802.1X Authenticated Wired Access Deployment Guide
Updated: December 19, 2008
Applies To: Windows Server 2008, Windows Server 2008 R2
This guide describes how to deploy IEEE 802.1X authenticated wired access using 802.1X-capable switches, a wired authentication infrastructure consisting of domain controllers running Windows Server® 2008, certification authorities, computers running Network Policy Server (NPS), and wired client computers running Windows Vista®, Windows Server 2008, or Windows® XP with Service Pack 3.
802.1X authenticated wired access can provide the following benefits:
Control access to the wired local area network (LAN).
Centrally manage security and connectivity settings on wired clients.
Provide an infrastructure in which clients can perform 802.1X authentication by using user credentials (user name and password).
Provide an infrastructure in which clients can perform 802.1X authentication by using digital certificates.
About this guide
This guide is for IT managers, system administrators, system engineers, and IT professionals.
This guide provides instructions about how to deploy an 802.1X authenticated wired access infrastructure by using Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication and the following components:
One or more 802.1X-capable 802.3 Ethernet switches.
The Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
Group Policy Management Console (GPMC).
One or more NPS servers.
Wired client computers running Windows Vista.
What this guide does not provide
Following are some items this guide does not provide:
Comprehensive guidance for installing required network service components
This guide does not provide instructions to install the following network services that 802.1X authenticated wired access deployments depend upon.
Active Directory® Domain Services (AD DS)
Dynamic Host Configuration Protocol (DHCP)
Network Policy Server (NPS)
Additionally, this guide does not provide comprehensive guidance for configuring AD DS or DHCP. For information about how to install and configure AD DS, Domain Name System (DNS), and DHCP, in addition to information about how to install NPS, see the Windows Server 2008 Foundation Network Guide online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=106252. You can also download the Windows Server 2008 Foundation Network Guide in Word format at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=105231.
The Windows Server 2008 Foundation Network Guide provides instructions for planning and deploying the components that are required for a fully-functioning network and a new Active Directory domain in a new forest.
Comprehensive guidance for selecting 802.1X-capable wired switches
Because many differences exist between brands and models of 802.1X-capable switches, this guide does not provide detailed information about the following:
Determining which brand or model of switch is best suited to your needs.
The physical deployment of switches on your network.
Advanced switch configuration, such as for virtual local area network (VLAN).
Instructions about how to configure vendor-specific attributes for switches in NPS.
Additionally, terminology and names for settings vary between switch brands and models, and might not match the generic setting names referenced in this guide. For switch configuration details, you must review the product documentation that was provided by the manufacturer of your switches.
Instructions about how to deploy NPS server certificates
There are two alternatives for deploying NPS server certificates. If your deployment solution uses Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) for secure password authentication, you can either purchase certificates from a public certification authority (CA), such as VeriSign, or deploy a private CA on your network by using AD CS. If your wired access solution uses either EAP-TLS or PEAP-TLS, for authentication using user and computer certificates, or smart cards, you must deploy a private CA on your network by using Active Directory Certificate Services (AD CS).
For deployments that use PEAP-MS-CHAP v2, this guide does not provide comprehensive guidance to help you determine which alternative will best meet your needs. However, the choices you face are generally as follows:
Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.
Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.
Using purchased certificates can prevent specific security vulnerabilities that can exist if the required precautions are not taken when deploying a private CA on your network.
This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server that you deploy.
Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.
Deploying a private CA on your network by using AD CS.
AD CS is included with Windows Server 2008.
This solution scales very well. After you have deployed a private CA on your network, AD CS automatically issues certificates to all NPS servers in your domain with no incremental increases in cost, even if you later add NPS servers to your network.
AD CS automatically issues a server certificate to new NPS servers that you add to your network.
If you later decide to change your authentication infrastructure from secure password authentication using PEAP to one that requires client certificates and uses either EAP-TLS or PEAP-TLS, you can do so by using your AD CS-based private CA.
Deploying a private CA on your network requires more specialized knowledge than purchased certificates, and can be more difficult to deploy.
It is possible to expose your network to specific security vulnerabilities if the proper precautions are not taken when deploying a private CA on your network.
For information about deploying NPS server certificates, see the Foundation Network Companion Guide: Deploying Server Certificates online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=108258. You can also download Foundation Network Companion Guide: Deploying Server Certificates in Word format at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=108259.
Instructions about how to deploy client certificates for users and computers
For information about how to deploy computer and user certificates, see Foundation Network Companion Guide: Deploying Computer and User Certificates online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=113884. You can also download Foundation Network Companion Guide: Deploying Computer and User Certificates in Word format at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=115742.
NPS network policies and other NPS settings
Except for the configuration settings made when you run the Configure 802.1X wizard, as documented in this guide, this guide does not provide detailed information about manually configuring NPS conditions, constraints, or other NPS settings.
For more information about NPS, see Additional Resources for Deploying a Wired LAN in this guide.
This deployment guide does not provide information about designing or deploying DHCP subnets.
For more information about DHCP, see Additional Resources for Deploying a Wired LAN in this guide.
Terminology used in this guide
Following are technology overviews for deploying wired access.
The Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard defines the port-based network access control that is used to provide authenticated wired access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has also been adapted for use on 802.11 wireless LANs.
802.1X-capable wired switches
This deployment requires one or more 802.1X-capable switches that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.
When 802.1X- and RADIUS-compliant switches are deployed in a RADIUS infrastructure, with a RADIUS server such as an NPS server, they are called RADIUS clients.
This guide provides comprehensive configuration details to supply 802.1X authenticated wired access for domain-member users who connect to the network by using client computers running Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3 or later versions. Computers must be joined to the domain in order to successfully establish authenticated wired access.
If you are using computers running Windows XP with Service Pack 3 or Windows Server 2008 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy Management extension of Windows Vista Wired Network (IEEE 802.3) Policies as for computers running Windows Vista.
Active Directory Doman Services
Active Directory Doman Services (AD DS) provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical structure. The hierarchical structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.
AD DS contains the user accounts, computer accounts, and their associated account properties.
Active Directory Users and Computers
The Active Directory Users and Computers Microsoft Management Console (MMC) snap-in is a component of AD DS that contains objects that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are called group members.
Group Policy Management
Group Policy Management is a Windows Server 2008 feature that enables directory-based change and configuration management of user and computer settings, including security and user information. Use this feature to define configurations for groups of users and computers, and to specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO settings to the users and computers in those Active Directory containers. To manage GPOs across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).
This guide provides detailed instructions about how to specify settings by using the Group Policy Management extension of Wired Network (IEEE 802.3) Policies, which in turn configures the necessary settings on wired client computers for 802.1X authenticated wired access.
Authenticated wired access deployment requires server certificates for each NPS server that performs 802.1X authentication.
A server certificate is a digital document that is commonly used for authentication and to help secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA), and they can be issued for a user, a computer, or a service.
A CA is an entity responsible for establishing and vouching for the authenticity of public keys that belong to subjects (usually users or computers) or other CAs. Activities of a CA can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.
Active Directory Certificate Services (AD CS) is a Windows Server 2008 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also called a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise.
EAP, PEAP, and PEAP-MS-CHAP v2
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by enabling additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as an NPS server) must support the same EAP type for successful authentication to occur. Windows Server 2008 includes an EAP infrastructure, supports two EAP types, and the ability to pass EAP messages to NPS servers. By using EAP, you can support additional authentication schemes, called EAP types. The EAP types that are supported by Windows Server 2008 are as follows:
Transport Layer Security (TLS)
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a desktop computer, and a PEAP authenticator, such as an NPS server or other RADIUS server. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MS-CHAP v2) that can operate by using the TLS encrypted channel provided by PEAP. PEAP is an authentication method for access clients that are connecting to your organization network by using the following kinds of network access servers (NASs):
802.1X-capable Ethernet switches.
802.1X-capable wireless access points.
Computers running Windows Server 2008 and the Routing and Remote Access service (RRAS) that are configured as virtual private network (VPN) servers.
Computers running Windows Server 2008 and Terminal Services Gateway.
PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.
This guide provides instructions to configure your wired clients and your NPS servers to use PEAP-MS-CHAP v2 for 802.1X authenticated wired access.
Network Policy Server
To deploy wired access, you must configure NPS network policies. This guide provides instructions to use the Configure 802.1X wizard in NPS to create NPS policies for 802.1X authenticated wired access.
Network Policy Server (NPS) lets you centrally configure and manage network policies by using the following three components: RADIUS server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is required to deploy 802.1X wired access.
When you configure your 802.1X-capable switches as RADIUS clients in NPS, NPS processes the connection requests sent by the switches. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection. This is explained in more detail in the following section.
Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:
The client authenticates the NPS server. During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the identity of the NPS server by using the certificate. To successfully authenticate the NPS server, the client computer must trust the CA that issued the NPS server certificate. The client trusts this CA when the CA certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.
If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, make sure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.
The NPS server authenticates the user. After the client successfully authenticates the NPS server, the client sends user’s password-based credentials to the NPS server, which verifies the user’s credentials against the user accounts database in Active Directory Domain Services (AD DS).
If the credentials are valid, the server running NPS proceeds to the authorization phase of processing the connection request. Otherwise, NPS sends an Access Reject message and the connection request is terminated.
The server running NPS performs authorization as follows:
NPS checks for restrictions in the user or computer account dial-in properties in AD DS.
NPS then processes its network policies to find a policy that matches the connection request. If a matching policy is found, NPS either grants or denies the connection based on the configuration of that policy.
If both authentication and authorization are successful, NPS grants access to the network, and the user and computer can connect to network resources for which they have permissions.