Cisco Aironet 802.11a/b/g Wireless LAN Client Adapters (CB21AG and PI21AG) Installation and Configuration Guide for Windows Vista
OL-16534-01
Chapter 4 Performing Administrative Tasks
Using Microsoft Tools to Perform Administrative Tasks
Step 6
After you are done, save the GPO. You can refresh the Vista client by running "gpupdate /force" to force
an update of the GPO. You should then see the new profile added to the Vista machine.
After you create a GPO network profile, it cannot be changed by the user on the Vista machine.
On the General tab of a wireless network policy, you can configure a name and description for the policy,
specify whether the WLAN AutoConfig service is enabled, and configure a list of wireless network
policies and their settings in a preferred order. You can also export profiles as XML files and import
XML files as wireless profiles.
For detailed information about configuring policies, exporting profiles, and importing profiles, see the
following documentation:
• Windows Vista Wireless Networking Evaluation Guide
http://technet2.microsoft.com/WindowsVista/en/library/f0b0d1fd-6dff-46a2-8e6a-bdd152d2337f1033.mspx?mfr=true
• Wireless Group Policy Settings for Windows Vista
http://www.microsoft.com/technet/technetmag/issues/2007/04/CableGuy/default.asp
Configuring Machine Authentication for EAP-FAST
You can enable machine authentication from the Advanced Security screen when you create a Group
Policy Object.
The EAPHost notifies the EAP-FAST module that the current authentication is a machine authentication.
Machine authentication is achieved by using one of the following:
• a machine PAC
• a machine certificate
• a machine password
The EAP-FAST module attempts to fetch the machine PAC first. If a machine PAC is unavailable, the
EAP-FAST module attempts to fetch a machine certificate. If a machine certificate is unavailable, the
EAP-FAST module attempts to fetch the machine password for the machine account in the Active
Directory.
When the machine is authenticated with either a machine certificate or a machine password, the
EAP-FAST module then requests the provisioning of a machine PAC for subsequent use. If neither a
machine certificate nor a machine password is available, the EAP-FAST module requests a machine PAC
during the next successful user authentication after a user has logged on. If an existing machine PAC is
invalid or expired, the EAP-FAST module relies on this process to request a new machine PAC.
Because machine authentication is integrated with and supported by the Windows 802.1X supplicant,
the EAP-FAST module is only responsible for authentication to gain network access. Additional network
operations to support machine authentication, such as DHCP, machine-level GPO, and other related
network services, are the responsibility of the operating system and the 802.1X supplicant.
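To confirm that a deployed profile really has machine authentication enabled, an exported profile XML file can be checked offline. The Python check below is an added example, not part of the Cisco guide; it assumes the standard Windows WLAN profile elements (useOneX, authMode, and the EapMethod Type, where 43 is the EAP type number for EAP-FAST) and runs on a constructed sample profile.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported profile; here authMode was left at "user".
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">43</Type>
          </EapMethod>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

EAP_FAST_TYPE = "43"                          # IANA EAP method type for EAP-FAST
MACHINE_MODES = {"machine", "machineOrUser"}  # modes in which the machine authenticates

def first_text(root, local_name):
    """Text of the first element with this local name, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name and el.text and el.text.strip():
            return el.text.strip()
    return None

def audit_profile(xml_text):
    """Return (profile name, findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    findings = []
    if first_text(root, "useOneX") != "true":
        findings.append("802.1X (useOneX) is not enabled")
    mode = first_text(root, "authMode")
    if mode not in MACHINE_MODES:
        findings.append(f"authMode is {mode!r}, expected machine or machineOrUser")
    eap_type = first_text(root, "Type")
    if eap_type != EAP_FAST_TYPE:
        findings.append(f"EAP type is {eap_type!r}, expected 43 (EAP-FAST)")
    return first_text(root, "name"), findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

Profiles to check can be written out on the client with "netsh wlan export profile"; an empty findings list means the profile requests 802.1X with EAP-FAST in a mode that includes machine authentication.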