Re: SBS Wireless policy

In article <1166443120.195333.94770@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, ajj3085
@alum.rit.edu says...

Tried with the new settings in place. Now I get 'Windows was unable to
connect to one or more of your wirelss networks..'

I know it's not what you were hoping for, but it is progress! At least the
laptop now recognizes YOUR wireless network is there.

Checking the network properties, everything is set, but there are no
certificates checked to be trusted. ON the DC, the cert is checked, so
I'm thinking that the required cert isn't being copied to the laptop
when I refresh group policies.

I agree this sounds like a GPO issue. Most likely the wireless GPO either has
a small configuration error or it is not being properly pushed out to the
laptop during the WIRED connection step.

In "Computer Wireless LAN Policy" -> Computer Configuration -> Windows Settings
-> Security Settings -> Wireless Network (IEE 802.11 Policies), right-click
"802.1x Computer Certificate Wireless LAN Policy" and select Properties.

Preferred Networks tab -> select your secure SSID -> [Edit] button

IEEE 802.1x tab -> [Settings] button (under EAP type)

Verify:
When connecting ... Use a certificate on this computer is selected and
Use simple certificate selection (Recommended) is checked
Validate server certificate is checked
Connect to these server is checked and the box has the INTERNAL name
of your SBS (vortex.hellmouth.local, right?)
Trusted Root Certification Authorities: Scroll down to your CA
(hellmouthCA, right?) and make sure it is checked. It may be listed
twice. If so, it's OK to check both of them. (Checking either one
should also work.) You might want to select the CA and click [View
Certificate] to verify the cert looks like what you are expecting.

When you've verified/fixed all that and have returned to the "Edit <yourSSID>
Properties" page, also verify "Authenticate as guest ..." is NOT checked,
"Authenticate as computer ..." is checked, and "Computer authentication" is set
to "Computer only".

Then OK as necessary and close the GPO editor.

Redo the "Logon to the SBS domain using a _wired_ connection" steps (p. 15 of
the text document). It is VERY important to DISable the wireless NIC while
doing this because Windows XP does not deal well with two active network
connections, especially on the same subnet. Then check the laptop's event logs
to be sure there were no GPO errors. If not, disconnect wired, enable
wireless, and check the laptop's wireless properties to be sure they match the
GPO's - especially the IEEE 802.1x tab -> Settings.

If that looks good, let's see if you can connect via secure wireless. Don't
forget to reconfigure the WAP for RADIUS rather than WPA-PSK!

-- Owen Williams [SBS MVP]
.

Loading