Wireless Access Deployment Planning

Published: September 1, 2010

Updated: October 4, 2010

Applies To: Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP

Before you deploy wireless access, you must plan the following items:

  • Installation of wireless access points (APs) on your network

  • Wireless client configuration and access

When you design your wireless network access solution, you must determine what standards your wireless APs must support, the areas where you want to provide wireless service, and where to locate wireless APs. Additionally, you must plan an IP address scheme for your wireless AP’s and wireless clients. See the section Plan the configuration of wireless AP’s in NPS below for related information.

For the purposes of consistency and ease of deployment and AP management, it is recommended that you deploy wireless APs of the same brand and model.

The wireless APs that you deploy must support the following:

  • IEEE 802.1X

  • RADIUS authentication

  • Wireless Authentication and Cipher. Listed in order of most to least preferred:

    1. WPA2-Enterprise with AES

    2. WPA2-Enterprise with TKIP

    3. WPA-Enterprise with AES

    4. WPA-Enterprise with TKIP

To deploy WPA2, use wireless network adapters and wireless APs that also support WPA2. Otherwise, use WPA-Enterprise.

In addition, to provide enhanced security for the network, the wireless APs must support the following options:

  • DHCP filtering. The wireless AP must filter on IP ports to prevent the transmission of DHCP broadcast messages in those cases in which the client is a DHCP server. The wireless AP must block the client from sending IP packets from UDP port 68 to the network.

  • DNS filtering. The wireless AP must filter on IP ports to prevent a client from performing as a DNS server. The wireless AP must block the client from sending IP packets from TCP or UDP port 53 to the network.

  • Client isolation If your wireless access point provides client isolation capabilities, it should be enabled to prevent possible Address Resolution Protocol (ARP) spoofing, exploits.

Use architectural drawings of each floor for each building to identify the areas where you want to provide wireless coverage. For example, identify the appropriate offices, conferences rooms, lobbies, cafeterias, or courtyards. On the drawings, indicate any devices that interfere with the wireless signals, such as medical equipment, wireless video cameras, cordless telephones that operate in the 2.4 through 2.5 GHz Industrial, Scientific and Medical (ISM) range, and Bluetooth-enabled devices. On the drawing, mark aspects of the building that might interfere with wireless signals; metal objects used in the construction of a building can affect the wireless signal. For example, the following common objects can interfere with signal propagation: Elevators, heating and air-conditioning ducts, and concrete support girders.

Refer to your AP manufacturer for information about sources that might cause wireless AP radio frequency attenuation. Most APs provide testing software that you can use to check for signal strength, error rate, and data throughput.

On the architectural drawings, locate your wireless APs close enough together to provide ample wireless coverage but far enough apart that they do not interfere with each other. The necessary distance between APs depends upon the type of AP and AP antenna, aspects of the building that block wireless signals, as well as other sources of interference. Typically, mark wireless APs placements so that each wireless AP is not more than 300 feet from any adjacent wireless AP. See the wireless AP manufacturer’s documentation for AP specifications and guidelines for placement.

Temporarily install wireless APs in the locations specified on your architectural drawings. Then using a laptop equipped with an 802.11 wireless adapter and the site survey software that is commonly supplied with wireless adapters, determine the signal strength within each coverage area. In coverage areas where signal strength is low, reposition the AP to improve signal strength for the coverage area, install additional wireless APs to provide the necessary coverage, relocate or remove sources of signal interference.

Update your architectural drawings to indicate the final placement of all wireless APs. Having an accurate AP placement map will assist later during troubleshooting operations or when you want to upgrade or replace APs.

NPS has the ability to configure wireless APs individually or in groups. If the following conditions are met, you can configure the wireless APs that you deploy in groups:

  1. If you are running NPS servers on computers running Windows Server 2008 R2 Enterprise or Datacenter edition

  2. If you have deployed wireless APs within the same IP address range

  3. And if the wireless APs are all configured with the same shared secret

The advantage of configuring your wireless APs in NPS by groups is that it cuts down on your administrative overhead; which is very useful feature if you have deployed a large number of wireless APs. If you have not deploy your NPS servers on computers running either Enterprise or Datacenter edition, then you must configure each wireless AP individually in NPS.

In an 802.1X infrastructure, wireless access points are configured as RADIUS clients to RADIUS servers. When PEAP fast reconnect is deployed, a wireless client that roams between two or more access points is not required to be authenticated with each new association. PEAP fast reconnect reduces the response time for authentication between client and authenticator because the authentication request is forwarded from the new access point to the NPS server that originally performed authentication and authorization for the client connection request. Because both the PEAP client and NPS server both use previously cached Transport Layer Security (TLS) connection properties (the collection of which is named the TLS handle), the NPS server can quickly determine that the client is authorized for a reconnect.

For fast reconnect to work, the APs must be configured as RADIUS clients of the same NPS server

If the original NPS server becomes unavailable, or if the client moves to an access point that is configured as a RADIUS client to a different RADIUS server, full authentication must occur between the client and the new authenticator.

The following list summarizes items commonly configured on 802.1X-capable wireless APs:

The item names can vary by brand and model and might be different from those in the following list. See your wireless AP documentation for configuration-specific details.

  • Service set identifier (SSID). This is the name of the wireless network (for example, ExampleWlan), and the name that is advertised to wireless clients. To reduce confusion, the SSID that you choose to advertise should not match the SSID that is broadcast by any wireless networks that are within reception range of your wireless network.

    In cases in which multiple wireless APs are deployed as part of the same wireless network, configure each wireless AP with the same SSID. In cases in which multiple wireless APs are deployed as part of the same wireless network, configure each wireless AP with the same SSID.

    In cases where you have a need to deploy different wireless networks to meet specific business needs, your wireless AP’s on one network should broadcast a different SSID than the SSID your other network(s). For example, if you need a separate wireless network for your employees and guests, you could configure your wireless APs for the business network with the SSID set to broadcast ExampleWLAN. For your guest network, you could then set each wireless AP’s SSID to broadcast GuestWLAN. In this way your employees and guests can connect to the intended network without unnecessary confusion.

    Some wireless AP’s have the ability to broadcast multiple SSID’s to accommodate multi-network deployments. Wireless AP’s that can broadcast multiple SSID’s can reduce deployment and operational maintenance costs.

  • Wireless authentication and encryption.

    Wireless authentication is the security authentication that is used when the wireless client associates with a wireless access point.

    Wireless encryption is the security encryption cipher that is used with wireless authentication to protect the communications that are sent between the wireless AP and the wireless client.

  • Wireless AP IP address (static). Each wireless AP, configure a unique static IP address that falls within the DHCP exclusion range as documented in the Windows Server 2008 R2 Core Network Guide procedure “Creating a new DHCP Scope.”

  • DNS name. Some wireless APs can be configured with a DNS name. Configure each wireless AP with a unique name. For example, if you have a deployed wireless APs in a multi-story building, you might name the first three wireless APs that are deployed on the third floor AP3-01, AP3-02, and AP3-03.

  • Wireless AP subnet mask. Configure the mask to designate which portion of the IP address that is the network ID and which portion of the IP address is the host.

  • AP DHCP service. If your wireless AP has a built-in DHCP service, disable it.

  • RADIUS shared secret. Use a unique RADIUS shared secret for each wireless AP. Each shared secret should be a random sequence at least 22 characters long of uppercase and lowercase letters, numbers, and punctuation. To ensure randomness, you can use a random character generation program to create your shared secrets. It is recommended that you record the shared secret for each wireless AP and store it in a secure location, such as an office safe. When you configure RADIUS clients in the NPS console you will create a virtual version of each AP. The shared secret that you configure on each virtual AP in NPS must match the shared secret on the actual, physical AP.

  • RADIUS server IP address. Type the IP address of the NPS server that you want to use to authenticate and authorize connection requests to this access point...

  • UDP port(s). By default, NPS uses UDP ports 1812 and 1645 for RADIUS authentication messages and UDP ports 1813 and 1646 for RADIUS accounting messages. It is recommended that you do not change the default RADIUS UDP ports settings.

  • VSAs. Some wireless APs require vendor-specific attributes (VSAs) to provide full wireless AP functionality.

  • DHCP filtering. Configure wireless APs to block wireless clients from sending IP packets from UDP port 68 to the network. See the documentation for your wireless AP to configure DHCP filtering.

  • DNS filtering. Configure wireless APs to block wireless clients from sending IP packets from TCP or UDP port 53 to the network. See the documentation for your wireless AP to configure DNS filtering.

When planning the deployment of 802.1X-authenticated wireless access, you must consider several client-specific factors:

  • Planning support for multiple standards.

    Determine whether your wireless computers are all using the same version of Windows. For example, determine whether all of your wireless client computers all running Windows 7, or whether your wireless deployment include have a mixture of computers running Windows 7, Windows Vista and Windows XP.

    Determine whether all of the wireless network adapters on all of the wireless client computers support the same wireless standards, or whether you need to support varying standards. For example, determine whether some network adapter hardware drivers support WPA2-Enterprise and AES, while others support only WPA-Enterprise and TKIP.

  • Planning client authentication mode. Authentication modes define how Windows clients process domain credentials. You can select from the following three network authentication modes in the wireless network policies.

    1. User re-authentication This mode specifies that authentication is always performed by using security credentials based on the computer's current state. When no users are logged on to the computer, authentication is performed by using the computer credentials. When a user is logged on to the computer, authentication is always performed by using the user credentials.

    2. Computer only Computer only mode specifies that authentication is always performed by using only the computer credentials.

    3. User authentication User authentication mode specifies that authentication is only performed when the user is logged on to the computer. When there are no users logged on to the computer, authentication attempts are not performed.

  • Planning wireless restrictions. Determine whether you want to provide all of your wireless users with the same level of access to your wireless network, or whether you want to restrict access for some of your wireless users. You can apply restrictions in NPS against specific groups of wireless users. For example, you can define specific days and hours that certain groups are permitted access the wireless network.

  • Planning methods for adding new wireless computers. For wireless-capable computers that are joined to your domain before you deploy your wireless network, if the computer is connected to a segment of the wired network that is not protected by 802.1X, the wireless configuration settings are automatically applied on those computers after you configure Wireless Network (IEEE 802.11) Policies and Group Policy is refreshed.

    For computers that are not already joined to your domain, however, you must plan a method to apply the settings that are required for 802.1X-authenticated access. For example, determine whether you want to join the computer to the domain by:

    1. Connecting the computer to a segment of the wired network that is not protected by 802.1X, the joining the computer to the domain

    2. Provide your wireless users with the steps and settings that they require to add their own wireless bootstrap profile, and the join the computer to the domain

    3. Having the configuration performed by members of your IT staff

In Windows Server 2008 R2, the Wireless Network (IEEE 802.11) Policies extension in Group Policy provides a wide range of configuration options to support a variety of deployment options. You can deploy wireless APs that are configured with the standards that you want to support, and then configuring multiple wireless profiles in Wireless Network (IEEE 802.11) Policies, with each profile specifying one of the required set of standards.

For example, if your network has wireless computers that support WPA2-Enterprise and AES, other computers that support WPA-Enterprise and AES, while other computers support only WPA-Enterprise and TKIP, you must determine whether you want to:

  • Configure a single profile to support all of the wireless computers using the weakest encryption but which all of your computer can use; in this case, WPA-Enterprise and TKIP.

  • Configure two profiles to provide the best possible security that is supported by each wireless computer. In this instance you would configure one profile that specifies the strongest encryption (WPA2-Enterprise and AES), and one profile that uses the weaker WPA-Enterprise and TKIP encryption. In this example, it is essential that you place the profile that uses WPA2-Enterprise and AES highest in the preference order. Computers that are not capable of using WPA2-Enterprise and AES will automatically skip to the next profile in the preference order and process the profile that specifies WPA-Enterprise and TKIP.

The profile with the most secure standards should be placed higher in the list because connecting computers will use the first profile that they are capable of using.

In many cases, you might want to provide wireless users with varying levels of access to the wireless network. For example, you might want to allow some users unrestricted access, any hour of the day, every day of the week. For other users, you might only want to allow access during core hours, Monday through Friday, and deny access on Saturday and Sunday.

This guide provides instructions to create an access environment that places all of your wireless users in a group with common access to wireless resources. You create one wireless users security group in the Active Directory Users and Computers snap-in, and then make every user for whom you want to grant wireless access – a member of that group. When you configure NPS network policies, you specify the wireless users security group as the object that NPS processes when determining authorization.

However, if your deployment requires support for varying levels of access you need only do the following:

  1. Follow the procedure Create a Wireless Users Security Group in this guide, to create additional wireless security groups in Active Directory Users and Computers, each security group specifying a unique name.

  2. Follow the procedure Add Users to the Wireless Users Security Group to make each user a member of the appropriate security group.

  3. Follow the procedure Create NPS Policies for 802.1X Wireless Using a Wizard to configure an additional set of NPS policies for each additional wireless security group. In step 9 of the procedure, in Specify User Groups, click Add, and then type the name of the security group that you configured in Active Directory Users and Computers.

The preferred method to join new wireless computers to the domain and then log on to the domain is by using a wired connection to a segment of the LAN that has access to domain controllers, and is not protected by an 802.1X authenticating Ethernet switch.

In some cases, however, it might not be practical to use a wired connection to join computers to the domain, or, for a user to use a wired connection for their first logon attempt by using computers that are already joined to the domain. To join a computer to the domain by using a wireless connection or for users to logon to the domain the first time by using a domain-joined computer and a wireless connection, wireless clients must first establish a connection to the wireless network on a segment that has access to the network domain controllers.

For more information about the steps to join computers to the domain by using a wired connection, and to log on to the domain by using a wired connection, see the Windows Server 2008 R2 Core Network Guide, in the section titled Joining computers to the Domain and Logging On. The Windows Server 2008 R2 Core Network Guide is available for download in Word formant at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=157742) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=154884).

This guide provides the following methods to configure wireless computers running Windows Vista with wireless profiles that users can use to either join the computer to the domain by using a wireless connection, or to log on to the domain by using a wireless connection and a computer that is already joined to the domain:

  1. A member of the IT staff joins a wireless computer to the domain, and then configures a Single Sign On bootstrap wireless profile. In this method, an IT administrator connects the wireless computer to the wired Ethernet network, and then joins the computer to the domain. Then the administrator distributes the computer to the user. When the user starts the computer, the domain credentials that they manually specify for the user logon process are used to both establish a connection to the wireless network and log on to the domain.

  2. The user manually configures wireless computer with bootstrap wireless profile, and then joins the domain. In this method, users manually configure their wireless computers with a bootstrap wireless profile based on instructions from an IT administrator. The bootstrap wireless profile allows users to establish a wireless connection, and then join the computer to the domain. After joining the computer to the domain and restarting the computer, the user can log on to the domain by using a wireless connection and their domain account credentials.

Community Additions