I needed to add enterprise wireless to my domain using a SonicWall system (NSA firewall and SonicPoint wireless). The setup for those devices will not be covered here.
After looking at various authentication methods, I decided to use certificates to authenticate the computers but not the users. Once the computer is authenticated with the domain, it will receive GPO configuration, including Software Installation policies.
The first step (after installing and configuring a Certification Authority on the domain) is to create a GPO to configure auto-enrollment settings on the PCs. See these GPO settings (all under Computer Configuration):
[Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment]
Set Configuration Model: Enabled and check the two options regarding certificate updates/renewals.
[Policies > Windows Settings > Security Settings > Public Key Policies > Automatic Certificate Request Settings]
Add a new certificate request for Computer.
These settings may already be present in the Default Domain policy so they might not need to be specified in a new GPO.
Next, create the wireless network settings in a new GPO. This will be targeted at the specific group of computers that require wireless access.
[Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies]
Add a new policy and enter a Policy Name. Under Connect to available networks in the order of profiles listed below, click Add > Infrastructure.
Enter a Profile Name and add at least one SSID. On the Security tab specify the details to connect to the Access Point. I’m using WPA2-Enterprise and AES. Authentication Method is PEAP and Mode is Computer Authentication.
Click OK twice to add the policy.
I then linked the GPO to my Laptops OU (which contains the computer objects for the laptops) and created a Security Group to control which laptops can access the wireless network. Add this Security Group to the Security Filtering of the GPO.
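To confirm on a laptop that both GPOs took effect, the following check can be run from an elevated PowerShell prompt while the machine is still on a wired connection. This is an added example, not part of the original post; it assumes the default Computer certificate template, which carries the Client Authentication EKU.

```powershell
# Added verification example (not from the original post).
# Run elevated on a laptop that is a member of the filtered Security Group.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Refresh computer policy, then trigger certificate auto-enrollment.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null

# Look for a machine certificate that can be used for 802.1X computer authentication:
# it needs a private key, must be inside its validity period, and must carry the
# Client Authentication EKU.
$now = Get-Date
$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
}

if (-not $certs) {
    Write-Warning 'No valid computer certificate with the Client Authentication EKU was found.'
    Write-Warning 'Check the auto-enrollment GPO and the template permissions on the CA.'
} else {
    # The Issuer should be the domain Certification Authority.
    $certs | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
}

# List the GPOs applied to the computer; the wireless GPO should appear under
# "Applied Group Policy Objects". If it is listed as filtered out, check the
# Security Group membership and restart the laptop to refresh its group membership.
gpresult /r /scope computer

# Profiles delivered by the wireless GPO are listed in the
# "Group policy profiles (read only)" section of this output.
netsh wlan show profiles
```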