It used to be that connecting to a wireless network took planning. Now you can usually gain access by choosing a familiar network from a list and logging in. But what if you need to manually configure your wireless settings? This excerpt from Windows® 7 Resource Kit will show you how.
Users want to stay constantly connected to their networks, and wireless LANs and wireless WANs are beginning to make that possible. However, managing multiple network connections can be challenging, and users often have difficulty resolving connectivity problems. As a result, users place more calls to support centers, increasing support cost and user frustration. You can reduce this by configuring client computers to connect to preferred wireless networks.
Windows will connect automatically to most wired networks. Wireless networks, however, require configuration before Windows will connect to them. You can connect Windows computers to wireless networks in three different ways:
Manually. Windows 7 includes a new user interface that makes it simple to connect to wireless networks. You can use this interface to manually configure intranet-based computers running Windows 7; users can use this method to connect to public networks when they travel.
Using Group Policy. Group Policy settings are the most efficient way to configure any number of computers running Windows in your organization to connect to your internal wireless networks.
From the command line or by using scripts. Using the Netsh tool and commands in the netsh wlan context, you can export existing wireless network profiles, import them into other computers, connect to available wireless networks, or disconnect a wireless network.
After a wireless network is configured, the Wireless Single Sign-On feature executes 802.1X authentication at the appropriate time based on the network security configuration, while simply and seamlessly integrating with the user's Windows logon experience. The following sections describe each of these configuration techniques.
Windows 7 makes it very easy to connect to a wireless network using the enhanced View Available Networks (VAN) feature included in the platform. For example, to configure a wireless network that is currently available, follow these steps:
Click the networking icon in the notification area.
Click the network to which you want to connect and then click Connect, as shown in Figure 25.14.
Figure 25.14. The Network Connection Details dialog box provides graphical access to IP configuration settings.
If the network is encrypted, provide the encryption key.
In AD DS environments, you can use Group Policy settings to configure wireless network policies. For best results, you should have Windows Server 2003 SP1 or later installed on your domain controllers because Microsoft extended support for wireless Group Policy settings when they released SP1.
Before you can use Group Policy to configure wireless networks, you need to extend the AD DS schema using the 802.11Schema.ldf file included on this book's companion media. If you do not have access to the companion media, you can copy the schema file from http://technet.micro...y/bb727029.aspx. To extend the schema, follow these steps:
Copy the 802.11Schema.ldf file to a folder on a domain controller.
Log on to the domain controller with Domain Admin privileges and open a command prompt.
Select the folder containing the 802.11Schema.ldf file and run the following command (where Dist_Name_of_AD_Domain is the distinguished name of the AD DS domain whose schema is being modified; an example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com AD DS domain).
ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain
Restart the domain controller.
After you extend the schema, you can configure a wireless network policy by following these steps:
Open the Active Directory GPO in the Group Policy Object Editor.
Expand Computer Configuration, Windows Settings, Security Settings, and then click Wireless Network (IEEE 802.11) Policies.
Right-click Wireless Network (IEEE 802.11) Policies and then click Create A New Windows Vista Policy. The Wireless Network Properties dialog box appears.
To add an infrastructure network, click Add and then click Infrastructure to open the Connection tab of the New Profile Properties dialog box. In the Network Names list, click NEWSSID and then click Remove. Then, type a valid internal SSID in the Network Names box and click Add. Repeat this to configure multiple SSIDs for a single profile. If the network is hidden, select the Connect Even If The Network Is Not Broadcasting check box.
On the New Profile Properties dialog box, click the Security tab. Use this tab to configure the wireless network authentication and encryption settings. Click OK.
This resource kit does not cover how to design wireless networks. However, you should avoid using Wired Equivalent Privacy (WEP) whenever possible. WEP is vulnerable to several different types of attack, and WEP keys can be difficult to change. Whenever possible, use WPA or WPA2, which both use strong authentication and dynamic encryption keys.
The settings described in the previous process will configure client computers to connect automatically to your internal wireless networks and to not connect to other wireless networks.
You can also configure wireless settings using commands in the netsh wlan context of the Netsh command-line tool, which enables you to create scripts that connect to different wireless networks (whether encrypted or not). To list available wireless networks, run the following command.
Netsh wlan show networks

Interface Name : Wireless Network Connection
There are 2 networks currently visible

SSID 1 : Litware
    Network Type : Infrastructure
    Authentication : Open
    Encryption : None

SSID 1 : Contoso
    Network Type : Infrastructure
    Authentication : Open
    Encryption : WEP
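The listing above can be checked against the WEP guidance automatically. The following is an added example, not code from the Resource Kit: it parses captured output of the command and flags networks that use WEP or no encryption. The sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample, modeled on the `netsh wlan show networks` output above.
SAMPLE_OUTPUT = """\
Interface Name : Wireless Network Connection
There are 3 networks currently visible

SSID 1 : Litware
    Network Type      : Infrastructure
    Authentication    : Open
    Encryption        : None

SSID 2 : Contoso
    Network Type      : Infrastructure
    Authentication    : Open
    Encryption        : WEP

SSID 3 : Lab: 2nd floor
    Network Type      : Infrastructure
    Authentication    : WPA2-Personal
    Encryption        : CCMP
"""

def parse_networks(output):
    """Turn the command output into one dict per visible network."""
    networks, current = [], None
    for line in output.splitlines():
        # Split on the first colon only, so SSIDs containing ':' survive.
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if re.fullmatch(r"ssid \d+", key):
            current = {"ssid": value}
            networks.append(current)
        elif current is not None:
            current[key] = value
    return networks

def weak_networks(networks):
    """Return (ssid, reason) for networks that use WEP or no encryption."""
    flagged = []
    for net in networks:
        enc = net.get("encryption", "").lower()
        if enc == "wep":
            flagged.append((net["ssid"], "WEP encryption"))
        elif enc == "none":
            flagged.append((net["ssid"], "no encryption"))
    return flagged
```

Netsh localizes these field labels, so the key names assume an English-language system.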
Before you can connect to a wireless network using Netsh, you must have a profile saved for that network. Profiles contain the SSID and security information required to connect to a network. If you have previously connected to a network, the computer will have a profile for that network saved. If a computer has never connected to a wireless network, you need to save a profile before you can use Netsh to connect to it. You can save a profile from one computer to an Extensible Markup Language (XML) file and then distribute the XML file to other computers in your network. To save a profile, run the following command after manually connecting to a network.
Netsh wlan export profile name="SSID"
Interface profile "SSID" is saved in file ".\Wireless Network Connection-
Before connecting to a new wireless network, you can load a profile from a file. The following example demonstrates how to create a wireless profile (which is saved as an XML file) from a script or the command line.
Netsh wlan add profile filename="C:\profiles\contoso1.xml"
Profile contoso1 is added on interface Wireless Network Connection
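Because an exported profile carries the network's security settings and may carry its key, it is worth auditing the XML file before distributing it. The following is an added example, not code from the Resource Kit: it reads one profile and reports WEP or open settings, an unprotected stored key, and ad hoc profiles. The element names come from Microsoft's WLAN profile schema rather than from this page, and the sample profile and its key are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of the WLAN profile schema (assumption: v1 profiles, as exported by netsh).
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profile; the key value is a placeholder.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>contoso1</name>
  <SSIDConfig><SSID><name>Contoso1</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>open</authentication>
      <encryption>WEP</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>networkKey</keyType>
      <protected>false</protected>
      <keyMaterial>EXAMPLE-KEY-PLACEHOLDER</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>"""

def audit_profile(xml_text):
    """Return a list of findings for one exported WLAN profile."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else ""

    name = text("w:name")
    auth = text(".//w:authEncryption/w:authentication")
    enc = text(".//w:authEncryption/w:encryption")
    findings = []
    if enc.upper() == "WEP" or auth.lower() == "shared":
        findings.append(f"{name}: uses WEP ({auth}/{enc}); move to WPA or WPA2")
    elif auth.lower() == "open" and enc.lower() == "none":
        findings.append(f"{name}: unencrypted open network")
    # protected=false means keyMaterial holds the key in clear text.
    if text(".//w:sharedKey/w:protected").lower() == "false":
        findings.append(f"{name}: key stored unprotected in the XML file")
    if text("w:connectionType").upper() == "IBSS":
        findings.append(f"{name}: ad hoc (IBSS) profile")
    return findings
```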
To connect to a wireless network quickly, use the netsh wlan connect command and specify a wireless profile name (which must be configured or added previously). The following examples demonstrate different but equivalent syntaxes for connecting to a wireless network with the Contoso1 SSID.
Netsh wlan connect Contoso1
Connection request is received successfully

Netsh wlan connect Contoso1 interface="Wireless Network Connection"
Connection request is received successfully
Note that you need to specify the interface name only if you have multiple wireless network adapters—an uncommon situation. You can use the following command to disconnect from all wireless networks.
Netsh wlan disconnect
Disconnection request is received successfully
You can use scripts and profiles to simplify the process of connecting to private wireless networks for your users. Ideally, you should use scripts and profiles to save users from ever needing to type wireless security keys.
You can also use Netsh to allow or block access to wireless networks based on their SSIDs. For example, the following command allows access to a wireless network with the Contoso1 SSID.
Netsh wlan add filter permission=allow ssid=Contoso networktype=infrastructure
Similarly, the following command blocks access to the Fabrikam wireless network.
Netsh wlan add filter permission=block ssid=Fabrikam networktype=adhoc
To block all ad hoc networks, use the Denyall permission, as the following example demonstrates.
Netsh wlan add filter permission=denyall networktype=adhoc
To prevent Windows from automatically connecting to wireless networks, run the following command.
Netsh wlan set autoconfig enabled=no interface="Wireless Network Connection"
You can also use Netsh to define the priority of user profiles (but not Group Policy profiles). Group Policy profiles always have precedence over user profiles. The following example demonstrates how to configure Windows to connect automatically to the wireless network defined by the Contoso profile before connecting to the wireless network defined by the Fabrikam profile.
Netsh wlan set profileorder name=Contoso interface="Wireless Network Connection" priority=1
Netsh wlan set profileorder name=Fabrikam interface="Wireless Network Connection" priority=2
Netsh wlan help
When troubleshooting problems connecting to wireless networks, open Event Viewer and browse the Applications And Services Logs\Microsoft\Windows\WLAN-AutoConfig event log. You can also use this log to determine the wireless networks to which a client is connected, which might be useful when identifying the source of a security compromise.