Use this procedure to configure a Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) wireless profile for wireless computers running Windows XP and Windows Server 2003.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
|To configure a PEAP-TLS wireless profile for computers running Windows XP|
Open New XP Wireless Network (IEEE 802.11) Policies Properties dialog box.
On the General tab, do the following:
- In XP Policy Name, type a name for your wireless
- In Description, type a description of the policy.
- In Networks to access, select either Access point
(infrastructure) networks only or Any available network
(access point preferred).
- Select Use Windows to configure wireless network settings
- In XP Policy Name, type a name for your wireless policy.
On the Preferred Networks tab, click Add, and then select Infrastructure. On the Network Properties tab, configure the following:
- In Network Name (SSID), type the service set identifier
(SSID) for your network.
The value you enter in this field must match the value configured on the access points you have deployed on your network.
- In Description, enter a description for the New
Preferred Setting Properties.
- In Select the security methods for this network, in
Authentication, select either WPA2 (preferred), or
WPA. In Encryption, specify either AES or
In Windows XP Wireless Network (IEEE 802.11) Policies, WPA2 and WPA correspond to the Windows Vista Wireless Network (IEEE 802.11) Policies WPA2-Enterprise and WPA-Enterprise settings, respectively.
Selecting WPA2 exposes additional settings for Fast Roaming. The default settings for Fast Roaming are sufficient for most wireless deployments.
- In Network Name (SSID), type the service set identifier (SSID) for your network.
Click the IEEE 802.1X tab. In EAP type, by default, Protected EAP (PEAP) is selected.
The remaining default settings on the IEEE 802.1X tab are sufficient for most wireless deployments.
Click Settings. In the Protected EAP Properties dialog box, do the following:
- Select Validate server certificate.
- To specify which Remote Authentication Dial-In User Service
(RADIUS) servers your wired access clients must use for
authentication and authorization, in Connect to these
servers, type then name of each RADIUS server, exactly as it
appears in the subject field of the server certificate. Use
semicolons to specify multiple RADIUS server names.
- In Trusted Root Certification Authorities, select the
trusted root certification authority (CA) that issued the server
certificate to your server running Network Policy Server (NPS).
This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store.
- For improved security and a better user experience, select
Do not prompt user to authorize new servers or trusted
- In Select Authentication Method, select Smart Card or
- To enable PEAP fast reconnect, select Enable Fast
- To specify that Network Access Protection (NAP) performs system
health checks on clients to ensure they meet health requirements,
before connections to the network are permitted, select Enforce
Network Access Protection.
- To require cryptobinding Type-Length Value (TLV), select
Disconnect if server does not present cryptobinding TLV.
- To configure your clients so that they will not send their
identity in plaintext before the client has authenticated the
RADIUS server, select Enable Identity Privacy, and then in
Anonymous Identity, type a name or value, or leave the field
For example, if Enable Identity Privacy is enabled and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select Enable Identity Privacy but do not provide an anonymous identity value, the identity response is @realm.
- To configure PEAP-TLS properties, click Configure, and
then in Smart Card or other Certificate Properties,
configure the following items according to your needs:
- In When connecting, select either
Use my smart card, or select both Use a certificate on
this computer and Use simple certificate selection
- To require that access clients validate the
NPS server certificate, select Validate server
- To specify which RADIUS servers your wired
access clients must use for authentication and authorization, in
Connect to these servers, type then name of each RADIUS
server, exactly as it appears in the subject field of the server’s
certificate. Use semicolons to specify multiple RADIUUS server
- In Trusted Root Certification
Authorities, select the CA that issued NPS server certificates
on your network.
- To specify that clients use an alternate name
for the access attempt, select Use a different user name for the
- To prevent users from being prompted to trust
a server certificate if that certificate is incorrectly configured,
is not already trusted, or both, select Do not prompt user to
authorize new servers or trusted certification authorities.
- Click OK to close the Smart card or
other Certificate Properties dialog box, and then click
OK again to close the Protected EAP (PEAP) Properties
dialog box, returning you to the New Vista Wired Network Policy
Properties dialog box.
- In When connecting, select either Use my smart card, or select both Use a certificate on this computer and Use simple certificate selection (Recommended).
- Select Validate server certificate.