Below we will detail in words and pictures how to configure a WPA2-AES (we should all be using this) on domain computers. **THESE INSTRUCTIONS ASSUME THAT YOU HAVE ALREADY CONFIGURED WPA2-AES WITH PEAP AND YOUR CLIENTS HAVE ALREADY CONNECTED SUCCESSFULLY*** These are only instructions to distribute that connection to your clients in a domain.
First, you have to RDP into a Windows 2008 server that has the group policy snapin and is part of your domain with a domain admin account. After you do that, go to Start> Administrative Tools> Group Policy Management. When you open the snapin, drill down to your default domain policy. Right click on it, and left click on edit:
You should then see the screen below:
Under Computer Configuration, expand Policies, Expand Windows Settings, Expand Security Settings and you should see Wireless Network (IEEE 802.11) Policies:
Right-Click on Wireless Network (IEEE 802.11) policies and left click on Create New Windows XP Policy. Name your XP policy name RISD (this is a friendly name and has nothing to do with the network we are connecting to) and change the networks to access to "Access point (Infrastructure) networks only". Also make sure that "Use Windows WLAN AutoConfig service for clients" has a check in it:
Click on the Preferred Networks Tab. Click on Add Infrastructure. In the Network name (SSID) box, type RISD (pretending that RISD is the wireless network you want to connect to). Make sure "Connect even if network is not broadcasting" is enabled. Make sure the Authentication is WPA2 and the Encryption is AES:
After that, click on Apply, then Ok, Ok, Ok, OK to get out of all the dialogs.
NOTE: To make sure that a XP wireless client on the domain gets the policy, plug it in wired, then type "gpupdate" on the commandline and press enter. Check the wireless networks configured on the client to make sure they got the definition. All the other clients that are connected wired should get the wireless config in the group policy refresh period, which should be 4 hours are less, if they are plugged in wired. The "gpupdate" method is only if you want your clients to get it immediately.
NOTE: You have to create another separate, identical policy for Windows 7 computers.
Big shout out to the School District in Texas that inspired this post.