Advanced Security Settings for Wired and Wireless Network Policies

 

Applies To: Windows Server 2012

The Wireless Network (IEEE 802.11) Policies Advanced settings and Wired Network (IEEE 802.11) Policies specify settings associated with 802.1X authentication requests. For the Wireless Network (IEEE 802.11) Policies, the Advanced settings are only exposed by enabling Wi-Fi Protected Access 2 (WPA2)-Enterprise, WPA-Enterprise, or Open with 802.1X as the network authentication setting on the Security tab in the Wireless Network (IEEE 802.11) Policy.

Advanced security settings for the Wireless Network Policies and Wired Network Policies

IEEE 802.1X - settings

IEEE 802.1X settings specify the behavior of wireless client 802.1X authentication requests.

Item

Details

Enforce advanced 802.1x settings

Specifies that the settings listed are enforced as configured:

  • Max Eapol-Start Msgs

  • Held Period (seconds)

  • Start Period (seconds)

  • Auth Period (seconds)

Max Eapol-Start Msgs

EAPOL is the Extensible Authentication Protocol (EAP) over local area network (LAN) protocol.

If no response is received to the original EAPOL-Start message, this setting specifies the maximum number of subsequent EAPOL-Start messages sent.

Default = 3

Held Period (seconds)

After a client has received notification of authentication failure, this setting specifies the number of seconds an authenticating client waits before it performs another 802.1X authentication request.

Default = 60

Start Period

If no response is received to the original EAPOL-Start message, this setting specifies the number of seconds between the retransmission of subsequent EAPOL-Start messages.

Default = 5

Auth Period

After end-to-end 802.1X authentication is initiated, this setting specifies the number of seconds authenticating clients must wait before retransmitting any 802.1X requests.

Default = 30

Single Sign On - settings

In Windows Server® 2008 and Windows Vista, Single Sign On performs 802.1X authentication based on the network security configuration during the user logon process. This feature enables scenarios — such Group Policy updates, implementation login scripts, and joining of wireless clients to domains — that require network connectivity prior to user logon.

You can use Group Policy settings to configure Single Sign On profiles for your wireless client computers. When a Single Sign On profile is configured, 802.1X authentication is conducted prior to computer logon to the domain; users are only prompted for credential information if needed.

Item

Details

Enable Single Sign On for this network

Specifies that Single Sign On is activated for the wireless network profile for this network.

Default = Not enabled

Perform immediately before User Logon

Specifies that Single Sign On performs 802.1X authentication before user logon completes.

Default = Not enabled

Perform immediately after User Logon

Specifies that Single Sign On performs 802.1x authentication immediately upon successful user logon.

Default = Not enabled

Max delay for connectivity (Seconds)

Specifies the maximum time, in seconds, in which 802.1X authentication must complete and authorize network access. This setting allows the network administrator to define the maximum length of time a user waits at the logon screen.

Default = 10

This network uses different VLAN for authentication with machine and user credentials

Specifies that wireless computers are placed on one virtual local area network (VLAN) at startup, and then — based on user permissions — transitions to a different VLAN network after the user logs on to the computer.

This setting is used in scenarios where it is desirable to separate traffic by using VLANs. For example, one VLAN, "VLAN-a," allows access only to authenticated computers, typically with a restricted set of assets. A second VLAN, "VLAN-b," provides authenticated and authorized users with access to a broader set of assets, such as e-mail, build servers, or the intranet.

Default = Not enabled

Fast Roaming settings

Fast Roaming is a feature of WPA2 that uses pre-authentication and Pairwise Master Key (PMK) Caching to enable wireless clients to roam more quickly among wireless access points (APs).

Fast Roaming settings are only exposed by enabling WPA2-Enterpries on the Security tab in the Windows Vista Wireless Network (IEEE 802.11) Policy.

Item

Details

Enable Pairwise Master Key (PMK) Caching

Specifies that Pairwise Master Key (PMK) Caching is used for WPA2 Fast Roaming.

Default = Enabled

PMK time to Live (Minutes)

Specifies the duration, in minutes, the PMK is held in cache.

Default = 720

Number of Entries in PMK Cache

Specifies the maximum number of PMK entries that are stored in cache.

Default = 128

This network uses pre-authentication

Specifies that pre-authentication is used for WPA2 Fast Roaming.

Pre-authentication enables WPA2 wireless clients that are connected to one wireless AP to perform 802.1X authentication with other wireless APs within its range. Pre-authentication stores the PMK and its associated information in the PMK cache. When the wireless client connects to a wireless AP with which it has pre-authenticated, it uses the cached PMK information to reduce the time required to authenticate and connect.

Note

WPA2 client pre-authentication is only possible with wireless access points that broadcast pre-authentication capability in Beacon and Probe Response messages.

Default = Enabled

Maximum pre-authentication attempts

Specifies the maximum allowed pre-authentication attempts.

This setting is available only when This network uses pre-authentication is selected.

Default = 3

Item

Details

Perform cryptography in FIPS 140-2-certified mode

Specifies that wireless transmissions adhere to the Federal Information Processing Standard (FIPS) 140-2 mode for cryptography. FIPS 140-2 is a U.S. government computer security standard that is used to certify cryptographic modules.

Default = not enabled

Additional resources

For additional information about wireless settings in Group Policy, see Managing the New Wireless Network (IEEE 802.11) Policies Settings

For additional information about wireless settings in Group Policy, see Managing the New Wired Network (IEEE 802.3) Policies Settings