Install IAS from the Add/ Remove Windows Components area in the control panel.

Install Certificate Services from the Windows Components area in the control panel.

When prompted you want to install an “Enterprise Root CA”.

Load up the “Certificates” plugin for mmc and then submit a request for a new domain controller certificate.

Create a group in Active Directory called “WirelessUsers”.

Inside the administrative tools section load up the IAS plugin and create a “new remote access policy”. Call it “Wireless Access Policy”. Follow the wizard which is reasonably intuitive and when prompted for access restrictions you want to allow only computers and users that are a member of the “Wireless Users” group you created previously. Also make sure when prompted for the authentication method that you select EAP/PEAP.

Then right click on the policy you just created and goto “Properties”. Then click on the “Edit Profile” button and make the following changes:

1. Encryption tab: Make sure “No Encryption” is not ticked.
2. Authentication tab: Tick MSCHAP-V2.
3. Advanced tab: Add Ignore_User_Dial_In_Properties = true and also Terminate-Action = Radius-Request.

On the Access Point:

Use an access point that supports EAP/PEAP and 802.1X authentication (e.g. a DLink DWL 2100AP). Set up a DHCP reservation for it so that it is always on the same IP address.

Change the authentication mode to be WPA-EAP.
Put in the IP address of the radius server (the server you installed IAS on).
Put in the Radius server/ port numbers/ shared secret (make one up at this stage).
Remember to save/ restart the AP to make sure the settings have stuck.

Back to IAS:

Add a new Radius client. Put in the IP Address of your new AP and also the shared secret you came up with above.

Group Policy Setup:

Load up the group policy manager. Find the appropriate OU that you wish to distribute the wireless network settings to.

Create and link a new GPO here (by right clicking on it and choosing the obvious option). Then right click on the new GPO and click edit.

Goto Computer Configuration -> Windows Settings -> Security Settings -> Wireless Network.

From here you right click on the right hand window and click “Create Wireless Network Policy”.

1. Give the wireless network policy a name.
2. Select Access Point (infrastructure) networks only.

Once this is created edit the properties as follows:

1. Put in the SSID of the wireless network in to the “Network Name” box. Do not use any punctuation like (-,_,/) etc.
2. In the Wireless Network Key box. Set “Network Authentication” to WPA. with TKIP encryption.

On the IEEE 802.1X tab:

1. Set EAPOL start message to “Transmit”
2. In the parameters section you want to have : Max Start = 3 , Start Period = 10, Held Period=10, Authentication Period=10.
3. Make sure that “Authenticate as computer when computer information is available is ticked. Also make sure that computer authentication option is set to “With User Re-Authentication”.
4. Make sure that EAP Type is set to Protected EAP. Click the settings button and make sure that:

“Validate server Certificate” is ticked, that your CA (that you created above) is also in the list of “Trusted Root Certification Authorities”, Fast Connect is enabled and that “Secured Password (EAP-MSCHAAP v2)” is the selected method, click on “Configure” and make sure that automatically send my username and password is ticked.

Setup is now complete.