Configure Computers Running Windows XP to Use PEAP-TLS

Applies To: Windows Server 2008, Windows Vista

Follow these steps to configure a Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS) wireless configuration profile for wireless computers running Windows XP and Windows Server 2003.

Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.

To configure a PEAP-TLS profile for wireless client computers running Windows XP

  1. In New XP Wireless Network (IEEE 802.11) Policies Properties, on the General tab, do the following:

    1. In XP Policy Name, type a name for your wireless policy.

    2. In Description, type a brief description of the policy.

    3. In Networks to access, select Any available network (wireless AP preferred).

    4. Select Use Windows to configure wireless network settings for clients.

  2. Click the Preferred Networks tab, click Add, and then select Infrastructure. On the Network Properties tab, configure the following:

    1. In Network Name (SSID), type the service set identifier (SSID) for your network.

Note

The value that you enter in this field must exactly match the value configured on the access points that you have deployed on your network.

    2. In Description, enter a description for this profile.

    3. To specify that a network key is used for authentication to the wireless network, under Select the security methods for this network, in Authentication, select either WPA2 (preferred), or WPA. In Encryption, specify either AES or TKIP.

Note

In the Windows XP Wireless Network (IEEE 802.11) Policies, WPA2 and WPA correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies WPA2-Enterprise and WPA-Enterprise settings, respectively.

Note

Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are sufficient for most wireless deployments.

  3. Click the IEEE 802.1X tab. In EAP type, by default, Protected EAP (PEAP) is selected.

    The remaining default settings on the IEEE 802.1X tab are sufficient for most wireless deployments.

  4. Click Settings. In the Protected EAP Properties dialog box, do the following:

  5. Verify that Validate Server certificate is selected.

  6. In Trusted Root Certification Authorities, select the certification authority (CA) that issued the server certificate to your Network Policy Server (NPS).

    Security Note
    This setting limits the CAs that clients trust to the selected values. If no CAs are selected, clients trust all CAs in their Trusted Root Certification Authorities certificate store.

  7. To enable PEAP Fast Reconnect, make sure that Enable Fast Reconnect is selected.

  8. In Select Authentication Method, select Smart Card or other certificate, and then click Configure. The Smart Card or other certificate dialog box opens.

  9. In When connecting, do one of the following:

    • For smart card deployments, select Use my smart card.

    • For deployments that use other certificates, select Use a certificate on this computer.

  10. Verify that Validate Server certificate is selected.

  11. In Trusted Root Certification Authorities, select the certification authority (CA) that issued the server certificate to your Network Policy Server (NPS).

  12. Click OK three times to return to the Preferred Networks tab. The PEAP-TLS profile is listed under Networks. Click OK, and then close the Group Policy Management Console (GPMC).
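
An added check, not part of the original procedure or of Microsoft's tooling: it audits a wireless profile for the settings chosen in the steps above, assuming the profile is available in the WLAN profile XML format (for example from `netsh wlan export profile` on Windows Vista and later), which is not how the XP policy itself is stored. The sample profile is constructed and abbreviated, the SSID and CA thumbprint are placeholders, and treating a missing `TrustedRootCA` element as "no CA selected" is an assumption about the export.

```python
import xml.etree.ElementTree as ET

# Constructed, abbreviated profile; SSID and CA thumbprint are placeholders.
SAMPLE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<SSIDConfig><SSID><name>EXAMPLE-SSID</name></SSID></SSIDConfig>
<MSM><security>
<authEncryption><authentication>WPA2</authentication>
<encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
<OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><TrustedRootCA>PLACEHOLDER-THUMBPRINT</TrustedRootCA></ServerValidation>
<FastReconnect>true</FastReconnect>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<ServerValidation><TrustedRootCA>PLACEHOLDER-THUMBPRINT</TrustedRootCA></ServerValidation>
</EapType></Eap></EapType></Eap>
</EAPConfig></OneX></security></MSM></WLANProfile>"""

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the XML namespace

def audit_profile(xml_text):
    """Return findings; an empty list means the profile matches the procedure."""
    root = ET.fromstring(xml_text)
    def texts(name, scope=root):
        return [(e.text or "").strip() for e in scope.iter() if local(e) == name]
    findings = []
    auth, enc = texts("authentication"), texts("encryption")
    if auth not in (["WPA2"], ["WPA"]):
        findings.append("authentication is not WPA2 or WPA")
    elif auth == ["WPA"]:
        findings.append("WPA selected; WPA2 is preferred")
    if enc not in (["AES"], ["TKIP"]):
        findings.append("encryption is not AES or TKIP")
    # Type children of <Eap>, outermost first: 25 = PEAP, 13 = EAP-TLS
    methods = [(c.text or "").strip() for e in root.iter() if local(e) == "Eap"
               for c in e if local(c) == "Type"]
    if methods != ["25", "13"]:
        findings.append("EAP methods are not PEAP with a certificate inner method")
    checks = [e for e in root.iter() if local(e) == "ServerValidation"]
    if len(checks) < 2 or not all(any(texts("TrustedRootCA", e)) for e in checks):
        findings.append("server validation lacks a selected trusted root CA")
    if texts("FastReconnect") != ["true"]:
        findings.append("Fast Reconnect is not enabled")
    return findings
```

`audit_profile(SAMPLE)` returns an empty list; each returned string names one setting that differs from the procedure.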