Setting up a wireless connection on your laptop is a quick and easy process. Setting it up on dozens or even hundreds of user workstations could be an exercise in pain. Users will want wireless, and if they can’t get no connection, can’t get through, they are going to want to know “where are you?” very quickly. Rather than denying them wireless access, or running around to each machine one at a time to set things up by hand, you can use a group policy to push the configuration out to your workstations.
Using a group policy does assume that your clients are connected to the wired network at least long enough to pull the updated policy, but other than that it is fairly straightforward. With this, you will be a hero in no time flat. Without this, you will come to know when the bullet hits the bone.
Extend the schema?
If you are running Windows 2008 or 2008 R2 on any domain controller, you already have the schema definitions needed for this. For Windows 2003, you are going to have to extend the schema, either with the Server 2008 R2 DVD or with an ldif file. If you have 2008 domain controllers in your near future, I’d go that route, and since 2003 is already getting a little long in the tooth, that is probably the way you want to go. Otherwise, download the ldif file from http://technet.microsoft.com/en-us/library/bb727029.aspx, then open a command prompt, change to the directory that holds the ldif file, and run this command:
ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain
where Dist_Name_of_AD_Domain is the distinguished name of the AD DS domain whose schema is being modified; the -c switch rewrites every DC=X in the file to that name. Run it, of course, while logged on as a schema admin.
That will extend the schema to support this GPO. You’re ready for the next step.
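As an added example (my own script, not from the original post or from Microsoft's documentation), here is a PowerShell wrapper around that ldifde step that first checks whether the schema already carries the wireless-policy class, confirms you are actually in Schema Admins, and then builds the command from the domain's real distinguished name instead of the DC=X placeholder. It assumes the ActiveDirectory module from RSAT is available and that 802.11Schema.ldf from the TechNet link is in the current directory; the class name ms-net-ieee-80211-GroupPolicy is what the ldif file adds.

```powershell
# Added example (not from the original post): check whether the 802.11 GPO
# schema class is already present before running ldifde, then run ldifde
# with the domain's real distinguished name in place of DC=X.
# Assumes the ActiveDirectory PowerShell module (RSAT) and that
# 802.11Schema.ldf sits in the current directory.
Import-Module ActiveDirectory

$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$domainDN     = (Get-ADDomain).DistinguishedName    # replaces the DC=X placeholder
$forest       = Get-ADForest
$schemaMaster = $forest.SchemaMaster                # schema writes must go to this DC

# The ldif adds the ms-net-ieee-80211-GroupPolicy class; if it is already
# there (any 2008/2008 R2 DC in the forest), there is nothing to extend.
$filter   = '(&(objectClass=classSchema)(lDAPDisplayName=ms-net-ieee-80211-GroupPolicy))'
$existing = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter -ErrorAction SilentlyContinue
if ($existing) {
    Write-Host "Schema already contains ms-net-ieee-80211-GroupPolicy; nothing to do."
    return
}

# Schema Admins lives in the forest root domain, so look it up there.
$schemaAdmins = Get-ADGroup -Identity 'Schema Admins' -Server $forest.RootDomain
$me           = Get-ADUser -Identity $env:USERNAME -Properties MemberOf
if ($me.MemberOf -notcontains $schemaAdmins.DistinguishedName) {
    Write-Warning "$env:USERNAME is not a direct member of Schema Admins; ldifde will be refused."
    return
}

if (-not (Test-Path '.\802.11Schema.ldf')) {
    Write-Warning "802.11Schema.ldf not found in $(Get-Location)"
    return
}

# -i import, -v verbose, -k keep going past 'already exists' errors (so a
# re-run is harmless), -c rewrites DC=X to the real DN, -s targets the schema
# master, -j writes ldif.log / ldif.err to the current directory.
Write-Host "Running: ldifde -i -v -k -f 802.11Schema.ldf -c DC=X $domainDN -s $schemaMaster -j ."
& ldifde -i -v -k -f 802.11Schema.ldf -c DC=X $domainDN -s $schemaMaster -j .
if ($LASTEXITCODE -ne 0) {
    Write-Warning "ldifde exited with code $LASTEXITCODE; see ldif.err in $(Get-Location)."
} else {
    Write-Host "Schema extended on $schemaMaster. Let replication finish before creating the GPO."
}
```

Save it as a .ps1 and run it from an elevated PowerShell session on a machine that can reach the schema master; the early exit when the class already exists keeps you from needlessly touching the schema on a forest that has already been upgraded.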
Wireless Network Policies
If you are running Windows 2008 domain controllers and Windows 7 with the RSAT tools, the following will look a little different, since the GUI will be written around Windows 7. For those of you with a touch of legacy still around, I am going to use the 2003-with-ldif-file visuals, which show the policy for Vista and later releases. Windows 7 works fine with this.
- Launch GPMC, and create a new policy. Call it something like Windows7WiFi.
- Browse down to Computer Configuration, Policies, Windows Settings, Security Settings, and select Wireless Network (IEEE 802.11) Policies.
- Right-click that, and select “Create A New Wireless Network Policy for Windows Vista and Later Releases.”
- If you get an error at this point, it is because you are using the Windows 7 RSAT tools, which look for Windows 2008 R2, but you are trying to set up a policy on a 2008 or 2003 domain. Switch to a domain controller and try again; this time the option to create a new policy will appear.
- Click that and run through the settings as follows.
- Give it a name.
- Give it a description that is actually useful.
- Click Add… and choose Infrastructure.
- Name the profile. I use the SSID as the name of the profile to keep it simple.
- Add your SSID under Network Name(s) (SSID).
- Remove the default NEWSSID entry if it is present.
- If you are ‘stealthing’ your SSID by not broadcasting it, make sure to check the box to connect even if the network is not broadcasting. Has your beacon been moved under moon and star?
- Click the Security tab.
- Here is where things get tricky. The defaults on this tab should be correct; set the authentication and encryption to match your AP settings if they do not already line up.
- Next to “Select a network authentication method:” click Properties.
- If you are using a certificate from your Enterprise AD or a public CA, you can leave “Validate server certificate” checked. If your AP rolled its own, clear this check box, and click OK to return to the Security tab.
- Notice that “Cache user information for subsequent connections to this network” is checked. Click the Advanced… button.
- To enable users to connect seamlessly, check the box for “Enable Single Sign On for this network.” The defaults here should be okay for most situations. Click OK, then click OK on the Security tab, then click OK on the General tab of the policy properties dialog box to take you back to the policy editor.
- Set any filtering or permissions you want on this policy, and link it to the appropriate OU.
- Allow AD replication to complete, and then do a gpupdate on your client.
- Now quickly! Check out your connection! I bet you see your machine already connecting to your wireless network. You know what comes next!
Note: if you have XP machines that you want connecting to the wireless network, just repeat the process with an XP policy. The settings are essentially the same. If you forgot to clear the check box for validating the certificate and your AP rolled its own, you are going to have to import that certificate on your clients as a trusted root certificate. If you don’t, you’ll be wrapped up in silence, all circuits are dead.
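To close the loop on the gpupdate step above and on the certificate caveat in this note, here is an added client-side check script (mine, not the post's, and not an Aerohive or Microsoft tool). Run it on a Windows 7 client after the policy is linked: it refreshes computer policy, confirms the profile arrived through Group Policy rather than being hand-added, confirms the adapter actually joined the SSID, and confirms the AP/RADIUS certificate's issuer sits in the machine's Trusted Root store, which is what lets you keep “Validate server certificate” checked instead of clearing it. The SSID and thumbprint parameters are placeholders, and the netsh parsing assumes the English-language output layout.

```powershell
# Added example (not from the original post): verify on a Windows 7 client
# that the GPO-delivered wireless profile landed, that the adapter connected,
# and that the AP/RADIUS certificate issuer is trusted by the machine.
# $Ssid and $ServerCertThumbprint are placeholders; replace with your own.
param(
    [string]$Ssid = 'CorpWiFi',                               # placeholder SSID
    [string]$ServerCertThumbprint = 'REPLACE-WITH-CA-THUMBPRINT'  # placeholder
)

# 1. Pull the latest computer policy (the wired link must be up for this).
gpupdate /target:computer /force | Out-Null

# 2. Profiles delivered by Group Policy are listed in their own read-only
#    section of 'netsh wlan show profiles', separate from user profiles.
$lines       = netsh wlan show profiles
$inGpSection = $false
$gpProfiles  = @()
foreach ($line in $lines) {
    if ($line -match '^Group policy profiles') { $inGpSection = $true;  continue }
    if ($line -match '^User profiles')         { $inGpSection = $false; continue }
    if ($inGpSection -and $line -match ':\s*(.+)$') { $gpProfiles += $Matches[1].Trim() }
}
if ($gpProfiles -contains $Ssid) {
    Write-Host "OK   Group Policy profile '$Ssid' is present."
} else {
    Write-Warning "Profile '$Ssid' was not delivered by GPO. GP profiles found: $($gpProfiles -join ', ')"
    Write-Warning "Check the OU link, AD replication, and that the client is Vista or later."
}

# 3. Is the adapter connected to that SSID right now?
#    '^\s*SSID' is anchored so the BSSID line does not match.
$ifaces   = netsh wlan show interfaces
$stateHit = $ifaces | Select-String '^\s*State\s*:\s*(.+)$' | Select-Object -First 1
$ssidHit  = $ifaces | Select-String '^\s*SSID\s*:\s*(.+)$'  | Select-Object -First 1
$stateVal = if ($stateHit) { $stateHit.Matches[0].Groups[1].Value.Trim() } else { 'unknown' }
$ssidVal  = if ($ssidHit)  { $ssidHit.Matches[0].Groups[1].Value.Trim()  } else { '' }
if ($stateVal -eq 'connected' -and $ssidVal -eq $Ssid) {
    Write-Host "OK   Connected to '$Ssid'."
} else {
    Write-Warning "Adapter state '$stateVal' on SSID '$ssidVal'; expected 'connected' to '$Ssid'."
}

# 4. With "Validate server certificate" left checked, PEAP only succeeds if
#    the issuer of the AP/RADIUS certificate is in the machine Trusted Root
#    store. Clearing that box makes the connection work, but the client can
#    then no longer tell a genuine authentication server from an impostor.
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ServerCertThumbprint }
if ($trusted) {
    Write-Host "OK   '$($trusted.Subject)' is in Trusted Root Certification Authorities."
} else {
    Write-Warning "Thumbprint $ServerCertThumbprint is not in Cert:\LocalMachine\Root."
    Write-Warning "Import the AP/RADIUS CA certificate there (a Public Key Policies GPO will do it for every client) and keep server validation enabled."
}
```

Run it as an administrator (the certificate store query and gpupdate need it), for example .\Check-WiFiGpo.ps1 -Ssid 'YourSSID' -ServerCertThumbprint '<thumbprint>'. Each of the three checks maps to one of the places this walkthrough says things go wrong: the profile missing means the policy never applied, the adapter idle means the profile applied but the security settings do not match the AP, and the missing root means the self-signed certificate case from the note above.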
This was set up and confirmed on my enterprise network using Aerohive AP-120 access points with HiveManager Online. That’s right, I am joining the hive. If you are looking at an enterprise class wireless solution, you have to look at these devices. Trust me, you will love them. And James Forbes, their pre-sales engineer, is great to work with. Check them out at http://aerohive.com.
Golden Earring - Twilight Zone: http://youtu.be/a1sf2CzEq0w