Deploy Password-Based 802.1X Authenticated Wireless Access

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

This is a companion guide to the Windows Server® 2016 Core Network Guide. The Core Network Guide provides instructions for planning and deploying the components required for a fully functioning network and a new Active Directory® domain in a new forest.

This guide explains how to build upon a core network by providing instructions about how to deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated IEEE 802.11 wireless access using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).

Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is typically easier and less expensive to deploy than EAP-TLS or PEAP-TLS.

Note

In this guide, IEEE 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2 is abbreviated to "wireless access" and "WiFi access."

About this guide

This guide, in combination with the prerequisite guides described below, provides instructions about how to deploy the following WiFi access infrastructure.

  • One or more 802.1X-capable 802.11 wireless access points (APs).

  • Active Directory Domain Services (AD DS) Users and Computers.

  • Group Policy Management.

  • One or more Network Policy Server (NPS) servers.

  • Server certificates for computers running NPS.

  • Wireless client computers running Windows® 10, Windows 8.1, or Windows 8.

Dependencies for this guide

To successfully deploy authenticated wireless with this guide, you must have a network and domain environment with all of the required technologies deployed. You must also have server certificates deployed to your authenticating NPS servers.

The following sections provide links to documentation that shows you how to deploy these technologies.

Network and domain environment dependencies

This guide is designed for network and system administrators who have followed the instructions in the Windows Server 2016 Core Network Guide to deploy a core network, or for those who have previously deployed the core technologies included in the core network, including AD DS, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS).

The Core Network Guide is available at the following locations:

Server certificate dependencies

There are two available options for enrolling authentication servers with server certificates for use with 802.1X authentication: deploy your own public key infrastructure by using Active Directory Certificate Services (AD CS), or use server certificates that are enrolled by a public certification authority (CA).

AD CS

Network and system administrators deploying authenticated wireless must follow the instructions in the Windows Server 2016 Core Network Companion Guide, Deploy Server Certificates for 802.1X Wired and Wireless Deployments. This guide explains how to deploy and use AD CS to autoenroll server certificates to computers running NPS.

This guide is available at the following location.

Public CA

You can purchase server certificates from a public CA, such as VeriSign, that client computers already trust.

A client computer trusts a CA when the CA certificate is installed in the Trusted Root Certification Authorities certificate store. By default, computers running Windows have multiple public CA certificates installed in their Trusted Root Certification Authorities certificate store.

It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.

Requirements

Following are the requirements for deploying a wireless access infrastructure by using the scenario documented in this guide:

  • Before deploying this scenario, you must first purchase 802.1X-capable wireless access points to provide wireless coverage in the desired locations at your site. The planning section of this guide assists in determining the features your APs must support.

  • Active Directory Domain Services (AD DS) is installed, as are the other required network technologies, according to the instructions in the Windows Server 2016 Core Network Guide.

  • AD CS is deployed, and server certificates are enrolled to NPS servers. These certificates are required when you deploy the PEAP-MS-CHAP v2 certificate-based authentication method that is used in this guide.

  • A member of your organization is familiar with the IEEE 802.11 standards that are supported by your wireless APs and the wireless network adapters that are installed in the client computers and devices on your network. For example, someone in your organization is familiar with radio frequency types, 802.11 wireless authentication (WPA2 or WPA), and ciphers (AES or TKIP).

What this guide does not provide

Following are some items this guide does not provide:

Comprehensive guidance for selecting 802.1X-capable wireless access points

Because many differences exist between brands and models of 802.1X-capable wireless APs, this guide does not provide detailed information about:

  • Determining which brand or model of wireless AP is best suited to your needs.

  • The physical deployment of wireless APs on your network.

  • Advanced wireless AP configuration, such as for wireless virtual Local Area Networks (VLANs).

  • Instructions on how to configure wireless AP vendor-specific attributes in NPS.

Additionally, terminology and names for settings vary between wireless AP brands and models, and might not match the generic setting names that are used in this guide. For wireless AP configuration details, you must review the product documentation provided by the manufacturer of your wireless APs.

Instructions for deploying NPS server certificates

There are two alternatives for deploying NPS server certificates. This guide does not provide comprehensive guidance to help you determine which alternative will best meet your needs. In general, however, the choices you face are:

  • Purchasing certificates from a public CA, such as VeriSign, that are already trusted by Windows-based clients. This option is typically recommended for smaller networks.

  • Deploying a Public Key Infrastructure (PKI) on your network by using AD CS. This is recommended for most networks, and the instructions for how to deploy server certificates with AD CS are available in the previously mentioned deployment guide.

NPS network policies and other NPS settings

Except for the configuration settings made when you run the Configure 802.1X wizard, as documented in this guide, this guide does not provide detailed information for manually configuring NPS conditions, constraints, or other NPS settings.

DHCP

This deployment guide does not provide information about designing or deploying DHCP subnets for wireless LANs.

Technology overviews

Following are technology overviews for deploying wireless access:

IEEE 802.1X

The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated network access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.

802.1X-capable wireless access points (APs)

This scenario requires the deployment of one or more 802.1X-capable wireless APs that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.

802.1X and RADIUS-compliant APs, when deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.

Wireless clients

This guide provides comprehensive configuration details to supply 802.1X authenticated access for domain-member users who connect to the network with wireless client computers running Windows 10, Windows 8.1, and Windows 8. Computers must be joined to the domain in order to successfully establish authenticated access.

Note

You can also use computers that are running Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012 as wireless clients.

Support for IEEE 802.11 Standards

Supported Windows and Windows Server operating systems provide built-in support for 802.11 wireless networking. In these operating systems, an installed 802.11 wireless network adapter appears as a wireless network connection in Network and Sharing Center.

Although there is built-in support for 802.11 wireless networking, the wireless components of Windows are dependent upon the following:

  • The capabilities of the wireless network adapter. The installed wireless network adapter must support the wireless LAN or wireless security standards that you require. For example, if the wireless network adapter does not support Wi-Fi Protected Access (WPA), you cannot enable or configure WPA security options.

  • The capabilities of the wireless network adapter driver. To allow you to configure wireless network options, the driver for the wireless network adapter must support the reporting of all of its capabilities to Windows. Verify that the driver for your wireless network adapter is written for the capabilities of your operating system. Also ensure that the driver is the most current version by checking Microsoft Update or the Web site of the wireless network adapter vendor.

The following table shows the transmission rates and frequencies for common IEEE 802.11 wireless standards.

Standard | Frequencies | Bit Transmission Rates | Usage
802.11 | S-Band Industrial, Scientific, and Medical (ISM) frequency range (2.4 to 2.5 GHz) | 2 megabits per second (Mbps) | Obsolete. Not commonly used.
802.11b | S-Band ISM | 11 Mbps | Commonly used.
802.11a | C-Band ISM (5.725 to 5.875 GHz) | 54 Mbps | Not commonly used due to expense and limited range.
802.11g | S-Band ISM | 54 Mbps | Widely used. 802.11g devices are compatible with 802.11b devices.
802.11n (2.4 and 5.0 GHz) | C-Band and S-Band ISM | 250 Mbps | Devices based on the pre-ratification IEEE 802.11n standard became available in August 2007. Many 802.11n devices are compatible with 802.11a, b, and g devices.
802.11ac | 5 GHz | 6.93 Gbps | 802.11ac, approved by the IEEE in 2014, is more scalable and faster than 802.11n, and is deployed where APs and wireless clients both support it.

Wireless network security methods

"Wireless network security methods" is an informal grouping of wireless authentication (sometimes referred to as wireless security) and wireless security encryption. Wireless authentication and encryption are used in pairs to prevent unauthorized users from accessing the wireless network, and to protect wireless transmissions.

When configuring wireless security settings in the Wireless Network Policies of Group Policy, there are multiple combinations to choose from. However, only the WPA2-Enterprise, WPA-Enterprise, and Open with 802.1X authentication standards are supported for 802.1X authenticated wireless deployments.

Note

While configuring Wireless Network Policies, you must select WPA2-Enterprise, WPA-Enterprise, or Open with 802.1X in order to gain access to the EAP settings that are required for 802.1X authenticated wireless deployments.

Wireless authentication

This guide recommends the use of the following wireless authentication standards for 802.1X authenticated wireless deployments.

Wi-Fi Protected Access – Enterprise (WPA-Enterprise). WPA is an interim standard developed by the WiFi Alliance to comply with the 802.11 wireless security protocol. The WPA protocol was developed in response to a number of severe flaws that were discovered in the preceding Wired Equivalent Privacy (WEP) protocol.

WPA-Enterprise provides improved security over WEP by:

  1. Requiring authentication that uses the 802.1X EAP framework as part of the infrastructure that ensures centralized mutual authentication and dynamic key management

  2. Enhancing the Integrity Check Value (ICV) with a Message Integrity Check (MIC), to protect the header and payload

  3. Implementing a frame counter to discourage replay attacks

Wi-Fi Protected Access 2 – Enterprise (WPA2-Enterprise). Like the WPA-Enterprise standard, WPA2-Enterprise uses the 802.1X and EAP framework. WPA2-Enterprise provides stronger data protection for multiple users and large managed networks. WPA2-Enterprise is a robust protocol that is designed to prevent unauthorized network access by verifying network users through an authentication server.

Wireless security encryption

Wireless security encryption is used to protect the wireless transmissions that are sent between the wireless client and the wireless AP. Wireless security encryption is used in conjunction with the selected network security authentication method. By default, computers running Windows 10, Windows 8.1, and Windows 8 support two encryption standards:

  1. Temporal Key Integrity Protocol (TKIP) is an older encryption protocol that was originally designed to provide more secure wireless encryption than what was provided by the inherently weak Wired Equivalent Privacy (WEP) protocol. TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance to replace WEP without requiring the replacement of legacy hardware. TKIP is a suite of algorithms that encapsulates the WEP payload, and allows users of legacy WiFi equipment to upgrade to TKIP without replacing hardware. Like WEP, TKIP uses the RC4 stream cipher as its basis. The newer protocol, however, encrypts each data packet with a unique encryption key, and the keys are much stronger than those used by WEP. Although TKIP is useful for upgrading security on older devices that were designed to use only WEP, it does not address all of the security issues facing wireless LANs, and in most cases is not sufficiently robust to protect sensitive government or corporate data transmissions.

  2. Advanced Encryption Standard (AES) is the preferred encryption protocol for the encryption of commercial and government data. AES offers a higher level of wireless transmission security than either TKIP or WEP. Unlike TKIP and WEP, AES requires wireless hardware that supports the AES standard. AES is a symmetric-key encryption standard that comes in three variants, AES-128, AES-192, and AES-256.

In Windows Server 2016, the following AES-based wireless encryption methods are available for configuration in wireless profile properties when you select an authentication method of WPA2-Enterprise, which is recommended.

  1. AES-CCMP. Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) implements the 802.11i standard, is designed for stronger encryption than WEP provides, and uses 128-bit AES encryption keys.
  2. AES-GCMP. Galois Counter Mode Protocol (GCMP) is supported by 802.11ac, is more efficient than AES-CCMP, and provides better performance for wireless clients. GCMP uses 256-bit AES encryption keys.

Important

Wired Equivalency Privacy (WEP) was the original wireless security standard that was used to encrypt network traffic. You should not deploy WEP on your network because there are well-known vulnerabilities in this outdated form of security.
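The Group Policy settings above determine which authentication and cipher each domain-member client ends up with, but a client can also carry profiles that were created by hand or pre-date the policy. The following script is an added example and is not part of the Microsoft guide: it exports every wireless profile on a Windows client with the built-in netsh wlan command, reads the profile XML, and reports any profile that is not WPA2 with AES and 802.1X enabled, including any WEP or TKIP profile the Important note above warns against. The function name, the export folder, and the "compliant" rule are choices made for this example; the XML element names (authentication, encryption, useOneX, EapMethod/Type) are the ones netsh writes.

```powershell
# Added example (not from the Microsoft guide): audit the wireless profiles on a Windows
# client and flag any that do not use WPA2 with AES and 802.1X (the combination this
# guide recommends). Relies only on the built-in "netsh wlan export profile" command.
# No keys are exported because "key=clear" is deliberately not used.

function Get-WlanProfileSecurity {
    param(
        # Scratch folder for the exported XML files (example default, created if missing).
        [string]$ExportFolder = (Join-Path $env:TEMP 'wlan-profile-audit')
    )

    New-Item -ItemType Directory -Path $ExportFolder -Force | Out-Null
    netsh wlan export profile folder="$ExportFolder" | Out-Null

    foreach ($file in Get-ChildItem -Path $ExportFolder -Filter '*.xml') {
        [xml]$doc = Get-Content -Path $file.FullName -Raw

        # All security settings live under WLANProfile/MSM/security. The OneX and EAP
        # elements use their own XML namespaces, so they are located by local name.
        $sec  = $doc.WLANProfile.MSM.security
        $auth = [string]$sec.authEncryption.authentication   # e.g. WPA2, WPA2PSK, open
        $enc  = [string]$sec.authEncryption.encryption       # e.g. AES, TKIP, WEP, none
        $oneX = [string]$sec.authEncryption.useOneX          # "true" when 802.1X is on

        $typeNode = $doc.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
        $eapType  = if ($typeNode) { [int]$typeNode.InnerText } else { $null }
        # 25 = PEAP, 13 = EAP-TLS (IANA EAP method type numbers).
        $eapName  = switch ($eapType) { 25 { 'PEAP' } 13 { 'EAP-TLS' } $null { '-' } default { "type $eapType" } }

        # Rule used by this example: WPA2-Enterprise (authentication WPA2, useOneX true)
        # with AES. Anything WEP/TKIP is reported as weak; other values need review.
        $state = if ($auth -eq 'WPA2' -and $enc -eq 'AES' -and $oneX -eq 'true') { 'OK' }
                 elseif ($enc -in 'WEP', 'TKIP', 'none') { 'WEAK' }
                 else { 'REVIEW' }

        [pscustomobject]@{
            Profile        = [string]$doc.WLANProfile.name
            Authentication = $auth
            Encryption     = $enc
            Uses8021X      = $oneX
            EapMethod      = $eapName
            State          = $state
        }

        Remove-Item -Path $file.FullName -Force   # leave no exported profile behind
    }
}

# Usage: list all profiles, or only the ones that need attention.
Get-WlanProfileSecurity | Format-Table -AutoSize
Get-WlanProfileSecurity | Where-Object State -ne 'OK'
```

Run it in an elevated PowerShell session on the client; a WEAK row identifies a profile that should be removed with netsh wlan delete profile, and a REVIEW row (for example WPA-Enterprise, or an EAP type other than PEAP or EAP-TLS) is one to compare against the Wireless Network (IEEE 802.11) Policy you deployed.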

Active Directory Domain Services (AD DS)

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.

AD DS contains the user accounts, computer accounts, and account properties that are required by IEEE 802.1X and PEAP-MS-CHAP v2 to authenticate user credentials and to evaluate authorization for wireless connections.

Active Directory Users and Computers

Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members.

Group Policy Management

Group Policy Management enables directory-based change and configuration management of user and computer settings, including security and user information. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers (sites, domains, and OUs), you can apply the GPO's settings to the users and computers in those Active Directory containers. To manage Group Policy objects across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).

This guide provides detailed instructions about how to specify settings in the Wireless Network (IEEE 802.11) Policies extension of Group Policy Management. The Wireless Network (IEEE 802.11) Policies configure domain-member wireless client computers with the necessary connectivity and wireless settings for 802.1X authenticated wireless access.

Server certificates

This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication.

A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.

A certification authority (CA) is an entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.

Active Directory Certificate Services (AD CS) is a server role that issues certificates as a network CA. An AD CS certificate infrastructure, also known as a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise.

EAP, PEAP, and PEAP-MS-CHAP v2

Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. Windows Server 2016 includes an EAP infrastructure, supports two EAP types, and has the ability to pass EAP messages to NPS servers. By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2016 are:

  • Transport Layer Security (TLS)

  • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Important

Strong EAP types (such as those that are based on certificates) offer better security against brute-force attacks, dictionary attacks, and password guessing attacks than password-based authentication protocols (such as CHAP or MS-CHAP version 1).

Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an NPS server or other RADIUS server. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MS-CHAP v2) that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers (NASs):

  • 802.1X-capable wireless access points

  • 802.1X-capable authenticating switches

  • Computers running Windows Server 2016 and the Remote Access Service (RAS) that are configured as virtual private network (VPN) servers, DirectAccess servers, or both

  • Computers running Windows Server 2016 and Remote Desktop Services

PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password) instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.

This guide provides instructions to configure your wireless clients and your NPS server(s) to use PEAP-MS-CHAP v2 for 802.1X authenticated access.

Network Policy Server

Network Policy Server (NPS) allows you to centrally configure and manage network policies by using the Remote Authentication Dial-In User Service (RADIUS) server and RADIUS proxy. NPS is required when you deploy 802.1X wireless access.

When you configure your 802.1X wireless access points as RADIUS clients in NPS, NPS processes the connection requests sent by the APs. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection. This is explained in more detail as follows:

驗證Authentication

成功互加好友的 PEAP-MS-CHAP v2 驗證有兩個主要部分:Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:

  1. Client 驗證 NPS 伺服器。The client authenticates the NPS server. 在此階段的互加好友的驗證,NPS 伺服器傳送它伺服器的憑證 client 的電腦,以便 client 可以驗證憑證的 NPS 伺服器的身分。During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the NPS server's identity with the certificate. 若要通過 NPS 伺服器,client 的電腦必須信任 CA 發出 NPS 伺服器的憑證。To successfully authenticate the NPS server, the client computer must trust the CA that issued the NPS server certificate. Client 信任此 CA 憑證時 client 電腦上的受信任的根憑證授權單位憑證存放區中。The client trusts this CA when the CA’s certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.

    If you deploy your own private CA, the CA certificate is installed automatically in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, ensure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.

  2. The NPS server authenticates the user. After the client successfully authenticates the NPS server, the client sends the user's password-based credentials to the NPS server inside the TLS tunnel that was established in the first part, and NPS verifies the credentials against the user accounts database in Active Directory Domain Services (AD DS).

If the credentials are valid and authentication succeeds, the NPS server begins the authorization phase of connection request processing. If the credentials are not valid and authentication fails, NPS sends an Access-Reject message and the connection request is denied.

Authorization

The server running NPS performs authorization as follows:

  1. NPS checks for restrictions in the user or computer account dial-in properties in AD DS. Every user and computer account in Active Directory Users and Computers has multiple properties, including those found on the Dial-in tab. On this tab, under Network Access Permission, if the value is Allow access, the user or computer is authorized to connect to the network. If the value is Deny access, the user or computer is not authorized to connect to the network. If the value is Control access through NPS Network Policy, NPS evaluates the configured network policies to determine whether the user or computer is authorized to connect to the network.

  2. NPS then processes its network policies to find a policy that matches the connection request. If a matching policy is found, NPS either grants or denies the connection based on that policy's configuration. If no network policy matches the request, the connection is denied.

If both authentication and authorization succeed, and the matching network policy grants access, NPS grants access to the network, and the user and computer can connect to the network resources for which they have permissions.
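The dial-in check in authorization step 1 can be audited from PowerShell. The following is an added example, not code from the guide or from Microsoft. It assumes the ActiveDirectory module (RSAT) is installed, that the accounts to review live in an OU named OU=Wireless,DC=corp,DC=example,DC=com (a placeholder), and relies on the fact that the Dial-in tab's Network Access Permission setting is stored in the msNPAllowDialin attribute ($true = Allow access, $false = Deny access, absent = Control access through NPS Network Policy):

```powershell
# Added example, not part of the guide: audit the Network Access Permission that NPS
# reads from AD DS in authorization step 1. The Dial-in tab setting is stored in the
# msNPAllowDialin attribute: $true = Allow access, $false = Deny access, and an
# absent value = Control access through NPS Network Policy. The OU below is an
# assumption for illustration; the ActiveDirectory module (RSAT) must be installed.
Import-Module ActiveDirectory

function Get-NetworkAccessPermission {
    # $Account is any object carrying an msNPAllowDialin property (AD user or computer).
    param([Parameter(Mandatory)] $Account)
    $value = $Account.msNPAllowDialin
    if ($null -eq $value) { 'Control access through NPS Network Policy' }
    elseif ($value)        { 'Allow access' }
    else                   { 'Deny access' }
}

function Get-DialInAudit {
    # Returns one record per user and computer account under $SearchBase.
    param([Parameter(Mandatory)] [string] $SearchBase)
    $accounts = @(Get-ADUser     -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin) +
                @(Get-ADComputer -Filter * -SearchBase $SearchBase -Properties msNPAllowDialin)
    foreach ($a in $accounts) {
        [pscustomobject]@{
            Name              = $a.SamAccountName
            ObjectClass       = $a.ObjectClass
            Permission        = Get-NetworkAccessPermission -Account $a
            DistinguishedName = $a.DistinguishedName
        }
    }
}

$audit = Get-DialInAudit -SearchBase 'OU=Wireless,DC=corp,DC=example,DC=com'
$audit | Sort-Object Permission, Name | Format-Table Name, ObjectClass, Permission -AutoSize

# An explicit Allow or Deny overrides the access permission of the matching network
# policy (unless that policy is set to ignore user account dial-in properties), so
# accounts that are not meant to be exceptions should be returned to the
# policy-controlled state. Remove -WhatIf to apply the change.
$audit | Where-Object { $_.Permission -ne 'Control access through NPS Network Policy' } |
    ForEach-Object { Set-ADObject -Identity $_.DistinguishedName -Clear msNPAllowDialin -WhatIf }
```

Clearing the attribute rather than setting it to $true is what makes the wizard-created network policy the single place where the grant or deny decision is made; leaving explicit Allow values behind means those accounts get on the network even if the policy is later tightened.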

Note

To deploy wireless access, you must configure NPS policies. This guide provides instructions for using the Configure 802.1X wizard in NPS to create NPS policies for 802.1X-authenticated wireless access.

Bootstrap profiles

In 802.1X-authenticated wireless networks, wireless clients must provide security credentials that are authenticated by a RADIUS server in order to connect to the network. For Protected EAP (PEAP)-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), the security credentials are a user name and password. For EAP-Transport Layer Security (EAP-TLS) or PEAP-TLS, the security credentials are certificates, such as client user and computer certificates or smart cards.

When connecting to a network that is configured to perform PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS authentication, Windows wireless clients by default must also validate a computer certificate that is sent by the RADIUS server. The computer certificate that the RADIUS server sends for every authentication session is commonly referred to as a server certificate.

As mentioned previously, you can issue your RADIUS servers their server certificate in one of two ways: from a commercial CA (such as VeriSign, Inc.) or from a private CA that you deploy on your network. If the RADIUS server sends a computer certificate that was issued by a commercial CA whose root certificate is already installed in the client's Trusted Root Certification Authorities certificate store, the wireless client can validate the RADIUS server's computer certificate regardless of whether the wireless client has joined the Active Directory domain. In this case the wireless client can connect to the wireless network, and then you can join the computer to the domain. Because a commercial root is trusted for every certificate it issues, combine it with the profile's server name and trusted root CA restrictions so that the client accepts only your own RADIUS servers.

Note

The client behavior that requires validating the server certificate can be disabled, but disabling server certificate validation is not recommended in production environments. Without validation the client completes the PEAP exchange with any RADIUS server that presents a certificate, including one behind a rogue access point that advertises the same SSID.

Wireless bootstrap profiles are temporary profiles configured so that wireless client users can connect to the 802.1X-authenticated wireless network before the computer is joined to the domain, and/or before the user has logged on to the domain for the first time by using a given wireless computer. This section summarizes the problem that is encountered when trying to join a wireless computer to the domain, or when a user tries to use a domain-joined wireless computer for the first time to log on to the domain.

For deployments in which the user or IT administrator cannot physically connect a computer to the wired Ethernet network to join the computer to the domain, and the computer does not have the necessary issuing root CA certificate installed in its Trusted Root Certification Authorities certificate store, you can configure wireless clients with a temporary wireless connection profile, called a bootstrap profile, to connect to the wireless network.

A bootstrap profile removes the requirement to validate the RADIUS server's computer certificate. This temporary configuration enables the wireless user to join the computer to the domain, at which time the Wireless Network (IEEE 802.11) Policies are applied and the appropriate root CA certificate is installed automatically on the computer.

When Group Policy is applied, one or more wireless connection profiles that enforce the requirement for mutual authentication are applied on the computer; the bootstrap profile is no longer required and is removed. After the computer is joined to the domain and restarted, the user can use a wireless connection to log on to the domain.
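The two client-side states described above (the Trusted Root store check in the Authentication section, and the bootstrap profile versus the validating production profile in this section) can be expressed as WLAN profile XML. The following is an added example, not code from the guide or from Microsoft. It builds the PEAP-MS-CHAP v2 profile with server validation either on or off and loads it with netsh wlan; the SSID CorpWiFi, the NPS host names nps1/nps2.corp.example.com and the root CA subject "Corp Root CA" are placeholders:

```powershell
# Added example, not part of the guide: generate the WLAN profile XML that clients
# use for PEAP-MS-CHAP v2, either as the validating production profile (trusts only
# the enterprise root CA and the named NPS servers) or as the temporary bootstrap
# profile (server validation off). SSID, profile name, NPS names and CA subject are
# assumptions for illustration.
function New-PeapWlanProfileXml {
    param(
        [Parameter(Mandatory)] [string] $ProfileName,
        [Parameter(Mandatory)] [string] $Ssid,
        [switch]   $ValidateServer,            # off = bootstrap profile
        [switch]   $UseWinLogonCredentials,    # true once the computer is domain-joined
        [string[]] $ServerNames = @(),         # NPS FQDNs the client may accept
        [string[]] $RootCaThumbprints = @()    # SHA-1 thumbprints of trusted root CAs
    )
    if ($ValidateServer -and $RootCaThumbprints.Count -eq 0) {
        throw 'Server validation needs at least one trusted root CA thumbprint.'
    }
    $validate = if ($ValidateServer) { 'true' } else { 'false' }
    $useLogon = if ($UseWinLogonCredentials) { 'true' } else { 'false' }
    $names    = $ServerNames -join ';'
    # The schema stores each thumbprint as space-separated lower-case hex bytes.
    $roots = ($RootCaThumbprints | ForEach-Object {
        $hex = (($_ -replace '[^0-9A-Fa-f]', '') -replace '(..)', '$1 ').Trim().ToLower()
        "                  <TrustedRootCA>$hex</TrustedRootCA>"
    }) -join "`n"
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$ProfileName</name>
  <SSIDConfig><SSID><name>$Ssid</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <EapMethod>
            <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
            <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
          </EapMethod>
          <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                  <ServerNames>$names</ServerNames>
$roots
                </ServerValidation>
                <FastReconnect>true</FastReconnect>
                <InnerEapOptional>false</InnerEapOptional>
                <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                  <Type>26</Type>
                  <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                    <UseWinLogonCredentials>$useLogon</UseWinLogonCredentials>
                  </EapType>
                </Eap>
                <EnableQuarantineChecks>false</EnableQuarantineChecks>
                <RequireCryptoBinding>false</RequireCryptoBinding>
                <PeapExtensions>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">$validate</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">$validate</AcceptServerName>
                </PeapExtensions>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"@
}

# Production: the enterprise root CA must already be in the Local Computer Trusted Root
# store (the precondition from the Authentication section). On a computer that has not
# been joined yet the lookup fails, which is the case the bootstrap profile exists for.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=Corp Root CA*' } | Select-Object -First 1
if ($rootCa) {
    $xml = New-PeapWlanProfileXml -ProfileName 'CorpWiFi' -Ssid 'CorpWiFi' -ValidateServer `
        -UseWinLogonCredentials -ServerNames 'nps1.corp.example.com','nps2.corp.example.com' `
        -RootCaThumbprints $rootCa.Thumbprint
} else {
    # Bootstrap: same SSID, server validation off. Use only for the initial domain join;
    # Group Policy then replaces it with the validating profile.
    $xml = New-PeapWlanProfileXml -ProfileName 'CorpWiFi' -Ssid 'CorpWiFi'
}
$path = Join-Path $env:TEMP 'CorpWiFi.xml'
$xml | Set-Content -Path $path -Encoding UTF8
netsh wlan delete profile name="CorpWiFi" | Out-Null
netsh wlan add profile filename="$path" user=all
Remove-Item $path
```

The production branch pins both the issuing root (TrustedRootCA) and the NPS names (ServerNames with AcceptServerName), and DisableUserPromptForServerValidation makes a mismatch fail silently instead of asking the user to accept an unknown server. The bootstrap branch sets PerformServerValidation to false, which is exactly the setting the note above warns against keeping in production; because both branches use the same profile name, loading the production profile later overwrites the bootstrap one.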

For an overview of the wireless access deployment process using these technologies, see Wireless Access Deployment Overview.