802.1X Authenticated Wireless Deployment Guide
Applies To: Windows Server 2008, Windows Vista
Wireless connectivity offers users a high degree of mobility and provides another networking option when traditional wired networks are impractical. The Windows Server® 2008 operating system provides the networking services needed to deploy a secure and manageable wireless local area network (WLAN) infrastructure within networks ranging from small business to an enterprise environment. This guide provides comprehensive guidance to deploy an 802.1X authenticated wireless access solution.
Wireless networks can provide the following benefits:
A cost efficient network deployment alternative. Installing a wireless network can be easier and less time consuming, and is frequently less expensive, than installing a wired network, because it eliminates the need to run Ethernet cable through walls and ceilings.
A means to scale your client access resources with agility. Compared to a wired network, it is relatively easy to expand or decrease the size of a wireless network by adding or removing wireless APs. By contrast, to expand service in a wired network typically requires the installation of additional network switches or hubs as well as installing cable.
The elimination of recurring telecommunications charges. To connect the networks in two buildings separated by a physical, legal, or financial obstacle, you can either use a link provided by a telecommunications vendor (for a fixed installation cost and ongoing recurring costs), or you can create a point-to-point wireless link by using WLAN technology (for a fixed installation cost but no recurring costs).
The availability of network resources without the constraints associated with connecting client computers directly to the wired network. Some kinds of buildings, such as historical buildings, might be governed by building codes that prohibit the use of wiring, making wireless networking an important alternative. Additionally, a WLAN lets you extend your network into areas that cannot be easily included in the wired network; examples include courtyards and cafeterias.
After you deploy an 802.1X authenticated wireless access solution, you will be able to provide domain users with wireless access to resources on the wired LAN.
About this guide
This guide is targeted for IT managers, system administrators, system engineers and IT professionals.
This guide provides instructions on how to deploy a wireless access infrastructure by using Extensible Authentication Protocol (EAP) authentication and the following components:
One or more 802.1X-capable 802.11 wireless access points (APs)
Active Directory Users and Computers
Group Policy Management
One or more Network Policy Server (NPS) servers
Wireless client computers running Windows Vista® or Windows XP with Service Pack 2
What this guide does not provide
Following are some items this guide does not provide:
Comprehensive guidance for installing the following required network service components
This guide does not provide instructions to install the fundamental network services that 802.1X authenticated wireless access deployments depend upon.
Active Directory® Domain Services (AD DS)
Dynamic Host Configuration Protocol (DHCP) Servers
Network Policy Server (NPS)
Additionally, this guide does not provide comprehensive guidance for configuring AD DS or DHCP. For information about how to install and configure AD DS, Domain Name System (DNS), and DHCP, in addition to information about how to install NPS, see the “Windows Server 2008 Foundation Network Guide,” available in HTML format in the Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=106252, and for download in Word format at the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=105231.
The Windows Server 2008 Foundation Network Guide provides instructions for planning and deploying the components that are required for a fully-functioning network and a new Active Directory domain in a new forest.
Comprehensive guidance for selecting 802.1X-capable wireless access points
Because many differences exist between brands and models of 802.1X-capable wireless APs, this guide does not provide detailed information about the following:
Determining which brand or model of wireless AP is best suited to your needs.
The physical deployment of wireless APs on your network.
Advanced wireless AP configuration, such as for wireless virtual local area network (VLAN).
Instructions on how to configure wireless AP vendor-specific attributes in NPS.
Additionally, terminology and names for settings vary between wireless AP brands and models, and might not match the generic setting names referenced in this guide. For wireless AP configuration details, you must review the product documentation that was provided by the manufacturer of your wireless APs.
Instructions for how to deploy NPS server certificates
There are two alternatives for deploying NPS server certificates. If your deployment solution uses PEAP-MS-CHAP v2 for secure password authentication, you can either purchase certificates from a public certification authority (CA), such as VeriSign, or deploy a private CA on your network by using AD CS. If your wireless solution uses either EAP-TLS or PEAP-TLS, you must deploy a private CA on your network by using Active Directory Certificate Services (AD CS).
For deployments that use PEAP-MS-CHAP v2, this guide does not provide comprehensive guidance to help you determine which alternative will best meet your needs. However, generally the choices you face are as follows:
Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.
Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.
Using purchased certificates can prevent specific security vulnerabilities that can exist if the required precautions are not taken when you deploy a private CA on the network.
This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server that you deploy.
Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.
Deploying a private CA on your network by using AD CS.
AD CS is included with Windows Server 2008.
This solution scales very well. After you have deployed a private CA on your network, AD CS automatically issues certificates to all NPS servers in your domain with no incremental increases in cost, even if you later add NPS servers to your network.
AD CS automatically issues a server certificate to new NPS servers that you add to your network.
If you later decide to change your authentication infrastructure from secure password authentication using PEAP to one that requires client certificates and uses either EAP-TLS or PEAP-TLS, you can do so by using your AD CS-based private CA.
Deploying a private CA on your network requires more specialized knowledge than purchased certificates, and can be more difficult to deploy.
You can expose your network to specific security vulnerabilities if the required precautions are not taken when you deploy a private CA on your network.
For information about deploying NPS server certificates, see the Foundation Network Companion Guide: Deploying Server Certificates, available in HTML format in the Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=108258, and for download in Word format at the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=108259.
Instructions for how to deploy client certificates for users and computers
For information about how to deploy computer and user certificates, see Foundation Network Companion Guide: Deploying Computer and User Certificates, available in HTML format in the Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=113884, and for download in Word format at the Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkId=115742.
NPS network policies and other NPS settings
Except for the configuration settings made when you run the Configure 802.1X wizard, as documented in this guide, this guide does not provide detailed information for manually configuring NPS conditions, constraints, or other NPS settings.
For more information about NPS, see Additional Resources for Deploying a Wireless LAN in this guide.
This deployment guide does not provide information about designing or deploying DHCP subnets for wireless LANs.
For more information about DHCP, see Additional Resources for Deploying a Wireless LAN in this guide.
Terminology used in this guide
Following are technology overviews for deploying wireless access:
The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated network access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.
802.1X-capable wireless access points (APs)
This scenario requires the deployment of one or more 802.1X-capable wireless APs that are compatible with both the IEEE 802.1X standard and the Remote Authentication Dial-In User Service (RADIUS) protocol.
802.1X and RADIUS-compliant APs, when they are deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.
This guide provides comprehensive configuration details to supply 802.1X authenticated access for domain-member users who connect to the network using wireless client computers running either Windows Vista or Windows XP with Service Pack 2 or later versions. Computers must be joined to the domain in order to successfully establish authenticated access.
If you are using computers running Windows Server 2008 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy extension of Windows Vista Wireless Network (IEEE 802.11) Policies as for computers running Windows Vista. If you are using computers running Windows Server 2003 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy extension of Windows XP Wireless Network (IEEE 802.11) Policies as for computers running Windows XP.
Active Directory Domain Services
Active Directory Domain Services (AD DS) provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.
AD DS contains the user accounts, computer accounts, and account properties that are required by IEEE 802.1X and PEAP-MS-CHAP v2 to authenticate user credentials and to evaluate authorization for wireless connections.
Active Directory Users and Computers
Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are called group members.
Group Policy Management
Group Policy Management is a Windows Server 2008 feature that enables directory-based change and configuration management of user and computer settings, including security and user information. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO's settings to the users and computers in those Active Directory containers. To manage Group Policy objects across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).
This guide provides detailed instructions about how to specify settings in the Wireless Network (IEEE 802.11) Policies Group Policy Management extension, which in turn configures the necessary settings on wireless client computers for 802.1X authenticated wireless access.
This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication.
A server certificate is a digital document that is commonly used for authentication and to help secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.
A certification authority (CA) is an entity responsible for establishing and vouching for the authenticity of public keys that belong to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.
Active Directory Certificate Services (AD CS) is a Windows Server 2008 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also called a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise.
EAP, PEAP, and PEAP-MS-CHAP v2
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by enabling additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. Windows Server 2008 includes an EAP infrastructure, supports two EAP types, and can pass EAP messages to NPS servers. By using EAP, you can support additional authentication schemes, called EAP types. The EAP types that are supported by Windows Server 2008 are as follows:
Transport Layer Security (TLS)
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an NPS server or other RADIUS servers. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MS-CHAP v2) that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following kinds of network access servers (NASs):
802.1X-capable wireless access points.
802.1X-capable authenticating switches.
Computers running Windows Server 2008 and the Routing and Remote Access service (RRAS) that are configured as virtual private network (VPN) servers.
Computers running Windows Server 2008 and Terminal Services Gateway.
PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.
This guide provides instructions to configure your wireless clients and your NPS server(s) to use PEAP-MS-CHAP v2 for 802.1X authenticated access.
Network Policy Server
Network Policy Server (NPS) lets you centrally configure and manage network policies by using the following three components: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is required to deploy 802.1X wireless access.
When you configure your 802.1X wireless access points as RADIUS clients in NPS, NPS processes the connection requests sent by the APs. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection. This is explained in more detail in the following section.
Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:
The client authenticates the NPS server. During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the NPS server's identity with the certificate. To successfully authenticate the NPS server, the client computer must trust the CA that issued the NPS server certificate. The client trusts this CA when the CA’s certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.
If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, make sure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.
The NPS server authenticates the user. After the client successfully authenticates the NPS server, the client sends the user’s password-based credentials to the NPS server, which verifies the user’s credentials against the user accounts database in Active Directory Domain Services (AD DS).
If the credentials are valid, the server running NPS proceeds to the authorization phase of processing the connection request. Otherwise, NPS sends an Access Reject message and the connection request is terminated.
The server running NPS performs authorization as follows:
NPS checks for restrictions in the user or computer account dial-in properties in AD DS.
NPS then processes its network policies to find a policy that matches the connection request. If a matching policy is found, NPS either grants or denies the connection based on that policy’s configuration.
If both authentication and authorization are successful, NPS grants access to the network, and the user and computer can connect to network resources for which they have permissions.
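The following Python model is an added illustration; it is not code from this guide or from NPS itself. It walks a connection request through the two PEAP-MS-CHAP v2 authentication phases and the two authorization steps described above, in that order: the client refuses to continue (and never sends its credentials) when the issuing CA of the server certificate is not in its Trusted Root store, the server rejects invalid credentials, an account whose dial-in properties deny access is rejected before any policy is consulted, and otherwise the first network policy whose conditions match decides the verdict, which is how NPS evaluates its ordered network policies. The CA name, server name, accounts, passwords, group names and policy names are all constructed for the example; TLS and MS-CHAP v2 are not implemented, only the decision logic.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

# Constructed sample values; none of these names come from a real deployment.
PRIVATE_CA = "Example-Private-CA"                # hypothetical AD CS issuing CA
WIRELESS_PORT_TYPE = "Wireless - IEEE 802.11"    # RADIUS NAS-Port-Type for 802.11 APs


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str   # name of the CA that signed the certificate


@dataclass(frozen=True)
class UserAccount:
    password: str
    groups: FrozenSet[str] = frozenset()
    dial_in_denied: bool = False   # the account's dial-in "Deny access" property


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    matches: Callable[[Dict[str, object]], bool]   # the policy's conditions
    grant: bool   # access permission: True grants access, False denies it


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    password: str
    nas_port_type: str
    client_trusted_roots: FrozenSet[str]   # CA names in the client's Trusted Root store


class NpsModel:
    """Processes a connection request in the order the guide describes."""

    def __init__(self, server_cert: Certificate, accounts: Dict[str, UserAccount],
                 policies: List[NetworkPolicy]) -> None:
        self.server_cert = server_cert
        self.accounts = accounts       # stands in for the AD DS account database
        self.policies = policies       # evaluated in order; the first match decides

    def process(self, req: ConnectionRequest) -> Tuple[str, str]:
        # Phase 1: the client authenticates the NPS server. If the issuing CA is not
        # trusted, the TLS channel is never established and no credentials are sent.
        if self.server_cert.issuer not in req.client_trusted_roots:
            return "Client-Abort", "server certificate issuer is not trusted by the client"
        # Phase 2: the NPS server authenticates the user (a lookup here, not MS-CHAP v2).
        account = self.accounts.get(req.user)
        if account is None or account.password != req.password:
            return "Access-Reject", "invalid credentials"
        # Authorization step 1: restrictions in the account's dial-in properties.
        if account.dial_in_denied:
            return "Access-Reject", "denied by account dial-in properties"
        # Authorization step 2: the first network policy whose conditions match.
        attrs = {"user": req.user, "groups": account.groups, "nas_port_type": req.nas_port_type}
        for policy in self.policies:
            if policy.matches(attrs):
                verdict = "Access-Accept" if policy.grant else "Access-Reject"
                return verdict, f"matched network policy '{policy.name}'"
        return "Access-Reject", "no network policy matched"


def build_demo() -> NpsModel:
    """Constructed environment: one NPS certificate, two accounts, two ordered policies."""
    server_cert = Certificate(subject="nps1.example.local", issuer=PRIVATE_CA)
    accounts = {
        "alice": UserAccount("Passw0rd!", frozenset({"Domain Users", "Wireless Users"})),
        "bob": UserAccount("Secret123", frozenset({"Domain Users"}), dial_in_denied=True),
    }
    policies = [
        NetworkPolicy(name="Wireless Users (constructed)",
                      matches=lambda a: (a["nas_port_type"] == WIRELESS_PORT_TYPE
                                         and "Wireless Users" in a["groups"]),
                      grant=True),
        NetworkPolicy(name="Deny all other connections (constructed)",
                      matches=lambda a: True, grant=False),
    ]
    return NpsModel(server_cert, accounts, policies)


def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Runs each failure mode and the success case; returns (verdict, reason) per case."""
    nps = build_demo()
    trusted = frozenset({PRIVATE_CA, "Some-Public-Root"})
    untrusted = frozenset({"Some-Public-Root"})   # private CA never reached this client
    scenarios = {
        "ca_not_trusted": ConnectionRequest("alice", "Passw0rd!", WIRELESS_PORT_TYPE, untrusted),
        "bad_password": ConnectionRequest("alice", "wrong", WIRELESS_PORT_TYPE, trusted),
        "dial_in_denied": ConnectionRequest("bob", "Secret123", WIRELESS_PORT_TYPE, trusted),
        "wrong_port_type": ConnectionRequest("alice", "Passw0rd!", "Ethernet", trusted),
        "success": ConnectionRequest("alice", "Passw0rd!", WIRELESS_PORT_TYPE, trusted),
    }
    return {name: nps.process(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenarios().items():
        print(f"{name:16s} -> {verdict}: {reason}")
```

The order matters for defenders: because the client validates the server certificate before it releases any credentials, a client whose Trusted Root store lacks the issuing CA (the case the preceding paragraphs address) fails closed rather than handing its password to an unverified server, and an account-level deny in AD DS takes effect regardless of how the network policies are written.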
To deploy wireless access, you must configure NPS network policies. This guide provides instructions to use the Configure 802.1X wizard in NPS to create NPS policies for 802.1X authenticated wireless access.
Wireless networking overview
Wireless networking technologies range from global voice and data networks, which enable users to establish wireless connections across long distances, to infrared light and radio frequency technologies that are optimized for short-range wireless connections. Devices commonly used for wireless networking include portable computers, desktop computers, handheld computers, personal digital assistants (PDAs), cellular phones, pen-based computers, and pagers. Wireless technologies serve many practical purposes. For example, mobile users can use their cellular phone to access e-mail. Travelers with portable computers can connect to the Internet through base stations installed in airports, railway stations, and other public locations. At home, users can connect devices on their desktop to synchronize data and transfer files.
To reduce costs, ensure interoperability, and promote the widespread adoption of wireless technologies, organizations such as the Institute of Electrical and Electronics Engineers (IEEE), Internet Engineering Task Force (IETF), Wireless Ethernet Compatibility Alliance (WECA), and the International Telecommunication Union (ITU) are participating in several major standardization efforts. For example, IEEE working groups are defining how information is transferred from one device to another (whether radio waves or infrared light is used, for example), and how and when a transmission medium should be used for communications. In developing wireless networking standards, organizations such as the IEEE address power management, bandwidth, security, and issues that are unique to wireless networking.
Wireless network types
As with wired networks, wireless networks can be classified into different types based on the distances over which data can be transmitted.
Wireless local area networks
Wireless local area network (WLAN) technologies enable users to establish wireless connections inside a local area (for example, inside a corporate or campus building, or in a public space, such as an airport). WLANs can be used in temporary offices or other spaces where the installation of extensive cabling would be prohibitive, or to supplement an existing LAN so that users can work at different locations inside a building at different times. WLANs can operate in two ways. In infrastructure WLANs, wireless stations (devices with radio network adapters or external modems) connect to wireless access points that function as bridges between the stations and the existing network backbone. In peer-to-peer (ad hoc) WLANs, several users inside a limited area, such as a conference room, can form a temporary network without using access points, if they do not require access to network resources.
In 1997, IEEE approved the 802.11 standard for WLANs, which specifies a data transfer rate of 1 to 2 megabits per second (Mbps). Under 802.11b, data is transferred at a maximum rate of 11 Mbps over a 2.4 gigahertz (GHz) frequency band. Another standard, 802.11a, specifies data transfer at a maximum rate of 54 Mbps over a 5 GHz frequency band.
Wireless wide area networks (WWANs)
WWAN technologies enable users to establish wireless connections over remote public or private networks. These connections can be maintained over large geographical areas, such as cities or countries, by using multiple antenna sites or satellite systems maintained by wireless service providers. Current WWAN technologies are known as second-generation (2G) systems. Key 2G systems include Global System for Mobile Communications (GSM), Cellular Digital Packet Data (CDPD), and Code Division Multiple Access (CDMA). Efforts are under way to transition from 2G networks, some of which have limited roaming capabilities and are incompatible with each other, to third-generation (3G) technologies that would follow a global standard and provide worldwide roaming capabilities. The ITU is actively promoting the development of a global standard for 3G.
Wireless metropolitan area networks (WMANs)
WMAN technologies enable users to establish wireless connections between multiple locations within a metropolitan area (for example, between multiple office buildings in a city or on a university campus), without the high cost of laying fiber or Ethernet cabling and leasing lines. In addition, WMANs can serve as backups for wired networks, should the primary leased lines for wired networks become unavailable. WMANs use either radio waves or infrared light to transmit data. Broadband wireless access networks, which give users high-speed access to the Internet, are in increasing demand. Although different technologies, such as the multichannel multipoint distribution service (MMDS) and the local multipoint distribution services (LMDS), are being used, the IEEE 802.16 working group for broadband wireless access standards is still developing specifications to standardize development of these technologies.