Windows Vista Wireless Networking Evaluation Guide

Applies To: Windows Vista

This document outlines deployment scenarios to support wireless networking with the Microsoft® Windows Vista® operating system. The evaluation scenarios presented in this document rely on a test network that uses Microsoft® Windows Server® 2003 Active Directory, Internet Authentication Service (IAS), Dynamic Host Configuration Protocol (DHCP), an IEEE 802.1X-compliant wireless access point (AP) to provide 802.1X authenticated network access, and one client running Windows Vista with an IEEE 802.3 wired Ethernet connection to the test network.

The test lab configuration is neither designed to reflect best practices nor is it designed to reflect a desired or recommended configuration for a production network. For more information about deploying secure wireless, see the Microsoft Wi-Fi Web site.

The scenarios cover a range of features that are new in Windows Vista and Microsoft® Windows Server® 2008.

The evaluation scenarios in this guide provide methods to configure wireless clients running Windows Vista and Windows Server® 2008, and demonstrate the following new wireless features in Windows Vista:

  • Windows Server 2003 Active Directory with schema extension for Windows Vista Wireless (and Wired) Group Policy - This new extension updates your existing Windows Server 2003 Active Directory schema to support a Wireless Network (IEEE 802.11) Policy for wireless clients running Windows Vista and Windows Server 2008. Deploying the schema extension does not affect an existing Wireless Network (IEEE 802.11) Policy for Windows XP. The schema enables you to configure one wireless policy for wireless computers running Windows Vista that is separate from the wireless policy for wireless computers running Microsoft® Windows XP.

    The schema extension enables you to take advantage of wireless enhancements available in wireless clients running Windows Vista and Windows Server 2008, such as Wi-Fi Protected Access 2 (WPA2), fast reconnect, fast roaming, and profile management using Active Directory Group Policy.

  • Wireless Network (IEEE 802.11) Policy The Windows Vista Wireless Network Policy enables you to provide and manage multiple wireless profiles which your wireless clients can use to connect to wireless networks. This document examines the configuration and management of both PEAP-MS-CHAP v2 profiles and EAP-TLS profiles. Additionally, this document contains information about the following management features in the Wireless Network (IEEE 802.11) Policy:

    • Allow and deny lists - An allow/deny list enables you to specify the set of wireless networks - by service set identifier (SSID) - to which the wireless client running Windows Vista or Windows Server 2008 is allowed or denied connections. This is useful for network administrators that want an organization's wireless computers to connect to a specific set of wireless networks, or prevent managed wireless computers from connecting to other wireless networks that are within range of the organization’s wireless network.

    • Allow everyone to create "all user" profiles - Specifies whether any user to which the Wireless Network (IEEE 802.11) Policy applies can create all user profiles on the computer.

    • Prevent connections to ad hoc or infrastructure networks - administrators can specify whether wireless clients running Windows Vista are permitted to connect to infrastructure networks, ad hoc networks, or both.

    • Use the WLAN AutoConfig Service for clients - The Wireless Network (IEEE 802.11) Policy enables administrators to specify that the WLAN AutoConfig Service is used to configure and connect wireless clients running Windows Vista to the wireless network. The WLAN AutoConfig Service enumerates WLAN adapters, and manages WLAN connections and profiles.

    • Import and export profiles - This new feature enables administrators to easily incorporate an existing wireless network profile into the list of policy-defined available networks. The export feature enables administrators to save a configured profile as an Extensible Markup Language (XML) file.

  • Wireless diagnostics - The primary objective for wireless diagnostics is to diagnose and help troubleshoot wireless connectivity issues, including failed connections and intermittent connectivity issues. Wireless diagnostics works with the Network Diagnostics Framework (NDF), which in turn plugs into Windows Diagnostics Infrastructure (WDI). The role of wireless diagnostics is to simplify correction of wireless connectivity issues by collecting and analyzing information about wireless connectivity, and then providing the results of the analysis with repair options to WDI through the NDF.

  • Netsh wlan - The Windows Vista netsh commands for wireless local area network (WLAN) provide methods for configuring connectivity and security settings and for gathering information about client configuration settings. As a troubleshooting tool, netsh wlan reports the client's wireless configuration and the configuration of the wireless network adapter.

In this document, IEEE 802.3 wired Ethernet is referred to as "wired," IEEE 802.11 is referred to as "wireless."

In this guide

This section provides an overview of each of the main sections contained within the remainder of this document:

  • Who should use Windows Vista wireless networking, and why?

    This section presents information about the target audience for this evaluation guide. Additionally, a sample of the Windows Vista wireless enhancements is provided to show the benefits of wireless networking in Windows Vista.

  • Prerequisites for testing wireless networking in Windows Vista

    This section presents information about test lab deployment decisions that you need to make before you begin your wireless test network deployment.

  • Deploying your test network

    This section presents general information about extending the Active Directory Group Policy schema in Windows Server 2003 to support Windows Vista wireless Group Policy. A link to the detailed instructions for extending the schema is also provided.

    The last portion of this section provides the step-by-step instructions to configure the computer, user, and administrator accounts that are required before you can configure the Windows Vista wireless Group Policy.

  • Configure Windows Vista Group Policy Management Console and the basic Windows Vista Wireless Network Policy

    This section provides the detailed steps to configure Group Policy Management Console, and to activate the default Wireless Network (IEEE 802.11) Policy for Windows Vista.

  • Configure wireless clients running Windows Vista by using Wireless Network (IEEE 802.11) Policy

    This section provides step-by-step instructions to configure Windows Vista wireless profiles for both the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for the wireless test network in the example.com test domain.

  • Configure wireless clients running Windows XP by using Wireless Network (IEEE 802.11) Policy

    This section provides step-by-step instructions to configure Windows XP wireless profiles for both the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) for the wireless test network in the example.com test domain.

  • Using wireless profile management features

    Using step-by-step procedures, this section provides an evaluation of the Windows Vista profile management features that enable you to prioritize, export, import, add, and delete profiles.

  • Perform wireless diagnostics to troubleshoot connection problems

    The diagnostics section of this document provides several tests that you can perform to evaluate how Windows Vista responds to various wireless connectivity errors. The tests in this section represent only a small sample of the capabilities of Windows Vista wireless diagnostics.

    Additionally, this section contains examples demonstrating several ways that netsh wlan is used for troubleshooting Windows Vista wireless connectivity problems.

Who should use Windows Vista wireless networking, and why?

This guide is for the following audiences:

  • IT professionals who are considering deployment of Windows Vista in their existing Windows Server 2003 wireless infrastructure

  • IT managers and IT administrators who need to configure wireless settings on multiple clients

  • IT managers who want to configure enhanced security settings, such as WPA2, on multiple computers running Windows XP with SP2

  • IT planners and analysts who are evaluating Windows Vista

  • Enterprise IT planners and designers

  • Security architects who are responsible for implementing trustworthy computing

Why should you use Windows Vista wireless networking?

There are numerous reasons to use Windows Vista and Windows Server 2008 wireless networking. The following section highlights some of the more compelling reasons.

Native Wi-Fi Architecture

The Native Wi-Fi Architecture, the software infrastructure for 802.11 wireless connections in Windows Vista and Windows Server 2008, has been redesigned to:

  • Allow independent hardware vendors (IHVs) more flexibility in supporting advanced features of IEEE 802.11 networks, such as a larger frame size than Ethernet.

  • Perform authentication, authorization, and management of 802.11 connections, reducing the burden on IHVs to incorporate these functions into their wireless network adapter drivers.

  • Support APIs that allow independent software vendors (ISVs) and IHVs to extend wireless services and customize capabilities.

Wireless Group Policy enhancements

Group Policy enhancements for wireless include the following:

  • Separation of wired 802.1X and wireless services

  • Support for individual Windows XP and Windows Vista wireless policies

  • Better security using Wi-Fi Protected Access 2 (WPA2) authentication options for Windows Vista, Windows Server 2008, and Windows XP with Service Pack 2

  • WPA2 fast roaming settings

  • Configuration of preferred wireless networks for automatic or manual connection

  • Configuration of allow and deny lists to specify whether wireless network clients can view or attempt to connect to other wireless networks that are not controlled by the network administrator.

  • Support for multiple profiles using the same SSID, but different network security and authentication methods.

  • Support for connecting to non-broadcast networks

  • Support for importing of IHV profiles

  • User experience improved (parity with client UI)

Windows Server 2003 Active Directory Schema Extensions for Windows Vista wireless and wired Group Policy

You can configure Wireless Network (IEEE 802.11) Policy for clients running Windows Vista by using Group Policy on either:

  • Domain controllers running Windows Server 2008

  • Domain controllers running Windows Server 2003 with SP1 (or R2), when combined with the Active Directory schema extensions for Windows Vista wireless Group Policy

User interface improvements for wireless connections

The function of wireless configuration, and the user interface (UI) has been improved in several ways:

  • ISVs or IHVs can add custom wireless configuration dialog boxes or wizards to the built-in Windows wireless client, allowing the configuration of custom wireless features and capabilities.

  • Non-broadcast wireless networks can be marked as hidden. In Windows Vista and Windows Server 2008, you can indicate that a preferred wireless network is hidden by configuring it as a non-broadcast network. This reduces the confusing behavior in earlier versions of Windows when automatically connecting to hidden wireless networks.

  • Windows Vista and Windows Server 2008 prompt the user when connecting to an unsecured wireless network and allow them to confirm the connection attempt.

  • By default, the Network Connection wizard sets security to the highest security level supported by the wireless network adapter.

Integration with Network Access Protection

When using 802.1X authentication, 802.1X wireless networks can be combined with Network Access Protection to block wireless clients that do not meet system health requirements from gaining unlimited access to the private network.

New default EAP authentication method

To leverage the account name and password-based authentication infrastructure that already exists in Active Directory, in Windows Vista and Windows Server 2008 the EAP authentication method for 802.1X-authenticated wireless connections uses PEAP-MS-CHAP v2 by default.

Wireless diagnostics

Wireless diagnostics helps troubleshoot wireless connectivity issues, including failed connections and intermittent connectivity. In Windows Vista, when a user experiences a network problem, wireless diagnostics provides the user with the ability to diagnose and repair the problem within the context of that problem. Diagnostics are implemented through the following features:

  • The new Network Diagnostics Framework is an extensible architecture that helps users recover from and troubleshoot problems with network connections.

  • The Windows event log stores new information specific to failed wireless connection attempts. IT professionals can use these event records to perform further troubleshooting when wireless diagnostics cannot fix the problem, or when the problem is not specific to the wireless client and therefore cannot be fixed by changing wireless client settings.

  • Windows error reporting prompts users who have wireless connection problems to send information to Microsoft for analysis. Successful diagnostics can also be sent to Microsoft through the Software Quality Metrics (SQM) infrastructure (known as the Customer Experience Improvement Program in Windows XP). The reports contain no personal information about the computer or the user. Microsoft will use this information to identify the top root causes for wireless connection failures, and take appropriate actions to either improve the wireless client software in Windows or work with wireless vendors to help improve wireless hardware products.
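
The following script is an added example and is not part of the Microsoft guide. It collects, on a Windows Vista client, the information the diagnostics section refers to: the adapter and driver details, the effective client settings (including applied Group Policy), and the per-attempt records in the WLAN AutoConfig operational event log, so an IT professional can continue troubleshooting when Network Diagnostics cannot repair the problem. It assumes PowerShell is installed on the client and that C:\WlanDiag is an acceptable output folder; both are assumptions, not values from the guide.

```powershell
# Added example, not code from the Microsoft guide. Run from an elevated
# PowerShell prompt on the Windows Vista wireless client.
# Assumption: C:\WlanDiag may be created on this client.
$out = "C:\WlanDiag"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Adapter and driver capabilities (supported authentication and cipher suites),
# current connection state (SSID, BSSID, signal, authentication, cipher),
# the profiles on the client, the effective settings (including Group Policy)
# and any allow/deny filters.
netsh wlan show drivers    > "$out\drivers.txt"
netsh wlan show interfaces > "$out\interfaces.txt"
netsh wlan show profiles   > "$out\profiles.txt"
netsh wlan show settings   > "$out\settings.txt"
netsh wlan show filters    > "$out\filters.txt"

# The WLAN AutoConfig operational log holds one record per association,
# authentication and disconnect event. Newest first; then errors only
# (Level 1 = critical, 2 = error) for a quick look at failed attempts.
$channel = "Microsoft-Windows-WLAN-AutoConfig/Operational"
$errorsOnly = "*[System[Level<=2]]"
wevtutil qe $channel /c:50 /rd:true /f:text             > "$out\wlan-events.txt"
wevtutil qe $channel "/q:$errorsOnly" /rd:true /f:text  > "$out\wlan-errors.txt"

# First-pass triage on the console: connection state and any failure reasons.
Select-String -Path "$out\interfaces.txt" -Pattern "State|SSID|Authentication|Cipher"
Select-String -Path "$out\wlan-errors.txt" -Pattern "Reason|Error" | Select-Object -First 20
```

The text files in the output folder are what to attach when escalating a problem that is not specific to the wireless client, for example a RADIUS rejection that shows up as a failed 802.1X authentication in the event log but must be fixed on the IAS server.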

Netsh wlan command

The Windows Vista netsh commands for wireless local area network (WLAN) provide methods to configure connectivity and security settings. You can use the Netsh wlan commands to view configuration settings, configure the local computer, or to configure multiple computers by using a logon script. You can also use the netsh wlan commands to view wireless Group Policy settings.

The wireless netsh interface has the following benefits:

  • Easier wireless deployment: Provides a light-weight alternative to Group Policy to configure wireless connectivity and security settings.

  • Mixed mode support: Allows administrators to configure clients to support multiple security options. For example, a client can be configured to support both the WPA2 and the WPA authentication standard. This allows the client to use WPA2 to connect to networks that support WPA2 and use WPA to connect to networks that only support WPA.

  • Blocked networks: Administrators can block and hide access to non-corporate wireless networks by adding specific networks or network types to the list of denied networks. Similarly, administrators can allow access to corporate wireless networks.

  • An easy method to gather configuration details for administration and troubleshooting purposes.
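
The following script is an added example and is not part of the Microsoft guide. It shows the netsh wlan equivalents of the Wireless Network (IEEE 802.11) Policy management features listed earlier (allow and deny lists, preventing ad hoc connections, the WLAN AutoConfig service, and profile export, import and ordering), which is the "light-weight alternative to Group Policy" this section describes. It runs from an elevated PowerShell prompt on a Windows Vista client. The adapter name, the SSID ExampleCorp and the folder C:\WlanProfiles are assumptions for the example.com lab, not values from the guide.

```powershell
# Added example, not code from the Microsoft guide. Run from an elevated
# PowerShell prompt on the Windows Vista wireless client.
# Assumptions: adapter name, SSID and export folder below.
$iface  = "Wireless Network Connection"
$ssid   = "ExampleCorp"
$folder = "C:\WlanProfiles"

# Let the WLAN AutoConfig service manage the adapter; netsh wlan acts only
# on adapters under its control.
netsh wlan set autoconfig enabled=yes interface="$iface"

# Allow list: permit only the corporate SSID, deny every other infrastructure
# network, and deny all ad hoc networks. "denyall" blocks every network that is
# not on the allow list, so the order of these three commands does not matter.
netsh wlan add filter permission=allow   ssid="$ssid" networktype=infrastructure
netsh wlan add filter permission=denyall networktype=infrastructure
netsh wlan add filter permission=denyall networktype=adhoc
netsh wlan show filters

# Export every profile on this adapter to XML so it can be reviewed or
# re-imported elsewhere. The exported file names end in "-<profile name>.xml".
New-Item -ItemType Directory -Path $folder -Force | Out-Null
netsh wlan export profile folder="$folder" interface="$iface"

# Import the corporate profile (on another client, after copying the folder)
# as an all-user profile and make it the highest-priority preferred network.
$file = Get-ChildItem -Path $folder -Filter "*-$ssid.xml" | Select-Object -First 1
if ($file -eq $null) { throw "No exported profile for $ssid found in $folder" }
netsh wlan add profile filename="$($file.FullName)" user=all
netsh wlan set profileorder name="$ssid" interface="$iface" priority=1

# Confirm the preferred-network order and the effective settings, which
# include any Wireless Network (IEEE 802.11) Policy applied by Group Policy.
netsh wlan show profiles interface="$iface"
netsh wlan show settings
```

Filters added with netsh are local to the client; when a Wireless Network (IEEE 802.11) Policy with its own allow and deny lists applies, the policy settings take precedence, which netsh wlan show settings makes visible.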

Prerequisites for testing wireless networking in Windows Vista

This section presents information and considerations that you need before deploying your test network.

The tests contained within this document are designed to work in conjunction with a test environment using Windows Server 2003 Active Directory - as documented in "Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab" on the Microsoft Web site at https://go.microsoft.com/fwlink/?linkid=28117.

The test lab document describes how to configure secure IEEE 802.1X authenticated wireless access using either PEAP-MS-CHAP v2 or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). The test lab hardware consists of a wireless access point (AP) and four computers. Of the four computers, one is a wireless client; one is a domain controller that is also a certification authority (CA), Dynamic Host Configuration Protocol (DHCP) server, and Domain Name System (DNS) server; one is a Web and file server; and one is an Internet Authentication Service (IAS) server that is acting as a Remote Authentication Dial-In User Service (RADIUS) server.

Note

For the remainder of this document, the "Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab" document is referred to as the "Step-by-Step Test Lab."

Before you deploy your test network

Before you configure your test network:

  • Review the information presented in the Step-by-Step Test Lab documentation to get a general understanding of the deployment requirements.

  • Determine whether you want to deploy authentication by using PEAP-MS-CHAP v2 or smart card or other certificates (EAP-TLS).

    PEAP-MS-CHAP v2 is secure when deployed correctly, and it is easier to deploy than EAP-TLS. Because only the RADIUS server must have a certificate for authentication, you can purchase a RADIUS server certificate from a third party rather than deploying a public key infrastructure. PEAP-MS-CHAP v2 is the most user-friendly method for wireless clients, because users need only provide their account credentials (user name and password) for authentication. Its security depends on the client validating the RADIUS server certificate before the MS-CHAP v2 exchange takes place inside the TLS tunnel: a wireless profile that does not validate the server, or that lets the user accept an unknown server, allows a rogue access point with its own RADIUS server to obtain the MS-CHAP v2 challenge and response for the user's password.

    EAP-TLS is more secure than PEAP-MS-CHAP v2, but it is more difficult to deploy because it requires a public key infrastructure: certificates to authenticate the RADIUS server, and smart cards or other certificates to authenticate wireless clients.

  • Your wireless AP and client wireless adapters must provide the same level of support for 802.1X and WPA2, WPA or WEP.

Deviations and adjustments to the test lab

The Step-by-Step Test Lab was designed to evaluate Windows XP wireless in a Windows Server 2003 domain environment. The configuration presented in this evaluation guide extends the test lab deployment, and requires several adjustments to accommodate Windows Vista.

The Step-by-Step Test Lab provides instructions to configure computer, user, and administrator accounts. This evaluation guide provides complete configuration steps for a different set of user and administrator accounts. This is done intentionally to clarify and isolate Windows Vista configuration from the Windows XP configuration presented in the Step-by-Step Test Lab. Specifically:

  • Wireless computer running Windows XP with Service Pack 2 (SP2) - The Windows Vista Group Policy Management Console exposes enhanced settings, such as WPA2, for computers running Windows XP with SP2.

    The test lab specifies a wireless computer running Windows XP, named CLIENT1. This document provides steps to use the Windows Vista Group Policy Management Console to configure computers running Windows XP with SP2. Therefore, you must deploy a computer running Windows XP with SP2 to test wireless connectivity. Follow all of the deployment steps in the Step-by-Step Test Lab for configuring the computer running Windows XP with SP2 (named CLIENT1), including the associated user and computer accounts, in order to test the enhanced features of the Wireless Network (IEEE 802.11) Policy for Windows XP (recommended).

    If you do not intend to test connectivity for Windows XP computers that are configured using the Windows Vista Group Policy Management Console's enhanced configuration capabilities, deployment of the wireless computer running Windows XP is not required.

  • Computer running Windows Server 2003 providing IIS service - The test lab specifies a computer running Windows Server 2003, named IIS1. This computer is optional. The IIS1 computer is used to demonstrate connectivity to the intranet, and shared resources; however, it is not required in this Windows Vista evaluation guide. Alternately, to test connectivity, you can configure a shared folder on DC1, and connect to that share to demonstrate wireless connectivity.

  • Wired computer running Windows Vista - Configuration of the Windows Vista Wireless Network (IEEE 802.11) Policy in a Windows Server 2003 Active Directory environment must be performed from a domain member computer running Windows Vista. Therefore, the scenarios presented in this document require one client computer with a new installation of Windows Vista Release Candidate 1 (RC 1) or later, which is physically attached to the wired test network, but not joined to the test network example.com domain.

  • Wireless computer running Windows Vista - The main scenarios in this document require one wireless computer with a new installation of Windows Vista RC 1 or later, that is not joined to the test network example.com domain. The following figure lists the computers described in the Step-by-Step Test Lab, and the additional required computers running Windows Vista.

  • Consolidated Step-by-Step Test Lab deployment - The Step-by-Step Test Lab specifies 3 individual computers running Windows Server 2003: one as a domain controller (DC1), one IAS RADIUS server (IAS1), and one IIS server (IIS1). Optionally, the domain controller and IAS server can be combined on a single computer, as shown in the following figure:

    If you consolidate the domain controller and IAS server on a single computer, your wireless AP must specify the IP address of DC1, 172.16.0.1 for the RADIUS server.

  • Additional wireless computers running Windows Vista - Some ad-hoc and profile management tests described in this evaluation guide require one additional wireless client running Windows Vista RC 1 or later that is not joined to the test network example.com domain. The additional wireless computer is necessary only if you intend to test ad hoc networking features and connectivity.

Deploying your test network

Deploying the base structure for your test network involves two main steps:

  1. Deploy all of the services for your test network, including PEAP-MS-CHAP v2 or EAP-TLS authentication, as documented in the Step-by-Step Guide for Setting Up Secure Wireless Access in a Test Lab on the Microsoft Web site at https://go.microsoft.com/fwlink/?linkid=28117.

  2. After you have deployed your test network, you must extend the Windows Server 2003 Active Directory Group Policy schema to configure Group Policy for wireless clients running Windows Vista.

Extending the Windows Server 2003 Active Directory Group Policy schema

Before you can configure wireless or wired clients running Windows Vista by using Group Policy in Windows Server 2003 Active Directory, you must first extend the Windows Server 2003 Group Policy schema. To update your Windows Server 2003 Group Policy schema, carefully follow the procedures documented in Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=70195.

Note

After extending the schema, the Windows Vista Group Policy extensions are not exposed on the computer running Windows Server 2003. You must use the computer running Windows Vista that is attached to the wired segment of your test network to configure the Wireless Network (IEEE 802.11) Policy. Before you can configure the Wireless Network (IEEE 802.11) Policy, you must first configure the necessary accounts and set up the Windows Vista Group Policy Management Console, as documented in the next two sections.

Configuring Computer, User, and Administrator Accounts

Configuration of the Windows Vista wireless policy in a Windows Server 2003 Active Directory environment must be performed from a wired domain member computer running Windows Vista, and using an account that is a member of the Domain Admins group in Active Directory. Before configuring the wireless Group Policy object, you must first configure the administrator account that you will use to configure the wireless policy.

This section provides the steps to configure the necessary administrator and user accounts, on the Windows Server 2003 domain controller, and on the computer running Windows Vista that is attached to the network with a wired connection. After configuring the necessary accounts, this section provides the instructions to rename your wired computer and join it to the example.com test domain.

To reduce redundancy in steps, this section also includes configuration steps to configure user accounts on your wireless computer running Windows Vista.

Adding the GPAdmin account for administering Group Policy

This procedure adds the account that you will use to configure the Windows Vista Group Policy objects.

To add the GPAdmin account for administering Group Policy

  1. On your domain controller named DC1, in the Active Directory Users and Computers console tree, right-click Users, as shown in the following figure.

  2. Click New, and then click User.

  3. In the New object – User dialog box, type GPAdmin in First name, and then type GPAdmin in User logon name. This is shown in the following figure.

  4. Click Next. In the New object – User dialog box, type a password of your choice in the Password and Confirm password fields. Clear the User must change password at next logon check box, as shown in the following figure.

Note

Remember the password associated with this account; in a procedure that follows, it is required to configure the GPAdmin account on the WiredV computer.

  5. Click Next. In the final New object – User dialog box, click Finish.

Adding groups to the domain

This procedure adds the group named WirelessUsers in Active Directory Users and Computers. If you already configured the group named WirelessUsers as part of the Step-by-Step Test Lab, advance to the next procedure.

To add groups to the domain

  1. On your domain controller, in the Active Directory Users and Computers console tree, right-click Users, click New, and then click Group.

  2. In the New object – Group dialog box, type WirelessUsers in Group name, and then click OK.

Adding users to the WirelessUsers group

This procedure adds the GPAdmin account to the WirelessUsers group.

Add users to the WirelessUsers group

  1. On your domain controller, in the details pane of Active Directory Users and Computers, double-click WirelessUsers. This is shown in the following figure.

  2. Click the Members tab, shown in the following figure.

  3. Click Add. In the Select Users, Contacts, Computers, or Groups dialog box, type GPAdmin in Enter the object names to select.

  4. Click OK. The GPAdmin user account is added to the WirelessUsers group. This is shown in the following figure.

  5. Click OK to save changes to the WirelessUsers group.

Adding the GPAdmin account to the Domain Admins Group

This procedure adds your GPAdmin account to the Domain Admins group. Adding GPAdmin to this group provides the necessary administrative privileges to allow GPAdmin to configure wireless and wired policies.

To add the GPAdmin account to the Domain Admins group

  1. On your domain controller, in the Active Directory Users and Computers console tree, open the domain container Example.com, and then click Users.

  2. In the details pane, right-click Domain Admins, shown in the following figure.

  3. Click Properties, and then select the Members tab.

  4. Click Add, and in Enter the object names to select, type GPAdmin. This is shown in the following figure.

  5. Click OK. GPAdmin is added as a member of the Domain Admins group. Click OK again, and then close the Active Directory Users and Computers snap-in.
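
The following script is an added example and is not part of the Microsoft guide. It performs the three domain-side procedures above (the WirelessUsers group, the GPAdmin account with "User must change password at next logon" cleared, and its membership in WirelessUsers and Domain Admins) with the dsadd and dsget tools that ship with Windows Server 2003, from an elevated PowerShell prompt on the domain controller DC1. It assumes the example.com test domain from the Step-by-Step Test Lab and the default CN=Users container; PowerShell on the domain controller is an assumption.

```powershell
# Added example, not code from the Microsoft guide. Run on the Windows Server 2003
# domain controller DC1. Assumptions: example.com domain, default Users container.
$domainDN  = "DC=example,DC=com"
$usersCN   = "CN=Users,$domainDN"
$groupDN   = "CN=WirelessUsers,$usersCN"
$adminsDN  = "CN=Domain Admins,$usersCN"
$gpAdminDN = "CN=GPAdmin,$usersCN"

# Global security group WirelessUsers. Skip this line if the Step-by-Step
# Test Lab already created the group (dsadd reports that the object exists).
dsadd group $groupDN -samid WirelessUsers -secgrp yes -scope g

# GPAdmin: first name and logon name GPAdmin, enabled, not required to change
# the password at next logon, member of WirelessUsers and Domain Admins.
# "-pwd *" prompts for the password so it is never stored in the script or
# in the command history.
dsadd user $gpAdminDN -samid GPAdmin -upn "GPAdmin@example.com" -fn GPAdmin -pwd * -mustchpwd no -disabled no -memberof $groupDN $adminsDN

# Verify the result: the account's groups, and the group's members.
dsget user $gpAdminDN -memberof
dsget group $groupDN -members
```

Domain Admins membership is what the wired Windows Vista computer needs to create and edit the Wireless Network (IEEE 802.11) Policy in the next sections; in this test lab the account is used for nothing else.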

Naming your wired computer running Windows Vista

This procedure provides the steps to name your wired and wireless computers running Windows Vista.

To name your wired computer running Windows Vista

  1. Log on to your wired computer that is running Windows Vista by using a local administrator account.

Note

By default, the first account that you named while installing and configuring Windows Vista is an administrator on the local computer.

  2. Click Start, right-click Computer, and then click Properties.

  3. In Computer name, domain and workgroup settings, click Change settings. This is shown in the following figure.

  4. In the System Properties dialog box, on the Computer Name tab, click Change. This is shown in the following figure.

  5. In Computer name, type WiredV, and then click OK. The result is shown in the following figure.

  6. Click OK when you receive the message indicating you must restart the computer to apply the changes, as shown in the following figure.

  7. Close the System Properties dialog box, and then click Restart Now. This is shown in the following figure.

  8. Repeat steps 1 - 7 of this procedure to rename your primary wireless computer running Windows Vista, substituting WirelessV for the computer name in step 5.

  9. (Optional) Repeat steps 1 - 7 of this procedure to rename any additional wireless computers running Windows Vista, substituting a name of your choice in step 5.

Configuring the GPAdmin account on your computers running Windows Vista

This procedure configures the GPAdmin account on the computer running Windows Vista named WiredV, and on your primary wireless computer running Windows Vista, named WirelessV. In procedures that follow, you will log on to the WiredV computer using the GPAdmin account to administer the Wireless Network (IEEE 802.11) Policy for your wireless computers running Windows Vista. The local account is given the same password as the domain GPAdmin account; this is acceptable in this isolated test lab, but sharing a password between a local administrator account and a domain account is not a practice for a production network.

To configure the GPAdmin account on the computer named WiredV

  1. Log on to the wired computer named WiredV by using the local computer administrator account.

  2. Click Start, click Control Panel.

  3. Double-click User Accounts, click Add or remove user accounts, and then click Create a new account.

  4. In Name the account and choose an account type, type GPAdmin, and then select Administrator, as shown in the following figure.

  5. Click Create Account. In Choose the account you would like to change, select GPAdmin, and in Make changes to GPAdmin's account, click Create a password. This is shown in the following figure.

  6. On the Create a password for GPAdmin's account page, in New password, type the password that you specified in Active Directory when you created the GPAdmin account in the procedure "To add the GPAdmin account for administering Group Policy" earlier in this guide.

  7. Confirm the password, and optionally, type a password reminder in Type a password hint, and then click Change password.

  8. Close the console, and then log off the current account.

  9. Repeat these steps on your primary wireless computer, named WirelessV.

Joining the computer named WiredV to the example.com domain

This procedure joins your wired computer running Windows Vista to the example.com test domain. You will use this computer to administer the Wireless Network (IEEE 802.11) policy for your wireless computers running Windows Vista.

To join the computer named WiredV to the example.com domain

  1. Log on to the WiredV computer by using the GPAdmin account.

  2. Click Start, right-click Computer, and then click Properties.

  3. In Computer name, domain and workgroup settings, click Change settings.

  4. In System Properties, on the Computer Name tab, click Change.

  5. In Member of, select Domain, and then type example.com, as shown in the following figure.

  6. Click OK. In the Windows Security dialog box, in User name, type the name of the administrator account for your domain controller running Windows Server 2003. In Password, type the password for that account, as shown in the following figure.

  7. Click OK. The Computer Name/Domain Changes dialog box opens and welcomes you to the example.com domain. This is shown in the following figure.

  8. Click OK. Click OK again when you receive the message indicating that you must restart the computer to apply the changes. This is shown in the following figure.

  9. Close the System Properties dialog box, and then click Restart Now.

  10. When the computer restarts, press CTRL + ALT + DELETE to start the logon process, but do not log on to the computer.

  11. Click Switch User, and then click Other User.

  12. In User name, type example\GPAdmin. In Password, type the password for the GPAdmin account, and then log on to the computer.

This concludes this section. You have named your computers, and joined the computer named WiredV to the example.com domain. Additionally, you have configured the Domain Admins account that you will use to administer the Windows Vista Wireless Network (IEEE 802.11) Policy. You now have the necessary infrastructure in place to open the Group Policy Management Console on your wired computer running Windows Vista and configure the Wireless Network (IEEE 802.11) Policy.

Configure Windows Vista Group Policy Management Console and New Vista Wireless Network Policy

This section provides the detailed steps needed to open the Windows Vista Group Policy Management Console, and link it to the Windows Server 2003 Group Policy object. Additionally, you will activate the unconfigured Windows Vista Wireless Network (IEEE 802.11) Policy.

Adding the basic Wireless Network (IEEE 802.11) Policy

This procedure describes how to open the Group Policy Object Editor (GPOE), and activate the unconfigured New Vista Wireless Network Policy in the Group Policy Management Console.

The procedures to configure the Wireless Network (IEEE 802.11) Policy will be provided in the next section of this document. The policy configuration is intentionally separated from this section to demonstrate how to access the policy once you have activated it.

To add the basic Wireless Network (IEEE 802.11) Policy

  1. On the computer named WiredV, click Start, and in Start Search, type gpmc.msc, and then press ENTER.

Note

This operation opens the GPMC, which is contained within the Console Root of Console1.

  2. In the GPMC, open Forest: example.com, open Domains, and then open the domain container example.com. This is shown in the following figure.

  3. Select Default Domain Policy. The Group Policy Management Console dialog box opens, indicating that you have selected a link to a Group Policy object (GPO). This is shown in the following figure.

  4. Click OK. In the GPMC, click Action, and then click Edit, to open the Group Policy Object Editor (GPOE).

  5. In Default Domain Policy, open Computer Configuration, open Windows Settings, and then open Security Settings. This is shown in the following figure.

  6. Right-click Wireless Network (IEEE 802.11) Policies, and then click Create a New Windows Vista Policy, as shown in the following figure.

Note

After you configure a New Vista Wireless Network Policy the first time, it is removed from the list of options when you right-click Wireless Network (IEEE 802.11) Policies, and is added to the details pane of the Group Policy Management Console when you select the Wireless Network (IEEE 802.11) Policy node. To access the policy properties, right-click New Vista Wireless Network Policy, and then click Properties. This remains the case until the policy is deleted, at which time the Create a New Windows Vista Policy option is added back to the menu when you right-click Wireless Network (IEEE 802.11) Policies.

  7. On the New Vista Wireless Network Policy Properties page, on the General tab, in Vista Policy Name, type Vista Wireless Policy. In Description, type Wireless Policy for WIR_TST_Lab as the description of your Windows Vista wireless policy. This is shown in the following figure.

  8. Click OK to save the Vista Wireless Policy, and then close both the GPOE and the GPMC.

This concludes this section. You have opened the Group Policy Management Console, and linked the GPOE to the Windows Server 2003 Group Policy object. Additionally, you have activated the basic Wireless Network (IEEE 802.11) Policy. You next configure the specific settings in the Windows Vista Wireless Network (IEEE 802.11) Policy.

Configure wireless clients running Windows Vista by using the Wireless Network (IEEE 802.11) Policy

The Windows Vista Wireless Network (IEEE 802.11) Policy enables you to configure multiple profiles, using different profile names and different settings, while using the same SSID. For example, you can configure two (or more) profiles using the same SSID: one profile to use smart cards and one profile to use PEAP-MS-CHAP v2, or one using WPA2-Enterprise and one using WPA-Enterprise. The ability to configure mixed-mode deployments using a common SSID is one of the enhancements in the Windows Vista Wireless Network (IEEE 802.11) Policy.

This section contains procedures that will demonstrate the features provided in Wireless Network (IEEE 802.11) Policy for Windows Vista. You can use these features to configure security and authentication settings, manage wireless profiles, and specify permissions for wireless networks that are not configured as preferred networks.

The following procedures are all conducted using the GPAdmin user account on the computer named WiredV.

Opening the Wireless Network (IEEE 802.11) Policy properties

This procedure provides the steps to access the Wireless Network (IEEE 802.11) Policy after the policy has been activated in the Group Policy Management Console.

To open the Wireless Network (IEEE 802.11) Policy properties

  1. Click Start, and in Start Search, type gpmc.msc, and then press ENTER.

  2. In GPMC, open Forest: example.com, open Domains, open the domain container example.com, right-click Default Domain Policy, and then click Edit, to open the Group Policy Management Console.

  3. In Default Domain Policy, open Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policy. The Vista Wireless Policy is listed in the details pane, as shown in the following figure.

  4. Right-click Vista Wireless Policy, and then click Properties to open the Wireless Network (IEEE 802.11) Policy.

Configure PEAP-MS-CHAP v2 and EAP-TLS wireless infrastructure profiles

The procedures in this section provide the steps to use the Windows Vista Wireless Network (IEEE 802.11) Policy to configure two wireless profiles that wireless clients running Windows Vista can use to connect to the WIR_TST_Lab wireless network. The first profile is a PEAP-MS-CHAP v2 profile that will connect your wireless clients if you deployed PEAP-MS-CHAP v2 when you configured the Step-by-Step Test Lab. The second profile configured is a smart card or other certificate (EAP-TLS) profile that will connect your wireless clients if you deployed EAP-TLS when you configured the Step-by-Step Test Lab. Configure both profiles, regardless of which authentication method you deployed when you configured the Step-by-Step Test Lab. The two profiles are necessary for profile management procedures that follow this section.

Finally, in this section, you will configure an ad hoc wireless profile. You will use the ad hoc profile in the profile management section that follows. You can also use the ad hoc wireless profile to create an ad hoc network, if you have two or more wireless computers running Windows Vista.

Note

PEAP-MS-CHAP v2 is easier to deploy than other authentication methods, such as EAP-TLS, for several reasons. First, PEAP does not require the deployment of a public key infrastructure (PKI); only the RADIUS server is required to provide a certificate. Second, PEAP does not require the deployment of an infrastructure, such as smart cards or another type of client certificate, to validate connecting clients. The result is a user-friendly experience: network clients need only provide their account credentials (user name and password) for authentication. The account credentials are then verified against the user account records that exist in the user accounts database (such as Active Directory).

Note

By default, Windows Server 2003 supports the following EAP methods: PEAP-MS-CHAP v2, EAP-TLS, and PEAP-TLS. If you need to manage an EAP method other than the three default methods, you must first install that EAP method on the server.

Configuring a PEAP wireless profile for the WIR_TST_Lab infrastructure network

This section provides the steps required to configure a PEAP-MS-CHAP v2 wireless profile for the wireless infrastructure test network WIR_TST_Lab, specified in the Step-by-Step Test Lab.

To configure a PEAP-MS-CHAP v2 wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policy Properties, on the General tab, click Add, and then select Infrastructure.

Note

For conceptual information about the settings on any tab, press F1 while viewing that tab.

  2. On the Connection tab, do the following:

    1. In Profile Name, type PEAP Profile.

    2. In Network Name(s) (SSID), type WIR_TST_Lab, and then click Add.

    3. Select NEWSSID, and then click Remove.

    4. If your wireless access point is configured to suppress its broadcast beacon frames, select Connect even if the network is not broadcasting.

Note

Enabling this option can create a security risk because wireless clients will probe for and attempt connections to any wireless network. By default, this setting is not enabled.

  3. (Optional) Select the Security tab, click Advanced, and then configure the following:

    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.

Note

When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are typically sufficient for the WIR_TST_Lab deployment.

    2. In Single Sign On, select Enable Single Sign On for this network.

Note

The remaining default values in Single Sign On are typically sufficient for the WIR_TST_Lab deployment.

    3. In Fast Roaming, select This network uses pre-authentication if your wireless AP is configured for pre-authentication.

      These settings are shown in the following figure.

  4. Click OK to return to the Security tab, and then configure the following:

    1. In Select the security methods for this network, for Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client adapters. Otherwise, select WPA-Enterprise.

    2. In Encryption, select AES, if it is supported by your wireless AP and wireless client adapters. Otherwise, select TKIP.

Note

The settings for both Authentication and Encryption must match the settings configured on your wireless AP. On the Security tab, the default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are typically sufficient for the WIR_TST_Lab deployment.

      These settings are shown in the following figure.

  5. In Select a network authentication method, select Protected EAP (PEAP), and then click Properties. In the Protected EAP Properties dialog box, configure the following:

    1. Verify that Validate server certificate is selected.

    2. In Trusted Root Certification Authorities, select Example CA.

    3. In the Select Authentication Method list, select Secured password (EAP-MS-CHAP v2).

    4. Select Enable Fast Reconnect.

    5. Clear Enable Quarantine checks.

      These settings are shown in the following figure.

  6. Click Configure. In the EAP MSCHAPv2 Properties dialog box, verify that Automatically use my Windows logon name and password (and domain if any) is selected, click OK, and then click OK to close Protected EAP Properties.

  7. Click OK to close the Security tab.

Configuring an EAP-TLS wireless profile for the infrastructure WIR_TST_Lab network

This section provides the steps required to configure an EAP-TLS wireless profile for the wireless infrastructure test network WIR_TST_Lab.

To configure an EAP-TLS wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policy Properties, on the General tab, click Add, and then select Infrastructure.

Note

For conceptual information about the settings on any tab, press F1 while viewing that tab.

  2. On the Connection tab, do the following:

    1. In Profile Name, type EAP-TLS Profile.

    2. In Network Name(s) (SSID), type WIR_TST_Lab, and then click Add.

    3. Select NEWSSID, and then click Remove.

    4. If your wireless access point is configured to suppress its broadcast beacon frames, select Connect even if the network is not broadcasting.

  3. (Optional) Select the Security tab, click Advanced, and then configure the following:

    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.

Note

When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are typically sufficient for the WIR_TST_Lab deployment.

    2. In Single Sign On, select Enable Single Sign On for this network.

Note

The remaining default values in Single Sign On are typically sufficient for the WIR_TST_Lab deployment.

    3. In Fast Roaming, select This network uses pre-authentication if your wireless AP is configured for pre-authentication.

  4. Click OK to return to the Security tab, and then configure the following:

    1. In Select the security methods for this network, for Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client adapters. Otherwise, select WPA-Enterprise.

    2. In Encryption, select AES (preferred) if it is supported by your wireless AP and wireless client adapters. Otherwise, select TKIP.

Note

The settings for both Authentication and Encryption must match the settings configured on your wireless AP. On the Security tab, the default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are typically sufficient for the WIR_TST_Lab deployment.

  5. In Select a network authentication method, select Smart Card or other certificate (EAP-TLS). This is shown in the following figure.

  6. On the Security tab, click Properties, and then configure the following:

    1. In When connecting, verify that Use a certificate on this computer and Use simple certificate selection are selected.

    2. Verify that Validate server certificate is selected.

    3. In Trusted Root Certification Authorities, select Example CA.

      These settings are shown in the following figure.

  7. Click OK to close Smart Card or other Certificate Properties, and then click OK again to close the EAP-TLS Profile.
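As an added example (not part of this guide or of Windows), the following Python script audits an exported Windows WLAN profile (the XML that netsh wlan export profile writes for a client) against the settings specified in the PEAP-MS-CHAP v2 and EAP-TLS procedures above: WPA2-Enterprise/AES or WPA-Enterprise/TKIP rather than Shared, WEP or a pre-shared key, 802.1X with PEAP or EAP-TLS, the RADIUS server certificate validated against the Example CA root, Fast Reconnect and Windows logon credentials for PEAP, and simple certificate selection for EAP-TLS. The namespaces and element names are assumed from the exported-profile schema, the two sample profiles are constructed for this example, and the Example CA thumbprint is a placeholder.

```python
import xml.etree.ElementTree as ET

# Namespaces of an exported WLAN profile (assumed from the exported-profile schema).
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "x": "http://www.microsoft.com/networking/OneX/v1",
    "h": "http://www.microsoft.com/provisioning/EapHostConfig",
    "c": "http://www.microsoft.com/provisioning/EapCommon",
    "b": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "p": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "m": "http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1",
    "t": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1",
}
XMLNS = " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items())

# Placeholder SHA-1 thumbprint standing in for the Example CA root certificate (constructed).
EXAMPLE_CA = "11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44"

# Constructed sample: the "PEAP Profile" as the guide configures it.
PEAP_PROFILE = f"""<w:WLANProfile {XMLNS}>
  <w:name>PEAP Profile</w:name>
  <w:SSIDConfig><w:SSID><w:name>WIR_TST_Lab</w:name></w:SSID><w:nonBroadcast>false</w:nonBroadcast></w:SSIDConfig>
  <w:connectionType>ESS</w:connectionType><w:connectionMode>auto</w:connectionMode>
  <w:MSM><w:security>
    <w:authEncryption><w:authentication>WPA2</w:authentication><w:encryption>AES</w:encryption><w:useOneX>true</w:useOneX></w:authEncryption>
    <x:OneX><x:EAPConfig><h:EapHostConfig>
      <h:EapMethod><c:Type>25</c:Type></h:EapMethod>
      <h:Config><b:Eap><b:Type>25</b:Type><p:EapType>
        <p:ServerValidation><p:TrustedRootCA>{EXAMPLE_CA}</p:TrustedRootCA></p:ServerValidation>
        <p:FastReconnect>true</p:FastReconnect>
        <b:Eap><b:Type>26</b:Type><m:EapType><m:UseWinLogonCredentials>true</m:UseWinLogonCredentials></m:EapType></b:Eap>
        <p:EnableQuarantineChecks>false</p:EnableQuarantineChecks>
      </p:EapType></b:Eap></h:Config>
    </h:EapHostConfig></x:EAPConfig></x:OneX>
  </w:security></w:MSM>
</w:WLANProfile>"""

# Constructed sample: the "EAP-TLS Profile" as the guide configures it.
TLS_PROFILE = f"""<w:WLANProfile {XMLNS}>
  <w:name>EAP-TLS Profile</w:name>
  <w:SSIDConfig><w:SSID><w:name>WIR_TST_Lab</w:name></w:SSID><w:nonBroadcast>false</w:nonBroadcast></w:SSIDConfig>
  <w:connectionType>ESS</w:connectionType><w:connectionMode>auto</w:connectionMode>
  <w:MSM><w:security>
    <w:authEncryption><w:authentication>WPA2</w:authentication><w:encryption>AES</w:encryption><w:useOneX>true</w:useOneX></w:authEncryption>
    <x:OneX><x:EAPConfig><h:EapHostConfig>
      <h:EapMethod><c:Type>13</c:Type></h:EapMethod>
      <h:Config><b:Eap><b:Type>13</b:Type><t:EapType>
        <t:CredentialsSource><t:CertificateStore><t:SimpleCertSelection>true</t:SimpleCertSelection></t:CertificateStore></t:CredentialsSource>
        <t:ServerValidation><t:TrustedRootCA>{EXAMPLE_CA}</t:TrustedRootCA></t:ServerValidation>
      </t:EapType></b:Eap></h:Config>
    </h:EapHostConfig></x:EAPConfig></x:OneX>
  </w:security></w:MSM>
</w:WLANProfile>"""


def _text(elem, path):
    # Stripped text of the first element under elem matching the prefixed path, or None.
    node = elem.find(path, NS) if elem is not None else None
    return (node.text or "").strip() if node is not None else None


def _norm(thumbprint):
    return (thumbprint or "").replace(" ", "").lower()


def audit_profile(xml_text, expected_root_ca=EXAMPLE_CA):
    """Return a list of findings; an empty list means the profile matches the guide's settings."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "w:SSIDConfig/w:nonBroadcast") == "true":
        findings.append("nonBroadcast is set: the client probes for this SSID; keep it only if the AP hides its beacon")
    ae = "w:MSM/w:security/w:authEncryption/"
    pair = (_text(root, ae + "w:authentication"), _text(root, ae + "w:encryption"))
    if pair not in (("WPA2", "AES"), ("WPA", "TKIP")):   # rejects Shared, WEP and *-PSK
        findings.append(f"security method {pair} is not WPA2-Enterprise/AES or WPA-Enterprise/TKIP")
    if _text(root, ae + "w:useOneX") != "true":
        findings.append("IEEE 802.1X is not enabled")
    host = root.find("w:MSM/w:security/x:OneX/x:EAPConfig/h:EapHostConfig", NS)
    method = _text(host, "h:EapMethod/c:Type")
    if method == "25":   # Protected EAP (PEAP)
        peap = host.find("h:Config/b:Eap/p:EapType", NS)
        if _norm(_text(peap, "p:ServerValidation/p:TrustedRootCA")) != _norm(expected_root_ca):
            findings.append("PEAP: server certificate is not pinned to the Example CA root")
        if _text(peap, "p:FastReconnect") != "true":
            findings.append("PEAP: Fast Reconnect is not enabled")
        if _text(peap, "p:EnableQuarantineChecks") == "true":
            findings.append("PEAP: quarantine checks are enabled (the guide clears them)")
        if _text(peap, "b:Eap/b:Type") != "26":
            findings.append("PEAP: inner method is not Secured password (EAP-MS-CHAP v2)")
        elif _text(peap, "b:Eap/m:EapType/m:UseWinLogonCredentials") != "true":
            findings.append("PEAP: Windows logon name and password are not used automatically")
    elif method == "13":   # Smart Card or other certificate (EAP-TLS)
        tls = host.find("h:Config/b:Eap/t:EapType", NS)
        if _norm(_text(tls, "t:ServerValidation/t:TrustedRootCA")) != _norm(expected_root_ca):
            findings.append("EAP-TLS: server certificate is not pinned to the Example CA root")
        if _text(tls, "t:CredentialsSource/t:CertificateStore/t:SimpleCertSelection") != "true":
            findings.append("EAP-TLS: simple certificate selection is not enabled")
    else:
        findings.append(f"EAP method type {method!r} is neither PEAP (25) nor EAP-TLS (13)")
    return findings


if __name__ == "__main__":
    for xml_text in (PEAP_PROFILE, TLS_PROFILE):
        print(ET.fromstring(xml_text).find("w:name", NS).text, audit_profile(xml_text) or "OK")
```

To audit a real client, export its profile with netsh wlan export profile and pass the file contents to audit_profile together with the thumbprint of your Example CA root certificate.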

Configure wireless clients running Windows XP by using the Wireless Network (IEEE 802.11) Policy

You can use the Group Policy Management console in Windows Vista to configure a new Windows XP Wireless Network (IEEE 802.11) Policy, or to modify an existing Windows XP Wireless Network (IEEE 802.11) Policy. Additionally, in the Windows Vista console, the settings are exposed that allow you to configure WPA2 on client computers running Windows XP with SP2. Similar to the Wireless Network (IEEE 802.11) Policy for Windows Vista, you can configure multiple profiles by using the Wireless Network (IEEE 802.11) Policy for Windows XP. However, with Wireless Network (IEEE 802.11) Policy for Windows XP, each profile must specify a unique SSID.

This section provides the steps to configure a Windows XP profile for the WIR_TST_Lab using either PEAP-MS-CHAP v2 or Smart Cards or other certificates.

The following procedures are all conducted using the GPAdmin user account on the computer named WiredV. These procedures rely on the management accounts and services that were documented in previous procedures:

  • To add the GPAdmin account for administering Group Policy

  • To add the GPAdmin account to the Domain Admins group

  • To name your wired computer running Windows Vista

  • To configure the GPAdmin account on the computer named WiredV

  • To join the computer named WiredV to the example.com domain

  • To add the basic Wireless Network (IEEE 802.11) Policy

To configure wireless clients running Windows XP by using the Wireless Network (IEEE 802.11) Policy

  1. Click Start, and in Start Search, type gpmc.msc, and then press ENTER.

  2. In GPMC, open Forest: example.com, open Domains, open the domain container example.com, right-click Default Domain Policy, and then click Edit, to open the Group Policy Management console.

  3. In Default Domain Policy, open Computer Configuration, open Windows Settings, open Security Settings, and then select Wireless Network (IEEE 802.11) Policy.

Note

For conceptual information about the settings on any tab in the Wireless Network (IEEE 802.11) Policy, press F1 while viewing that tab.

If you have already configured an XP policy, it is listed in the details pane with the Type specified as XP. Right-click the policy, click Properties, and on the Preferred Networks tab, select WIR_TST_Lab, click Edit, and then advance to step 4 of this procedure.

If you do not already have an XP policy, do the following:

    In the console tree, right-click Wireless Network (IEEE 802.11) Policies, select Create A New Windows XP Policy, and then do the following:

    1. On the General tab of the policy properties, in XP Policy Name, type Wireless Group Policy. In Description, type a brief description of the policy.

    2. Select either Any available network (wireless AP preferred) or Access Point (infrastructure) network only.

    3. Select Use Windows to configure wireless network settings for clients.

      An example is shown in the following figure.

    4. On the Preferred Networks tab, click Add, and then select Infrastructure. This is shown in the following figure.

    5. On the Network Properties tab, configure the following:

      In Network Name (SSID), type WIR_TST_Lab.

      In Description, enter a description for the New Preferred Setting Properties.

  4. On the Network Properties tab, to specify that a network key is used for authentication to the wireless network, under Select the security methods for this network, in Authentication, select either WPA2 (preferred) or WPA. In Encryption, specify either AES or TKIP.

Note

In the XP Wireless Network (IEEE 802.11) Policy, WPA2 and WPA correspond to the Windows Vista Wireless Network (IEEE 802.11) Policy WPA2-Enterprise and WPA-Enterprise settings, respectively.

Note

Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are typically sufficient for the test lab deployment.

The configuration for WPA2 with AES is shown in the following figure.

Note

Although available in the drop-down list, do not select Shared or WPA-PSK. Shared is not recommended for this scenario. WPA-PSK is intended for small office and home office networks, and should not be used in this scenario.

  5. Click the IEEE 802.1X tab. In EAP type, select one of the following:

    For deployments using PEAP-MS-CHAP v2, do the following:

    1. By default, Protected EAP (PEAP) is selected. This is shown in the following figure:

      The remaining default settings on the IEEE 802.1X tab are typically sufficient for the test lab deployment.

    2. Click Settings. On the Protected EAP Properties dialog box, do the following:

      Verify that Validate Server certificate is selected.

      In Select Authentication Method, select Secured password (EAP-MS-CHAP v2).

      In Trusted Root Certification Authorities, select Example CA.

      To enable PEAP Fast Reconnect, ensure that Enable Fast Reconnect, is selected.

      These settings are shown in the following figure:

    3. Click OK two times. The PEAP profile for WIR_TST_Lab is listed under Networks. This is shown in the following figure.

    4. Click OK, and then close the Group Policy Management Console.

      This concludes configuration for PEAP-MS-CHAP v2.

    For deployments using Smart Card or other certificates (EAP-TLS) do the following:

    1. Select Smart Card or other Certificate. This is shown in the following figure:

      The remaining default settings on the IEEE 802.1X tab are typically sufficient for the test lab deployment.

    2. Click Settings. On the Smart Card or other Certificate Properties dialog box, do the following:

      For smart card deployments, select Use my smart card; for other certificate deployments, select Use a certificate on this computer.

      Verify that Validate Server certificate is selected.

      In Trusted Root Certification Authorities, select Example CA.

      An example of these settings is shown in the following figure.

    3. Click OK two times. The EAP-TLS profile for WIR_TST_Lab is listed under Networks. This is shown in the following figure.

    4. Click OK, and then close the Group Policy Management Console.

      This concludes configuration for Smart Card or other certificates.

Connect Windows XP CLIENT1 to WIR_TST_Lab

To connect CLIENT1 to WIR_TST_Lab

  1. Update the computer and user configuration Group Policy settings, and obtain a computer and user certificate for the wireless client computer immediately, by typing gpupdate at a command prompt; logging off and then logging on again performs the same function as gpupdate. You must be logged on to the domain, by using your previously created wireless PEAP connection or by connecting to the domain with a wired connection.

  2. Log off and then log on by using the WirelessUser account in the example.com domain.

  3. Wait until you are prompted to select the wireless network in the notification area of the desktop.

  4. Right-click the wireless network connection icon, and then click View Available Wireless Networks.

  5. On the Choose a wireless network page, click WIR_TST_Lab, and then click Connect. When connected, the Choose a wireless network page displays the status of the WIR_TST_Lab connection as Connected.

Configure an ad hoc profile

This section provides the steps to configure an ad hoc profile for a wireless peer-to-peer network. You will use this profile in profile management procedures that follow this section.

You can also use this profile to create ad hoc wireless network connections, if you have a second wireless computer running Windows Vista.

To configure an ad hoc profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policy Properties, on the General tab, click Add, and then select Ad Hoc.

  2. On the Connection tab, in Profile Name, type Ad Hoc, and then in Network Name (SSID), type Ad Hoc again. This is shown in the following figure.

  3. Click the Security tab. For Authentication and Encryption, select one of the following combinations:

    Authentication               Encryption
    WPA2-Personal (preferred)    AES
    Shared                       WEP
    Open                         WEP

Note

WPA2-Personal is preferred over both shared and open authentication. Shared is preferred over open authentication. Most computers that are capable of running Windows Vista support WPA2-Personal. By default, infrastructure profiles are configured to use WPA2 authentication with AES encryption and PEAP-MS-CHAP v2 for network authentication. The following figure shows the authentication and encryption settings configured for WPA2-Personal and AES.

  4. Click OK to close the Ad Hoc profile.

Connect to the WIR_TST_Lab Wireless Network

In 802.1X-authenticated wireless networks, wireless clients need to provide security credentials that are authenticated by a RADIUS server. These credentials can be based on user account credentials (user name and password) for PEAP-MS-CHAP v2, or certificates for EAP-TLS. For either PEAP-MS-CHAP v2 or EAP-TLS, the wireless client - by default - also validates a computer certificate sent by the RADIUS server during the authentication process.

In the case of the WIR_TST_Lab deployment, the RADIUS server is using computer certificates from Windows Server 2003 Certificate Services, a private PKI that is integrated with Active Directory. Any wireless client that has not yet joined the domain does not have the root "Example CA" certificate and so the authentication process - by default - will fail.

One way to obtain the Example CA certificate is to make a wired connection to the network and join the domain. When the wireless client joins the domain, the root Example CA certificate is automatically installed in the Trusted Root Certification Authorities store.

Note

If your deployment used a certificate from a commercial public key infrastructure (PKI), such as VeriSign, Inc., and the root certification authority certificate for the RADIUS server's computer certificate is already installed on the wireless client, the wireless client can validate the RADIUS server's computer certificate, regardless of whether the wireless client has joined the Active Directory domain.

Joining the computer named WirelessV to the example.com domain

This procedure joins your wireless computer running Windows Vista to the example.com test domain.

To join WirelessV to the example.com domain

  1. Log on to the WirelessV computer by using the GPAdmin account.

  2. Click Start, right-click Computer, and then click Properties.

  3. In Computer name, domain and workgroup settings, click Change settings.

  4. In System Properties, on the Computer Name tab, click Change.

  5. In Member of, select Domain, type example.com, and then click OK.

  6. In the Windows Security dialog box, in User name, type the name of the administrator account for your domain controller running Windows Server 2003. In Password, type the password for that account, and then click OK.

  7. When the Computer Name/Domain Changes dialog box opens and welcomes you to the example.com domain, click OK.

  8. Click OK when you receive the message indicating you must restart the computer to apply the changes.

  9. Close the System Properties dialog box, and then click Restart Now.

  10. When the computer restarts, press CTRL + ALT + DELETE to start the logon process, but do not log on to the computer.

  11. Click Switch User, and then click Other User.

  12. In User name, type example\GPAdmin. In Password, type the password for the GPAdmin account, and then log on to the computer and the example.com domain.

  13. Unplug WirelessV from the wired network. WirelessV can now automatically connect to the wireless WIR_TST_Lab network.

Manually connecting to WIR_TST_Lab

This section demonstrates how to manually connect wireless clients running Windows Vista whose profiles are not configured to connect automatically to the wireless network.

Because the EAP-TLS and PEAP WIR_TST_Lab profiles were configured in previous procedures to connect automatically, the WirelessV computer will typically connect to WIR_TST_Lab (using either the PEAP profile or the EAP-TLS profile) before you can manually open the connection. Therefore, you must temporarily disable automatic connections so that clients do not connect automatically before you can complete a manual connection.

To disable automatic connections

  1. On the computer named WiredV, access Windows Vista Wireless Network (IEEE 802.11) Policy Properties.

  2. Select either the PEAP or EAP-TLS profile that corresponds to your wireless test lab deployment, and then click Edit.

  3. On the Connection tab, clear Connect even if the network is not broadcasting.

  4. Click OK two times to accept the changes.

To refresh the wireless policy on the WirelessV computer

  1. On the WirelessV computer, establish a connection to the test network by using either the PEAP or EAP-TLS profile.

  2. Open a command prompt, type gpupdate, and then press ENTER, to refresh the wireless policy.

Disconnecting from WIR_TST_Lab

Because your computer is already connected to the example.com domain, you must disconnect the WIR_TST_Lab connection before you can manually connect to the network.

To disconnect from WIR_TST_Lab

  1. Click Start, click Connect to, and in Select a network to connect to, select the wireless network profile that is listed as Connected, and then click Disconnect.

Note

The three profiles created in your wireless policy appear in the Connect to a Network list. The profiles appear in the order specified in the wireless policy.

  2. Click Disconnect again. The wizard indicates that it is attempting to disconnect from the specified profile. When the connection is closed, the wizard indicates that it successfully disconnected from the network.

  3. When disconnected, click Close.

Manually connecting to a network

This procedure demonstrates how to connect to WIR_TST_Lab when profiles are not configured to connect wireless clients automatically.

To manually connect to WIR_TST_Lab

  1. Click Start, click Connect to, and in Select a network to connect to, do the following:

    • If you deployed smart card or other certificate (EAP-TLS) on your network, select EAP-TLS Profile.

    • If you deployed PEAP-MS-CHAP v2 on your network, select PEAP Profile. This is shown in the following figure.

Note

The three profiles created in your wireless policy appear in the Connect to a network list. The profiles appear in the order specified in the wireless policy.

  2. Click Connect. The wizard indicates that it is attempting a connection using the specified profile. When the connection is established, the wizard indicates that it successfully connected to the network.

Alternate methods to connect wireless clients to 802.1X networks

In some cases, physically attaching the computer to the network and joining the domain is not the method you want to use to configure wireless connectivity on wireless clients. This can be true for several reasons. For example, it might not be practical to type the administrator credentials for your domain controller running Windows Server 2003 in the Windows Security dialog box every time you want to join a new computer to the domain. Wireless computers running Windows Vista provide an alternate way to accomplish this task.

Wireless client computers running Windows Vista can use a temporary wireless profile to obtain connectivity to a secure wireless network and join the Active Directory domain. This temporary wireless profile, known as a bootstrap wireless profile, requires the connecting user to manually specify their domain user account credentials and does not validate the certificate of the RADIUS server.

Note

Instructions for configuring bootstrap profiles are not provided in this document. For information about bootstrap profiles, and configuration instructions, see: Joining a Windows Vista Wireless Client to a Domain on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=73123.

Using wireless profile management features in Group Policy

This section provides steps for testing the Windows Vista profile management features. The procedures in this section demonstrate the direct effect of the management features in the Vista Wireless Policy (controlled by the WiredV computer) on the WirelessV computer.

Specifying the connection preference order for wireless networks

Wireless clients running Windows Vista attempt to connect to wireless networks in the order specified in Vista Wireless Policy. This procedure demonstrates how to specify the order of wireless profiles to which domain clients running Windows Vista will attempt to connect.

The following procedure is conducted using both the WiredV and WirelessV computers.

To specify the order of wireless networks

  1. Log on to the computer named WirelessV, open a command prompt, type gpupdate, and then press ENTER, to refresh the Vista Wireless Policy Group Policy settings on the computer.

  2. Click Start, click Connect to, and then click Open Network and Sharing Center. In Tasks, click Manage wireless networks. In Networks you can view, the profiles are listed in the same order specified in the Vista Wireless Policy on the WiredV computer:

    • PEAP Profile

    • EAP-TLS Profile

    • Ad Hoc

  3. Log on to the computer named WiredV, open the Windows Vista Wireless Network (IEEE 802.11) Policy Properties. On the General tab, in Connect to available networks in the order of profiles listed below, select Ad Hoc, and then click the "up arrow" two times to move the profile up to the top of the list. Select PEAP Profile, and then click the "down arrow" to move that profile to the bottom of the priority order. This is shown in the following figure.

  4. Click OK to save the change, and then close the Vista Wireless Policy.

  5. On the WirelessV computer, open a command prompt, and then run the gpupdate command to refresh the Vista Wireless Policy.

  6. Repeat step 2 to open Manage wireless networks, if it is not already open. The profiles are now listed in the order specified in the Vista Wireless Policy. This is shown in the following figure.

  7. On WirelessV, disconnect from the wireless network. Click Start, click Connect to, and if any networks are listed as Connected in Select a network to connect to, select that wireless network profile, and then click Disconnect.

  8. Click Disconnect again. When disconnected, click Close.

  9. Log off from the WirelessV computer, and then log back on.

  10. Open Connect to a network. In a few moments, Windows will process all of the profiles configured in the IEEE 802.11 Wireless policy and automatically connect to the network by using the PEAP or EAP-TLS profile that matches your deployment.

Note

If you deployed PEAP-MS-CHAP v2 in your test network (and depending on how quickly logon occurs), you might receive a message in the notification area indicating that you cannot connect to the EAP-TLS network. This occurs because the EAP-TLS profile is now configured in the Vista Wireless Policy with a higher connection priority than the PEAP profile; before attempting to connect by using the PEAP profile, Windows attempts to connect by using the EAP-TLS profile. If the lab deployment is configured for PEAP-MS-CHAP v2, the WirelessV computer cannot connect to the network by using the EAP-TLS profile. Windows reports that it cannot connect using the EAP-TLS profile before it processes the PEAP profile.

This concludes this section of the Windows Vista Wireless Network (IEEE 802.11) Policy management section. In this section you prioritized wireless profiles, and then verified the results on your wireless computer running Windows Vista.

Define network permissions

You can configure the following on the Network Permissions tab to specify network permissions:

  • To deny your domain members running Windows Vista access to ad hoc networks, select Prevent connections to ad-hoc networks.

  • To deny your domain members running Windows Vista access to infrastructure networks, select Prevent connections to infrastructure networks.

  • To allow your domain members running Windows Vista to view network types (ad hoc or infrastructure) to which they are denied access, select Allow user to view denied networks.

Note

The Remove button on the Network Permissions tab allows you to remove only those networks that you have defined by using the Add feature. Networks that are defined on the General tab, in Connect to available networks in the order of profiles listed below, cannot be removed from the permissions list.

You can prevent your network clients from attempting connections to a wireless network by specifying the following on the New Permission Entry dialog box:

  • In Network Name (SSID), type the wireless network SSID. For example, if a neighboring network is broadcasting its SSID, Rogue, type Rogue.

  • In Network Type, select either Infrastructure or Ad-hoc.

  • In Permission, select either Deny or Allow.

Denying connections to wireless networks

For a variety of reasons, you might want to prevent managed wireless computers from connecting to other wireless networks that are within range of the organization’s wireless network. This procedure demonstrates how to use the Windows Vista Wireless Network (IEEE 802.11) Policy to allow or deny permissions for wireless networks.

For example, an adjoining building might have a wireless AP broadcasting the SSID WSUA-EAP, which can be seen on your network wireless client computers running Windows Vista. This is shown in the following figure.

The following procedure requires a wireless AP that is broadcasting its SSID, and is within reception range of the WirelessV computer.

The example in the following procedure uses a wireless AP that is broadcasting WSUA-EAP. You can substitute the SSID of any broadcasting wireless AP (except WIR_TST_Lab) in the following procedure, or set up an additional AP with the SSID set to WSUA-EAP.

To add a wireless network to the Deny list

  1. When the wireless AP is configured, log on to WirelessV and open Connect to a network. Verify that the client can view the network broadcasting SSID, for example WSUA-EAP, as shown in the previous figure.

  2. Log on to the WiredV computer, and open the Vista Wireless Policy.

  3. On the Network Permissions tab, click Add.

  4. On the New Permission Entry dialog box, configure the following:

    • In Network Name (SSID) type WSUA-EAP.

    • In Network Type, select Infrastructure.

Note

If you are unsure whether the broadcasting network is an infrastructure or ad hoc network, you can configure a network permission entry for both types.

    • In Permission, select Deny.

    This is shown in the following figure.

  5. Click OK. On the Network Permissions tab, select Allow user to view denied networks, and then click OK.

  6. Log back on to the WirelessV computer, open a command prompt, and then run the gpupdate command, to refresh the applied Vista Wireless Policy.

  7. Open Connect to a network. In the list of networks, the WSUA-EAP network displays the following information:

    Your network administrator has blocked you from connecting to this network

In some cases, you might want to prevent users from seeing broadcasting networks to which you want to deny access. The following procedure demonstrates how to prevent your wireless clients from displaying wireless networks to which you have denied access.

The following procedure is conducted by using both the WiredV and WirelessV computers.

To prevent users from viewing networks in the Deny list

  1. Log on to the WiredV computer, and then open the Vista Wireless Policy.

  2. On the Network Permissions tab, clear the Allow user to view denied networks check box, and then click OK.

  3. Log back on to the WirelessV computer, open a command prompt, and then run the gpupdate command to refresh the applied Vista Wireless Policy.

  4. Open Connect to a network. The WSUA-EAP network cannot be seen in the list of networks. In the following figure, the denied network WSUA-EAP is not visible to WirelessV.

Exporting wireless profiles

In addition to creating a backup of configured profiles, the export and import features are used to support IHV extensibility. An administrator can include IHV-specific connectivity or security settings in an XML profile and then import this profile to wireless Group Policy. Because these settings do not display onscreen in Windows Vista, importing them is the only way that a profile can include these settings in wireless Group Policy.

The following procedures are conducted on the WiredV computer.

To configure a test profile for export

  1. In Windows Vista Wireless Network (IEEE 802.11) Policy Properties, on the General tab, click Add, and then select Infrastructure.

  2. On the Connection tab, do the following:

    • In Profile Name, type Test.

    • In Network Name(s) (SSID), type test.

  3. Click Add, select NEWSSID, click Remove, and then click OK.

This procedure demonstrates how to export a wireless profile and delete a profile.

To export and delete a wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policy Properties, on the General tab, in Connect to available networks in the order of profiles listed below, select the profile named Test, and then click Export.

  2. In the Save exported profile as dialog box, verify that Save as type is (*.xml), and then click Save.

Note

By default, the profile is saved as an XML file in the Documents folder of the current user. The profile name is automatically provided in its file name. If you specify a different name for the exported file, such as "backup.xml" when imported, the profile will appear in Connect to available networks in the order of profiles listed below with the original profile name (Test) and the original SSID (test).

  3. To confirm that the profile was correctly saved, click Start, and then click Documents. In the Documents folder, open the GPAdmin folder to view the profile XML file.

  4. In Windows Vista Wireless Network (IEEE 802.11) Policy Properties, on the General tab, in Connect to available networks in the order of profiles listed below, select the profile named Test, and then click Remove.

  5. When you receive the message asking if you are sure you want to remove the profile, click Yes.

Importing a wireless profile

This procedure demonstrates how to import a wireless profile. You can use the import feature to restore profiles that have been deleted. You can also use import to restore a profile that was changed after a backup copy was exported.

In the procedure "To export and delete a wireless profile," you saved the profile named Test, then removed it from Connect to available networks in the order of profiles listed below. This procedure restores the original Test profile in its original state.

To import a wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policy Properties, on the General tab, in Connect to available networks in the order of profiles listed below, click Import.

  2. In Import a profile, select Test, and then click Open.

Note

By default, the Open to import a profile dialog box opens the most recent directory that has been accessed using the import and export features.

  3. Select Test, and then click Open.

This concludes this section of the Windows Vista wireless evaluation. In this section you configured wireless clients by using the Wireless Network (IEEE 802.11) Policy. You have configured a wireless profile for the WIR_TST_Lab wireless network and an ad hoc profile. You have also used profile management features to:

  • Specify the connection priority for wireless networks

  • Define network permissions

  • Export a wireless profile

  • Delete a wireless profile

  • Import a wireless profile

Perform wireless diagnostics and troubleshooting

In Windows Vista, troubleshooting wireless connections is made much easier through the new Diagnostics Support for Wireless Connections component, and through information rendered by running select netsh wlan commands.

Wireless diagnostics

Windows Vista wireless diagnostics will help you to resolve many common issues that arise with wireless networks, such as:

  • The network adapter radio is turned off.

  • The wireless AP is not powered.

  • Mismatched configuration between the wireless AP and the client, resulting in missing or mismatched security and encryption types or network keys.

  • Disconnected media

  • Missing certificates

With Windows Vista, when a user experiences a network problem, Windows provides a method to diagnose and repair problems within the context of that problem. During the diagnosis, Windows analyzes why the connection attempt has failed, and then presents either a solution or a list of possible causes and prescriptions that the user can use to correct the problem. The solution might be automatically run by Windows or it might involve manually performing configuration changes.

Wireless diagnostic exercises

This section contains examples of a few diagnostics that Windows Vista can perform. This section is not intended to be an exhaustive list of all diagnostic possibilities of Windows Vista wireless diagnostics.

The following exercises deliberately create wireless connection errors that cause the wireless diagnostics to run.

Diagnostic prerequisite

Before proceeding with the diagnostic exercises, reconfigure the Vista Wireless Policy so that the profile matching your wireless deployment, PEAP-MS-CHAP v2 or EAP-TLS, is placed at the highest connection priority.

To set connection priority for wireless profiles

  1. Log on to the computer named WiredV, and then open Windows Vista Wireless Network (IEEE 802.11) Policy Properties.

  2. On the General tab, in Connect to available networks in the order of profiles listed below, select either PEAP Profile, or EAP-TLS Profile, depending on your deployment, and then click the "up arrow" to move the profile up to the top of the list.

  3. Click OK, to save the change.

  4. Log on to the WirelessV computer, and then run gpupdate at the command prompt.

Start the Windows network diagnostics tool

You can start wireless diagnostics from several locations on a client running Windows Vista:

Starting the Windows network diagnostics tool by using the Network and Sharing Center notification area icon

The icon for the Network and Sharing Center is located to the left of the clock in the notification area.

Note

If you hover the mouse pointer over the Network and Sharing Center icon, the Currently connected to notification will appear. If the computer running Windows Vista is not connected to a network or another computer, the Network and Sharing Center notification area icon is displayed with an X, and indicates that your computer is Not Connected.

To start diagnostics by using the "Diagnose and repair" option of the Network and Sharing Center notification area icon

  • Right-click the Network and Sharing Center icon in the notification area, and then click Diagnose and repair to start the Windows network diagnostic tool.

Starting the Windows network diagnostics tool by using the "Diagnose network problems" option in Network and Sharing Center

To start diagnostics by using "Diagnose and repair" in Network and Sharing Center

  1. Click Start, click Network, and in the menu click Network and Sharing Center.

  2. In the left-hand pane, click Diagnose and repair to start the Windows network diagnostics tool.

Starting the Windows network diagnostics tool by using the "Diagnose and repair" option in Network and Sharing Center (option 2)

To start diagnostics by using "Diagnose and repair" in Network and Sharing Center

  1. Click Start, click Connect to, and in Connect to a network, click Open Network and Sharing Center.

  2. In Network and Sharing Center, in the left-hand pane, click Diagnose and repair to start the Windows network diagnostics tool.

Starting the Windows network diagnostics tool by using the "Repair" option for a network connection icon in Network Connections

Network Connections provides several methods to start diagnostics.

To start diagnostics by using the "Diagnose" options for a network connection icon

  1. Open Network Connections, using one of the following methods:

    • Click the Network and Sharing Center icon in the notification area, click Network and Sharing Center, and then in the left-hand pane of Network and Sharing Center, click Manage network connections.

    • Click Start, click Network, click Network and Sharing Center, and then click Manage network connections.

    • Click Start, click Connect to, click Open Network and Sharing Center, and then click Manage network connections.

  2. In LAN or High-Speed Internet, select the network connection you want, and then do one of the following:

    1. Click Diagnose this connection.

    2. Right-click the connection item, and then click Diagnose.

    3. For wireless connections, attempt to connect to the network you want. Right-click the connection icon, and then click Connect/Disconnect. In Select a network to connect to, select the desired wireless network, and then click Connect.

      If the connection attempt is unsuccessful, the Connect to a network dialog box provides an option to diagnose the problem. Click Diagnose the problem to start the diagnostics tool.

Use wireless diagnostics

In this section, you will use Windows Vista wireless diagnostics to perform the following tasks:

  • Diagnose a stopped WLAN AutoConfig Service

  • Diagnose no visible networks

  • Diagnose a wireless radio that is turned off

  • Diagnose 802.1X network failures

  • Diagnose certificate-based connection errors

Diagnose a stopped WLAN AutoConfig Service

The WLAN AutoConfig service lists wireless adapters and the corresponding configuration details, and manages wireless connections and profiles.

To diagnose a stopped WLAN AutoConfig Service

  1. On the WirelessV computer, use either the PEAP or EAP-TLS profile to connect to the WIR_TST_Lab network.

  2. Stop the WLAN AutoConfig Service. Click Start, and then click Control Panel. In Control Panel Home, switch to Classic View. Double-click Administrative Tools, and then in the details pane, double-click Services. In the Services (Local) details pane, right-click WLAN AutoConfig Service (wlansvc), and then click Stop.

  3. Navigate to the Network Connections folder. In a few moments, you should see that wireless is not connected. Right-click the connection, and then click Diagnose. Windows Network Diagnostics renders a message indicating the Windows Wireless Service is not running on this computer. This is shown in the following figure.

  4. Click Start Windows Wireless Service. In a few moments, the connection is repaired.

Diagnose no visible networks

This exercise demonstrates Windows wireless diagnostics for no visible networks. Moving beyond the range of APs commonly causes this type of error.

Note

This procedure depends on the Wi-Fi driver supporting packet statistics object identifiers (OIDs). Additionally, to test this diagnostic, your wireless client must be unable to receive 802.11 signals from other 802.11 devices.

To diagnose no visible networks

  1. Create a connection to the WIR_TST_Lab network.

  2. Do one of the following:

    1. Move the wireless computer to a location where wireless signals cannot be received.

    2. Detach the antennae from broadcasting wireless APs.

  3. In Network Connections, right-click your wireless connection, and then click Diagnose.

    When the tool detects the error, it will summarize the error and provide possible steps to take to correct the problem.

Diagnose a wireless radio that is turned off

This exercise demonstrates diagnostics for a wireless device that is disabled by using the external switch on a portable wireless device to turn off the wireless radio.

Note

This procedure can only be run on computers equipped with an external switch that controls the wireless radio.

To diagnose a wireless radio that is turned off

  1. Connect to the WIR_TST_Lab network.

  2. Use the external switch to disable the wireless radio.

    Start the wireless diagnostics tool: When the tool detects the error, it will summarize the error, and provide possible steps to take to correct the problem.

Diagnose 802.1X network failures

This exercise demonstrates Windows wireless diagnostics for 802.1X failures resulting from a variety of reasons, including network hardware failures or network misconfiguration.

To diagnose 802.1X network failures

  1. Create a connection to the WIR_TST_Lab network.

  2. Detach the Ethernet cable from the RADIUS server to physically disconnect it from the network.

  3. Click Start, click Connect to, and in Select a network to connect to, select the wireless network profile that is listed as Connected, and then click Disconnect, and then click Disconnect again.

  4. Click Start, click Connect to, and in Select a network to connect to, select the wireless network profile you want to use for WIR_TST_Lab, and then click Connect.

  5. When you receive the message that Windows cannot connect to the PEAP or EAP-TLS profile, click Diagnose the problem to start wireless diagnostics.

    When the diagnostics tool detects the error, it will summarize the error, and provide possible steps to take to correct the problem, as shown in the following figure.

Diagnose certificate-based connection errors

This exercise simulates Windows wireless diagnostics for missing client certificates.

In order to perform this test, the wireless client must have a wireless profile configured for EAP-TLS authentication.

To diagnose certificate-based connection errors

  1. If you deployed EAP-TLS for your WIR_TST_Lab network perform steps a - d, and then continue to step 2.

    If you deployed PEAP-MS-CHAP v2 for your test network, proceed to step 2.

    a. On your WirelessV computer, in Start Search, type mmc, and then press ENTER.

    b. In the MMC, click File, and then click Add/Remove Snap-in.

    c. In Available snap-ins, select Certificates, and then click Add. On the Certificates Snap-in page, select My user account, click Finish, and then click OK.

    d. In the snap-in, under Console Root, open Certificates - Current User, open Personal, and then double-click Certificates. In Issued To, select the certificate, then use the "Cut" (scissors) and "Paste" (clipboard) menu options to temporarily move the certificates to a different location.

  2. Click Start, click Connect to, select EAP-TLS Profile, and then click Connect, to connect to the WIR_TST_Lab wireless network.

  3. When the connection attempt is unsuccessful, click Diagnose the problem, to start Windows wireless diagnostics.

    Windows wireless diagnostics detects that the certificate is missing. This is shown in the following figure.

  4. If you deployed EAP-TLS on your test network, restore the certificate to the original location.

Use netsh wlan for troubleshooting and diagnostics

You can use the following netsh wlan commands for diagnosing and troubleshooting connectivity problems:

  • set

  • show

  • import / export

With these commands, you can gather all of the data required to effectively troubleshoot and, in some cases, correct configuration problems on wireless clients running Windows Vista. You can use these commands to gather:

  • the configuration of the client profiles on multiple interfaces

  • data about the capabilities of wireless network adapters installed on the computer, and the driver version for each wireless adapter

  • tracing data when the information in the Wireless NDF is not sufficient

In some cases, you can export wireless profiles and make the necessary configuration changes in the XML file, or configure a replacement profile. You can manually import the updated XML file onto individual computers by using the netsh command, or use the netsh wlan commands in a script to import the updated profile onto multiple computers.

Additionally, you can import the updated file into the Vista Wireless Network (IEEE 802.11) Policy, and then automate the configuration for all wireless clients to which the policy applies.

Troubleshooting with netsh wlan

The examples included in this section are for illustrative purposes only. You can run these commands on your WirelessV computer, and compare the results to information presented in the following examples to learn more about the behavior of each netsh wlan command.

Entering the netsh wlan context

To enter the netsh context for wlan

  1. Click Start, click Run, type cmd, and then click OK, to open a command prompt.

  2. At the command prompt, type netsh and press ENTER, and then type wlan and press ENTER.

Example: Network adapter capabilities

A client on the network is trying to enable WPA2-Enterprise with AES. The client reports that WPA2 is not listed as an option, but also reports that the wireless network adapter supports WPA2-Enterprise with AES. You can use the netsh wlan "show drivers" command to quickly determine exactly which driver is loaded for this network adapter and which capabilities it reports.

To use netsh wlan to gather wireless adapter driver data

  1. On your WirelessV computer, open a command prompt, enter the netsh wlan context, and then type the following command:

    netsh wlan>show drivers

  2. Press ENTER.

Information similar to the following appears:

Note

This sample is modified with intentional breaks to fit the text within the available viewable space.

Interface name: Wireless Network Connection
    Driver                    : D-Link AirPlus Xtrene G DWL-G650
    Vendor                   : D-Link
    Provider                 : D-Link
    Date                       : 7/14/2004
    Version                  : 2.2.4.71
    INF file                  : E:\Windows\INF\nnet5211.inf
    Files                       : 1 total

E:\Windows\system32\DRIVERS\ar5211.sys
    Type                      : FAT Driver
    Radio types supported     : 802.11g 802.11b
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                Open            WEP-40bit
                                Shared          WEP-40bit
                                Open            WEP-104bit
                                Shared          WEP-104bit
                                Open            WEP
                                Shared          WEP
                                WPA-Enterprise  TKIP
                                WPA-Personal    TKIP
                                WPA-Enterprise  CCMP
                                WPA-Personal    CCMP
    Authentication and cipher supported in ad-hoc mode:
                                Open            None
                                Open            WEP-40bit
                                Open            WEP-104bit
                                Open            WEP

By running this command, you can determine that this driver in fact does not support WPA2. For drivers that do support WPA2-Enterprise, the following information is listed:

Authentication and cipher supported in infrastructure mode:
WPA2-Enterprise TKIP
WPA2-Enterprise CCMP
WPA2-Personal   CCMP
Authentication and cipher supported in ad-hoc mode:
WPA2-Personal   CCMP

Knowing this information, you might decide to check with the wireless network adapter vendor Web site for information about possible driver updates.

Example: Determine wireless AP association

A common troubleshooting task is to determine which wireless AP the client computer is associated with. In Windows XP, there is no way to gather real-time data without the aid of a third-party tool. However, in Windows Vista, you can use netsh wlan to gather the real-time information by using the show interface command, which also provides additional configuration information.

To use netsh wlan to determine wireless AP association

  1. On your WirelessV computer, open a command prompt, enter the netsh wlan context, and then type the following command:

    netsh wlan>show interface

  2. Press ENTER.

Information similar to the following is displayed:

Note

This sample is modified with intentional breaks to fit the text within the available viewable space.

There is 1 interface on the system:
    Name             : Wireless Network Connection
    Description      : Realtek 8185 Extensible 802.11b/g 
Wireless Device
    GUID             : 58c0407a-0e61-475b-bb9b-713c901df72
    Physical Address : 00:02:44:ae:0d:d0
    State            : connected
    SSID             : WIR_TST_Lab
    BSSID            : 00:0b:86:cb:ed:00
    Network Type     : Infrastructure
    Radio Type       : 802.11g
    Authentication   : WPA2-Enterprise
    Cipher           : AES
    Connection Mode  : Auto Connect
    Channel          : 6
    Receive Rate     : 54000
    Transmit Rate    : 54000
    Signal           : 100%
    Profile          : PEAP Profile

In the output, the BSSID field displays the MAC address of the wireless AP to which the computer is associated. In addition, the show interface command also renders information including: the SSID, security settings, signal strength as well as the active profile. You can gather a complete picture of the status of the network connection by using the show interface command.
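The two listings above (show drivers and show interface) are plain text, so a script can answer the same two questions the examples answer by eye: does the loaded driver support WPA2-Enterprise with CCMP, and is the client associated with one of the organization's own APs using the expected security settings. The following is an added example, not code from the evaluation guide. Its sample outputs are constructed from the two listings in this section, and AUTHORIZED_BSSIDS is an assumed inventory of the lab's own access points.

```python
"""Parse `netsh wlan show drivers` and `netsh wlan show interface` output.

Added example; this is not code from the evaluation guide. The sample outputs
are constructed from the two listings in this section, and AUTHORIZED_BSSIDS
is an assumed inventory of the lab's own access points.
"""
import re

# Constructed from the show drivers listing above (driver without WPA2 support).
SHOW_DRIVERS_SAMPLE = """\
Interface name: Wireless Network Connection
    Type                      : FAT Driver
    Radio types supported     : 802.11g 802.11b
    Authentication and cipher supported in infrastructure mode:
                                Open            None
                                Open            WEP-40bit
                                Shared          WEP-104bit
                                WPA-Enterprise  TKIP
                                WPA-Enterprise  CCMP
    Authentication and cipher supported in ad-hoc mode:
                                Open            None
                                Open            WEP
"""

# Constructed listing for a driver that does support WPA2-Enterprise.
SHOW_DRIVERS_WPA2_SAMPLE = """\
Interface name: Wireless Network Connection
    Radio types supported     : 802.11g 802.11b
    Authentication and cipher supported in infrastructure mode:
                                WPA-Enterprise  CCMP
                                WPA2-Enterprise TKIP
                                WPA2-Enterprise CCMP
                                WPA2-Personal   CCMP
    Authentication and cipher supported in ad-hoc mode:
                                WPA2-Personal   CCMP
"""

# Constructed from the show interface listing above.
SHOW_INTERFACE_SAMPLE = """\
There is 1 interface on the system:
    Name             : Wireless Network Connection
    State            : connected
    SSID             : WIR_TST_Lab
    BSSID            : 00:0b:86:cb:ed:00
    Authentication   : WPA2-Enterprise
    Cipher           : AES
    Profile          : PEAP Profile
"""

# Assumed inventory of the lab's own APs (BSSID = AP MAC address).
AUTHORIZED_BSSIDS = {"00:0b:86:cb:ed:00"}


def parse_show_drivers(text):
    """Return {"infrastructure": [(auth, cipher), ...], "ad-hoc": [...]}."""
    caps = {}
    mode = None
    for line in text.splitlines():
        m = re.match(r"\s*Authentication and cipher supported in (\S+) mode:", line)
        if m:
            mode = m.group(1)
            caps.setdefault(mode, [])
            continue
        if ":" in line:          # back to ordinary "key : value" lines
            mode = None
            continue
        parts = line.split()
        if mode and len(parts) == 2:
            caps[mode].append((parts[0], parts[1]))
    return caps


def supports(caps, auth, cipher, mode="infrastructure"):
    """True if the driver lists the (authentication, cipher) pair for the mode."""
    return (auth, cipher) in caps.get(mode, [])


def parse_show_interface(text):
    """Return the "key : value" lines of show interface as a dict."""
    info = {}
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("There"):
            continue
        key, _, value = line.partition(":")   # BSSID values contain ':' too
        info[key.strip()] = value.strip()
    return info


def check_association(info, authorized=AUTHORIZED_BSSIDS, expected_ssid="WIR_TST_Lab"):
    """Return findings; an empty list means the association looks as intended."""
    findings = []
    if info.get("State") != "connected":
        return ["interface is not connected"]
    if info.get("SSID") != expected_ssid:
        findings.append(f"connected to SSID {info.get('SSID')!r}, expected {expected_ssid!r}")
    bssid = info.get("BSSID", "").lower()
    if bssid not in {b.lower() for b in authorized}:
        findings.append(f"associated with AP {bssid} that is not in the authorized list")
    if (info.get("Authentication"), info.get("Cipher")) != ("WPA2-Enterprise", "AES"):
        findings.append(f"security is {info.get('Authentication')}/{info.get('Cipher')}, "
                        "expected WPA2-Enterprise/AES")
    return findings


if __name__ == "__main__":
    caps = parse_show_drivers(SHOW_DRIVERS_SAMPLE)
    print("WPA2-Enterprise/CCMP supported:", supports(caps, "WPA2-Enterprise", "CCMP"))
    print("Association findings:", check_association(parse_show_interface(SHOW_INTERFACE_SAMPLE)))
```

On a real client, feed the script the captured output of netsh wlan show drivers and netsh wlan show interface; the BSSID check is only as good as the AP inventory you maintain, so keep AUTHORIZED_BSSIDS current when APs are replaced.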

Example: Exporting a profile

With netsh wlan, you can export and import all profiles to use with scripting, to make configuration changes, and even to update the appropriate GPO to support client IHV settings. This section presents examples of how to export a profile and examine the XML in detail.

To use netsh wlan to export a profile

  1. On your WirelessV computer, create a folder to which you will export your profiles, for example, create a folder named "profiles" on the D:\ drive.

  2. Open a command prompt, enter the netsh wlan context, and then type the following command:

    netsh wlan> export profile folder=d:\profiles

  3. Press ENTER.

Information similar to the following is displayed:

Note

This sample is modified with intentional breaks to fit the text within the available viewable space.

Group policy profile "PEAP Profile" is saved in file
"d:\profiles\Wireless Network Connection-PEAP Profile.xml"
successfully.
Group policy profile "Ad Hoc" is saved in file "d:\profiles\Wireless
Network Connection-Ad Hoc.xml" successfully.
Group policy profile "EAP-TLS Profile" is saved in file
"d:\profiles\Wireless Network Connection-EAP-TLS Profile.xml"
successfully.

You can use the export command to save all the profile settings to XML and store them in a folder of your choice, for example, the d:\profiles folder (the default location is %systemroot%\users\<user>\). Open the d:\profiles\Wireless Network Connection folder. You have saved three GPO mandated profiles. Open the PEAP profile by using Notepad. Examine the XML text of the PEAP profile to see the details such as the following:

Note

This sample is modified with intentional breaks to fit the text within the available viewable space.

<?xml version="1.0"?>
<WLANProfile xmlns="https://www.microsoft.com/networking/WLAN/profile/v1">
  <name>PEAP Profile</name>
  <SSIDConfig>
    <SSID>
      <hex>5749525F5453545F4C6162</hex>
      <name>WIR_TST_Lab</name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>true</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <PMKCacheMode>enabled</PMKCacheMode>
      <PMKCacheTTL>720</PMKCacheTTL>
      <PMKCacheSize>128</PMKCacheSize>
      <preAuthMode>enabled</preAuthMode>
      <preAuthThrottle>3</preAuthThrottle>
      <OneX xmlns="https://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <heldPeriod>1</heldPeriod>
        <authPeriod>18</authPeriod>
        <startPeriod>5</startPeriod>
        <maxStart>3</maxStart>
        <maxAuthFailures>1</maxAuthFailures>
        <authMode>machineOrUser</authMode>
        <singleSignOn>
          <type>preLogon</type>
          <maxDelay>10</maxDelay>
          <allowAdditionalDialogs>true</allowAdditionalDialogs>
          <maxDelayWithAdditionalDialogs>30</maxDelayWithAdditionalDialogs>
          <userBasedVirtualLan>false</userBasedVirtualLan>
        </singleSignOn>
        <EAPConfig>
          <EapHostConfig xmlns="https://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="https://www.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="https://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="https://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="https://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <ConfigBlob>01000000560000000100000001000000010000002D000000150000000100000014000000E7CE0BBCC28415FAA2C8A240FD011AFA59DBAC83000001000000170000001A00000001000000020000000000000000000000</ConfigBlob>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
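Because exported profiles are plain XML, the settings that matter for security (authentication, encryption, useOneX, and the EAP method type) can be checked mechanically across every profile a client or GPO carries, rather than by reading each file in Notepad. The following is an added example, not code from the evaluation guide. Both profiles in it are constructed: the first mirrors the PEAP Profile export above, the second is a deliberately weak WPA-PSK/TKIP profile with 802.1X disabled. The namespace URIs are written as they appear in the export above; the parser matches elements by local name and ignores namespaces, so exports that use a different namespace scheme parse the same way.

```python
"""Audit exported Windows Vista WLANProfile XML for weak security settings.

Added example; this is not code from the evaluation guide. The two profiles
below are constructed: the first mirrors the PEAP Profile export shown above,
the second is a deliberately weak WPA-PSK/TKIP profile with 802.1X disabled.
"""
import xml.etree.ElementTree as ET

# EAP method type numbers as used in <EapMethod><Type>: 13 = EAP-TLS, 25 = PEAP.
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAP v2"}

PEAP_PROFILE_XML = """<?xml version="1.0"?>
<WLANProfile xmlns="https://www.microsoft.com/networking/WLAN/profile/v1">
  <name>PEAP Profile</name>
  <SSIDConfig>
    <SSID><hex>5749525F5453545F4C6162</hex><name>WIR_TST_Lab</name></SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="https://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig><EapHostConfig xmlns="https://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="https://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

# Constructed weak profile: pre-shared key, TKIP, and no 802.1X.
WEAK_PROFILE_XML = """<?xml version="1.0"?>
<WLANProfile xmlns="https://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Legacy Guest</name>
  <SSIDConfig><SSID><hex>4775657374</hex><name>Guest</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>WPAPSK</authentication>
      <encryption>TKIP</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
  </security></MSM>
</WLANProfile>"""


def _local(tag):
    """Return an element's tag without its namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def _first(elem, *path):
    """Walk down by local tag names, ignoring namespaces; None if missing."""
    node = elem
    for name in path:
        node = next((c for c in node if _local(c.tag) == name), None)
        if node is None:
            return None
    return node


def _text(elem, *path):
    node = _first(elem, *path)
    return node.text.strip() if node is not None and node.text else None


def parse_profile(xml_text):
    """Extract the security-relevant fields of a WLANProfile document."""
    root = ET.fromstring(xml_text)
    sec = ("MSM", "security")
    eap_type = _text(root, *sec, "OneX", "EAPConfig", "EapHostConfig", "EapMethod", "Type")
    return {
        "name": _text(root, "name"),
        "ssid_name": _text(root, "SSIDConfig", "SSID", "name"),
        "ssid_hex": _text(root, "SSIDConfig", "SSID", "hex"),
        "authentication": _text(root, *sec, "authEncryption", "authentication"),
        "encryption": _text(root, *sec, "authEncryption", "encryption"),
        "use_onex": (_text(root, *sec, "authEncryption", "useOneX") or "false").lower() == "true",
        "eap_type": int(eap_type) if eap_type else None,
    }


def audit_profile(p):
    """Return findings against a WPA2-Enterprise/AES with 802.1X baseline."""
    findings = []
    if p["authentication"] != "WPA2":
        findings.append(f"authentication is {p['authentication']}, expected WPA2 (Enterprise)")
    if p["encryption"] != "AES":
        findings.append(f"encryption is {p['encryption']}, expected AES (CCMP)")
    if not p["use_onex"]:
        findings.append("useOneX is false: no 802.1X authentication")
    elif p["eap_type"] not in EAP_TYPES:
        findings.append(f"unrecognized EAP method type {p['eap_type']}")
    if p["ssid_hex"] and p["ssid_name"]:
        decoded = bytes.fromhex(p["ssid_hex"]).decode("utf-8", "replace")
        if decoded != p["ssid_name"]:
            findings.append(f"SSID hex decodes to {decoded!r}, not {p['ssid_name']!r}")
    return findings


if __name__ == "__main__":
    for doc in (PEAP_PROFILE_XML, WEAK_PROFILE_XML):
        p = parse_profile(doc)
        print(p["name"], EAP_TYPES.get(p["eap_type"], "no EAP"), audit_profile(p) or "OK")
```

Run it over the files that netsh wlan export profile writes (for example everything in d:\profiles) to find profiles that still allow WEP, TKIP, pre-shared keys, or connections without 802.1X before they are imported into Group Policy. The SSID check catches a hand-edited profile whose hex and name fields no longer agree, which would otherwise only show up as a failed connection.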

See Also

Other Resources

Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements
Wireless Networking
Wi-Fi Protected Access 2 Data Encryption and Integrity: The Cable Guy, August 2005
Wi-Fi Protected Access 2 (WPA2) Overview: The Cable Guy, May 2005
Microsoft 802.1X Authentication Client: The Cable Guy, December 2002
Configuring Wireless Settings Using Windows Server 2003 Group Policy: The Cable Guy, July 2003
Windows XP Wireless Deployment Technology and Component Overview
Deployment of Secure 802.11 Networks Using Microsoft Windows