Provide Wired Access that uses Secure Password Client Authentication

Applies To: Windows Server 2008, Windows Server 2008 R2

Networks that use 802.1X to prevent unauthorized access to the network must use one of several Extensible Authentication Protocol (EAP) types, each of which has advantages and disadvantages. Administrators who must provide strong security, but can forgo the strongest EAP types in exchange for lower deployment overhead, can use Protected EAP (PEAP) with Microsoft Challenge-Handshake Authentication Protocol Version 2 (MS-CHAP v2).

For more information, see PEAP-MS-CHAP v2-based Authenticated Wired Access Design.

To illustrate, Example Company (Example.com) must provide Ethernet access for 150 corporate employees at a new remote site building. The solution must provide strong security and protect their network from unauthorized access. To reduce deployment costs, they want the deployment to rely on their existing domain infrastructure as much as possible. As an additional requirement, they want to avoid the additional time and cost associated with deploying a private certification authority (CA) on their network.

The following features and components are required for wired access with domain user secure password authentication:

  • One or more 802.1X-capable 802.3 Ethernet switches. This scenario requires that you purchase and deploy one or more 802.1X-capable 802.3 Ethernet switches that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.

  • Active Directory Domain Services (AD DS). AD DS contains the user accounts, computer accounts, and account properties that are required by IEEE 802.1X and PEAP-MS-CHAP v2 to authenticate user credentials and to evaluate authorization for wired connections.

  • Group Policy Management. This design uses Wired Network (IEEE 802.3) Policies in Group Policy Management to configure the security and connectivity settings on client computers that are required for 802.1X authenticated wired access.

  • One or more servers running Network Policy Server (NPS). When you configure your 802.1X-capable switches as RADIUS clients in NPS, NPS processes the connection requests sent by the switches. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection.

  • Server certificates for computers running NPS. This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication. A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service. Because secure password authentication requires certificates only for servers, and not for clients, this PEAP-MS-CHAP v2 design specifies two NPS server certificate options:

    • Deploying a private CA on your network by using Active Directory Certificate Services (AD CS).

    • Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.

  • Client computers. This deployment provides 802.1X authenticated access to domain-member users who connect to the network by using client computers running either Windows Vista or Windows XP with Service Pack 3 (SP3) or later versions. Computers must be members of the domain in order to successfully establish authenticated access.
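In PEAP-MS-CHAP v2 the server certificate is the only thing that lets a client tell the real NPS server from any other device answering on the wire before the user's password-derived MS-CHAP v2 exchange takes place, so the certificate requirements listed above are worth checking on each NPS server before switches are pointed at it. The following PowerShell script is an added example written for this page; it is not part of the original article or of NPS. It assumes the certificate was placed in the local computer "Personal" store (Cert:\LocalMachine\My), that the NPS server's FQDN is the hypothetical value nps1.example.com, and it works with either certificate option (a private AD CS CA or a public CA) because it only asks whether the chain builds to a root trusted on the server.

```powershell
# Added example: readiness check of NPS server certificates for PEAP-MS-CHAP v2.
# Not from the original article. Assumes Cert:\LocalMachine\My on the NPS server
# and that $ExpectedName (hypothetical value) is the name clients will validate.
param(
    [string]$ExpectedName = "nps1.example.com"   # hypothetical NPS server FQDN
)

$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth: the EKU PEAP clients require

function Test-NpsServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    $problems = @()

    # 1. NPS signs the TLS handshake, so the private key must be present on this server.
    if (-not $Cert.HasPrivateKey) { $problems += "no private key" }

    # 2. The certificate must be within its validity window right now.
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += "not currently valid" }

    # 3. Extended Key Usage (OID 2.5.29.37) must include Server Authentication.
    #    .NET returns this extension as X509EnhancedKeyUsageExtension, which exposes EnhancedKeyUsages.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" } | Select-Object -First 1
    $hasServerAuth = $false
    if ($eku -ne $null) {
        foreach ($oid in $eku.EnhancedKeyUsages) {
            if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { $problems += "missing Server Authentication EKU" }

    # 4. The name clients are told to trust must appear in the Subject CN or in a
    #    Subject Alternative Name entry (OID 2.5.29.17).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | Select-Object -First 1
    $sanText = ""
    if ($san -ne $null) { $sanText = $san.Format($false) }
    $escaped = [regex]::Escape($Name)
    if ($Cert.Subject -notmatch "CN=$escaped" -and $sanText -notmatch $escaped) {
        $problems += "name '$Name' not found in Subject CN or SAN"
    }

    # 5. The chain must build to a trusted root: the private AD CS root, or a public
    #    CA root already present on Windows clients. Revocation checking is disabled
    #    here so the check also works on an isolated lab server; keep it enabled in production.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $statuses = $chain.ChainStatus | ForEach-Object { $_.Status }
        $problems += ("chain does not build: " + ($statuses -join ", "))
    }

    New-Object PSObject -Property @{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join "; ")
    }
}

# Report every certificate in the computer's Personal store; at least one row
# should show Usable = True before this server is used for 802.1X authentication.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsServerCertificate -Cert $_ -Name $ExpectedName } |
    Format-Table Usable, Subject, NotAfter, Problems -AutoSize
```

Run it in an elevated PowerShell session on each NPS server. A "chain does not build" result with a private AD CS CA usually means the CA's root certificate has not yet reached this server's Trusted Root Certification Authorities store; the same root must also reach the client computers (for example, through Group Policy) or they will reject the server during PEAP. A public CA certificate should pass the chain check without extra distribution, which is why the article recommends that option for smaller networks.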