New Preferred Setting Properties - IEEE 802.1X

Applies To: Windows 7, Windows Server 2008 R2

IEEE 802.1X settings specify the behavior of wireless clients when connecting to an infrastructure wireless network that is configured for 802.1X authentication. Settings include authentication methods, such as Extensible Authentication Protocol (EAP), authentication mode, and 802.1X-specific parameters.

802.1X - configuration items

Item Details

Enable network access control using IEEE 802.1X

Specifies whether you want to use Institute of Electrical and Electronics Engineers (IEEE) 802.1X to perform authentication for your wireless network. If you clear this check box, all of the other settings on this tab become unavailable.

EAP Type

Specifies the network authentication method that connecting wireless clients use:

  • Microsoft: Smart Card or other certificate (EAP-TLS)

  • Microsoft: Protected EAP (PEAP)

Default = Microsoft: Protected EAP (PEAP)

Settings

Opens the properties page of the selected network authentication method.

For information about the settings of each network authentication method, see:

Network Authentication Methods Properties

Eapol-Start message

EAPOL is the Extensible Authentication Protocol (EAP) over local area network (LAN) protocol.

This setting specifies the transmission behavior of EAPOL-Start messages when authenticating. You can select from the following:

  • Do not transmit. Specifies that EAPOL-Start messages are not sent.

  • Transmit. Specifies that the client determines when to send EAPOL-Start messages and, if needed, sends an EAPOL-Start message.

  • Transmit per IEEE 802.1X. Specifies that, upon detection of a connection to an 802.1X-capable wireless access point, an EAPOL-Start message is automatically sent to initiate the 802.1X authentication process.

Authentication Mode

Specifies how network authentication is performed:

  • User authentication. Specifies that when users are not logged on to the computer, authentication is performed by using the computer credentials. After a user logs on to the computer, authentication is still based on the computer credentials. Authentication is performed by using the user credentials if the user travels to a new wireless access point.

  • User or Computer authentication. An 802.1X-compliant device always uses security credentials based on the current state of the computer. Authentication is performed by using the computer credentials when no users are logged on to the computer. When a user logs on to the computer, authentication is always performed by using the user credentials.

    This is the recommended setting.

  • Computer only. Authentication is always performed by using only the computer credentials.

Default = User or Computer authentication

Authenticate as computer when computer information is available

Specifies whether the computer will attempt to authenticate using computer credentials when the user is not logged on.

Computer credentials are typically a computer certificate.

Default = enabled

Authenticate as guest when user or computer information is unavailable

Specifies that client connection requests that cannot meet computer or user authentication requirements can connect to the network by using permissions configured for the Guest account.

Default = not enabled

Max Eapol-Start Msgs

If no response is received to the initial EAPOL-Start message, this setting specifies the maximum number of subsequent EAPOL-Start messages sent.

Default = 3

Held Period (seconds)

After a client has received notification of authentication failure, this setting specifies the number of seconds an authenticating client waits before it performs another 802.1X authentication request.

Default = 1

Start Period (seconds)

If no response is received to the initial EAPOL-Start message, this setting specifies the number of seconds an authenticating client waits before it performs another 802.1X authentication request.

Default = 5

Auth Period (seconds)

After end-to-end 802.1X authentication is initiated, this setting specifies the number of seconds authenticating clients must wait before retransmitting any 802.1X requests.

Default = 18
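
The following Python sketch is an added example, not Microsoft code: it models the Authentication Mode descriptions, the EAPOL-Start retry settings, and a review of a policy against the documented defaults and the recommended mode. The dict layout, the function names, and the assumption that the initial EAPOL-Start is sent at t=0 are illustrative and are not a Windows API or profile format.

```python
# Added example: the page's settings held in a plain dict keyed by their labels
# (a constructed representation, not a Windows API or profile export format).
GUEST = "Authenticate as guest when user or computer information is unavailable"
TIMERS = ("Max Eapol-Start Msgs", "Held Period (seconds)",
          "Start Period (seconds)", "Auth Period (seconds)")
DEFAULTS = {
    "Authentication Mode": "User or Computer authentication",
    GUEST: False,
    "Max Eapol-Start Msgs": 3,
    "Held Period (seconds)": 1,
    "Start Period (seconds)": 5,
    "Auth Period (seconds)": 18,
}
MODES = ("User authentication", "User or Computer authentication", "Computer only")

def credential_used(mode, user_logged_on, roamed_to_new_ap=False):
    """Return 'computer' or 'user' per the Authentication Mode descriptions."""
    if mode not in MODES:
        raise ValueError(f"unknown Authentication Mode: {mode!r}")
    if mode == "Computer only" or not user_logged_on:
        return "computer"
    if mode == "User or Computer authentication":
        return "user"
    # "User authentication": computer credentials persist after logon until
    # the user travels to a new wireless access point.
    return "user" if roamed_to_new_ap else "computer"

def eapol_start_times(policy):
    """Send times (s) when the access point never answers: the initial
    EAPOL-Start at t=0 (assumed) plus up to Max more, Start Period apart."""
    p = {**DEFAULTS, **policy}
    return [n * p["Start Period (seconds)"]
            for n in range(p["Max Eapol-Start Msgs"] + 1)]

def review(policy):
    """Return findings for a reviewer, security-relevant settings first."""
    p = {**DEFAULTS, **policy}
    findings = []
    if p[GUEST]:
        findings.append("guest fallback enabled: requests that fail computer or "
                        "user authentication connect with Guest permissions")
    if p["Authentication Mode"] != DEFAULTS["Authentication Mode"]:
        findings.append("Authentication Mode differs from the recommended setting")
    findings += [f"{k} = {p[k]} (documented default {DEFAULTS[k]})"
                 for k in TIMERS if p[k] != DEFAULTS[k]]
    return findings

# Constructed sample policy for illustration.
SAMPLE = {GUEST: True, "Authentication Mode": "Computer only", "Held Period (seconds)": 60}
```

Calling review(SAMPLE) lists the guest fallback first, then the non-recommended mode, then the changed Held Period; eapol_start_times({}) gives the send times under the documented defaults.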