If you’re running a Wi-Fi network in your enterprise Windows network, 802.1x is certainly the way to go - it moves away from pre-shared keys and lets us centrally manage access to your wireless network. In this article I’ll start to take you through how to set up your own 802.1x Wi-Fi network on a Windows Active Directory domain.

Benefits of using 802.1x for Wi-Fi authentication

If you’re running Wi-Fi to provide access to you enterprise, you need to ensure that it is as secure as possible, and also keep access to the wireless network manageable. At home you probably use a pre shared key (PSK) to grant/restrict access to the wireless network, while this is fine for a network with only a handful of client devices, we need something a bit more durable in the enterprise – Imagine having to change the key on 100+ workstations when a disgruntled employee leaves your business! Using 802.1x / WPA2-Enterprise technology we can control access to our wireless network in a much more granular fashion, by selecting groups of users or computers from active directory that will be granted access – if a user’s AD account is disabled, so is their ability to access the wireless network. We can also use group policy to push out the Wi-Fi settings, completely centralising all aspects of you wireless network deployment.


Before we get started, we will need a few bits and pieces:

  • Windows 2008 domain
  • Wireless access point (supporting RADIUS/WPA2-Enterprise)
    In my examples, I’ll be using a CISCO WAP200.
  • Laptop with Wi-Fi that is an Active Directory domain member

Installing the NPS and Certificate Services

Firstly, we will need to add the following roles onto a server, or servers to the domain (if you’ve already got servers running these, you don’t need to add them again):

  • Active Directory Certificate Services
  • Network Policy and Access Services

You can add roles by opening up ‘Server Manager’, selecting ‘roles’, then clicking on ‘add roles’ and following the wizard. The Certificate Services setup will ask you a few questions, if it’s your first time using the Certificate Services role, you’ll just want to select Enterprise & Root CA.

802.1x - Wi-Fi - Windows - Active Directory - Certificates

Certificates snap-in

Certificate enrolment

Once we have installed the roles, we will need to enrol our NPS server for a certificate from the server that is running our Certificate Services (CS). To do this, from the server running NPS, we need the Certificates MMC snap-in (Run mmc.exe > file > Add/Remove snap-ins > Certificates) – make sure you set the snap-in to manage certificates for the computer account on the local system. Once the certificates MMC is loaded, we can enrol for a new certificate by right clicking on the Certificates\Personal\Certificates folder, then selecting ‘Request new certificate’ – all being well, we should be able to click next, then tick ‘Active Directory Enrolment’ – we should then see a certificate issued to the server running NPS, issued by our CS.

In part 2 we will continue with our 802.1x wireless setup, by configuring our NPS role and access points.


Leave a reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2023


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account