Provide Wired Access that uses Digital Certificate Client Authentication

Applies To: Windows Server 2008, Windows Server 2008 R2

Networks that use 802.1X to prevent unauthorized access to the network must use one of several Extensible Authentication Protocol (EAP) types. There are advantages and disadvantages to each. In general, the tradeoff is between ease of deployment and strength of security. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is a good alternative for administrators who must provide stronger security than that provided by Protected EAP (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).

For more information, see EAP-TLS-based Authenticated Wired Access Design.

To illustrate, Example Company ( wants to provide authenticated wired access at their main location. The access solution must provide very strong security to protect their network from unauthorized access. As an additional requirement, they want to integrate their wired access security solution with the smart card deployment that they use for employee identification and building access.

The following features and components are required for wired access with digital certificate client authentication:

  • One or more 802.1X-capable 802.3 Ethernet switches. This scenario requires that you purchase and deploy one or more 802.1X-capable 802.3 Ethernet switches that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.

  • Active Directory Domain Services (AD DS). AD DS contains the user accounts, computer accounts, and account properties that are necessary to deploy IEEE 802.1X authenticated wired access that uses EAP-TLS for authentication.

  • Group Policy Management. This design uses Wired Network (IEEE 802.3) Policies in Group Policy Management, to configure the security and connectivity settings on client computers that are required for 802.1X authenticated wired access.

  • One or more servers running Network Policy Server (NPS). When you configure your 802.1X-capable switches as RADIUS clients in NPS, NPS processes the connection requests sent by switches. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection.

  • Server certificates for computers running NPS. This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication. A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service. Because digital certificate authentication requires certificates for servers and clients, this deployment design requires that you deploy a private CA on your network by using Active Directory Certificate Services (AD CS).

  • Dynamic Host Configuration Protocol (DHCP) servers. This deployment scenario requires that DHCP servers are deployed and configured to allocate TPC/IP addresses to client computers that NPS has authenticated and authorized for wired access.

  • Wired client computers. This deployment provides 802.1X authenticated access to domain-member users who connect to the network by using client computers running either Windows Vista or Windows XP with Service Pack 3 (SP3) or later versions. Computers must be members of the domain in order to successfully establish authenticated access.