Sunday, 11 January 2015

Configuring a WLAN profile for Windows computers using Group Policy

"If a trainstation is where the train stops, what's a workstation?"

As you go along with this tutorial, make sure to deviate from my settings so that you end up with a profile that suits your environment. In any case, you should have a functioning Active Directory and workstations running Windows Vista or higher.

This is a rare instance of something that benefits both usability and security and not one at the expense of the other. The users will not have to worry about WLAN settings as those are configured by the GPO and I will not have to worry about users watering down security settings because the settings are locked in into the profile and users cannot change them.

In my case the wireless connection deployed on the workstations will be based on
  • WPA2-Enterprise mode
  • A Network Policy Server (NPS) that will also serve as RADIUS server
  • Client and server authenticating using (pre-autoenrolled) X.509 certificates
  • I opened gpmc.msc and navigated to the Organizational Unit (OU) that contained my wireless capable computers.
  • Next, I created a new GPO (i.e. "WLAN profiles <<insert SSID>>"
  • Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) policies.
  • "Create A New Wireless Network Policy for Windows Vista and Later Releases".
    You can only do this once. When you have created the first policy, the option will disappear until the policy is deleted.
  • The policy gets a name and description. Properties General

  •  Adding a network
    The workstations connect automatically, do not connect to more preferable networks and do not connect if the SSID is not broadcast.

The RADIUS Server authenticates via X.509 certificate. There is also some sort of certificate pinning at the root-CA level. Note the checkbox in the middle. Alle three things must match for the client to proceed:
  1. Server hostname
  2. Server certificate
  3. Root certificate
This will ensure that the workstations is connected to the right network and it will remove unnecessary pop-ups that may require information that is not available to the user. ("Do you trust this computer?"). The authentication method selection at the lower end of the screenshot ensures that the workstation will authenticate using its own certificate which will be presented to the server. The alternative would be EAP-MSCHAP v2.

Leaving the PEAP setting, going back to Security > Advanced. I left following settings unchanged.

Network permissions

Once the GPO is deployed on the client side, you should see a pre-configured wireless connection with greyed out check-boxes and a message with exclamation mark, stating the the connection settings are managed by the system administrator.

No comments:

Post a comment