Foundation Network Companion Guide: Deploying 802.1X Authenticated Wired Access with PEAP-MS-CHAP v2
Applies To: Windows Server 2008, Windows Vista
This is a companion guide to the Windows Server® 2008 Foundation Network Guide, which is available for download at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252).
The Windows Server 2008 Foundation Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® Domain Services (AD DS) domain in a new forest.
This guide explains how to build upon a foundation network and server certificate infrastructure by providing instructions about how to deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X authenticated IEEE 802.3 wired access using Protected Extensible Authentication Protocol - Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).
Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is easier and less expensive to deploy than Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) or Protected Extensible Authentication Protocol - Transport Layer Security (PEAP-TLS).
In this guide, IEEE 802.1X authenticated wired access with PEAP-MS-CHAP v2 is abbreviated to “wired access.”
About this guide
This guide provides instructions on how to deploy a wired access infrastructure using the following components:
One or more 802.1X-capable 802.3 wired Ethernet switches
Active Directory Users and Computers
Group Policy Management
One or more servers running Network Policy Server (NPS)
Server certificates for NPS servers
Client computers running Windows Vista that are joined to the domain
This guide is designed for network and system administrators who have:
Followed the instructions in the Windows Server 2008 Foundation Network Guide to deploy a foundation network, or for those who have previously deployed the core technologies included in the foundation network, including AD DS, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS).
Either followed the instructions in the Windows Server 2008 Foundation Network Companion Guide: Deploying Server Certificates to deploy and use Active Directory Certificate Services (AD CS) to autoenroll server certificates to computers running NPS, or who have purchased a server certificate from a public certification authority (CA), such as VeriSign, that client computers already trust. A client computer trusts a CA if that CA certificate is already in the Trusted Root Certification Authorities certificate store on the client computer. By default, computers running Windows have multiple public CA certificates installed in their Trusted Root Certification Authorities certificate store.
The Foundation Network Companion Guide: Deploying Server Certificates is available for download in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=108259) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=108258).
It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Following are the requirements for deploying wired access by using this guide:
Before deploying this scenario, you must first purchase and install 802.1X-capable Ethernet switches on your network.
Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide.
Server certificates are required when you deploy the PEAP-MS-CHAP v2 certificate-based authentication method for network access authentication. PEAP-MS-CHAP v2 requires that each NPS server deployed on your network must have a server certificate issued by your network AD CS certification authority (CA), or by a public CA that your Windows-based clients already trust, unless the administrator deselects Validate server certificate in the PEAP properties within Wired Network (IEEE 802.3) Policies.
You or someone else in your organization is familiar with the IEEE 802.3 standards that are supported by your network switches and the Ethernet network adapters installed in the client computers on your network.
What this guide does not provide
Following are some items this guide does not provide:
Comprehensive guidance for selecting 802.1X-capable Ethernet switches
Because many differences exist between brands and models of 802.1X-capable switches, this guide does not provide detailed information about:
Determining which brand or model of switch is best suited to your needs.
The physical deployment of switches on your network.
Advanced switch configuration.
Instructions on how to configure switch vendor-specific attributes in NPS.
Additionally, terminology and names for settings vary between switch brands and models, and might not match the generic setting names referenced in this guide. For switch configuration details, you must use the product documentation provided by the manufacturer of your switches.
NPS server certificates
This guide does not provide comprehensive guidance to help you determine which of the following alternatives for obtaining NPS server certificates will best meet your needs. In general, however, the choices you face are:
Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows clients. This option is typically recommended for smaller networks.
Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.
Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network.
This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy.
Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.
Deploying a private CA on your network by using AD CS.
AD CS is included with Windows Server 2008.
This solution scales very well. After you have deployed a private CA on your network, AD CS will automatically issue certificates to all NPS servers in your domain with no incremental increases in cost, even if you later add NPS servers to your network.
AD CS will automatically issue a server certificate to new NPS servers that you add to your network.
If you later decide to change your authentication infrastructure from secure password authentication using PEAP to one that requires client certificates and uses either EAP-TLS or PEAP-TLS, you will be able to do so by using your AD CS-based private CA.
Deploying a private CA on your network requires more specialized knowledge than purchased certificates, and can be more difficult to deploy.
It is possible to expose your network to specific security vulnerabilities if the proper precautions are not taken when deploying a private CA on your network.
NPS network policies and other NPS settings
Beyond the configuration settings made when you run the Configure 802.1X wizard as documented in this guide, this guide does not provide detailed information for manually configuring NPS conditions, constraints or other NPS settings.
The Additional Resources for Deploying Wired Access with PEAP-MS-CHAP v2 section in this guide provides links to comprehensive NPS documentation.
This deployment guide does not provide information about designing or deploying DHCP subnets.
For more information about DHCP, see the Additional Resources for Deploying Wired Access with PEAP-MS-CHAP v2 section in this guide.
Following are technology overviews for deploying wired access.
The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated network access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. 802.1X-capable switches will deny access to a port if the authentication process fails. 802.1X port-based access control prevents computers that are not joined to the domain from obtaining TCP/IP configuration settings from DHCP servers, and prevents the transmission of any TCP/IP packets by these computers. Although this standard was designed for wired Ethernet networks, it has also been adapted for use on 802.11 wireless LANs.
This deployment scenario requires one or more switches that are compatible with both the Remote Authentication Dial-In User Service (RADIUS) protocol and 802.1X.
802.1X-capable RADIUS-compliant switches, when deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.
This guide provides comprehensive configuration details to supply 802.1X authenticated access for domain-member users who connect to the network by using client computers running Windows Vista.
If you are using computers running Windows Server 2008 as client computers, you can configure 802.1X security and connectivity settings on those computers by using the same Wired Network (IEEE 802.3) Policies Group Policy extension as for computers running Windows Vista.
You can use the Windows Vista Wired Network (IEEE 802.3) Policies to configure computers running Windows Vista and Windows Server 2008. You cannot use this policy to configure computers running Windows XP. Computers running Windows XP cannot interpret settings in Windows Vista Wired Network (IEEE 802.3) Policies.
Active Directory Domain Services (AD DS)
AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.
As it relates to this guide, AD DS contains the user accounts, computer accounts, and security groups that are used when authenticating wired connection requests in 802.1X deployments that use PEAP-MS-CHAP v2.
Active Directory Users and Computers
Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members.
This guide provides instructions to create a wired users security group. Each domain member to whom you want to grant access is added as a member of the wired users security group. Then, when you create and configure network policies in NPS, you will base the network policy on, and grant access to, the wired users security group that you created in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. NPS will automatically deny access for any connection request that originates from a user who is not a member of the wired users security group.
Group Policy Management
Group Policy Management is a Windows Server 2008 feature that enables directory-based change and configuration management of user and computer settings, including security and user data. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO's settings to the users and computers in those Active Directory containers. You can use Group Policy Management to create an individual GPO or to manage Group Policy objects across an enterprise.
This guide provides detailed instructions about how to specify settings in the Wired Network (IEEE 802.3) Policies as a Group Policy Management extension, which in turn provisions client computers with the necessary network and security settings for wired access.
This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication.
A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.
A certification authority (CA) is an entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.
AD CS is a Windows Server 2008 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also known as a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise. NPS servers use server certificates to prove their identity to client computers during PEAP-MS-CHAP v2 authentication.
EAP, PEAP, and PEAP-MS-CHAP v2
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. Windows Server 2008 includes an EAP infrastructure, support for two EAP types, and the ability to pass EAP messages to NPS servers. By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2008 are:
Transport Layer Security (TLS)
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
Strong EAP types (such as those that are based on certificates) offer better security against brute-force attacks, dictionary attacks, and password guessing attacks than password-based authentication protocols (such as CHAP or MS-CHAP, version 1).
Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer or computer that connects to the LAN through an 802.1X-capable switch, and a PEAP authenticator, such as an NPS server or other RADIUS servers. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MSCHAP v2) that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers (NASs):
802.1X-capable Ethernet switches
802.1X-capable wireless access points (APs)
Computers running Windows Server 2008 and the Routing and Remote Access service (RRAS) that are configured as virtual private network (VPN) servers
Computers running Windows Server 2008 and Terminal Services Gateway
PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.
This guide provides instructions to configure your wired clients and your NPS servers to use PEAP-MS-CHAP v2 for 802.1X authenticated access.
Network Policy Server
Network Policy Server (NPS) allows you to centrally configure and manage network policies by using the following three components: RADIUS server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is an optional service of a foundation network, but it is required to deploy 802.1X wired access.
When you configure your 802.1X-capable switches as RADIUS clients in NPS, NPS processes the connection requests sent by the switches. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection. This is explained in more detail as follows:
Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:
The first part of mutual authentication requires the client to authenticate the NPS server. During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the NPS server's identity with the certificate. To successfully authenticate the NPS server, the client computer must trust the CA that issued the NPS server certificate. The client trusts this CA when the CA’s certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.
If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, ensure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.
The second part of mutual authentication requires the NPS server to authenticate the user. After the client successfully authenticates the server, the client sends password-based user credentials to the NPS server, which verifies the user credentials against the user accounts database in Active Directory Domain Services (AD DS).
If the credentials are valid, the server running NPS proceeds to the authorization phase of processing the connection request. Otherwise, NPS sends an Access Reject message and the connection request is terminated.
The server running NPS performs authorization, as follows:
NPS checks for restrictions in the user or computer account dial-in properties in AD DS.
NPS then processes its network policies to find a policy that matches the connection request. If a matching policy is found, NPS either grants or denies the connection based on that policy.
If both authentication and authorization are successful, NPS grants access to the network, and the user and computer can connect to network resources for which they have permissions.
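As an added example that is not part of the original guide, the following Python script audits an exported wired 802.1X client profile for the settings this guide relies on: PEAP carrying MS-CHAP v2 as the inner method, and the client validating the NPS server certificate so that the first half of mutual authentication is not skipped (the "Validate server certificate" setting discussed under the requirements). The XML layout and namespaces are assumed from the format produced by netsh lan export profile; the sample profiles are constructed, not exported from a real computer.

```python
import xml.etree.ElementTree as ET

# XML namespaces of an exported Windows wired (LAN) 802.1X profile. Assumed from the
# "netsh lan export profile" layout; the guide itself does not show the XML.
NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}
EAP_PEAP, EAP_MSCHAPV2 = "25", "26"  # IANA EAP method numbers for PEAP and MS-CHAP v2

def make_profile(validate_server, prompt_user=False, inner=EAP_MSCHAPV2):
    """Constructed sample profile in the assumed export layout (not a real export)."""
    return f"""<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="{NS['onex']}"><authMode>user</authMode><EAPConfig>
   <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
    <Eap xmlns="{NS['base']}"><Type>25</Type>
     <EapType xmlns="{NS['peap']}">
      <ServerValidation>
       <DisableUserPromptForServerValidation>{str(not prompt_user).lower()}</DisableUserPromptForServerValidation>
       <TrustedRootCA></TrustedRootCA>
      </ServerValidation>
      <Eap xmlns="{NS['base']}"><Type>{inner}</Type></Eap>
      <PeapExtensions>
       <PerformServerValidation xmlns="{NS['peap2']}">{str(validate_server).lower()}</PerformServerValidation>
      </PeapExtensions>
     </EapType>
    </Eap></Config></EapHostConfig></EAPConfig></OneX>
 </security></MSM></LANProfile>"""

def audit_wired_profile(xml_text):
    """Return findings that contradict the guide's PEAP-MS-CHAP v2 requirements ([] == OK)."""
    findings = []
    onex = ET.fromstring(xml_text).find(".//onex:OneX", NS)
    if onex is None:
        return ["no 802.1X (OneX) block: the port would not be authenticated"]
    outer = onex.find(".//base:Eap", NS)  # document order: the outer method comes first
    if outer is None or outer.findtext("base:Type", namespaces=NS) != EAP_PEAP:
        return ["outer EAP method is not PEAP (type 25)"]
    peap = outer.find("peap:EapType", NS)
    inner = peap.find("base:Eap/base:Type", NS)
    if inner is None or inner.text != EAP_MSCHAPV2:
        findings.append("inner method is not MS-CHAP v2 (type 26)")
    # The weak setting: 'Validate server certificate' cleared. The client then never
    # checks the NPS server certificate, so it cannot tell a legitimate NPS server
    # from an impostor before sending its password-based credentials.
    psv = peap.find("peap:PeapExtensions/peap2:PerformServerValidation", NS)
    if psv is None or psv.text.strip().lower() != "true":
        findings.append("Validate server certificate is disabled (PerformServerValidation != true)")
    # If the user can be prompted, an untrusted server certificate can be accepted by a click.
    prompt = peap.find("peap:ServerValidation/peap:DisableUserPromptForServerValidation", NS)
    if prompt is None or prompt.text.strip().lower() != "true":
        findings.append("user may be prompted to accept an untrusted server certificate")
    return findings
```

Run the audit against the output of netsh lan export profile (or the equivalent settings pushed by the Wired Network (IEEE 802.3) Policies GPO) on a sample client before rolling the policy out to the domain.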
To deploy wired access, you must configure NPS network policies. This guide provides instructions to use the Configure 802.1X wizard in NPS to create NPS policies for 802.1X authenticated wired access.