Wireless LAN Support in Windows: Frequently Asked Questions

See Wireless LAN Technologies and Microsoft Windows.

For Windows XP, install either Windows XP Service Pack 2 and the Wireless Client Update for Windows XP with Service Pack 2 or Windows XP Service Pack 1 and the Wireless Update Rollup Package for Windows XP. For Windows Server® 2003, install Windows Server 2003 Service Pack 2.

See the "Deployment Resources" section of the Wireless Networking Web site. You can find additional information on the Internet Authentication Service Web site.

See Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home Office or Small Organization Networks for a small office/home office (SOHO) or for a small organization that uses 802.1X authentication and a Windows domain.

See Configuring Windows XP IEEE 802.11 Wireless Networks for the Home and Small Business for a home or small business that does not use 802.1X authentication and a Windows domain.

See Wireless LAN Technologies and Microsoft Windows and the additional resources on the Wireless Networking Web site.

Windows Server 2003 Service Pack 2 includes the following updates to the wireless client software:

See Wireless Networking in Windows Vista, the “Wireless and 802.1X-based Wired Connections” section of New Networking Features in Windows Server 2008 and Windows Vista, and Connecting to Wireless Networks with Windows Vista.

The properties of a wireless network adapter depend on whether the computer is running Windows XP with no service packs installed, Windows XP with Service Pack 1, and Windows XP with Service Pack 2. The properties of a wireless network adapter were changed to address customer issues and confusion. For the best experience configuring wireless networks, install Windows XP Service Pack 2 on all of your computers.

See Wired Networking with 802.1X Authentication.

Wireless Provisioning Services (WPS) is a new capability of Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 that allows you to configure wireless network settings using Extensible Markup Language (XML). WPS can be used to automate the secure configuration and connection to public wireless networks, known as hotspots. For more information, see the Deploying Wireless Provisioning Services Technology white paper.

An alternative to WPS is the Wireless LAN API Update, a free download from Microsoft for computers running Windows XP with Service Pack 2. The Wireless LAN API Update allows you to use new application programming interfaces (APIs) to manage wireless profiles and connections with wireless auto configuration. The APIs in the Wireless LAN API Update are also supported in Windows Vista.

See the “Wireless Networking” section of the Windows Vista Networking Web page. Also, see Wireless Networking in Windows Vista, the “Wireless and 802.1X-based Wired Connections” section of New Networking Features in Windows Server 2008 and Windows Vista, Connecting to Wireless Networks with Windows Vista, and Wireless Group Policy Settings for Windows Vista.

The wireless connection user interface has been redesigned and enhanced in Windows Vista to make wireless network connection and management easier. See Connecting to Wireless Networks with Windows Vista.

For an example of configuring Windows Vista wireless clients in a test lab, see the Windows Vista Wireless Networking Evaluation Guide.

You cannot select the shared key authentication method from the Connect to a network wizard. Microsoft strongly discourages its use because it provides very weak security for wireless networks. To configure shared key authentication, select No authentication (Open) as the Security type in the Connect to a network wizard and then select Shared from the Security tab for the properties of the wireless network.

For detailed information about the commands in the new netsh wlan context, see Netsh Commands for Wireless Local Area Network (wlan).

The IEEE 802.11i wireless networking standard specifies improvements to wireless LAN security. The 802.11i standard has been recently ratified, and addresses many of the security issues of the original 802.11 standard. While the new IEEE 802.11i standard was being ratified, wireless vendors agreed on an interoperable interim standard known as Wi-Fi Protected Access (WPA) to make existing 802.11-based wireless networks more secure.

See Wi-Fi Protected Access Overview and Overview of the WPA Wireless Security Update in Windows XP. For general information about WPA, see Wi-Fi Alliance WPA Q&A. For detailed information about WPA security features, see Wi-Fi Protected Access Data Encryption and Integrity.

Configuration of WPA authentication options is supported in Windows Vista, Windows Server 2008, Windows XP (with either Windows XP Service Pack 2 or Windows XP Service Pack 1 and the Wireless Update Rollup Package for Windows XP), Windows Server 2003 Service Pack 2, and Windows Server 2003 Service Pack 1. Check with your wireless adapter manufacturer for wireless client software that supports WPA for previous versions of Windows.

For information about wireless network adapters and wireless access points (APs) that support WPA, see the Certified product listing of the Wi-Fi Alliance.

Wi-Fi Protected Access 2 (WPA2) is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as being compatible with the 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the 802.11i standard that are not already included for products that support WPA.

See Wi-Fi Protected Access 2 (WPA2) Overview. For general information about WPA2, see the Wi-Fi Alliance Web site. For detailed information about WPA2 security features, see Wi-Fi Protected Access 2 Data Encryption and Integrity.

Configuration of WPA2 authentication options is supported in Windows Vista, Windows Server 2008, Windows XP with Service Pack 2 when the Wireless Client Update for Windows XP with Service Pack 2 is installed, and Windows Server 2003 Service Pack 2. Check with your wireless adapter manufacturer for wireless client software that supports WPA2 for previous versions of Windows.

For information about wireless network adapters and wireless APs that support WPA2, see the Wi-Fi Alliance Web page.

Wireless auto configuration is the feature of Windows Vista, Windows Server 2008, Windows XP, and Windows Server 2003 that allows Windows to detect the available wireless networks and automatically connect to the most preferred wireless network. Wireless auto configuration is enabled by the Wireless Zero Configuration service in Windows XP, the Wireless Configuration service in Windows Server 2003, and the WLAN AutoConfig service in Windows Vista and Windows Server 2008.

Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 include Wireless Provisioning Services (WPS), which allows you to configure wireless network settings using Extensible Markup Language (XML). For more information, see the Deploying Wireless Provisioning Services (WPS) Technology white paper. You can also use the Wireless Network (IEEE 802.11) Policies Group Policy extension in Windows Server 2003 Active Directory® directory service domains to automate the configuration of wireless network settings for wireless client computers running Windows XP with Service Pack 1, Windows XP with Service Pack 2, or Windows Server 2003.

An alternative to WPS is the Wireless LAN API Update, a free download from Microsoft for computers running Windows XP with Service Pack 2. The Wireless LAN API Update allows you to use new application programming interfaces (APIs) to manage wireless profiles and connections with wireless auto configuration. The APIs in the Wireless LAN API Update are also supported in Windows Vista.

See Wireless Auto Configuration for detailed information about the operation of wireless auto configuration in Windows XP.

No. There are no APIs to programmatically configure or deploy WEP keys, nor is it desirable to do so. Static WEP-key based deployments are inherently insecure in large-scale environments and are strongly discouraged. Additionally, there is no means to automate the changing of these keys once they are deployed. You would need to communicate such a change to all devices and all wireless APs simultaneously. Otherwise, the key used on the wireless APs and clients would be different, resulting in communication failures. The recommended solution is to use 802.1X authentication and an authentication method, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), that dynamically determines WEP keys based on the authentication process and frequently changes the WEP key for ongoing connections. For home and small business wireless networks, you can use the new Wireless Network Setup Wizard in Windows XP Service Pack 2 to automatically create a strong WEP key or WPA preshared key and configure other computers running Windows XP with Service Pack 2 and wireless network devices that support Windows Connect Now. For more information, see The New Wireless Network Setup Wizard in Windows XP Service Pack 2.

When Windows XP with no service packs installed, Windows XP with Service Pack 1, and Windows Server 2003 displays a connected state, it means that you have created an association with a wireless AP. The association is the result of a negotiation with the wireless AP to use one of its available connections. However, a successful wireless connection also needs to perform an authentication process, determine encryption keys, and obtain an Internet Protocol (IP) address using the Dynamic Host Configuration Protocol (DHCP). When Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1 displays a connected state, the wireless client computer has associated, authenticated, and received a valid IP address configuration. For more information about improvements in reporting the status of wireless connections in Windows XP SP2, see Wireless LAN Enhancements in Windows XP Service Pack 2.

When connecting to a wireless network that does not require any encryption or that requires you to manually type a network key for encryption, make sure you clear the Enable 802.1X on this connection check box on the Authentication tab of either:

Verify that the Automatically connect to non-preferred networks check box on the Advanced dialog box is cleared. This option is designed to automate connections to any wireless network within range. You can access the Advanced dialog box by clicking Advanced on the Wireless Networks tab from the properties of a wireless network connection in Windows XP and Windows Server 2003.

When a computer running Windows XP with SP1 or Windows XP with SP2 is in the proximity of two wireless APs belonging to different wireless networks, and one of the wireless APs is broadcasting its Service Set Identifier (SSID), also known as the wireless network name, but the other is not, the computer always connects to the wireless AP that is broadcasting its SSID. This occurs regardless of the preference order of the wireless networks that are configured on the preferred networks list. The reason for this is that wireless auto configuration first tries to match available networks to preferred networks based on advertised SSIDs. If there is no match, wireless auto configuration then tries to find networks that were not advertised that are in its preferred networks list. This behavior is described in more detail in Your Computer Connects to an Access Point That Broadcasts Its SSID Instead of an Access Point That Does Not Broadcast Its SSID and Wireless Auto Configuration.

For detailed information about how Windows wireless clients behave for non-broadcast wireless networks, see Non-broadcast Wireless Networks with Microsoft Windows.

Windows XP Service Pack 2, Windows Server 2003 Service Pack 2, and Windows Server 2003 Service Pack 1 include tracing for the Wireless Zero Configuration service, which is the service that performs wireless auto configuration. To see the Wireless Zero Configuration service logs:

To disable tracing for all components, type netsh ras set tracing * disabled at a command prompt.

No. To get the new Wireless Network (IEEE 802.11) Policies Group Policy extension in a Windows 2000 Active Directory domain, the Active Directory schema must be updated. You must install at least one domain controller in your Windows 2000 Active Directory domain that runs Windows Server 2003. This domain controller updates the Active Directory schema for the Wireless Network (IEEE 802.11) Policies Group Policy extension. To configure Wireless Network (IEEE 802.11) Policies settings, you must use the Group Policy snap-in from any domain member computer running Windows Server 2003.

Yes. To take advantage of user certificate autoenrollment, you must upgrade your Active Directory domain to Windows Server 2003, as it requires a Windows Server 2003 Active Directory schema. You can upgrade a Windows 2000 Active Directory domain to a Windows Server 2003 Active Directory schema using the Adprep.exe tool, located in the \I386 folder on the Windows Server 2003 product CD-ROM.

For user certificate autoenrollment, you must use a certification authority that is running Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition. Only these versions of Windows Server 2003 support the certificate templates required to configure user certificate auto enrollment.

Yes. However, you must use at least one domain controller running either Windows Server 2003 with no service packs installed and the 811233 update or Windows Server 2003 with Service Pack 1 to update the Active Directory schema for the Wireless Network (IEEE 802.11) Policies Group Policy extension that supports WPA authentication and encryption options. Additionally, you must configure the Group Policy settings from a computer running Windows Server with no service packs installed or Windows Server 2003 with Service Pack 1. The new WPA settings will be read and configured for wireless clients running Windows XP with SP2, Windows XP with SP1 and the Wireless Update Rollup Package for Windows XP, Windows Server 2003 with the WPA Wireless Security Update in Windows XP, or Windows Server 2003 with Service Pack 1.

Yes. To configure WPA2 authentication settings for wireless clients running Windows XP with SP2 using the Wireless Network (IEEE 802.11) Policies Group Policy extension, the client computers must be members of a Windows Server 2003 Active Directory domain and have the Wireless Client Update for Windows XP with Service Pack 2 installed. The WPA2 authentication settings in the Wireless Network (IEEE 802.11) Policies Group Policy extension must be configured from the Group Policy Object Editor snap-in on a computer running Windows Vista.

For an example configuration in a test lab, see the Windows Vista Wireless Networking Evaluation Guide.

The WPA2 authentication settings configured in this way for Windows XP with SP2 wireless clients also apply to Windows Vista and Windows Server 2003 with Service Pack 2 wireless clients.

Windows Vista supports an enhanced set of wireless Group Policy settings designed for use by Windows Vista and Windows Server 2008 wireless clients. Windows Vista supports both Windows XP-based Group Policy settings and Windows Vista-based Group Policy settings. The Windows Vista-based Group Policy settings include the ability to configure multiple profiles and their order, lists of wireless networks that are either allowed or denied, and Single Sign On settings. For more information, see Wireless Group Policy Settings for Windows Vista. When both types of wireless settings are configured, Windows Vista wireless clients use the Windows Vista settings. If the Windows Vista wireless settings are not configured, Windows Vista wireless clients use the Windows XP wireless settings.

The Windows Vista-based wireless settings can be configured in a Windows Server 2008 Active Directory domain using the Group Policy Object Editor snap-in from a computer running Windows Vista. However, Windows Server 2008 is currently in beta testing.

To configure and use Windows Vista-based wireless settings in a Windows Server 2003 Active Directory domain, you must extend your Windows Server 2003 Active Directory schema to support the new Windows Vista-based wireless settings. For more information and the directory extension file, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements. After extending your schema, configure Windows Vista-based wireless settings from the Group Policy Object Editor snap-in on a computer running Windows Vista.

For an example configuration in a test lab, see the Windows Vista Wireless Networking Evaluation Guide.

For information about using the enhanced Windows Vista wired Group Policy settings, see Frequently Asked Questions about Wired LAN Support in Windows.

For more information, see the following:

For Windows XP, install either Windows XP Service Pack 2 or Windows XP Service Pack 1 and the Wireless Update Rollup Package for Windows XP. For Microsoft Windows CE .NET wireless clients, install FIX: Wireless Clients Cannot Connect When the PEAP Fast Reconnect Authentication Option Is Turned On.

If a Windows XP-based wireless client obtains an Automatic Private IP Addressing (APIPA) address in the 169.254.0.0/16 range when there is a DHCP infrastructure to allocate IP address configurations to wireless clients, you should install either Windows XP Service Pack 2 or Windows XP Service Pack 1 and the Wireless Update Rollup Package for Windows XP.

The most common reason for login scripts failing to execute or when computer configuration Group Policy setting updates are not applied is that computer authentication has failed. Computer authentication can fail for the following reasons:

If you are using Internet Authentication Service (IAS) as your Remote Authentication Dial-In User Service (RADIUS) server, check the System event log for an authentication attempt using the wireless client's computer to ensure that computer authentication is being tried.

Updates to Computer Configuration Group Policy occur when the computer starts, achieves network connectivity, and locates a domain controller. The computer attempts to download the latest Computer Configuration Group Policy based on the computer's placement in a domain system container.

If the wireless client computer cannot authenticate to a wireless AP to obtain wireless LAN network connectivity, the attempt to locate a domain controller and download the latest Computer Configuration Group Policy fails. This event is recorded in the event log.

The solution to this problem is to ensure that computer authentication is configured and is successful, so that wireless LAN network connectivity is present during the location of the domain controller and the download of the Computer Configuration Group Policy. When you are using EAP-TLS authentication, this means that each wireless client computer must have a computer certificate installed.

Updates to User Configuration Group Policy occur when a user supplies correct credentials and logs on to the domain. If the computer has not authenticated itself against the wireless AP, the logon uses cached credentials. After the user certificate in the user's certificate store becomes available, the Windows wireless client configured to use EAP-TLS authentication attempts to authenticate against the wireless AP. Depending on how long the wireless authentication takes, the download of the User Configuration Group Policy might also fail. This event is recorded in the event log.

The solution to this problem is to ensure that computer authentication is configured and is successful. With an installed computer certificate (for EAP-TLS) or a computer account password (for PEAP-MS-CHAP v2), the Windows wireless client has wireless LAN network connectivity during the entire logon process, and therefore should always be able to download the latest User Configuration Group Policy.

Yes, this is the default behavior. With EAP-TLS, your computer or user certificate is automatically submitted when authenticating. With PEAP-MS-CHAP v2, your computer account credentials or your user logon credentials are automatically submitted when authenticating.

No. This type of behavior is not a feature of Windows because it greatly impacts the usability of wireless networking. Roaming between wireless APs may occur at any time, even without changing physical location. Roaming may also occur several times within a short distance. Interrupting the user for credentials with each new wireless association is disruptive and annoying.

No. There are currently no plans to support these alternate wireless authentication protocols. For a comparison of using PEAP over LEAP, see Advantages of Protected Extensible Authentication Protocol (PEAP).

With Windows XP Service Pack 2 or Windows XP Service Pack 1 and the Wireless Update Rollup Package for Windows XP installed, the sequence of events is the following:

The AuthMode registry value (found at HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters \General\Global\AuthMode) affects the behavior of computer authentication and user authentication. The AuthMode value can be set to the following:

0 - Computer authentication is performed when the wireless client computer is started. When a user logs in, if the computer authentication was successful, user authentication is not performed. This setting has been deprecated and its use is discouraged. This is the default setting for Windows XP with no service packs installed.

1 - Computer authentication is performed when the wireless client computer is started. When a user logs in, user authentication occurs. When the user logs out, computer authentication occurs. This is the default setting for Windows XP SP1, Windows XP SP2, and Windows Server 2003.

2 - Computer authentication is performed when the wireless client computer is started. User authentication is never performed.

The default setting of 1 is recommended. A setting of 2 is recommended only in situations where you have kiosk-like wireless devices that require only computer authentication and any user that has access to the device is allowed to access the wireless network.

You can enable tracing for 802.1X connections at a Windows command prompt with the following commands:

To disable tracing for all components, type netsh ras set tracing * disabled at a command prompt.

For information about how to interpret the log files, see A Support Guide for Wireless Diagnostics and Troubleshooting.

Not at this time. All 802.1X-based wireless connections are affected, including those using EAP-TLS or PEAP-MS-CHAP v2. Connections using a static WEP key or WPA-PSK are not affected. Microsoft has addressed this issue in Windows Vista and Windows Server 2008.

Computers running Windows 2000 only support IEEE 802.1X authentication for wired and wireless network adapters with Microsoft 802.1X Authentication Client, a capability included with Service Pack 4.

To configure a wireless client computer running Windows 2000, you must use the wireless configuration tool provided by your wireless network adapter manufacturer. Please see the instructions for the wireless configuration tool to configure 802.11 encryption and authentication settings.

To add 802.1X functionality to the Windows 2000 platform, a subset of features was taken from Windows XP. The 802.1X authentication components are largely the same. For example, you configure 802.1X authentication settings from an Authentication tab from the properties of an Ethernet or wireless network adapter in the Network and Dial-up Connections folder.

Here is a list of the differences for Microsoft 802.1X Authentication Client:

To configure 802.1X authentication settings on the wireless network adapter in the Network and Dial-up Connections folder, see HOW TO: Support Wireless Connections in Windows 2000.

There is no built-in wireless LAN support in Windows Me, Windows 98, or Windows NT 4.0. Wireless network adapter manufacturers must supply all wireless and authentication functionality for these versions of Windows.

To configure a wireless client computer running Windows Me, Windows 98, or Windows NT 4.0, you must use the wireless configuration tool provided by your wireless network adapter manufacturer. Please see the instructions for the wireless configuration tool to configure 802.11 and 802.1X authentication settings.

For help in answering a specific question about wireless support in Windows that is not described in this FAQ, submit your question to the Microsoft Newsgroup for Windows Wireless.