As you go along with this tutorial, make sure to deviate from my settings so that you end up with a profile that suits your environment. In any case, you should have a functioning Active Directory and workstations running Windows Vista or higher.
This is a rare instance of something that benefits both usability and security and not one at the expense of the other. The users will not have to worry about WLAN settings as those are configured by the GPO and I will not have to worry about users watering down security settings because the settings are locked in into the profile and users cannot change them.
In my case the wireless connection deployed on the workstations will be based on
- WPA2-Enterprise mode
- A Network Policy Server (NPS) that will also serve as RADIUS server
- Client and server authenticating using (pre-autoenrolled) X.509 certificates
- I opened gpmc.msc and navigated to the Organizational Unit (OU) that contained my wireless capable computers.
- Next, I created a new GPO (i.e. "WLAN profiles <<insert SSID>>"
- Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) policies.
- "Create A New Wireless Network Policy for Windows Vista and Later Releases".
You can only do this once. When you have created the first policy, the option will disappear until the policy is deleted.
- The policy gets a name and description. Properties General
- Adding a network
The workstations connect automatically, do not connect to more preferable networks and do not connect if the SSID is not broadcast.
The RADIUS Server authenticates via X.509 certificate. There is also some sort of certificate pinning at the root-CA level. Note the checkbox in the middle. Alle three things must match for the client to proceed:
- Server hostname
- Server certificate
- Root certificate
Leaving the PEAP setting, going back to Security > Advanced. I left following settings unchanged.
Network permissions
The only issue is the password
ReplyDelete