Windows Server 2003 Group Policy

It is possible to configure group policy on your Windows Server 2003 domain to automatically provide wireless network configuration to the Windows XP and Windows Vista computers on your network. This can greatly speed up your WLAN deployment by removing the need to configure each computer individually.

Administrative Tasks

Open the Group Policy Object Editor

To begin, log in to your Windows Server 2003 machine as an administrator, and open the Group Policy snap-in:

  1. From the Start menu, choose “Run…”
  2. Type in mmc and click OK
  3. From the File menu in the newly opened console, choose “Add/Remove Snap-In”
  4. Click the “Add” button
  5. Find the “Group Policy Object Editor” and click add
  6. This brings up the “Select Group Policy Object” dialog. Click “Browse”.
  7. Select “Default Domain Policy” and click OK
  8. Click Finish in the “Select Group Policy Object” dialog.
  9. Click “Close” in the “Add Standalone Snap-in” dialog.
  10. Click “OK” in the “Add/Remove Snap-in” dialog.

Create a Policy

To create a policy using the Group Policy Object Editor, expand the console tree:

Default Domain Policy->Computer Configuration->Windows Settings->Security Settings->Wireless Network (IEEE 802.11) Policies

Select “Wireless Network (IEEE 802.11) Policies” in the tree and from the Action menu, select “Create Wireless Network Policy…” The Wireless Network Policy Wizard is launched, but this wizard doesn’t do anything more than allow you to enter the policy name. After completing the wizard, you will complete the actual policy configuration by editing the policy’s properties.

There are several properties to configure:

  • Name: The initial value was created using the Wireless Network Policy Wizard.
  • Description: A human-readable message that can be helpful if you have many policies configured.
  • Check For Policy Changes: Determines how frequently the server will be polled for changes to this policy. The default is 180 minutes.
  • Networks to Access: We recommend setting this to “Access point (infrastructure) networks only”.
  • “Use Windows to configure wireless network settings for clients” should be checked.
  • “Automatically connect to non-preferred networks” should not be checked.

Configuring Your Network

To configure a wireless network policy for your own network, go to the Properties for the policy you’ve created (as described above), click on the Preferred Networks tab and click “Add”. The configuration options are:

  • Network Name: Enter the SSID of your wireless network.
  • Description: An optional human-readable message that is used for display purposes.
  • Network Authentication: Choose “WPA”.
  • Data Encryption: This will depend on your wireless network equipment. TKIP is more widely available, but AES is more secure. Both your wireless clients and your access points will need to support AES if you select this option. When in doubt, select TKIP.
  • The Key Is Provided Automatically: With the options above correctly configured, this option will be checked and disabled.
  • This is a Computer-to-Computer Network: Leave this option unchecked.

There are additional options that need to be configured on the IEEE 802.1x tab. Many of these have acceptable default values, with some important exceptions:

  • Enable Network Access Control Using IEEE 802.1x: Must be checked.
  • EAPOL-Start Message: Should usually be set to “Transmit”.
  • Max Start: The default value of 3 is good.
  • Held Period: This value tells the client the number of seconds it should wait after a failed authentication before trying again. The default value is 60 seconds.
  • Start Period: The default value of 60 tells the client to wait for one minute before resending EAPOL-Start messages if the access point fails to respond.
  • Authentication Period: Specifies the number of seconds that the client will wait before resending authentication packets. The default value is 30 seconds.
  • EAP Type: Select “Protected EAP (PEAP)”.
  • Authenticate as Guest When Computer or User Information is Unavailable: This option is usually not enabled.
  • Authenticate as Computer When Computer Information is Available: This option allows the computer to log in to your wireless network using the computer’s Active Directory credentials rather than the user’s credentials.
  • Computer Authentication: With the “Authenticate as Computer When Computer Information is Available” option, you can decide the policy used with computer credentials.

You will likely need to configure PEAP for use with your network. To configure PEAP, click the “Settings” button. The options available are:

  • Validate Server Certificate: With this option checked, the client must have the Elektron digital certificate installed, or the wireless login will fail. To enable this option via this group policy, you will also need to have the Elektron certificate authority digital certificate installed on the domain controller.
  • Authentication Method: Select “Secured Password (EAP-MSCHAP v2)”.
  • Enable Fast Reconnect: This option will allow your users to reconnect to the network for up to 24 hours without needing to reauthenticate. This means that users will be able to bypass Elektron authentication and authorization steps during that period. Generally, you should leave this option disabled.
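The Preferred Networks, IEEE 802.1x and PEAP settings above are what the policy pushes to each client, and the same settings can be read back from a client with `netsh wlan export profile`. The following is an added audit script, not part of this chapter or of Elektron, that checks an exported profile against the recommendations above (WPA, AES preferred over TKIP, 802.1X enabled, PEAP with EAP-MSCHAP v2, server certificate validation on with a trusted root CA, fast reconnect off). The profile XML it builds is constructed for the example: the element and namespace names are assumptions about the export format, so the checks match on local element names only, and the root CA value is a placeholder.

```python
"""Audit a Windows WLAN profile for the 802.1X/PEAP settings recommended above.

Added example, not part of the original chapter. The profile XML produced by
build_profile() is constructed to resemble a ``netsh wlan export profile``
file; its element and namespace names are assumptions, so matching below is
done on local element names only.
"""
import xml.etree.ElementTree as ET


def build_profile(ssid, authentication="WPA", encryption="AES", use_onex=True,
                  validate_server=True, fast_reconnect=False,
                  root_ca="PLACEHOLDER-ROOT-CA-THUMBPRINT"):
    """Return a constructed sample profile (not a real netsh export)."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption>
      <authentication>{authentication}</authentication>
      <encryption>{encryption}</encryption>
      <useOneX>{str(use_onex).lower()}</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type>25</Type></EapMethod>
        <Config><Eap><Type>25</Type>
          <EapType>
            <ServerValidation><TrustedRootCA>{root_ca}</TrustedRootCA></ServerValidation>
            <FastReconnect>{str(fast_reconnect).lower()}</FastReconnect>
            <Eap><Type>26</Type></Eap>
            <PeapExtensions><PerformServerValidation>{str(validate_server).lower()}</PerformServerValidation></PeapExtensions>
          </EapType>
        </Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _find_text(root, name):
    """Text of the first element whose local name is *name*, or None if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return a list of findings; an empty list means the profile matches the guidance."""
    root = ET.fromstring(xml_text)
    findings = []

    auth = _find_text(root, "authentication")
    if auth not in ("WPA", "WPA2"):
        findings.append(f"authentication is {auth!r}; expected WPA")

    enc = _find_text(root, "encryption")
    if enc == "TKIP":
        findings.append("encryption is TKIP; AES is stronger where supported")
    elif enc != "AES":
        findings.append(f"encryption is {enc!r}; expected AES or TKIP")

    if _find_text(root, "useOneX") != "true":
        findings.append("IEEE 802.1X is not enabled (useOneX != true)")

    # EAP method type numbers: 25 = PEAP (outer), 26 = EAP-MSCHAP v2 (inner)
    types = [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "Type"]
    if "25" not in types:
        findings.append("outer EAP method is not PEAP (type 25)")
    if "26" not in types:
        findings.append("inner method is not EAP-MSCHAP v2 (type 26)")

    # Without server validation a client will authenticate to any RADIUS server
    if _find_text(root, "PerformServerValidation") != "true":
        findings.append("server certificate validation is disabled")
    if not _find_text(root, "TrustedRootCA"):
        findings.append("no trusted root CA pinned for server validation")

    if _find_text(root, "FastReconnect") == "true":
        findings.append("fast reconnect is enabled; sessions resume without re-authentication")

    return findings


if __name__ == "__main__":
    for label, profile in (("hardened", build_profile("CorpWLAN")),
                           ("weak", build_profile("CorpWLAN", encryption="TKIP",
                                                  validate_server=False,
                                                  fast_reconnect=True, root_ca=""))):
        print(label, audit_profile(profile) or ["no findings"])
```

To run it against a real client, export the profile with `netsh wlan export profile` and pass the file contents to `audit_profile()`; because the element names in the export may differ from the constructed sample, treat any "not found" style finding as a prompt to inspect the file by hand rather than as a definitive result.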

User Tasks

With the group policy configured, all that users need to do is open the “Connect to Wireless Network” or “Choose a Wireless Network” dialog, highlight the name of your network, and click “Connect”.