternative to WPS is the Wireless LAN API Update, a free download from Microsoft for computers running Windows XP with Service Pack 2. The Wireless LAN API Update allows you to use new application programming interfaces (APIs) to manage wireless profiles and connections with wireless auto configuration. The APIs in the Wireless LAN API Update are also supported in Windows Vista.

The wireless connection user interface has been redesigned and enhanced in Windows Vista to make wireless network connection and management easier. See Connecting to Wireless Networks with Windows Vista.

For an example of configuring Windows Vista wireless clients in a test lab, see the Windows Vista Wireless Networking Evaluation Guide.

Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 include Wireless Provisioning Services (WPS), which allows you to configure wireless network settings using Extensible Markup Language (XML). For more information, see the Deploying Wireless Provisioning Services (WPS) Technology white paper. You can also use the Wireless Network (IEEE 802.11) Policies Group Policy extension in Windows Server 2003 Active Directory® directory service domains to automate the configuration of wireless network settings for wireless client computers running Windows XP with Service Pack 1, Windows XP with Service Pack 2, or Windows Server 2003.

An alternative to WPS is the Wireless LAN API Update, a free download from Microsoft for computers running Windows XP with Service Pack 2. The Wireless LAN API Update allows you to use new application programming interfaces (APIs) to manage wireless profiles and connections with wireless auto configuration. The APIs in the Wireless LAN API Update are also supported in Windows Vista.

When connecting to a wireless network that does not require any encryption or that requires you to manually type a network key for encryption, make sure you clear the Enable 802.1X on this connection check box on the Authentication tab of either:

• The wireless network connection in Windows XP with no service packs installed (obtain the properties of the wireless network connection in the Network Connections folder).
• The wireless network in Windows XP Service Pack 1, Windows XP Service Pack 2, and Windows Server 2003 (obtain the properties of a new or preferred wireless network on the Wireless Networks tab from the properties of the wireless network connection in the Network Connections folder).

Windows XP Service Pack 2, Windows Server 2003 Service Pack 2, and Windows Server 2003 Service Pack 1 include tracing for the Wireless Zero Configuration service, which is the service that performs wireless auto configuration. To see the Wireless Zero Configuration service logs:

1. Type netsh ras set tracing * enabled at a command prompt to enable logging for all components
2. Disable and then enable your wireless network connection in the Network Connections folder.
3. View the Wzcdlg.log and Wzctrace.log files in the %SystemRoot%\Tracing folder.

To disable tracing for all components, type netsh ras set tracing * disabled at a command prompt.

Yes. To take advantage of user certificate autoenrollment, you must upgrade your Active Directory domain to Windows Server 2003, as it requires a Windows Server 2003 Active Directory schema. You can upgrade a Windows 2000 Active Directory domain to a Windows Server 2003 Active Directory schema using the Adprep.exe tool, located in the \I386 folder on the Windows Server 2003 product CD-ROM.

For user certificate autoenrollment, you must use a certification authority that is running Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition. Only these versions of Windows Server 2003 support the certificate templates required to configure user certificate auto enrollment.

Yes. To configure WPA2 authentication settings for wireless clients running Windows XP with SP2 using the Wireless Network (IEEE 802.11) Policies Group Policy extension, the client computers must be members of a Windows Server 2003 Active Directory domain and have the Wireless Client Update for Windows XP with Service Pack 2 installed. The WPA2 authentication settings in the Wireless Network (IEEE 802.11) Policies Group Policy extension must be configured from the Group Policy Object Editor snap-in on a computer running Windows Vista.

For an example configuration in a test lab, see the Windows Vista Wireless Networking Evaluation Guide.

The WPA2 authentication settings configured in this way for Windows XP with SP2 wireless clients also apply to Windows Vista and Windows Server 2003 with Service Pack 2 wireless clients.

Windows Vista supports an enhanced set of wireless Group Policy settings designed for use by Windows Vista and Windows Server 2008 wireless clients. Windows Vista supports both Windows XP-based Group Policy settings and Windows Vista-based Group Policy settings. The Windows Vista-based Group Policy settings include the ability to configure multiple profiles and their order, lists of wireless networks that are either allowed or denied, and Single Sign On settings. For more information, see Wireless Group Policy Settings for Windows Vista. When both types of wireless settings are configured, Windows Vista wireless clients use the Windows Vista settings. If the Windows Vista wireless settings are not configured, Windows Vista wireless clients use the Windows XP wireless settings.

The Windows Vista-based wireless settings can be configured in a Windows Server 2008 Active Directory domain using the Group Policy Object Editor snap-in from a computer running Windows Vista. However, Windows Server 2008 is currently in beta testing.

To configure and use Windows Vista-based wireless settings in a Windows Server 2003 Active Directory domain, you must extend your Windows Server 2003 Active Directory schema to support the new Windows Vista-based wireless settings. For more information and the directory extension file, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements. After extending your schema, configure Windows Vista-based wireless settings from the Group Policy Object Editor snap-in on a computer running Windows Vista.

For an example configuration in a test lab, see the Windows Vista Wireless Networking Evaluation Guide.

For information about using the enhanced Windows Vista wired Group Policy settings, see Frequently Asked Questions about Wired LAN Support in Windows.

For more information, see the following:

• Wireless Group Policy Settings for Windows Vista
• Configuring Wireless Settings Using Windows Server 2003 Group Policy

The most common reason for login scripts failing to execute or when computer configuration Group Policy setting updates are not applied is that computer authentication has failed. Computer authentication can fail for the following reasons:

• If you are using group-based remote access policies for wireless authorization, the computer account is not a member of the allowed groups.
• The computer is a member of a Windows NT 4.0 domain, which unlike an Active Directory domain, does not support 802.1X computer authentication.
• You are using a smart card for authentication, rather than locally installed certificates. When you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer authentication.
• Computer authentication is disabled on the wireless client. Ensure that the Authenticate as computer when computer information is unavailable check box is selected on the Authentication tab of either:
• The wireless network connection in Windows XP with no service packs installed
• The wireless network in Windows XP with SP1, Windows XP with SP2, and Windows Server 2003

If you are using Internet Authentication Service (IAS) as your Remote Authentication Dial-In User Service (RADIUS) server, check the System event log for an authentication attempt using the wireless client's computer to ensure that computer authentication is being tried.

Updates to Computer Configuration Group Policy occur when the computer starts, achieves network connectivity, and locates a domain controller. The computer attempts to download the latest Computer Configuration Group Policy based on the computer's placement in a domain system container.

If the wireless client computer cannot authenticate to a wireless AP to obtain wireless LAN network connectivity, the attempt to locate a domain controller and download the latest Computer Configuration Group Policy fails. This event is recorded in the event log.

The solution to this problem is to ensure that computer authentication is configured and is successful, so that wireless LAN network connectivity is present during the location of the domain controller and the download of the Computer Configuration Group Policy. When you are using EAP-TLS authentication, this means that each wireless client computer must have a computer certificate installed.

Updates to User Configuration Group Policy occur when a user supplies correct credentials and logs on to the domain. If the computer has not authenticated itself against the wireless AP, the logon uses cached credentials. After the user certificate in the user's certificate store becomes available, the Windows wireless client configured to use EAP-TLS authentication attempts to authenticate against the wireless AP. Depending on how long the wireless authentication takes, the download of the User Configuration Group Policy might also fail. This event is recorded in the event log.

The solution to this problem is to ensure that computer authentication is configured and is successful. With an installed computer certificate (for EAP-TLS) or a computer account password (for PEAP-MS-CHAP v2), the Windows wireless client has wireless LAN network connectivity during the entire logon process, and therefore should always be able to download the latest User Configuration Group Policy.

With Windows XP Service Pack 2 or Windows XP Service Pack 1 and the Wireless Update Rollup Package for Windows XP installed, the sequence of events is the following:

• Perform 802.1X authentication (the actual authentication method does not matter).
• Determine encryption keys and pass them to the wireless network adapter.
• Use DHCP to obtain an IP address configuration.

The AuthMode registry value (found at HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters \General\Global\AuthMode) affects the behavior of computer authentication and user authentication. The AuthMode value can be set to the following:

0 - Computer authentication is performed when the wireless client computer is started. When a user logs in, if the computer authentication was successful, user authentication is not performed. This setting has been deprecated and its use is discouraged. This is the default setting for Windows XP with no service packs installed.

1 - Computer authentication is performed when the wireless client computer is started. When a user logs in, user authentication occurs. When the user logs out, computer authentication occurs. This is the default setting for Windows XP SP1, Windows XP SP2, and Windows Server 2003.

2 - Computer authentication is performed when the wireless client computer is started. User authentication is never performed.

You can enable tracing for 802.1X connections at a Windows command prompt with the following commands:

1. Type netsh ras set tracing * enabled at a command prompt to enable logging for all components.
2. Attempt the authentication again. For example, disable and then enable your wireless network connection in the Network Connections folder
3. View the Eapol.log and Rastls.log files in the %SystemRoot%\Tracing folder.

To disable tracing for all components, type netsh ras set tracing * disabled at a command prompt. For information about how to interpret the log files, see A Support Guide for Wireless Diagnostics and Troubleshooting.

To add 802.1X functionality to the Windows 2000 platform, a subset of features was taken from Windows XP. The 802.1X authentication components are largely the same. For example, you configure 802.1X authentication settings from an Authentication tab from the properties of an Ethernet or wireless network adapter in the Network and Dial-up Connections folder. Here is a list of the differences for Microsoft 802.1X Authentication Client:

• Service state The Windows 2000 802.1X service is installed in a disabled state. You must manually set the service state to Automatic and start the service using the Services snap-in.
• Auto configuration functionality Microsoft 802.1X Authentication Client does not include wireless auto configuration functionality. This means that you must use a third-party, vendor-supplied configuration tool to configure your 802.11 wireless settings such as the wireless network name and encryption settings. Unlike Windows XP, which saves 802.11 settings on a per-user basis, many wireless configuration tools do not. This may permit multiple users to log on to the same computer and to configure a common profile instead of a user-specific profile.
• Group Policy Configuring 802.1X authentication settings by using Group Policy settings is not supported.
• Authorization status notification You can view the authorization status by moving the mouse pointer over the wireless connection icon in the notification area.
• Single wireless network adapter Microsoft 802.1X Authentication Client supports only one wireless network adapter at a time. Although it is technically possible to have a laptop computer with more than one wireless network adapter, Microsoft 802.1X Authentication Client works with only one at a time.
• Help There is no context-sensitive or online help that describes Microsoft 802.1X Authentication Client.

There is no built-in wireless LAN support in Windows Me, Windows 98, or Windows NT 4.0. Wireless network adapter manufacturers must supply all wireless and authentication functionality for these versions of Windows.

To configure a wireless client computer running Windows Me, Windows 98, or Windows NT 4.0, you must use the wireless configuration tool provided by your wireless network adapter manufacturer. Please see the instructions for the wireless configuration tool to configure 802.11 and 802.1X authentication settings.