Foundation Network Companion Guide: Deploying 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2
Applies To: Windows Server 2008, Windows Vista
This is a companion guide to the Windows Server® 2008 Foundation Network Guide, which is available for download in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252).
The Windows Server 2008 Foundation Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® Domain Services (AD DS) domain in a new forest.
This guide explains how to build upon a foundation network by providing instructions about how to deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated IEEE 802.11 wireless access using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).
Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is easier and less expensive to deploy than EAP-TLS or PEAP-TLS.
In this guide, IEEE 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2 is abbreviated to “wireless access.”
About this guide
This guide provides instructions on how to deploy a WiFi access infrastructure using PEAP-MS-CHAP v2 and the following components:
One or more 802.1X-capable 802.11 wireless access points (APs).
Active Directory Users and Computers.
Group Policy Management.
One or more Network Policy Server (NPS) servers.
Server certificates for computers running NPS.
Wireless client computers running Windows Vista or Windows XP with Service Pack 2.
This guide is designed for network and system administrators who have:
Followed the instructions in the Windows Server 2008 Foundation Network Guide to deploy a foundation network, or for those who have previously deployed the core technologies included in the foundation network, including AD DS, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS).
Either followed the instructions in the Windows Server 2008 Foundation Network Companion Guide: Deploying Server Certificates to deploy and use Active Directory Certificate Services (AD CS) to autoenroll server certificates to computers running NPS, or who have purchased a server certificate from a public CA, such as VeriSign, that client computers already trust. A client computer trusts a CA if that CA's certificate is already in the Trusted Root Certification Authorities certificate store on Windows-based computers. By default, computers running Windows have multiple public CA certificates installed in their Trusted Root Certification Authorities certificate store.
The Foundation Network Companion Guide: Deploying Server Certificates is available for download in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=108259) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=108258).
It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Following are the requirements for deploying a wireless access infrastructure by using the scenario documented in this guide:
Before deploying this scenario, you must first purchase and install 802.1X-capable wireless access points to provide wireless coverage in the desired locations at your site.
Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide.
Server certificates are required when you deploy the PEAP-MS-CHAP v2 certificate-based authentication method.
You or someone else in your organization is familiar with the IEEE 802.11 standards that are supported by your wireless APs and the wireless network adapters installed in the client computers on your network; for example, radio frequency types, 802.11 wireless authentication (WPA2 or WPA), and ciphers (AES or TKIP). For information about determining which wireless standards are supported on wireless client computers running Windows Vista and Windows Server 2008.
What this guide does not provide
Following are some items this guide does not provide:
Comprehensive guidance for selecting 802.1X-capable wireless access points
Because many differences exist between brands and models of 802.1X-capable wireless APs, this guide does not provide detailed information about:
Determining which brand or model of wireless AP is best suited to your needs.
The physical deployment of wireless APs on your network.
Advanced wireless AP configuration, such as for wireless VLAN.
Instructions on how to configure wireless AP vendor-specific attributes in NPS.
Additionally, terminology and names for settings vary between wireless AP brands and models, and might not match the generic setting names referenced in this guide. For wireless AP configuration details, you must review the product documentation provided by the manufacturer of your wireless APs.
Instructions for deploying NPS server certificates
There are two alternatives for deploying NPS server certificates. This guide does not provide comprehensive guidance to help you determine which alternative will best meet your needs. In general, however, the choices you face are:
Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.
Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.
Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network.
This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy.
Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.
Deploying a private CA on your network by using AD CS.
AD CS is included with Windows Server 2008.
This solution scales very well. After you have deployed a private CA on your network, AD CS automatically issues certificates to all NPS servers in your domain with no incremental increases in cost, even if you later add NPS servers to your network.
AD CS automatically issues a server certificate to new NPS servers that you add to your network.
If you later decide to change your authentication infrastructure from secure password authentication using PEAP to one that requires client certificates and uses either EAP-TLS or PEAP-TLS, you can do so by using your AD CS-based private CA.
Deploying a private CA on your network requires more specialized knowledge than purchased certificates, and can be more difficult to deploy.
It is possible to expose your network to specific security vulnerabilities if the proper precautions are not taken when deploying a private CA on your network.
NPS network policies and other NPS settings
Except for the configuration settings made when you run the Configure 802.1X wizard, as documented in this guide, this guide does not provide detailed information for manually configuring NPS conditions, constraints or other NPS settings.
For more information about NPS, see Additional Resources in this guide.
This deployment guide does not provide information about designing or deploying DHCP subnets for wireless LANs.
For more information about DHCP, see the Additional Resources in this guide.
Following are technology overviews for deploying wireless access:
The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated network access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.
802.1X-capable wireless access points (APs)
This scenario requires the deployment of one or more 802.1X-capable wireless APs that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.
802.1X and RADIUS-compliant APs, when deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.
This guide provides comprehensive configuration details to supply 802.1X authenticated access for domain-member users who connect to the network with wireless client computers running either Windows Vista or Windows XP with Service Pack 2 or later. Computers must be joined to the domain in order to successfully establish authenticated access.
If you are using computers running Windows Server 2008 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy extension, Windows Vista Wireless Network (IEEE 802.11) Policies, as for computers running Windows Vista. If you are using computers running Windows Server 2003 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy extension, Windows XP Wireless Network (IEEE 802.11) Policies, as for computers running Windows XP.
Active Directory Domain Services (AD DS)
AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.
AD DS contains the user accounts, computer accounts, and account properties that are required by IEEE 802.1X and PEAP-MS-CHAP v2 to authenticate user credentials and to evaluate authorization for wireless connections.
Active Directory Users and Computers
Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members.
Group Policy Management
Group Policy Management is a Windows Server 2008 feature that enables directory-based change and configuration management of user and computer settings, including security and user information. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO's settings to the users and computers in those Active Directory containers. To manage Group Policy objects across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).
This guide provides detailed instructions about how to specify settings in the Wireless Network (IEEE 802.11) Policies Group Policy Management extension, which in turn configures the necessary settings on wireless client computers for 802.1X authenticated wireless access.
This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication.
A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.
A certification authority (CA) is an entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.
Active Directory Certificate Services (AD CS) is a Windows Server 2008 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also known as a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise.
EAP, PEAP, and PEAP-MS-CHAP v2
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. Windows Server 2008 includes an EAP infrastructure, supports two EAP types, and has the ability to pass EAP messages to NPS servers. By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2008 are:
Transport Layer Security (TLS)
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
Strong EAP types (such as those that are based on certificates) offer better security against brute-force attacks, dictionary attacks, and password guessing attacks than password-based authentication protocols (such as CHAP or MS-CHAP version 1).
Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an NPS server or other RADIUS servers. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MS-CHAP v2) that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers (NASs):
802.1X-capable wireless access points
802.1X-capable authenticating switches
Computers running Windows Server 2008 and the Routing and Remote Access service (RRAS) that are configured as virtual private network (VPN) servers
Computers running Windows Server 2008 and Terminal Services Gateway
PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.
This guide provides instructions to configure your wireless clients and your NPS server(s) to use PEAP-MS-CHAP v2 for 802.1X authenticated access.
Network Policy Server
Network Policy Server (NPS) allows you to centrally configure and manage network policies by using the following three components: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is an optional service of a foundation network, but it is required to deploy 802.1X wireless access.
When you configure your 802.1X wireless access points as RADIUS clients in NPS, NPS processes the connection requests sent by the APs. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection. This is explained in more detail as follows:
Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:
The client authenticates the NPS server. During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the NPS server's identity with the certificate. To successfully authenticate the NPS server, the client computer must trust the CA that issued the NPS server certificate. The client trusts this CA when the CA’s certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.
If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, ensure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.
The NPS server authenticates the user. After the client successfully authenticates the NPS server, the client sends the user's password-based credentials to the NPS server, which verifies the user's credentials against the user accounts database in Active Directory Domain Services (AD DS).
If the credentials are valid, the server running NPS proceeds to the authorization phase of processing the connection request. Otherwise, NPS sends an Access-Reject message and the connection request is terminated.
The server running NPS performs authorization as follows:
NPS checks for restrictions in the user or computer account dial-in properties in AD DS.
NPS then processes its network policies to find a policy that matches the connection request. If a matching policy is found, NPS either grants or denies the connection based on that policy’s configuration.
If both authentication and authorization are successful, NPS grants access to the network, and the user and computer can connect to network resources for which they have permissions.
To deploy wireless access, you must configure NPS network policies. This guide provides instructions to use the Configure 802.1X wizard in NPS to create NPS policies for 802.1X authenticated wireless access.
For deployments in which the user or IT administrator cannot physically connect a computer to the wired Ethernet network to join the computer to the domain, and the computer does not have the necessary issuing root CA certificate installed in its Trusted Root Certification Authorities certificate store, this guide describes how to configure wireless clients running Windows Vista with a temporary wireless connection profile, called a bootstrap profile, to connect to the wireless network. A bootstrap profile removes the requirement to validate the RADIUS server's computer certificate. This temporary configuration enables the wireless user to join the computer to the domain, at which time the Wireless Network (IEEE 802.11) Policies are applied. The appropriate root CA certificate is then installed on the computer, and one or more wireless connection profiles that enforce the requirement for mutual authentication are installed on the computer. After joining the computer to the domain and restarting the computer, the user can use a wireless connection to log on to the domain.
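The client-side trust requirement described above (the client must validate the NPS server certificate against a trusted root CA) and the bootstrap profile that deliberately waives it can both be audited from the XML that netsh wlan export profile writes. The following script is an added example, not code from the Microsoft guide: it parses a PEAP (EAP type 25) profile and reports whether the profile enforces server validation, so that leftover bootstrap profiles can be found after the domain join. The profile text, SSID names, NPS host name and CA thumbprint are constructed placeholders; the element and namespace names are those of the public WLAN profile and MsPeap schemas.

```python
"""Audit exported Windows WLAN profiles for PEAP server validation.

Added example (not from the Microsoft guide). Reads the XML that
`netsh wlan export profile` writes for a PEAP profile and reports whether
the client validates the NPS server certificate. A profile that does not
is a bootstrap profile and should not outlive the domain join.
"""
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample profile, trimmed to the elements the audit reads.
TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>{name}</name>
<MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames>{names}</ServerNames>{ca}</ServerValidation>
<PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation></PeapExtensions>
</EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile>"""


def audit_profile(xml_text: str) -> dict:
    """Return the server-validation facts for one exported profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("wlan:name", default="?", namespaces=NS)
    sv = root.find(".//peap:ServerValidation", NS)
    if sv is None:  # not a PEAP profile at all
        return {"name": name, "peap": False, "validates_server": False,
                "trusted_cas": [], "server_names": "", "bootstrap": True}
    # Assumption made here: a missing PerformServerValidation flag (profiles
    # written before the V2 schema existed) is treated as validation enforced.
    flag = root.findtext(".//peap2:PerformServerValidation", default="true", namespaces=NS)
    validates = flag.strip().lower() == "true"
    cas = [ca.text.strip() for ca in sv.findall("peap:TrustedRootCA", NS) if ca.text]
    names = (sv.findtext("peap:ServerNames", default="", namespaces=NS) or "").strip()
    # Mutual authentication needs validation switched on AND a pinned root CA.
    return {"name": name, "peap": True, "validates_server": validates,
            "trusted_cas": cas, "server_names": names,
            "bootstrap": not (validates and cas)}


# Constructed instances: the temporary bootstrap profile and the Group Policy
# profile that replaces it. The thumbprint below is a made-up placeholder.
BOOTSTRAP_PROFILE = TEMPLATE.format(name="CorpWiFi-Bootstrap", names="", ca="", validate="false")
FINAL_PROFILE = TEMPLATE.format(
    name="CorpWiFi", names="nps1.corp.example", validate="true",
    ca="<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>")

if __name__ == "__main__":
    for profile in (BOOTSTRAP_PROFILE, FINAL_PROFILE):
        r = audit_profile(profile)
        verdict = "BOOTSTRAP, remove after domain join" if r["bootstrap"] else "enforces mutual authentication"
        print(f"{r['name']}: {verdict}")
```

On a real client the input would be the file produced by netsh wlan export profile name="..." folder=...; the same function applies unchanged.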