
Ultimate wireless security guide: Automatic PEAP deployment with Microsoft Active Directory GPO

Enterprise wireless LAN security is a persistent concern for every system administrator and CIO. This article, part of the TechRepublic ultimate guide to enterprise wireless LAN security, shows you how to save hours of trouble per user by deploying client side wireless configuration settings with Microsoft Active Directory Group Policies.

The complete TechRepublic Ultimate Wireless Security Guide is available as a download in PDF form.

Save hours of trouble per user by deploying client-side wireless configuration settings from Microsoft Active Directory with Group Policy: configuring the global wireless LAN policy for your entire organization takes minutes. These settings can be pushed out from Windows Server 2003 with Service Pack 1, Windows Server 2003 R2, or Windows Server 2007. They apply to Windows XP computers with Service Pack 2 and above, and they work on Windows Vista.

To get started, fire up the Group Policy editor by opening "Active Directory Users and Groups" as a Domain Administrator. You can deploy the wireless policy to the entire domain, or you can limit the deployment to a particular Organizational Unit (OU) that contains a certain class of users. Once you get to the screen shown in Figure DD, create a new Group Policy called "Wi-Fi Policy" and click "Edit" as shown.

Figure DD

Edit Global Group Properties

Expand the tree as shown in the screenshot in Figure EE, right-click "Wireless Network ...", and click "Create Wireless Network Policy".

Figure EE

Group Policy Object Editor

Click "Next". (Figure FF)

Figure FF

Wireless Network Policy Wizard

Pick a name for the new policy such as "Wi-Fi Policy" as shown below (Figure GG) and click "Next".

Figure GG

Choose a name

Click "Finish". (Figure HH)

Figure HH

Click Finish

Fill out the dialog box shown in Figure II. Note that I have selected "Access point (infrastructure) networks only" for "Networks to access". This is a very important security feature that Active Directory affords your entire network: even if you don't intend to run wireless networking on your network, you should still use this setting to prevent any domain user from using wireless ad hoc mode.

The "Use Windows to configure wireless network settings for clients" setting is also very important. Even if your clients have a third-party wireless client such as the Cisco ACU installed with Microsoft Wireless Zero Configuration disabled, this setting overrides all of them and makes them use these Active Directory settings. This gives you full control of wireless networking in your network from a centralized policy. When you've completed this page, click on the "Preferred Networks" tab.

Figure II

Wi-Fi Policy

Click "Add." (Figure JJ)

Figure JJ

Preferred Networks

Enter the SSID you have configured on all of the wireless access points you have set up. Use your own SSID; it shouldn't be the same as my example below. Having a common SSID across all your access points (if they attach to the same subnet) allows your users to "roam" between access points. Fill out everything else below the same way, with WPA and TKIP as fairly secure and widely supported settings. You can use AES for "Data encryption" if all of your hardware supports it. Then click on the "IEEE 802.1x" tab. (Figure KK)

Figure KK

MySSID

Fill out the following window exactly as shown in Figure LL. The "Authenticate as computer when computer information is available" setting enables machine authentication, which is a very useful feature unique to the Windows wireless client. Click on the "Settings" button to continue.

Figure LL

Preferred settings

The following screen, shown in Figure MM, holds another important security feature of Active Directory. Forcing the "Validate server certificate" setting protects users from man-in-the-middle attacks in which an attacker poses as a valid access point and RADIUS server with a bogus certificate. Validating the server certificate prevents this, and you don't want the users to set this themselves, because that gives them the opportunity to get it wrong.

Pre-selecting the "Trusted Root Certificate Authorities" is also an important security feature, because you don't want the users to trust all of the other Certification Authorities on the list. You also want to check "Do not prompt user to authorize new servers or trusted certification authorities". Manual configuration of these settings is complex and unreliable; security must be systematically enforced at the policy level.

Figure MM

Certificate settings

Then click on the "Configure" button in Figure MM, and you will get the window shown in Figure NN. This is a very convenient method of authentication in which the user's Windows credentials are automatically used for wireless (or wired 802.1x) access.

Figure NN

Automate credentials

Once this is completed, click OK on this and all the previous dialog boxes to commit the changes. Within minutes to an hour, once your client machines refresh Group Policy automatically or when they log on to Active Directory, they will have all these new settings.
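To verify that a client actually received the settings pushed in Figures II through NN, the following added example (not from the article) audits an exported WLAN profile against that checklist: infrastructure-only, WPA/TKIP or AES, 802.1x with PEAP, machine authentication, server certificate validation, a pinned trusted root CA, and no user prompt. It assumes the XML element names used by `netsh wlan export profile` on Vista and later; the sample profile is constructed here, with namespaces dropped for brevity.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a `netsh wlan export profile` XML.
# Namespaces are omitted; the checker matches on local element names,
# so namespaced real exports parse the same way.
SAMPLE_PROFILE = """<WLANProfile>
  <name>MySSID</name>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA</authentication>
      <encryption>TKIP</encryption><useOneX>true</useOneX></authEncryption>
    <OneX><authMode>machineOrUser</authMode>
      <EAPConfig><EapHostConfig><Config><Eap><Type>25</Type><EapType>
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <TrustedRootCA>00 11 22 33</TrustedRootCA>
        </ServerValidation>
        <PeapExtensions><PerformServerValidation>true</PerformServerValidation></PeapExtensions>
      </EapType></Eap></Config></EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

# Same profile with two of the article's key settings weakened (constructed).
WEAK_PROFILE = (SAMPLE_PROFILE
                .replace("<connectionType>ESS", "<connectionType>IBSS")
                .replace("<PerformServerValidation>true", "<PerformServerValidation>false"))


def _text(root, local_name):
    """Text of the first element whose tag matches local_name, ignoring any namespace."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return the names of the policy settings this profile fails to meet."""
    root = ET.fromstring(xml_text)
    checks = [
        ("infrastructure (access point) networks only", _text(root, "connectionType") == "ESS"),
        ("WPA or WPA2 authentication", _text(root, "authentication") in ("WPA", "WPA2")),
        ("TKIP or AES data encryption", _text(root, "encryption") in ("TKIP", "AES")),
        ("IEEE 802.1X enabled", _text(root, "useOneX") == "true"),
        ("PEAP (EAP type 25) selected", _text(root, "Type") == "25"),
        ("machine authentication allowed", _text(root, "authMode") in ("machine", "machineOrUser")),
        ("validate server certificate", _text(root, "PerformServerValidation") == "true"),
        ("no user prompt for new servers/CAs", _text(root, "DisableUserPromptForServerValidation") == "true"),
        ("trusted root CA pinned", bool(_text(root, "TrustedRootCA"))),
    ]
    return [name for name, ok in checks if not ok]
```

An empty result means the profile matches the policy; the weakened variant reports the ad hoc connection type and the missing server validation.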


9 comments
jbutterf

I'm not seeing the option for 'wireless networking' anything when I edit the new GPO I've created as shown in the example. I even tried running the GPO editor from a wireless laptop in case it was because the workstation didn't have wireless hardware... running W2K3 DCs.

Thierrypenning

Is this function also possible for wired connections? Imagine that the wireless access point is a layer 2/3 switch configured to use RADIUS and all ports are 802.1x enabled, because I would like to authenticate computers to my network. The only thing I got working is by user credentials and user certificates. With this HOWTO it works just like I want it to work... only using wired network authentication instead of wireless. Thanks in advance, Thierry Penning

malikn1

Thanks. This was great. Is there a way to lock this policy so the clients can't change it, and have it be at the top of the profile list every time in XP SP2? Thanks, Malik

zoly_almasi

Is there a patch to upgrade the domain controller GPO to WPA2? The wireless settings GPO supports WPA but not WPA2.

BarbiD

Does this only apply to Windows Server? What if you only have a wireless router?

Amphitryon

Does the certificate need to be installed on the client computer? I tried this as outlined here and it doesn't appear to have completely worked. The GPO pushed to my test client and the settings showed up for the WLAN adapter, but no client side certificate (for my server/domain) was available for selection... so I get an exclamation point (!) on the test client's WLAN adapter and a big red ? on the network connection 'Authentication Failed' ... Do I have to set up a CA server to direct users to install the cert? This is all new to me, sorry if I am missing something obvious.

amarige

Hello, I did as shown in the tutorial but it doesn't work. Should I configure something else? How can I know that this strategy is being added correctly? Thanks,

strosien_z

The clients do need to be aware of the server's public key. You can push the public key of the CA cert out to all of the clients by including it in the Domain Security Settings MMC: Public Key Policies -> Trusted Root Certification Authorities

echatham

This is also not working for me. What type of Cert do I need to create? I have the default Domain Controller cert as an Issued Cert. I even placed this cert in the Domain Security Settings MMC under Trusted Root Cert.