The Cable Guy - July 2003

Configuring Wireless Settings Using Windows Server 2003 Group Policy

By The Cable Guy

The configuration of wireless settings for Windows wireless clients running Windows XP and Windows Server 2003 is aided by the Windows Wireless Auto Configuration, which provides automatic configuration of wireless settings with three mouse clicks when the user is prompted to connect to a wireless network:

1. Click the "One or more wireless networks are available" message in the notification area of the desktop.
2. Click to select the wireless network in Connect to Wireless Network.
3. Click Connect.

This is the best scenario, in which the following default settings for a new preferred wireless network apply:

• The SSID of the network is determined from the wireless AP beacon.
• WEP encryption is enabled.
• Shared key authentication is disabled.
• The WEP key is determined automatically.
• IEEE 802.1X authentication is enabled using the EAP-TLS authentication method.

If the wireless network does not conform to these settings, the user must manually configure the wireless network settings. Although this might not be a problem in a small office/home office network with a small number of wireless client computers, leaving the manual configuration of critical wireless settings to the user in a medium to large organization with hundreds or thousands of wireless client computers is a significant network administration and troubleshooting issue.

To automate the configuration of wireless network settings for Windows XP with Service Pack 2 (SP2), Windows XP with Service Pack 1 (SP1), and Windows Server 2003 wireless client computers, Windows Server 2003 Active Directory domains support a new Wireless Network (IEEE 802.11) Policies Group Policy extension that allows you to configure wireless network settings that are part of Computer Configuration Group Policy for a domain-based Group Policy object.

Wireless Network (IEEE 802.11) Policies Group Policy Extension

Wireless network settings in the Wireless Network (IEEE 802.11) Policies Group Policy extension include global wireless settings, the list of preferred networks, WEP settings, and IEEE 802.1X settings. These settings encompass all of the items on the Association and Authentication tabs in the properties dialog box for a wireless network on a Windows XP with SP2, Windows XP with SP1, or Windows Server 2003 wireless client, as well as additional settings.

These settings are downloaded to Windows XP with SP2, Windows XP with SP1, and Windows Server 2003 wireless client computers that are members of a Windows Server 2003 Active Directory domain, making it much easier to deploy a specific configuration for secure wireless connections. You can configure wireless policies from the Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies node in the Group Policy snap-in.

The following figure shows the location of the Wireless Network (IEEE 802.11) Policies node.

If your browser does not support inline frames, click here to view on a separate page.

Note These policy settings do not apply to Windows XP with no service packs installed or Windows 2000 with Service Pack 4 (SP4) wireless clients.

By default, there are no Wireless Network (IEEE 802.11) Policies. To create a new policy, right-click Wireless Network (IEEE 802.11) Policies in the console tree of the Group Policy snap-in and then click Create Wireless Network Policy. The Create Wireless Network Policy Wizard is started, from which you can configure a name and description for the new wireless network policy. You can create only a single wireless network policy for each Group Policy object. For more information about Windows Server 2003 Group Policy, see Introduction to Group Policy in Windows Server 2003.

To modify the settings of a wireless network policy, double-click its name in the details pane.

Wireless Network Policy Properties

The properties of a wireless network policy consist of a General tab and a Preferred Networks tab.

The following figure shows the General tab for a wireless network policy and its default settings.

On the General tab, you can view and configure the following:

• Name   Specifies a friendly name for the wireless network policy.
• Description   Provides a description for the wireless network policy.
• Check for policy changes every   Specifies the interval, in minutes, after which wireless clients that are domain members check for changes in the wireless network policy.
• Networks to access   Specifies the types of wireless networks with which the wireless client is allowed to create connections:
• Any available network (access point preferred)
• Access point (infrastructure) networks only
• Computer-to-computer (ad hoc) networks only
• Use Windows to configure wireless network settings for clients   Enables the Wireless Auto Configuration.
• Automatically connect to non-preferred networks   Enables automatic connections to wireless networks that are not configured as preferred networks.

The following figure shows the Preferred Networks tab for a wireless network policy.

On the Preferred Networks tab, you can view and configure the following:

• Networks   Displays the list of preferred wireless networks.
• Add/Edit/Remove   Creates, deletes, or modifies the settings of a new or selected preferred wireless network.
• Move Up/Move Down   Moves the selected preferred wireless network up or down in the Networks list.

Preferred Wireless Network Properties

The properties of a preferred wireless network consist of a Network Properties tab and an IEEE 802.1x tab.

The following figure shows the Network Properties tab for a preferred wireless network with default settings.

On the Network Properties tab, you can view and configure the following settings:

• Network name (SSID)   Specifies the wireless LAN network name, also known as the Service Set Identifier (SSID).
• Description   Provides a description of the wireless LAN network.
• Data encryption (WEP enabled)   Specifies whether WEP is enabled for this wireless LAN network.
• Network authentication (Shared mode)   Specifies whether IEEE 802.11 shared key authentication is used to authenticate the wireless client. If disabled, open system authentication is used.
• The key is provided automatically   Specifies whether a WEP key is provided through some means other than manual configuration, such as a key provided on the network adapter or through IEEE 802.1X authentication.
• This is a computer-to-computer (ad hoc) network   Specifies whether this wireless LAN network is operating in ad hoc mode.

For Windows Server 2003 Service Pack 1 and the 811233 update for Windows Server 2003 with no service packs installed, the Network Properties tab has been updated as shown in the following figure.

The Wireless network key area of the Network Properties tab has the following changes:

• It has been renamed Wireless network key (from Wireless network key (WEP)).
• The Network authentication (Shared mode) checkbox has been replaced with a Network Authentication drop-down box with the following selections: Open, Shared, WPA-None, WPA, WPA-PSK
• The Data encryption (WEP enabled) checkbox has been replaced with a Data encryption drop-down box that has the following selections: Disabled, WEP, AES, TKIP

These changes allow you to configure the same authentication and encryption options and in the same way as on the Association tab when configuring a Wi-fi Protected Access (WPA)-capable Windows wireless client. The new Group Policy settings for WPA authentication and encryption options are supported by computers running Windows XP with SP1 and the WPA Wireless Security Update in Windows XP, Windows XP with SP2, or Windows Server 2003 with SP1.

The following figure shows the IEEE 802.1x tab for a preferred wireless network and its default settings.

On the IEEE 802.1x tab, you can view and configure the following settings:

• Enable network access control using IEEE 802.1x   Specifies whether you want to use IEEE 802.1X to perform authentication for this wireless network. If you clear this check box, all of the other settings on this tab become unavailable.

• EAPOL-Start message   Specifies the transmission behavior of the EAPOL-Start message when authenticating. You can select from the following:

• Do not transmit   Specifies that EAPOL-Start messages are not sent.

• Transmit   Determines when to send EAPOL-Start messages and, if needed, sends an EAPOL-Start message.

• Transmit per 802.1x   Sends an EAPOL-Start message upon association to initiate the 802.1X authentication process.

• Max start   Specifies the number of successive EAPOL-Start messages that are sent out when no response to the initial EAPOL-Start messages is received.

• Start period   Specifies the interval, in seconds, between the retransmission of EAPOL-Start messages when no response to the previously sent EAPOL-Start message is received.

• Held period   Specifies the period, in seconds, for which the authenticating client will not perform any 802.1X authentication activity after it has received an authentication failure indication from the authenticator.

• Authentication period   Specifies the interval, in seconds, for which the authenticating client will wait before retransmitting any 802.1X requests after end-to-end 802.1X authentication has been initiated.

• EAP type   Lists the EAP types that correspond to EAP DLLs installed on the computer that are suitable for wireless access.

• Settings   Click to configure the properties of the selected EAP type.

• Authenticate as guest when user or computer information is unavailable   Specifies whether the computer will attempt to authenticate as a guest when either user or computer credentials are not available.

• Authenticate as computer when computer information is available   Specifies whether the computer will attempt to authenticate using computer credentials without the user logging on.

• Computer authentication   Specifies the way in which computer authentication works with user authentication.

  There are three possible settings:

• With user authentication   When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained with the computer credentials. If a user travels to a new wireless access point, authentication is performed using the user credentials.

• With user re-authentication   When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting as it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on).

• Computer only   Authentication is always performed by using the computer credentials. User authentication is never performed.

For More Information

For more information about 802.11 wireless LAN support in Windows, see the following resources:

• Microsoft Wireless Networks Web site
• Introduction to Group Policy in Windows Server 2003

For a list of all The Cable Guy articles, click here.