If the APs are vanilla 802.11b, 802.11a or 802.11g then you must configure remote access to your network via a VPN. You can use the Windows Server 2003 routing and remote access service to do so. This allows you to use Windows for authentication, and also allows you to protect the data traveling between your network and the wireless client. When you add the wireless APs to the network, you must ensure that they do not connect directly to the network, but connect via a hub or switch to the external network interface of the VPN server. The internal interface of the VPN server will connect to your network. This way, no access to your network from a wireless AP can be gained without authentication and the data will be protected. The reason for the RRAS/VPN combo is to authenticate all access and to protect the contents.
If the AP's also have 802.1x authentication capability then you can configure additional security and drop the requirement for a VPN. However, you will require additional infrastructure. You will need a RADIUS server (You can use IAS, the MS implementation -- that's IAS the Internet Authentication Service. Don't confuse this with ISA, the separate firewall product sold by MS.) All AP's and wireless network cards must be 802.1x for this design (you can support both types on your network, but only 802.1x compatible clients and APs can use the RADIUS approach). You may also need to establish a Public Key Infrastructure and certificate services, but you will need at least a server certificate for the IAS server. 802.1x provides a couple of different authentication choices, hence the need, or lack of need for PKI. 802.1x also provides re-keying of WEP keys, a feature that makes the WEP algorithm more secure. IAS will pass authentication credentials to the Active Directory. To read more about the use or 802.1x in for wireless access to a windows network see the following articles:
This was first published in October 2003