Control Access to the Wired Network

Applies To: Windows Server 2008, Windows Server 2008 R2

Unlike a wireless network that can transmit signals beyond the walls of a building, the closed cabling system of an Ethernet network can be physically secured within a building, which offers a level of protection. However, some organizations need to provide additional network security to prevent unauthorized persons — who can physically connect a computer to their wired network — from sending or capturing transmissions on the network.

Portable computers offer users a high degree of mobility, which can be very beneficial for many organizations. However, the very versatility those portable computers can provide also pose increased security risks. Consider an example of a wired network that does not control access to Ethernet ports. It can be relatively easy for a malicious user who can gain access to a building to use a IEEE 802.3 wired Ethernet adapter that is built into most portable computers to connect to a port on a wired Ethernet network, and then begin sending or capturing TCP/IP packets.

To protect your wired network from unauthorized computers that can physically connect, you can deploy 802.1X authenticated wired access. For example, 802.1X authenticated wired access can prevent:

  • The deployment of rogue network services, such as a Dynamic Host Configuration Protocol (DHCP) server, which can cause service outages for your network users.

  • Capturing of transmissions that can contain information, such as user account credentials, that can then be used to gain full access to network resources or the Internet.

  • A malicious user from probing to find out details about the network that might expose other security vulnerabilities.

For more information, see PEAP-MS-CHAP v2-based Authenticated Wired Access Design and EAP-TLS-based Authenticated Wired Access Design.

To illustrate, Example Company ( has a partnership with another company and allows user from the partner company to use mobile computers to set up ad hoc wireless networks for peer-to-peer file sharing while they are visiting Example Company. To respond to growing concerns that a malicious user could attempt to physically connect to the wired Ethernet network and either send or capture transmissions on the network, Example Company has determined that they need a wired network access solution that prevents unauthorized connections to their wired network.

The following features and components are required to deploy 802.1X authenticated wired access:

  • One or more 802.1X-capable IEEE 802.3 wired Ethernet switches. This scenario requires that you purchase and deploy one or more 802.1X-capable switches that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.

  • Active Directory Domain Services (AD DS). AD DS contains user accounts, computer accounts, and account properties, which are used for multiple purposes, including 802.1X authentication and authorization.

  • Group Policy Management. This design uses Wired Network (IEEE 802.3) Policies in Group Policy Management to configure the Extensible Authentication Protocol (EAP)-based security settings and network connectivity settings on client computers on your network.

  • One or more servers running Network Policy Server (NPS). When you configure your 802.1X switches as RADIUS clients in NPS, NPS processes the connection requests sent by the switches. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection.

  • To perform mutual 802.1X authentication between network access clients and RADIUS servers, 802.1X uses server certificates for computers running NPS, and one of the following for access clients:

    • User credentials (user name and password)

    • User and computer digital certificates

    • Smart cards

  • Wired client computers. This deployment provides 802.1X authenticated access to domain-member users who connect to the wired network by using client computers running either Windows Vista or Windows XP with Service Pack 3 (SP3) or later versions. Computers must be members of the domain in order to successfully establish authenticated access.