Implementing Your Wired Network

Applies To: Windows Server 2008, Windows Server 2008 R2

Following are the requirements for deploying 802.1X authenticated wired access as documented in this guide:

• You or someone else in your organization must be familiar with the IEEE 802.3 standards that are supported by your 802.1X-capable switches and the network adapters installed in the client computers on your network.

• Before you deploy wired access, you must first purchase and physically install 802.1X-capable Ethernet switches in the locations you want at your site.

• Active Directory Domain Services (AD DS) must be installed.

• Dynamic Host Configuration Protocol (DHCP) servers must be configured to allocate IP addresses to network clients after those clients are authenticated and authorized by Network Policy Server (NPS).

• NPS must be installed on one or more servers on your network. NPS servers are logically connected to your network so that they can receive incoming access requests directly from 802.1X-capable switches, or have them forwarded from the switches to NPS by a Remote Authentication Dial-In User Service (RADIUS) proxy.

• You must determine whether your 802.1X authenticated wired access solution will use secure password authentication (PEAP-MS-CHAP v2), or either smart cards or client certificates (PEAP-TLS or EAP TLS).

• For smart card or other certificate deployments that use either PEAP-TLS or EAP-TLS authentication, you must install and configure a private certification authority (CA) on your network to issue server certificates to your NPS servers, and client certificates to your client computers and users.

• For secure password deployments that use PEAP-MS-CHAP v2 authentication, you must either configure a private CA on your network to issue server certificates to your NPS servers, or you must purchase server certificates from a public CA, such as VeriSign.