Create a Group Policy to deploy a company wireless network

Problem:
How do I deploy our company 802.1x NPS authenticated wireless access point profile to users using Group Policy?

Solution:
Create a new GPO that is assigned/permissioned to the machines you want to deploy the wireless network to.




Right click on the policy and click Edit.  Go to Computer Configuration>Policies>Windows Settings>Security Settings>Wireless Network (IEEE 802.11) Policies and right click.

Choose Create a New Wireless Network Policy for Windows Vista and Later Releases

Give the Policy a name then click Add>Infrastructure

Give the profile a name and then enter the name of the SSID that you want to connect users to then click Add




Select the Security tab and select WPA2-Enterprise and AES encryption.  Then select Microsoft: Smart card or other certificate and choose Computer authentication.  Click the Properties tab when ready.

Select Use a certificate on this computer and check Use simple certificate validation.  Select Verify the server’s identity and select your root CA from the list below, then click Ok>Ok>Ok>Ok.

This Group Policy should now deploy your 802.1x certificate based wireless network to your clients.
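
To confirm on a client that the deployed profile carries the settings chosen above, the profile XML can be audited. This is an added example, not part of the original article: it assumes the profile was exported with `netsh wlan export profile`, and the SSID `CorpWiFi`, the thumbprint and the function name `Test-WlanProfile` are constructed for illustration.

```powershell
# Constructed sample of an exported profile; "CorpWiFi" and the thumbprint are placeholders.
# On a client, load the real file instead: $doc = [xml](Get-Content <exported file> -Raw)
$sample = [xml]@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>13</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
            <ServerValidation><TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA></ServerValidation>
          </EapType>
        </Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

function Test-WlanProfile {
    param([xml]$Doc)
    # local-name() avoids registering the several namespaces a profile mixes
    $first = { param($n) $x = $Doc.SelectSingleNode("//*[local-name()='$n']"); if ($x) { $x.InnerText.Trim() } }
    $roots = @($Doc.SelectNodes("//*[local-name()='TrustedRootCA']") | Where-Object { $_.InnerText.Trim() })
    $expected = [ordered]@{
        authentication = 'WPA2'      # WPA2-Enterprise (WPA2PSK would mean a pre-shared key)
        encryption     = 'AES'
        useOneX        = 'true'      # 802.1X enabled
        authMode       = 'machine'   # Computer authentication
        Type           = '13'        # EAP-TLS: Smart card or other certificate
    }
    foreach ($k in $expected.Keys) {
        $actual = & $first $k
        [pscustomobject]@{ Setting = $k; Expected = $expected[$k]; Actual = $actual; Pass = ($actual -eq $expected[$k]) }
    }
    # No TrustedRootCA entry means no root CA was selected for server validation
    [pscustomobject]@{ Setting = 'TrustedRootCA'; Expected = '>= 1'; Actual = $roots.Count; Pass = ($roots.Count -ge 1) }
}

Test-WlanProfile $sample | Format-Table -AutoSize
```

`netsh wlan show profiles` lists GPO-delivered profiles under the "Group policy profiles (read only)" heading, which shows whether a profile came from policy or was created locally.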




11 Replies to “Create a Group Policy to deploy a company wireless network”

  1. Hi,

    thanks for this article. Do you know if it possible to create a second GPO with a different Wireless Policy and deploy both GPOs to the same Client? I tried that but the 2nd Wireless Policy does not apply.

    Thanks
    Daniel

    1. Hi Daniel,
      Yes, this is possible and I have done this before. Have you run a gpresult /r to check the policy status on the machine? It could be something like permissions or the machine in the wrong GPO that are easily overlooked.
      Thanks
      Robin

  2. Hi Robin,

    thanks for your reply. I have already checked with gpresult and it says that the policy was applied successfully. But I can't see the settings of the new policy or the new SSID.

    Thanks
    Daniel

  3. Hi Robin,

    the background was that I had to push an additional Wifi to only a few clients. So I thought I can create a new GPO with a new Wireless Policy and this will merge with our existing Wireless Policy. But that was not the case. At the end I had to add all existing wireless networks and the new one to the new policy and gave it a higher priority. This means for me that it is not possible to push more than one Wireless Policy to the clients.

    Daniel

    1. Hi Daniel,
      Finally I found a person who met the same issue as me. I also want to deploy a different SSID for a few clients, but I found only one GPO could work. I wanna know if you have found the solution by now?

  4. Hey Team,

    I've currently got a setup where I have my own wireless profile I self-created on my machine that is called “apple”; it's set to connect automatically. I created a GPO to push out the profile to my computer called “Apple_Corp”. For some reason my computer still sometimes connects to “apple” over “Apple_Corp” when they're both within range. Do GPO-pushed wireless profiles take highest priority by default? I imagined they would, but I was wondering if I need to set that manually in my GPO somewhere. If I do need to do that, where in the GPO does the priority need to be applied for “Apple_Corp” to take priority number one? Thanks.

  5. Hi Robin,

    Great article. When it comes to selecting the encryption type, I only get AES-GCMP & AES-CCMP not just AES. Which one should I select?

  6. You need to also have a Windows Certificate Services set up that issues certificates to the computers in the AD domain for this to work.

    Steps:
    Set up WIFI system to call the radius/NPS service.
    Set up GPO to issue certificates from the Windows Certificate Services.
    Set up GPO to push WIFI config.
    Make sure computers have certificates. Make sure certificate root.crt are in each system.

    AES-GCMP is newer and better than AES-CCMP but if your old hardware only supports AES-CCMP, you’re stuck with it.

  7. Hi, from a client, how do I find out which GPO policy was deployed to the computer via GPO and what were its detailed settings? How do I know for example it used WPA2+PSK or certificate from computer?
