Securing Wireless LANs with PEAP and Passwords

Chapter 6: Configuring the Wireless LAN Clients

Updated: April 2, 2004

Overview

This chapter provides guidance on configuring and deploying the network settings for your wireless local area network (WLAN) clients and connecting the clients to the WLAN. It includes procedures for connecting Microsoft Windows XP (Professional and Tablet Edition) and Pocket PC 2003 clients to the WLAN.

The chapter also provides details on verifying security group memberships for WLAN users and computers, configuring the WLAN settings using Group Policy for Windows XP clients, and procedures for configuring Pocket PC clients.

Chapter Prerequisites

In addition to the prerequisites described in Chapter 3, “Preparing Your Environment,” you should be familiar with the following topics:

Windows XP configuration and driver installation.

Pocket PC 2003 configuration and use.

You should have read and implemented the guidance provided in Chapter 3, “Preparing Your Environment,” Chapter 4, “Building the Network Certification Authority,” and Chapter 5, “Building the Wireless LAN Security Infrastructure.” In addition, you should also have read the design and planning information provided in Chapter 2, “Planning a Wireless LAN Security Implementation” and understood the architecture and design of the solution.

Preparing for Implementation

To carry out the Group Policy configuration procedures in this chapter, you need to log on with an account that is a member of the Domain Admins group for the domain into which you are installing the WLAN settings. By default, the built-in Administrator account of the domain is a member of this group but you may use any other account with the same group membership.

To carry out the Windows XP client computer verification procedures you need to be a member of the local Administrators group for that computer.

Tools Needed

The following table lists the tools that are required for implementing the procedures in this chapter.

Table 6.1: Tools Needed

Tool: Group Policy Management Console (GPMC)
  Description: Advanced management tool for import and export of Group Policy objects (GPOs).
  Source: Installation steps provided in Chapter 3, “Preparing Your Environment.”

Tool: Active Directory Users and Computers
  Description: A Microsoft Management Console (MMC) tool for managing Microsoft Active Directory directory service users, groups, computers, and other Active Directory objects.
  Source: Installed as part of Windows Server™ 2003.

WLAN Client Parameters

The following table lists some of the main parameters used in this chapter.

Table 6.2: WLAN Client Settings

Configuration Item                         | Setting
-------------------------------------------|----------------------------------------------------------------------
Group to allow WLAN access                 | Wireless LAN Access
Group to allow WLAN access for users       | Wireless LAN Users
Group to allow WLAN access for computers   | Wireless LAN Computers
WLAN GPO name                              | WLAN Client Settings
GPO filtering security group               | Wireless LAN Computer Settings
Wireless network policy name               | Windows XP WLAN Client Settings (Protected Extensible Authentication Protocol (PEAP)-Wired Equivalent Privacy (WEP))
WLAN network name (SSID)                   | LucerneWLAN (change this to your WLAN service set identifier (SSID))
Extensible Authentication Protocol (EAP) type | PEAP
PEAP authentication method                 | Secured Password (EAP-MSCHAP v2)
PEAP fast reconnect                        | Enabled

The SSID value is marked "change this" because it must be replaced with the value that is relevant to your environment; the other settings are the names used throughout this solution.

Allowing Users and Computers to Access the WLAN

You can control user and computer access to a network access server (such as a wireless access point (AP)) by setting the dial-in permission on the domain account of the user or computer. This was the method used by Windows NT 4.0 to control user access to the Remote Access Service (RAS). However, controlling network access for a large number of users with this method is extremely cumbersome. Moreover, it is an “all-or-nothing” setting, which means that you cannot allow virtual private network (VPN) access while simultaneously blocking WLAN access for a given user.

Internet Authentication Service (IAS), with Windows 2000 and Windows Server 2003, allows you to control access to network services using Active Directory security groups associated with a remote access policy. This method is more flexible and much easier to manage because it allows you to use group memberships to govern access to a network service.

Controlling WLAN Access Using Security Groups

Access to the WLAN is controlled by the IAS Remote Access Policy (RAP). The RAP for this solution was configured in Chapter 5, “Building the Wireless LAN Security Infrastructure.” This policy includes a filter to allow access to the WLAN only to members of the Wireless LAN Access security group.

Wireless LAN Access is not populated with user and computer accounts directly. It has two security groups as members—Wireless LAN Users and Wireless LAN Computers. The solution makes Domain Users and Domain Computers members of these groups, respectively, which allows all users and computers to connect to the WLAN by default. The background to this topic is discussed in the "WLAN User and Computer Administration Model" section in Chapter 2, “Planning a Wireless LAN Security Implementation.”

Using Security Groups for More Granular Control

Allowing all users and computers access to the WLAN is a very simple administration model, but you may need to exert more control over which users and computers can access the WLAN. To do this, you must remove Domain Users and Domain Computers from Wireless LAN Users and Wireless LAN Computers, respectively. You can then add the specific users and computers to which you want to grant access as members of these groups.

Avoid adding users and computers directly to Wireless LAN Access, because it is a universal group and, therefore, its membership is published to the forest-wide global catalog. Being published to the global catalog means that any changes to its membership will be replicated to all domain controllers in the organization. Adding users and computers to the domain-specific groups (Wireless LAN Users and Wireless LAN Computers) limits the replication changes to just the domain controllers within a single domain.

Note: Pocket PCs do not have Active Directory computer accounts, and therefore you do not need to add them to Wireless LAN Computers. They only use the user account to authenticate to the WLAN; therefore, only the account of the Pocket PC user is significant.

Users receive changed group membership information only at logon. Therefore, your users will need to log off and log on again after you create and populate the WLAN access groups. Similarly, client computers must be restarted after any changes to their group memberships.
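The following script is an added example, not part of the original chapter: it checks the group model described above (no direct user or computer members in the universal Wireless LAN Access group, the two domain-specific groups nested inside it, and the "everyone may connect" default) and tests a single account's effective access. It assumes the ActiveDirectory PowerShell module (RSAT), a tool that postdates this guidance; the group names are the solution's own from Table 6.2.

```powershell
# Added example (not the chapter's own procedure): audit the WLAN access groups
# with the ActiveDirectory module. Requires RSAT; run as a domain user that can
# read group membership. The IAS remote access policy itself is not inspected.
Import-Module ActiveDirectory

$AccessGroup    = 'Wireless LAN Access'      # universal group named in the RAP filter
$UsersGroup     = 'Wireless LAN Users'       # domain-specific group for user accounts
$ComputersGroup = 'Wireless LAN Computers'   # domain-specific group for computer accounts

function Test-WlanGroupModel {
    # Returns a list of problems; an empty list means the model matches the chapter.
    [CmdletBinding()]
    param()
    $problems = @()

    # Wireless LAN Access is universal (its membership replicates to the global
    # catalog), so it should contain only the two domain-specific groups.
    $access = Get-ADGroup -Identity $AccessGroup -Properties GroupScope
    if ($access.GroupScope -ne 'Universal') {
        $problems += "$AccessGroup has scope $($access.GroupScope); expected Universal"
    }
    $direct = @(Get-ADGroupMember -Identity $AccessGroup)
    foreach ($member in $direct) {
        if ($member.objectClass -ne 'group') {
            $problems += "$($member.objectClass) '$($member.Name)' is a direct member of " +
                         "$AccessGroup; add it to $UsersGroup or $ComputersGroup instead"
        }
    }
    foreach ($required in $UsersGroup, $ComputersGroup) {
        if (-not ($direct | Where-Object { $_.Name -eq $required })) {
            $problems += "$required is not a member of $AccessGroup"
        }
    }

    # Report whether the 'all users and computers' default is still in place.
    # Get-ADGroupMember resolves Domain Users / Domain Computers even though they
    # are primary groups (not listed in memberOf), so this check is reliable.
    if (Get-ADGroupMember -Identity $UsersGroup | Where-Object { $_.Name -eq 'Domain Users' }) {
        Write-Verbose "Domain Users is in ${UsersGroup}: every domain user may connect"
    }
    if (Get-ADGroupMember -Identity $ComputersGroup | Where-Object { $_.Name -eq 'Domain Computers' }) {
        Write-Verbose "Domain Computers is in ${ComputersGroup}: every domain computer may connect"
    }
    return $problems
}

function Test-WlanEffectiveAccess {
    # True if the account (user or computer sAMAccountName, e.g. 'jdoe' or
    # 'LAPTOP01$') is granted WLAN access through any nesting path.
    param([Parameter(Mandatory)][string]$SamAccountName)
    # -Recursive flattens the nesting and follows primary-group membership, which a
    # memberOf-based LDAP query would miss for Domain Users / Domain Computers.
    # Very large domains may hit the ADWS member-count limit; scope the query then.
    $effective = Get-ADGroupMember -Identity $AccessGroup -Recursive
    return [bool]($effective | Where-Object { $_.SamAccountName -eq $SamAccountName })
}

# Usage (a changed membership takes effect only after the user logs on again or
# the computer restarts, as the chapter notes):
# Test-WlanGroupModel -Verbose
# Test-WlanEffectiveAccess -SamAccountName 'jdoe'
```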

Configuring Windows XP WLAN Clients

In this section, you will learn how to configure WLAN client settings for Windows XP. The procedures described here will enable you to configure PEAP password authentication using dynamically keyed Wired Equivalent Privacy (WEP) for data protection. The settings can be applied to both Windows XP Professional and Windows XP Tablet Editions.

For instructions on how to configure Wi-Fi Protected Access (WPA) data protection and key management, see Appendix B, "Using WPA in the Solution."

Install any Required Patches and Updates

You should ensure that all relevant patches and updates have been applied to the client computers, including:

Critical security patches.

Windows XP service packs (Service Pack 1 or later).

Windows XP WPA client (if required).

WLAN-related Windows patches (for example, the Wireless Update Rollup Package for Windows XP—see Knowledge Base article 826942. This package is highly recommended unless Windows XP SP2 is installed).

Updated WLAN drivers from your network adapter or computer vendor.

Creating the WLAN Settings GPO

To automate the delivery of WLAN client settings, you can use Active Directory Group Policy. The Group Policy Editor in Windows Server 2003 includes a collection of settings called Wireless Network Policy, which allows you to set client settings that are specific to your WLAN.

Important: It is assumed that the client computers are joined to the domain and are able to connect to a wired LAN so that they can receive the WLAN client settings.

You can create GPOs either by using GPMC or by using Active Directory Users and Computers.

Important: The Wireless Network Policy GPO settings will not appear in the GPO Editor if you are editing the GPO from a Windows 2000 or Windows XP system. You must edit these settings from a Windows Server 2003 system or a system with the Windows Server 2003 administration tools installed. However, the settings work with both Windows 2000 and Windows Server 2003 domain controllers. These settings are not present in the local policy object of any version of Windows.

To create a WLAN Client GPO using GPMC

1. Open the GPMC and select the domain object of the domain you are configuring.

2. Right-click the domain and select Create and Link a GPO Here...

   Note: The GPO is linked at the domain level; therefore, the settings will be available to all computers in the domain. If you prefer, you can restrict the scope of the GPO by linking it to a lower-level organizational unit (OU).

3. When prompted for the name, type WLAN Client Settings.

4. In the right pane, double-click the newly created WLAN Client Settings GPO. The right pane now displays the properties of the GPO.

5. Click the Scope tab. In the Security Filtering list, select Authenticated Users and delete it using the Remove button.

6. Click Add... to add a different group.

7. Type (or browse for) Wireless LAN Computer Settings.

   Note: The effective membership of the Wireless LAN Computer Settings group is the Domain Computers group; Domain Computers is a member of Wireless LAN Computers, which in turn is a member of the Wireless LAN Computer Settings group. The GPO at the domain level (refer to step 1) allows all computers in the domain to receive WLAN client settings. If you want to restrict the settings to a smaller subset, remove Domain Computers from the Wireless LAN Computers group membership.

8. Click the Details tab and select User configuration settings disabled from the GPO Status drop-down list. Click OK to confirm.

9. Right-click the GPO in the left pane and select Edit... to edit the GPO settings.

10. When the GPO Editor opens, navigate to \Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies.

11. Select the Wireless Network (IEEE 802.11) Policies object from the navigation pane and then select Create Wireless Network Policy from the Action menu.

12. Use the wizard to name the policy Windows XP WLAN Client Settings (PEAP-WEP). Leave the Edit properties check box selected and then click Finish to close the wizard.

13. Click the Preferred Networks tab and then click Add... to add a new preferred network.

14. In the Network Name (SSID) field, type the name of your wireless network.

15. In the Description field, type a description of the network.

    Note: If you have an existing WLAN and you intend to run it side by side with the 802.1X-based WLAN of this solution, you must use a different SSID for the new WLAN.

16. Click the IEEE 802.1x tab and select Protected EAP (PEAP) from the EAP Type drop-down list.

17. Click the Settings... button to modify the PEAP settings. From the Trusted Root Certification Authorities list, select the root CA certificate for the CA that you installed in Chapter 4, “Building the Network Certification Authority.”

    Important: If you ever need to reinstall your CA from scratch (not just restore from backup), edit the GPO and select the root CA certificate for the new CA.

18. Select Secured Password (EAP-MSCHAP v2) in Select Authentication Method and then select the Enable Fast Reconnect option.

19. Close each properties window by clicking OK.

20. Close the GPO Editor and the GPMC.

To create the GPO using Active Directory Users and Computers (if you have not installed the GPMC), substitute the following steps for steps 1 to 10 in the previous procedure.

To create a GPO using Active Directory Users and Computers

1. Open Active Directory Users and Computers and select the domain object.

2. Right-click the domain object and select Properties.

3. Click the Group Policy tab and then click the New... button.

4. Type WLAN Client Settings for the GPO name.

5. Click the Properties button and then click the Security tab.

6. Select Authenticated Users from the Group or User Names list and click the Remove button.

7. Click Add... and type (or browse for) Wireless LAN Computer Settings. Click OK.

8. With the Wireless LAN Computer Settings group name highlighted in the Group or User Names list, select the Read and Apply Group Policy permissions in the Allow column of the Permissions list.

9. Click the General tab and click Disable User Configuration settings. Click Yes to any warning messages.

10. Click OK to apply the changes and close the GPO properties window.

11. Click the Edit button to edit the policy and navigate to \Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies.

12. Repeat steps 11 to 20 of the previous procedure.

Deploying the WLAN Settings

If you are migrating from an existing WLAN (unsecured, static WEP or other type), you should deploy WLAN Group Policy settings for the new 802.1X-based network several days, or even weeks, in advance of configuring 802.1X settings on your wireless access points and activating the new WLAN. Doing so will provide the client computers with ample opportunity to download and apply the WLAN Client Settings Group Policy, even if they only connect to the wired LAN occasionally.

You can also apply the Group Policy settings to your client computers before a WLAN network adapter is installed and configured by Windows. The WLAN settings will be ignored until a valid WLAN network adapter is installed. Once the network adapter is installed, it will automatically be configured with the WLAN Group Policy settings.

Verifying Application of WLAN Group Policy

To verify correct application of the WLAN GPO settings, you need to log on to a client computer. The Domain Computers group is a member of the Wireless LAN Computer Settings security group, which is used to filter which computers receive the WLAN settings in the WLAN Client Settings GPO. All domain computers should therefore have received these GPO settings. You may need to restart the computer if it has not been restarted since the creation of the Wireless LAN Computer Settings group.

Note: You must have a WLAN network adapter installed on the computer to view the wireless network settings.

To verify successful deployment of the WLAN settings

1. Log on as a member of the local Administrators group on a client computer.

2. Double-click the Network Connections folder in Control Panel.

3. View the properties of the Wireless Network Connection icon that corresponds to your wireless card. On the Wireless Networks tab, you should see your new wireless network SSID (name) under Preferred Networks.

4. Select the new wireless SSID and click Properties to view the settings and verify that they match those chosen in the WLAN Group Policy.

5. If the SSID does not appear under Preferred networks, or the network settings shown for this SSID do not match the settings configured in the WLAN Group Policy, close all Wireless Networks dialog boxes and run the following command from the command prompt:

   Gpupdate /force

   After a minute or two, reinspect the settings. If the settings still do not appear, refer to the “Troubleshooting” section in Chapter 8, “Maintaining the Secure Wireless LAN Solution.”

Verifying the Root CA Certificate on the Client

To authenticate to the IAS server using PEAP, the clients need to have the certificate for the network CA (installed using the guidance provided in Chapter 4, “Building the Network Certification Authority”) in their Trusted Root CA store. This certificate was published to Active Directory as part of the CA installation. All members of your Active Directory forest will automatically download and install this certificate in their Trusted Root CA store.

To verify that the root CA certificate has been installed

1. Log on as Administrator to the client computer.

2. Run MMC.exe (from the Start, Run... menu option or a command shell).

3. From the File menu of the MMC, select Add/Remove Snap-in...

4. On the Add/Remove Snap-in window, click the Add... button. Select the Certificates item from the list of available snap-ins.

5. Select Computer Account and then click Next.

6. Click Finish.

7. Close the Add Standalone Snap-in and the Add/Remove Snap-in windows.

8. In the left pane, navigate to Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates.

9. Locate the certificate for your CA. (It will be listed under the name you gave during the CA installation.)

10. If the certificate does not appear in the list, open a command shell and type the command:

    Gpupdate /force

11. Return to the Certificates management console. Right-click the Certificates (Local Computer) node, select Refresh, and then check for the CA certificate again.

If the certificate still does not appear, see the “Troubleshooting” section in Chapter 8, “Maintaining the Secure Wireless LAN Solution.”
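The two manual checks above (that the WLAN Client Settings GPO reached the computer, and that the network CA certificate is in the computer's Trusted Root store) can be scripted on a client. The following is an added example and not part of the original chapter; it assumes Windows PowerShell on the client, and $CaName and $ExpectedThumbprint are placeholders for your own CA's name and SHA-1 thumbprint.

```powershell
# Added example (not the chapter's own procedure): verify on a client computer
# that the WLAN GPO was applied and the network CA root certificate is trusted.
function Test-WlanClientReadiness {
    [CmdletBinding()]
    param(
        [string]$GpoName = 'WLAN Client Settings',   # GPO name from Table 6.2
        [Parameter(Mandatory)][string]$CaName,       # placeholder: your CA's common name
        [string]$ExpectedThumbprint                  # placeholder: SHA-1 hex, optional
    )

    # Group Policy records each applied GPO under this key, one subkey per
    # client-side extension, with a DisplayName value per GPO. Computer policy
    # (where the wireless settings live) is recorded under HKLM.
    $history = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $applied = Get-ChildItem -Path $history -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName } |
        Where-Object { $_ } | Sort-Object -Unique
    $gpoApplied = [bool]($applied -contains $GpoName)

    # The root CA certificate must be in the computer's Trusted Root store
    # (Certificates (Local Computer)\Trusted Root Certification Authorities) and,
    # being a root, must be self-signed (subject equals issuer).
    $root = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaName*" -and $_.Subject -eq $_.Issuer })
    $rootPresent = $root.Count -gt 0

    # Pinning the thumbprint catches a stale certificate left over from a CA that
    # was reinstalled from scratch (see the Important note under step 17 above).
    $thumbOk = $true
    if ($ExpectedThumbprint -and $rootPresent) {
        $wanted  = ($ExpectedThumbprint -replace '\s', '').ToUpper()
        $thumbOk = [bool]($root | Where-Object { $_.Thumbprint -eq $wanted })
    }

    if (-not ($gpoApplied -and $rootPresent -and $thumbOk)) {
        Write-Warning "Run 'gpupdate /force', wait a minute or two, and re-run this check."
    }
    # New-Object PSObject keeps this compatible with PowerShell 2.0 on Windows XP.
    return New-Object PSObject -Property @{
        GpoApplied        = $gpoApplied
        RootCaPresent     = $rootPresent
        ThumbprintMatches = $thumbOk
        AppliedGpos       = $applied
    }
}

# Usage: Test-WlanClientReadiness -CaName 'Lucerne Network CA' -ExpectedThumbprint '<thumbprint>'
```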

Verifying the Connection to the WLAN

Having verified the WLAN GPO settings and the root CA certificate, you can now test the connection to the WLAN using a client computer.

To test the connection to the WLAN

1. As a domain user with authorized access to the WLAN, log on to a client computer that has a WLAN card installed and is not connected to the wired network. By default, all domain users have access to the WLAN.

   Note: If the WLAN is not working at this point and the user does not have cached credentials on the computer, the logon will fail.

2. From the command prompt, use the ping command to verify network connectivity to another computer on the network.

If the ping command (or logon) fails, see the “Monitoring Client Connection to the WLAN” subsection of the “Troubleshooting” section in Chapter 8, “Maintaining the Secure Wireless LAN Solution.”

For more information on testing procedures for WLAN clients, see Chapter 7, “Testing the Secure Wireless LAN Solution.”

Configuring Pocket PC 2003 Clients

Pocket PC 2003 has full support for 802.1X WLAN networks using either PEAP (with passwords) or Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) (with certificates). However, Pocket PC 2003 is a modular operating system and the vendor of the handheld device can choose whether or not to include this facility; therefore, you should not assume that all Pocket PC 2003 devices are WLAN-capable. Leading vendors of these devices provide 802.1X WLAN-capable systems either with built-in WLAN hardware or with an add-on WLAN network adapter. This section describes the configuration of the generic Pocket PC WLAN interface and is based on the HP IPAQ 5550 Pocket PC. However, some vendors implement their own WLAN drivers and interfaces. The following instructions may not be correct for these latter devices and you should follow the instructions provided by your device vendor.

Some Pocket PC device vendors also offer 802.1X WLAN support on Pocket PC 2002. Pocket PC 2002 has not been tested with this solution. You should consult your vendor's Web site for details of their Pocket PC 2002 support for WLAN.

Preparing the Pocket PC Device

Before configuring the device, you should obtain and install any relevant updates for your Pocket PC available from its vendor, including:

Read-only memory (ROM) updates. (These may contain a variety of updates including drivers.)

Network driver updates.

Other WLAN or network updates that are relevant to 802.1X networking.

Important: Before installing the updates, you should carefully read the documentation accompanying each of them. Some updates may be incompatible with others or with what you are trying to achieve. For example, HP has published an update for the IPAQ 555x series to support Cisco LEAP but this update is incompatible with their 802.1X WLAN driver update and will prevent PEAP from working.

Making the CA Certificate Available

You need to install the CA certificate of your network CA into the Trusted Root CA store of all Pocket PCs that need to connect to the WLAN. To do this, you must export the certificate from the CA and make it available for Pocket PC users or information technology (IT) staff.

To export the CA certificate

1. Log on to the CA server and open a command shell.

2. Run the following command to export the CA certificate to a file:

   certutil -ca.cert rootca.cer

   You can specify a path to the Rootca.cer file if you want to save it in a different folder. (You need to enclose the path and file name in quotes if it contains embedded spaces.)

3. Copy the certificate file to a file share or Web server directory so that users can easily download it when required for the Pocket PC installation.
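Because the Pocket PC user is later asked to confirm the CA name before installing the file (see "To import the CA certificate to the Pocket PC" below), it helps to publish the certificate's subject and thumbprint alongside it. The following script is an added example, not part of the original chapter; it runs the same certutil command as step 2 on the CA server and assumes $ShareDir is the share or Web directory from step 3.

```powershell
# Added example (not the chapter's own procedure): export the root CA
# certificate and write its subject and SHA-1 thumbprint next to it so users
# can compare both on the device before tapping Yes.
function Export-RootCaForPocketPc {
    param([Parameter(Mandatory)][string]$ShareDir)   # placeholder: e.g. '\\fileserver\wlan'

    $cerPath = Join-Path $ShareDir 'rootca.cer'
    # certutil -ca.cert writes the CA's current certificate in binary (DER) form,
    # the format the Pocket PC certificate installer opens on double-tap.
    & certutil -ca.cert "$cerPath" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
    # Only a self-signed certificate belongs in the Trusted Root store; anything
    # else means the wrong certificate was exported (for example a subordinate CA).
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Exported certificate is not self-signed: $($cert.Subject)"
    }

    $info = @(
        'Network CA root certificate for the WLAN',
        "Subject:    $($cert.Subject)",
        "Valid to:   $($cert.NotAfter.ToString('u'))",
        "Thumbprint: $($cert.Thumbprint)",
        'Verify the CA name and thumbprint on the device before installing.'
    )
    $info | Set-Content -Path (Join-Path $ShareDir 'rootca.txt') -Encoding ASCII
    return $cert
}

# Usage: Export-RootCaForPocketPc -ShareDir '\\fileserver\wlan'
```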

Configuring the Pocket PC

You must configure each Pocket PC with the CA certificate and WLAN settings before it can be connected to the WLAN. You need some means of copying the certificate file to the Pocket PC. This procedure assumes the use of an ActiveSync connection established using a docking cradle, Infrared, or Bluetooth connection. You can also use removable media (such as a Compact Flash, Secure Digital, or Multimedia Card) to transfer the certificate file, or use an unauthenticated WLAN connection to allow the Pocket PC to download the certificate from a Web site. You can also send the certificate to the user in e-mail, allow them to synchronize (to transfer the e-mail to Pocket Outlook), and then have the user execute the attached certificate file.

To import the CA certificate to the Pocket PC

1. Connect the Pocket PC to a host computer using ActiveSync (you may need to establish an ActiveSync partnership to do this) and your preferred connection method.

2. From the host computer, use the ActiveSync Explore option to open a folder window on the device; it should open the My Documents folder.

3. Obtain the CA certificate file from its published location and copy it to the My Documents folder. You can ignore the warning about file conversion. You can now disconnect the device from the ActiveSync connection.

4. On the Pocket PC, locate the CA certificate file using File Explorer and double-tap the file.

5. You will be asked whether you want to install the certificate. Verify that the CA name matches the name of your network CA and tap Yes to install it.

You can verify successful installation of the certificate by selecting Settings, System, Certificates, and then tapping the Root tab.

To configure the 802.1X WLAN settings on the Pocket PC

1. If the WLAN adapter is not already enabled on the device, enable it using either a hardware switch or a software tool.

2. If a pop-up message displays indicating that a new network has been found, select Work as the location to which the WLAN will connect you. Then tap Settings.

   If the pop-up message does not appear (because the WLAN had been previously detected), perform the following steps:

   a. Tap the Connectivity icon (two arrows pointing in opposite directions) on the Pocket PC title bar and tap Settings.

   b. Tap the Advanced tab and then tap the Network Card button.

   c. On the Wireless tab, you should see your WLAN SSID in the list of available wireless networks (if there are any other WLANs in range, their names may appear here).

   d. Tap the name of your WLAN in the list.

3. On the General tab, select Work from the Connects to: list.

4. On the Authentication tab, select the following options:

   - Data encryption (WEP Enabled)
   - The Key is provided for me automatically
   - Enable network access using IEEE 802.1X

   Clear the Network Authentication (Shared mode) option.

5. In the Extensible Authentication Protocol Type: list, select PEAP.

6. Tap OK to close the WLAN settings screen.

7. When prompted to enter domain credentials to connect to the WLAN, type the name, password, and domain of a user who is authorized to connect to the WLAN.

   Warning: You should select the Save Password option only if a strong security mechanism, such as fingerprint scanning or strong password access, is implemented to help protect the device from unauthorized use. Remember that the user credentials are used to authenticate to domain resources as well as the WLAN. If they are compromised, they will allow an intruder to access all your internal network resources over the WLAN without detection.

8. If you navigated to the WLAN settings through the New Network popup in step 2, tap the Connectivity icon on the title bar of the Pocket PC and tap Settings to open the Connections Settings screen.

9. Tap the Advanced tab and then the Network Card button. (You will already be at this screen if you did not navigate through the New Network popup in step 2.)

10. In the Wireless Networks list, you should see the name of the WLAN that you just configured. The status should be Connected; if it is not, tap and hold the name and tap Connect. (You may be prompted to enter the user credentials again.)

11. If the WLAN is now shown as Connected, tap OK to close the Configure Wireless Networks and the Connections Settings screens.

Note: If you are going to give these instructions to the Pocket PC users to configure their own devices, they can enter their own domain credentials when prompted. However, if the IT support engineers are preconfiguring the Pocket PCs for the users, you need to provide the engineers with valid domain accounts (with access to the WLAN); it is especially important that they do not select the Save Password option when using such accounts. The users should then be instructed to enter their own credentials when they first connect using the Pocket PCs.

Verifying the Pocket PC Connection to the WLAN

You can verify that the Pocket PC has successfully connected to the WLAN in a number of ways. The simplest way is to connect to an application on the network, such as a Web site. (You may need to configure a proxy server on the device if the Web server is not on the LAN.)

If the connection fails, see the “Troubleshooting” section in Chapter 8, “Maintaining the Secure Wireless LAN Solution.”

Summary

This chapter dealt with the configuration of WLAN network settings for Windows XP and Pocket PC clients. It provided guidance on using security groups to control access to the WLAN, configuring Group Policy to deploy WLAN settings to Windows XP clients, and configuration steps for Pocket PC 2003 clients.

References

This section provides references to important supplementary information or other background material relevant to the content of this chapter.

For more information on administering WLAN access by user and by security group, see the "Introduction to remote access policies" topic in the Windows Server 2003 product documentation, which is available at the following URL:

http://technet2.microsoft.com/windowsserver/en/library/06e188ef-0c02-4554-8dbc-dd08b4ea804c1033.mspx

For more information on the Wireless Update Rollup Package for Windows XP, see the following URL:

http://support.microsoft.com/default.aspx?scid=826942

For more information on configuring WLAN network settings using Group Policy, see the "Define Active Directory–based wireless network policies” topic in the Windows Server 2003 product documentation, which is available at the following URL:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/588AE21E-2156-470C-B618-651B952B9C4D.mspx

You can get more technical information on the WLAN support in your Pocket PC from the device vendor. For more technical information, see the "Windows CE .NET Wireless Technology Overview" on the Microsoft Developer Network at the following URL:

http://msdn.microsoft.com/library/en-us/wcemain4/html/cmconwindowscenetwirelesstechnologyoverview.asp