Define 802.1X authentication for wireless networks in Group Policy

xiaoxiao2021-03-06  18


1. In Wireless Network (IEEE 802.11) Policies, double-click the wireless network policy for which you want to configure 802.1X authentication.

2. On the Preferred Networks tab, under Networks, choose whether to configure 802.1X authentication for an existing wireless network or for a new wireless network:
   - To configure 802.1X authentication for an existing wireless network, click the wireless network that you want to configure, and then click Edit.
   - To configure 802.1X authentication for a new wireless network, click Add.

3. On the IEEE 802.1x tab, do one of the following:
   - To enable IEEE 802.1X authentication for this wireless network, select the "Enable network access control using IEEE 802.1X" check box. This check box is selected by default.
   - To disable IEEE 802.1X authentication for this wireless network, clear the "Enable network access control using IEEE 802.1X" check box.

4. In EAPOL-Start message, specify whether to transmit Extensible Authentication Protocol over LAN (EAPOL) start message packets and, if so, how to transmit them.

5. In Parameters (seconds), specify the EAPOL start message packet parameters.

6. In EAP type, click the EAP type that you want to use for this wireless network.

7. If you select Smart Card or other Certificate in EAP type, click Settings, and in Smart Card or other Certificate Properties, do the following:
   - To allow wireless clients to use the certificate that resides on their smart card, click "Use my smart card".
   - To allow wireless clients to authenticate with a certificate that resides in the certificate store on their computer, click "Use a certificate on this computer", and then specify whether to use simple certificate selection.
   - To verify that the server certificate presented to client computers is still valid, select the "Validate server certificate" check box, select the "Connect to these servers" check box, specify the server or servers to which client computers will automatically connect, and then specify the trusted root certification authorities.
   - To allow users to view more information about the selected root certification authority, click View Certificate.
   - To allow users to specify a different user name when the user name in the smart card or certificate differs from the user name in the domain they log on to, select the "Use a different user name for this connection" check box.

8. If you select Protected EAP (PEAP) in EAP type, click Settings, and do the following:
   - To verify that the server certificate presented to client computers is still valid, select the "Validate server certificate" check box, select the "Connect to these servers" check box, specify the server or servers to which client computers will automatically connect, and then specify the trusted root certification authorities.
   - In Select Authentication Method, click the authentication method that you want to use within PEAP, and then click Configure.
     - If you select "Secured password (EAP-MSCHAP v2)", in EAP MSCHAP v2 Properties, specify whether to authenticate with the user name and password (and domain, if applicable) that the user types on the Windows logon screen, and then click OK.
     - If you select Smart Card or other Certificate, in Smart Card or other Certificate Properties, follow the instructions in step 7, configure the settings as needed, and then click OK.
   - To enable fast reconnect for wireless clients, select the "Enable Fast Reconnect" check box. For more information on PEAP fast reconnect, see "Notes".

9. On the IEEE 802.1x tab, do the following:
   - To specify that client computers attempt to authenticate to the network when user information or computer information is not available, select the "Authenticate as guest when user or computer information is unavailable" check box.
   - To specify that client computers attempt to authenticate to the network when no user is logged on, select the "Authenticate as computer when computer information is available" check box, and then, in Computer authentication, click an option to specify how the computer attempts authentication. For information on each Computer authentication option, see "Notes".

Important

It is highly recommended that you use 802.1X authentication whenever you connect to an 802.11 wireless network. 802.1X is an IEEE standard that enhances security and deployment by providing support for centralized user identification, authentication, dynamic key management, and accounting. For enhanced security, in Windows XP Service Pack 1 and the Windows Server 2003 family, 802.1X authentication is available only for access point (infrastructure) networks that require the use of a network key (WEP). WEP provides data confidentiality by encrypting the data sent between wireless clients and wireless access points. For additional information about wireless network security, see "Related Topics".

Notes

- To perform this procedure, you must be a member of the Domain Admins group in Active Directory, or you must have been granted permission to edit Group Policy objects (for more information, see "Related Topics"). As a security best practice, consider using Run as to perform this procedure.
- To open Wireless Network (IEEE 802.11) Policies, you must access the Active Directory wireless network policy. For more information, see "Related Topics".
- To define 802.1X authentication, you must select an existing preferred wireless network or define a new preferred wireless network. For information on how to define a preferred wireless network, see "Related Topics".
- PEAP fast reconnect allows roaming users to maintain continuous wireless network connectivity when moving between different wireless access points on the same network, as long as each wireless access point is configured as a client of the same IAS (RADIUS) server. In addition, fast reconnect must be enabled on both the wireless client and the RADIUS server.
- If you select the "Authenticate as computer when computer information is available" check box, you can select one of the following options:
  - With user authentication. When this option is selected and no user is logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is maintained using the computer credentials. If the user moves to a new wireless access point, authentication is performed using the user credentials.
  - With user re-authentication (recommended). When this option is selected and no user is logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When the user logs off the computer, authentication is performed using the computer credentials.
  - Computer only. When this option is selected, authentication is always performed using the computer credentials. User authentication is never performed.
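
The three Computer authentication options differ only in when the client switches between computer and user credentials. The following added example (not part of the original documentation and not Microsoft code) models that behaviour as a small state machine in Python. The event names, and the assumption that a logoff returns the session to computer credentials in both user modes, are illustrative.

```python
from enum import Enum

class Mode(Enum):
    WITH_USER_AUTH = "With user authentication"
    WITH_USER_REAUTH = "With user re-authentication"
    COMPUTER_ONLY = "Computer only"

def credential_timeline(mode, events):
    """Return [(event, credential, user_logged_on)] for a sequence of events.

    Event names (connect, logon, roam, logoff) are labels chosen for this
    example. Assumption: a logoff returns the session to computer
    credentials, because computer credentials apply whenever no user is
    logged on.
    """
    user_logged_on = False
    credential = None  # nothing is authenticated before the first connect
    timeline = []
    for event in events:
        if event not in ("connect", "logon", "roam", "logoff"):
            raise ValueError(f"unknown event: {event}")
        if event == "logon":
            user_logged_on = True
        elif event == "logoff":
            user_logged_on = False
        # A logon only triggers authentication in re-authentication mode;
        # connecting, roaming and logging off always do.
        if event != "logon" or mode is Mode.WITH_USER_REAUTH:
            use_user = user_logged_on and mode is not Mode.COMPUTER_ONLY
            credential = "user" if use_user else "computer"
        timeline.append((event, credential, user_logged_on))
    return timeline

def attribution_gaps(mode, events):
    """Events after which a user is logged on but the network session still
    runs under the computer account, so the RADIUS server sees the computer
    identity rather than the user."""
    return [e for e, cred, logged_on in credential_timeline(mode, events)
            if logged_on and cred == "computer"]

# Constructed sample session: connect at boot, user logs on, the laptop
# roams to another access point, user logs off.
SESSION = ["connect", "logon", "roam", "logoff"]

if __name__ == "__main__":
    for mode in Mode:
        creds = [c for _, c, _ in credential_timeline(mode, SESSION)]
        print(f"{mode.value:28} {creds}  gaps={attribution_gaps(mode, SESSION)}")
```

For the constructed session, only re-authentication mode places the session under the user's identity as soon as the user logs on; with user authentication, the session stays on the computer account until the first roam.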
