Hi there --

I pinged the wireless team about this and here is their response:

He doesn't explicitly say so, but I'm guessing that he is trying to
manually change the wireless connection profile on one of his COWs… If the
currently applied profile - that specifies EAP-TLS - was configured via the
Wireless Network (IEEE 802.11) Policies Group Policy extension, then - by
default - he is prevented from editing the properties of that profile on
client computers.

From the information available, I believe all he needs to do is modify the
Wireless Network (IEEE 802.11) Policies to specify the EAP type =
"Protected EAP [PEAP]," with the PEAP "Settings" specifying:

-- Verify that Validate server certificate is selected.
-- In Trusted Root Certification Authorities, select the certificate you
   obtained from VeriSign.
-- From the Select Authentication Method drop-down list, select Secured
   password (EAP-MS-CHAP v2).
-- Select Enable Fast Reconnect.

Then, on client computers that are connected to the network, refresh GP, by
running "gpupdate" at the command prompt.

The complete PEAP-MS-CHAP v2 deployment for WS03 is documented in:
Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home
Office or Small Organization Networks
http://www.microsoft.com/downloads/d...269902E8-FC41-4EB1-9374-44612E64F0FB&displaylang=en

I don't have the machines to test the exact client behavior, but as I
recall:

-- If in the current configuration (in Wireless policy / IEEE 802.1X tab),
   the default "Computer authentication" specifies "With user
   re-authentication," then after the policy is refreshed on the client
   computer (COW) by "gpupdate" or the automatic refresh interval, the
   updated 'PEAP' policy is automatically applied. When the user attempts
   to log on to the network, Windows will prompt the user for domain
   credentials. { "With user re-authentication" is the recommended
   setting. }
-- For logon attempts that do not prompt the user for domain credentials
   after updating the Wireless Network (IEEE 802.11) Policies, they might
   need to make a wired connection to the network to log on the first
   time, which will refresh GP, and force the new wireless connection
   profile onto the wireless adapter. Subsequent wireless connection
   attempts will prompt the user for their domain credentials.

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Redleg6" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):
> OK, sorry 'bout that.
>
> I have a Win2003 domain. An enterprise CA running on a Win2003
> Enterprise OS. I use group policy. This is a test domain that I use
> for working out problems before I place anything on the production
> domain which is used to service a hospital.
>
> The workstations are all WinXP SP2.
>
> The problem I am working on is how to best set up some COWs (computers
> on wheels) for the nurses in the patient areas. We have wireless with
> Cisco APs throughout the hospital to service the COWs. These APs
> connect into our primary VLAN that connects to our production system.
> Since sensitive patient info is sent over the wireless network it is
> essential that the communications be highly secure.
>
> At first I set up a test using EAP-TLS. I also used autoenrollment in
> GP. Each COW has a computer certificate and a user certificate for
> each user. This setup is very secure but having 20-30 user
> certificates to manage on each COW is a huge management problem. BTW
> the certs use a custom wireless template and all the users must be in
> a special wireless global group. The connections with the COWS use IAS
> that has a certificate from the CA.
>
> Now I want to try using PEAP. This will still encrypt the wireless
> common but will not require all the user certificates on the COWS. I
> can easily change to PEAP in the remote access policy for IAS. But
> when I try to change to PEAP in the wireless connection on the COW the
> change is not allowed. Every time I change the properties for the
> wireless network to use PEAP instead of a certificate the change is
> not accepted.
>
> I need some help on how to change to PEAP on the COWS.
>
>
> "Robert L. (MS-MVP)" <(E-Mail Removed)> wrote in message
> news:%23cb9%(E-Mail Removed)...
>> We need more details to help you. Where do you make the change? Do
>> you have group policy?
>>
>> --
>> Bob Lin, MS-MVP, MCSE & CNE
>> Networking, Internet, Routing, VPN Troubleshooting on
>> http://www.ChicagoTech.net
>> How to Setup Windows, Network, VPN & Remote Access on
>> http://www.HowToNetworking.com
>> "Myrt Webb" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> I am using on my wireless network EAP-TLS which requires user
>>> certificates for authentication.
>>>
>>> I want to go back to PEAP which will eliminate this requirement.
>>> Problem is the wireless network configuration on my Win XP SP2 will
>>> not allow me to change. Every time I make the change I get a message
>>> that will not allow the change. The card is a Linksys.
>>>
>>> How can I change from user certs to PEAP and make it stick?
>>>
>>