Wireless Group Policy WLAN Radius Part 3 WLAN Radius Config WLAN Client Config Linksys BEFSR41 Firmware Linksys BEFSR41 101 Linksys WAP54G config More Linksys BEFSR config Security how-to Writing DNS Zonefiles Is ZoneAlarm Spyware? Linksys Wishlist Sendmail spamblock Bind


Privacy Feedback

Deploying wireless settings with Group Policies.

At long last, the final part of the wireless networking article. Having to manually enter the settings we've gone over in the previous parts into each and every laptop in an organization may not be the best use of a network administrators time. Which is why these settings can be deployed through group policies. However, in order to deploy policies using anything other than WEP, you'll need to install SP1 for the Windows 2003 server.

I haven't installed the Group Policy Management Console, so the images reflect the "old fashioned" way of managing group policies. Shouldn't be too unfamiliar for anyone, though.

Create the policy in an OU that makes sense. I have one OU for wired computers and one for wireless computers, and I've seen other organizations using the terms "desktops" and "laptops". If you don't have such an hierarchy, then applying it to a non-server OU would do fine as well. The policy will restrict itself to computers with a wireless network interface.

Name the policy appropriately, then go to Computer Configuration\Windows Settings\Security Settings, and you should see the "Wireless Network Policies" item. If there is no defined policy, the policy wizard should be accessible when you right click on the "Wireless Network Policy". Just breeze through the wizard. It doesn't really let you do much at all, and we'll make the few changes necessary manually anyways.

There's only two tabs for the policy; General and "Preferred Networks", both of which we'll need to make some minor changes to if you followed my advice and just skip through the wizard.


The General tab gives you some space to enter some comments about the policy as well as change the name of the policy (note: this is different from the name of the policy object. The name here doesn't really matter at all, as you can only have one policy anyways).

A couple of more useful settings are at the bottom of this window. I don't see any reason why any laptop business laptop would need to connect to an ad-hoc network, so I've disabled this by setting the "Networks to access" to "Infrastructure only". Unless there's a need to use any other software than the wireless client that comes with Windows XP (ie, you have Windows 2000 clients which needs a 3rd party client to do WPA), the "Use Windows to configure..." should be checked. The "automatically connect to non-preferred networks" should be unchecked. You really don't want your laptop just connect to any available network out there...

On the "Preferred Networks" tab, there's very little other than a list of the defined networks. The network (SSID) that you defined during the wizard setup should be the only thing listed. All the fun stuff will be revealed once you select that SSID and press the Edit button.

The first tab will let you define the SSID, the authentication protocol and the data encryption. On the screenshot to the right, I've picked WPA and AES, which matches the setup that we've done previously. Since this is an infrastructure network, we'll leave the ad-hoc box at the bottom unchecked.

The IEEE 802.1x tab is where the action is. It's important to make sure that the settings here match what we've done before, since we know that those settings work. Most of the settings on the top half can be left alone. The part that we need to worry about are the EAP type and the EAP type settings. Pick "Protected EAP (PEAP)" as the EAP type, and then click on settings. On the dialog box that pops up, match the settings with what we've done before. Basically, enable Certificate verification with specific server (your CA server), "EAP-MSCHAP v2" as authentication method and "Enable Fast Reconnect" should be checked. Click the "configure" button to the right of the authentication method, and make sure that the checkbox on the following dialog box is checked. This makes sure that the username/password is passed on without having the user re-enter this information. Click "OK" to close out of everything, and your wireless policy is all set. Give it some time to propagate, and once all the clients have the new policy installed, you can change the SSID on your wireless access point to match the one you've created in the policy, and your laptops should re-connect as soon as it can see the new SSID that matches the SSID in the policy.

Since some time has passed since the last articles, I've had the opportunity to work with some other access points. For the more business oriented administrators who doesn't want to work with Linksys access points, these settings works fine with the HP 420wl access points as well. Just select the matching security profile, and you'll be surfing wirelessly in no time at all. And, since you can define multiple SSIDs on the access point at the same time, you don't even have to deal with changing the SSID...

1999 - 2005 Lars M. Hansen