
Wireless via GPO

Status
Not open for further replies.

GrimR

IS-IT--Management
Jun 17, 2007
1,149
ZA
Has anyone successfully set up wireless via GPO? W2k3.
Grey areas, things I'm not clear on are RootCA Certificate. How is it created and is it needed?
How to authenticate, e.g. the device has WPA with a key, in GPO the check box is greyed out, 'Key is automatically provided', does that mean I should remove the key from the device? Then what is the key and how is it assigned?
 
I have set this up several times and it works fine assuming you are using Windows Wireless Zero Configuration on the clients. You can only create WPA-Enterprise policies via GPO, unlike WEP where you get the option of unchecking 'The key is provided automatically'. You can't create any WPA-PSK policies, nor can you create any WPA2 policies unless you use a Vista Workstation to edit the policies.
For GPO WiFi Policies to work you need to also deploy a Radius Server to authenticate logon requests centrally (you can use the one included with Server 2003), plus you need a certificate deployed on the Radius Server for identification when using PEAP or EAP-TLS. This can be a self-signed one, one from an Enterprise CA or a purchased one. If you are deploying PEAP then you only need a Certificate on the Radius Server; if you want to deploy EAP-TLS then you also need certificates on each WiFi Client.

A couple of links to help you along:




HTH

Andy
 
Thanks for the reply. Just a few questions. I take it that if I use IAS I need a RootCA. Can I install certificate services and create a root CA without causing any problems on the network? Can you use this Root CA certificate on either PEAP or EAP-TLS? Does this certificate need to be backed up? What complications will happen considering all laptops are currently manually configured? And I take it each Radius client needs to be set up for each device.
 
You don't need a Root CA, you can install a self-signed certificate or even buy one. Simplest way is to create a self-signed one using the IIS 6 resource kit (free download from M$). You can then via GPO either set the WiFi settings to ignore the Server certificate or make it a trusted certificate via importing it into a GPO.

You could go the whole nine yards and create an Enterprise CA and then configure a GPO to automatically enroll workstations (and users if you want to?) for certificates. This might be a bit OTT though; however, you could go with the self-signed one now and then look into a PKI infrastructure later, and when you have decided what you want you can change the IAS server's certificate and push different settings down via GPO.

Each WiFi AP needs configuring with the Radius server(s) IP address along with an encryption key. You don't need to configure any radius stuff on WiFi client machines, just the APs.

HTH

Andy
 