Friday, October 19, 2007

Getting WPA-PEAP to run on Cisco LWAPP with Windows Wireless Zero Config

This sounds simple, but add a twist: have the machines themselves authenticate rather than user accounts, and manage the whole thing centrally for Windows-based clients. Add yet another hurdle: Group Policy needs to run at the computer level, which means Group Policy must apply from the domain even though the computer is wireless only.


Not all of this is solved yet, but the basic infrastructure is there. Here's how to get it to work, at a high level:


1 - Have a fully operational Active Directory domain


2 - Install IAS on some member server or domain controller


3 - Install the SelfSSL utility from Microsoft's IIS 6.0 Resource Kit Tools on your IAS server


4 - Generate the self-signed certificate on the IAS server using the command-line SelfSSL tool (the path contains a space, so quote it):
"c:\Program Files\IIS Resources\SelfSSL\selfssl.exe" /V:1895

This will create a self-signed certificate for the IAS server to use during PEAP authentication. The certificate will be valid for 1895 days, or about 5 years.


5 - You now need to export the root certificate so that you can distribute it to clients, which will then trust your IAS server. Open MMC.exe and add the Certificates snap-in for the local computer's computer account. Under Personal certificates, you'll see the certificate listed. Using the context menu, export the certificate to a file. Don't export the private key, and choose the .cer format.


6 - Get this certificate trusted by your Windows clients. This is best done with Group Policy. It is safe to set this in a domain-wide policy, assuming you trust the server whose certificate you are publishing. In Group Policy, navigate to:

Computer Settings -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities

Using the context menu, Import the root certificate you created in the previous step.
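The two checks a practitioner wants after steps 4 through 6 are (a) that the SelfSSL certificate on the IAS server really is self-signed, has its private key and carries the expected lifetime before its public half is exported, and (b) that a domain client, after the GPO has applied, actually has that exact certificate in the machine's Trusted Root store (computer authentication validates against the machine store, not the user's). The script below is an added example written for this post, not the author's own procedure or a Microsoft tool; it does with PowerShell what the post does with MMC. The hostname IAS01, the export path C:\Temp\ias-root.cer and the script name Check-IasCert.ps1 are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post): verify and export the SelfSSL
# certificate on the IAS server, then confirm a client trusts it by thumbprint.
# Assumed values: hostname IAS01 (the CN SelfSSL used) and C:\Temp\ias-root.cer.
param(
    [ValidateSet('Server', 'Client')] [string] $Mode = 'Server',
    [string] $ServerName = 'IAS01',                 # assumed IAS hostname / cert CN
    [string] $CerPath    = 'C:\Temp\ias-root.cer',  # assumed export location
    [string] $Thumbprint = ''                       # required for -Mode Client
)

$ErrorActionPreference = 'Stop'

if ($Mode -eq 'Server') {
    # SelfSSL places its certificate in the local machine Personal store with
    # CN=<hostname>. If SelfSSL was run more than once, take the newest one.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$ServerName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for CN=$ServerName in LocalMachine\My" }

    # Self-signed means subject and issuer are identical. That is the certificate
    # the clients will pin as a trusted root, so refuse anything else.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Certificate is not self-signed (issuer: $($cert.Issuer))"
    }

    # /V:1895 should yield a lifetime of about 1895 days; warn if it does not.
    $days = ($cert.NotAfter - $cert.NotBefore).TotalDays
    if ([math]::Abs($days - 1895) -gt 2) {
        Write-Warning "Validity is $([int]$days) days, expected about 1895"
    }

    # IAS needs the private key to terminate PEAP; the export must NOT carry it.
    if (-not $cert.HasPrivateKey) { throw "Private key missing; IAS cannot use this certificate" }
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($CerPath, $der)

    Write-Output "Exported public certificate (no private key) to $CerPath"
    Write-Output "Thumbprint (keep for the client check): $($cert.Thumbprint)"
    Write-Output "Valid $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
}
else {
    if (-not $Thumbprint) { throw "-Thumbprint is required in Client mode" }

    # Once the GPO has applied, the exported certificate must be present in the
    # machine's Trusted Root store; PEAP computer authentication checks there.
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $root) {
        Write-Output "NOT trusted: the IAS root is absent from LocalMachine\Root; run 'gpupdate /force' and re-check"
        exit 1
    }
    if ($root.NotAfter -lt (Get-Date)) { throw "Trusted root has expired; regenerate it with SelfSSL" }
    Write-Output "Trusted root present: $($root.Subject), expires $($root.NotAfter.ToShortDateString())"
}
```

Run it as Check-IasCert.ps1 -Mode Server on the IAS server, note the thumbprint it prints, then run Check-IasCert.ps1 -Mode Client -Thumbprint <value> on a domain-joined client after a Group Policy refresh. Matching on the thumbprint rather than the subject name is deliberate: it catches the case where a client trusts an older or different certificate with the same CN, which would otherwise only surface as PEAP failures on the wireless side.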


7 - Now use Group Policy to configure the wireless settings. This is best done using the GPMC on a domain controller running Windows 2003 SP1. You'll find the wireless settings at:

Computer Settings -> Windows Settings -> Security Settings -> Wireless Network (IEEE 802.11) Policies. Here you can set up a policy to configure the preferred networks, as well as the basic parameters for the wireless connection. Make sure to select the root certificate for your IAS server on the PEAP configuration page. Notice that the options here are different from those in the Wireless Zero Config GUI. One thing in particular is that it allows you to use computer authentication for domain computers: