
802.1X Network Authentication

802.1X is a protocol for authenticating computers to your network infrastructure before allowing them access. 802.1X is commonly used to protect IEEE 802.11 wireless networks. If a client computer cannot provide a set of valid credentials for a wireless network, the wireless access point will not allow the client to join the network.

802.1X can also be used to protect wired networks. For example, if you physically connect a computer to an Ethernet network, the Ethernet switch can use 802.1X to require the client computer to authenticate to the network infrastructure. If the computer passes the authentication requirements, the network infrastructure will forward network traffic freely to and from the client computer. If the client computer does not provide valid credentials or otherwise cannot meet specified requirements, it can be denied access or placed onto a restricted network.

Windows Vista and Windows 7 support 802.1X authentication for both wired and wireless networks. Clients can authenticate themselves using a user name and password or a certificate, which can be stored locally on the computer or on a smart card. With compatible network hardware and a Remote Authentication Dial-in User Service (RADIUS) authentication server (such as a computer running Windows Server 2003 or Windows Server 2008), you can control both wired and wireless access to your intranet centrally. This means that an attacker with physical access to your facilities cannot simply plug a computer into an available Ethernet port and gain access to your intranet. When you combine 802.1X authentication with Network Access Protection (NAP), you can ensure that computers have required security updates and meet other system health requirements before allowing them unlimited access to your intranet.

Although almost all wireless access points support 802.1X, only newer wired network switches support the authentication protocol. When a computer is connected to your network, the switch must detect this connection, initiate the authentication process with the connected computer, send an authentication request to the RADIUS server you have configured, and then use the server's response to determine whether the client computer should be connected to your private intranet, a restricted network, another virtual LAN (VLAN), or whether other restrictions should be applied. The figure below illustrates this process. In addition to restricting network access, 802.1X can be used to apply user-specific bandwidth or QoS policies.

Figure: You can use 802.1X to protect both your wired and wireless networks.
  1. The user connects a computer to a wired Ethernet port.
  2. The 802.1X switch notices the connection and initiates authentication by passing the request to the RADIUS server.
  3. The RADIUS server authenticates the computer and sends a message to the switch.
  4. The switch opens the Ethernet port to allow intranet access and enforces any restrictions or QoS policies.

To configure 802.1X for a network adapter on a single computer, use the Authentication tab on the network adapter's properties. This tab enables you to configure the authentication type and the certificate to use for authentication. In addition, you can configure 802.1X from the command line using the Netsh Lan command. The Authentication tab appears only if the Wired AutoConfig service is started, and the Netsh Lan command also requires this service to be running.

Warning 802.1X improves security, but it is not foolproof. An attacker with both physical access to your network and a computer configured to authenticate successfully with 802.1X can insert a hub (or even a wireless access point) between the legitimate computer and the network. When the computer authenticates the network port, the network infrastructure will allow all communications through that port, whether they originate from an unauthenticated computer connected to the hub or from the legitimate computer. For better security, require both 802.1X and IPsec.
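The mitigation the warning recommends, requiring IPsec in addition to 802.1X, can be expressed as a Windows Firewall with Advanced Security connection security rule. The following script is an added example, not code from the original tutorial; it assumes an elevated prompt on a domain-joined Windows 7 computer, and the rule name is a placeholder. With such a rule in place, frames that reach an authenticated switch port through an inserted hub are still dropped by the receiving hosts unless the sender can complete IPsec computer authentication.

```powershell
# Added example (not from the original tutorial): require IPsec computer
# authentication on the Domain profile so that 802.1X port authentication is
# backed by per-host authentication at the IP layer.
# Assumptions: run elevated on a domain-joined Windows 7 computer; the rule name
# is a placeholder. In production this rule is normally deployed through Group
# Policy rather than per host, with exemptions for domain controllers, DHCP and
# DNS servers that must be reachable before Kerberos authentication can succeed.

$ruleName = "ExampleRequireIPsec"   # placeholder name for this added example

# Remove an earlier copy so the script can be re-run safely.
netsh advfirewall consec delete rule name=$ruleName | Out-Null

# Require authentication for inbound and outbound traffic between any endpoints,
# using the computer's Kerberos (domain) identity for the first authentication.
netsh advfirewall consec add rule `
    name=$ruleName `
    endpoint1=any `
    endpoint2=any `
    action=requireinrequireout `
    auth1=computerkerb `
    profile=domain `
    enable=yes

# Verify the rule, then inspect the main-mode security associations that form
# once peers negotiate IPsec; a peer that cannot authenticate never appears here.
netsh advfirewall consec show rule name=$ruleName
netsh advfirewall monitor show mmsa
```

Use `requestinrequestout` instead of `requireinrequireout` during a pilot so that hosts that cannot yet negotiate IPsec keep communicating while you confirm the exemptions are complete.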

To configure computers in an AD DS domain to use 802.1X authentication, follow these high-level steps:

  1. Configure AD DS for accounts and groups. Set the remote access permission on the Dial-in tab of the user or computer account properties dialog box to either Allow Access or Control Access Through Remote Access Policy.
  2. Configure primary and redundant Network Policy Server (NPS) servers. Then, create a wired remote access policy on the NPS server. (For more information about NPS, visit http://technet.microsoft.com/network/bb545879.aspx.)
  3. Deploy and configure your authenticating switches. You will need to configure the switches with the IP addresses of your primary and secondary NPS servers (NPS was formerly named Internet Authentication Service, IAS).
  4. Configure client computers. If necessary, configure a certificate infrastructure to issue certificates that client computers and users will use for authentication. In addition, you should start the Wired AutoConfig service and configure it to start automatically.
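The client-side part of this procedure (step 4 above, and the Wired AutoConfig and Netsh Lan requirements described earlier) can be scripted. The following is an added example, not code from the original tutorial; it assumes an elevated prompt, that the interface name and profile path are placeholders for your environment, and that `Reference.xml` was produced by `netsh lan export profile` on a machine already configured through the Authentication tab.

```powershell
# Added example (not from the original tutorial): prepare a Windows 7 client for
# wired 802.1X and apply a wired profile exported from a reference machine.
# Assumptions: run elevated; $interfaceName and $profilePath are placeholders;
# the reference profile was exported on an already-configured computer with
#   netsh lan export profile folder="C:\Deploy" interface="Local Area Connection"

$interfaceName = "Local Area Connection"   # placeholder: see 'netsh lan show interfaces'
$profilePath   = "C:\Deploy\Reference.xml" # placeholder: exported reference profile

# 1. Both the Authentication tab and 'netsh lan' need the Wired AutoConfig
#    service (service name dot3svc). Make it start automatically and start it now.
#    Win32_Service is used because Get-Service on Windows 7 does not expose the
#    start mode.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='dot3svc'"
if ($svc.StartMode -ne 'Auto') {
    Set-Service -Name dot3svc -StartupType Automatic
}
if ($svc.State -ne 'Running') {
    Start-Service -Name dot3svc
}

# 2. Confirm the wired interfaces the service now manages and the current
#    global settings (block period, tracing, explicit credentials).
netsh lan show interfaces
netsh lan show settings

# 3. Make sure autoconfiguration is enabled for the interface, then import the
#    reference profile, which carries the authentication type and EAP settings.
netsh lan set autoconfig enabled=yes interface=$interfaceName
if (-not (Test-Path -Path $profilePath)) {
    throw "Reference profile not found: $profilePath"
}
netsh lan add profile filename=$profilePath interface=$interfaceName

# 4. Show the applied profile and force a fresh authentication attempt so the
#    interface state reported by 'show interfaces' reflects the new settings.
netsh lan show profiles interface=$interfaceName
netsh lan reconnect interface=$interfaceName
netsh lan show interfaces
```

For domain computers, the same settings are better delivered through the Wired Network (IEEE 802.3) Policies in Group Policy, once the schema extensions mentioned below are in place; the script is useful for stand-alone machines and for verifying that the service and profile are present on a client that fails to authenticate.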

To manage 802.1X using Group Policy, extend the AD DS schema as described in "Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements" at http://technet.microsoft.com/en-us/library/bb727029.aspx.

Windows Vista and Windows 7 also support the new EAPHost architecture, which makes it easier to develop 802.1X authentication mechanisms. For more information, see the section titled "EAPHost Architecture" later in this tutorial.
