EAP-TLS-based Authenticated Wired Access Design

Applies To: Windows Server 2008, Windows Server 2008 R2

Many organizations want to supply their network users with access that meets the following goals:

  • Control access to the wired network.

  • Centrally manage wired client security and connectivity settings.

  • Centrally manage the 802.1X authentication and authorization of wired access clients.

  • Provide wired access that uses smart cards or user and computer digital certificates for client authentication.

Authenticated wired access design based on Extensible Authentication Protocol – Transport Level Security (EAP-TLS) can use either smart cards or user and computer digital certificates to authenticate wired access clients. EAP-TLS provides stronger security than secure password authentication that is based on user credentials (user name and password) to authenticate access clients.

The following diagram illustrates the core components of an 802.1X authentication infrastructure that uses digital certificates for client authentication.

You can deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X authenticated wired access using Extensible Authentication Protocol (EAP) in conjunction with computers running Network Policy Server (NPS), and 802.1X-capable switches to provide wired access with strong security. By using EAP, you can support additional authentication schemes, known as EAP types. EAP, in conjunction with strong EPA types, is a critical technology component for secure 802.1X authenticated wired connections. These schemes include token cards, user credentials, public key authentication using smart cards, and digital certificates.

EAP-TLS is an EAP type that is used in certificate-based security environments. EAP-TLS provides mutual authentication between the wired access client and NPS.

When you deploy a private certification authority (CA) on your network by using Active Directory Certificate Services (AD CS), you can use EAP-TLS, Protected EAP with TLS (PEAP-TLS), or PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) for authentication. Both EAP-TLS and PEAP-TLS use certificates for server authentication. For user and client computer authentication, both EAP-TLS and PEAP-TLS use can use either smart cards, which contain embedded digital certificates, or certificates issued to client computers that are stored on the local computer in the Trusted Root Certification Authorities certificate store. PEAP-MS-CHAP v2 uses certificates for server authentication, and user account credentials (user name and password) to authenticate clients.


Both PEAP-MS-CHAP v2 and PEAP-TLS provide PEAP fast reconnect. PEAP fast reconnect enables clients to move between Ethernet ports on the same network without being reauthenticated each time they connect.

Starting infrastructure

The following sections provide brief overviews of the required technologies that must be in place before you can begin deploying authenticated wired access on your network.

Active Directory Domain Services

Active Directory Domain Services (AD DS) is a hierarchical structure that stores information about objects on the network. AD DS, provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Active Directory Certificate Services

When you deploy 802.1X authenticated wired access that uses either smart cards or user and computer digital certificates for client authentication, you must deploy a private CA on your network.

You can deploy AD CS, which is included in Windows Server 2008, as an enterprise root certification authority (CA) that is also an issuing CA. You can configure AD CS to deploy certificates to NPS servers and domain member client computers.

To deploy server certificates by using autoenrollment, AD CS requires the Windows Server 2008 Enterprise or Windows Server 2008 Datacenter operating systems. AD DS must be installed before AD CS is installed.


Domain Name System (DNS) is a name resolution protocol for TCP/IP networks, such as the Internet or an organization network. A DNS server hosts the information that enables client computers to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other. DNS is installed as part of the AD DS installation.


Dynamic Host Configuration Protocol (DHCP) is an IP standard for simplifying management of host IP configuration. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your private network.

Every computer on a TCP/IP network must have a unique IP address. The IP address (together with its related subnet mask) identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you to dynamically assign an IP address to a client from a DHCP server IP address database on your local network.

For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work involved in reconfiguring computers.

To increase control over DHCP lease times, you can separate IPv4 subnets. To use different subnets for wired and wireless clients, you must configure separate DHCP scopes. The typical lease duration for a DHCP scope for wired networks is a specified number of days.

Network Policy Server

Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three components: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server.

You must install NPS if to deploy 802.1X wired or wireless access.

NPS server certificates

When you deploy 802.1X authenticated wired access that uses smart cards or other digital certificates for client authentication, you must deploy a private CA on your network by using AD CS.


TCP/IP in Windows Server 2008 is the following:

  • Networking software based on industry-standard networking protocols.

  • A routable, enterprise networking protocol that supports the connection of your Windows-based computer to both local area network (LAN) and wide area network (WAN) environments.

  • Core technologies and tools for connecting your Windows-based computer with dissimilar systems for the purpose of sharing information.

  • A foundation for gaining access to global Internet services, such as the World Wide Web and File Transfer Protocol (FTP) servers.

  • A robust, scalable, cross-platform, client/server framework.

TCP/IP provides basic TCP/IP tools that enable Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems.

802.1X capable Ethernet switches

Before configuring the Windows Server 2008 services for your 802.1X authenticated wired access infrastructure, purchase and install 802.1X-capable switches on your network.