Ultimate wireless security guide: Automatic PEAP deployment with Microsoft Active Directory GPO

Enterprise wireless LAN security is a persistent concern for every system administrator and CIO. This article, part of the TechRepublic ultimate guide to enterprise wireless LAN security, shows you how to save hours of trouble per user by deploying client side wireless configuration settings with Microsoft Active Directory Group Policies.

The complete TechRepublic Ultimate Wireless Security Guide is available as a download in PDF form.

Deploying client-side wireless configuration settings from Microsoft Active Directory with Group Policy saves hours of trouble per user: you configure the global Wireless LAN policy for your entire organization in minutes. These settings can be pushed out from Windows Server 2003 with Service Pack 1, Windows Server 2003 R2, or Windows Server 2007. They apply to Windows XP computers with Service Pack 2 and above, and they also work on Windows Vista.

To get started, open the Group Policy editor by starting "Active Directory Users and Groups" as a Domain Administrator. You can deploy the wireless policy to the entire domain, or you can limit the deployment to a specific Organizational Unit (OU) that contains a particular class of users. Once you reach the screen shown in Figure DD, create a new Group Policy called "Wi-Fi Policy" and click "Edit" as shown.

Figure DD

Edit Global Group Properties

Expand the tree as shown in the following screenshot (Figure EE) and right-click "Wireless Network ...". Click "Create Wireless Network Policy".

Figure EE

Group Policy Object Editor

Click "Next". (Figure FF)

Figure FF

Wireless Network Policy Wizard

Pick a name for the new policy, such as "Wi-Fi Policy", as shown below (Figure GG) and click "Next".

Figure GG

Choose a name

Click "Finish". (Figure HH)

Figure HH

Click Finish

Fill out the dialog box shown in Figure II. Note that I have selected "Access point (infrastructure) networks only" for "Networks to access". This is a very important security feature that Active Directory affords your entire network. Even if you don't intend to run wireless networking on your network, you should still use this setting to prevent any domain user from using wireless ad hoc mode.

The "Use Windows to configure wireless network settings for clients" setting is also a very important feature. Even if your clients have a third-party wireless client such as the Cisco ACU installed with Microsoft Wireless Zero Configuration disabled, this setting overrides all of them and makes them use these Active Directory settings. This gives you full control of wireless networking in your network from a centralized policy. When you've completed this page, click on the "Preferred Networks" tab.

Figure II

Wi-Fi Policy

Click "Add." (Figure JJ)

Figure JJ

Preferred Networks

Enter the SSID you have configured on all of your Wireless Access Points. Use the SSID that you want; it should not be the same as my example below. Having a common SSID across all your access points (if they attach to the same subnet) allows your users to "roam" between access points. Fill everything else out as shown below, with WPA and TKIP as fairly secure and widely supported settings. You can use AES for "Data encryption" if all of your hardware supports it. Then click on the "IEEE 802.1x" tab. (Figure KK)

Figure KK


Fill out the following window exactly as shown in Figure LL. The "Authenticate as computer when computer information is available" option enables machine authentication, which is a very useful and unique feature of the Windows wireless client. Click on the "Settings" button to continue.

Figure LL

Preferred settings

The following screen, shown in Figure MM, holds another important security feature of Active Directory. Forcing the "Validate server certificate" setting protects users from man-in-the-middle attacks, where an attacker may attempt to pose as a valid access point and RADIUS server with a bogus certificate. Validating the server certificate prevents this, and you don't want the users to set this themselves because that gives them the opportunity to get it wrong.

Pre-selecting the "Trusted Root Certificate Authorities" is also an important security feature, because you don't want the users to trust all of the other Certification Authorities on the list. You also want to check "Do not prompt user to authorize new servers or trusted certification authorities". Manual configuration of these settings is complex and unreliable. Security must be systematically enforced at a policy level.

Figure MM

Certificate settings

Then click on the "Configure" button in Figure MM, and you will get the window shown in Figure NN. This is a very convenient method of authentication where the user's Windows credentials are automatically used for wireless (or wired 802.1x mode) access.

Figure NN

Automate credentials

Once this is completed, click OK in this and all the previous dialog boxes to commit the changes. Within minutes to an hour, once your client machines refresh their group policy automatically or when they log on to Active Directory, they will have all of these new settings.
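To confirm that a client actually received the settings this policy enforces (infrastructure only, 802.1X with PEAP, machine authentication, server certificate validation against a pinned root CA, no user prompts, Windows logon credentials), an administrator can audit the profile XML that a client exports. The checker below is an added example, not part of the original article; it assumes the element names and namespaces of the Windows WLAN profile export format, and the embedded profile is a constructed sample with placeholder SSID and CA thumbprint.

```python
import xml.etree.ElementTree as ET

# Namespaces of the Windows WLAN profile XML (assumed to match what
# `netsh wlan export profile` writes; confirm against a real export).
P = "http://www.microsoft.com/provisioning/"
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1",
      "ox": "http://www.microsoft.com/networking/OneX/v1",
      "be": P + "BaseEapConnectionPropertiesV1", "peap": P + "MsPeapConnectionPropertiesV1",
      "peap2": P + "MsPeapConnectionPropertiesV2", "ms": P + "MsChapV2ConnectionPropertiesV1"}

# Constructed sample reflecting the GPO settings described in the article
# (the SSID and the root CA thumbprint are placeholders, not real values).
COMPLIANT_PROFILE = f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['w']}"><name>CorpWiFi</name>
<SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
<connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
<MSM><security><authEncryption><authentication>WPA</authentication>
<encryption>TKIP</encryption><useOneX>true</useOneX></authEncryption>
<OneX xmlns="{NS['ox']}"><authMode>machineOrUser</authMode><EAPConfig>
<EapHostConfig xmlns="{P}EapHostConfig"><Config><Eap xmlns="{NS['be']}">
<Type>25</Type><EapType xmlns="{NS['peap']}"><ServerValidation>
<DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
</ServerValidation><Eap xmlns="{NS['be']}"><Type>26</Type>
<EapType xmlns="{NS['ms']}"><UseWinLogonCredentials>true</UseWinLogonCredentials>
</EapType></Eap><PeapExtensions>
<PerformServerValidation xmlns="{NS['peap2']}">true</PerformServerValidation>
</PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig>
</OneX></security></MSM></WLANProfile>"""


def audit_profile(xml_text):
    """Return the list of policy violations found in one WLAN profile XML."""
    root = ET.fromstring(xml_text)

    def val(path):  # text of the first element matching path, "" if absent
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    checks = [
        (val("w:connectionType") == "ESS", "ad hoc (IBSS) networks not excluded"),
        (val(".//w:useOneX") == "true", "802.1X authentication not enabled"),
        (val(".//ox:authMode") in ("machine", "machineOrUser"), "machine authentication off"),
        (val(".//be:Eap/be:Type") == "25", "outer EAP method is not PEAP (type 25)"),
        (val(".//peap2:PerformServerValidation") == "true", "server certificate not validated"),
        (val(".//peap:TrustedRootCA") != "", "no trusted root CA pinned"),
        (val(".//peap:DisableUserPromptForServerValidation") == "true",
         "users may be prompted to trust new servers or CAs"),
        (val(".//ms:UseWinLogonCredentials") == "true", "Windows logon credentials not reused"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run it against the XML exported from a client after the policy refresh; an empty list means every setting the article enforces is present.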
