802.1X Network Authentication
802.1X is a protocol for authenticating computers to your network infrastructure before allowing them access. 802.1X is commonly used to protect IEEE 802.11 wireless networks. If a client computer cannot provide a set of valid credentials for a wireless network, the wireless access point will not allow the client to join the network.
802.1X can also be used to protect wired networks. For example, if you physically connect a computer to an Ethernet network, the Ethernet switch can use 802.1X to require the client computer to authenticate to the network infrastructure. If the computer passes the authentication requirements, the network infrastructure will forward network traffic freely to and from the client computer. If the client computer does not provide valid credentials or otherwise cannot meet specified requirements, it can be denied access or placed onto a restricted network.
Windows Vista and Windows 7 support 802.1X authentication for both wired and wireless networks. Clients can authenticate themselves using a user name and password or a certificate, which can be stored locally on the computer or on a smart card. With compatible network hardware and a Remote Authentication Dial-in User Service (RADIUS) authentication server (such as a computer running Windows Server 2003 or Windows Server 2008), you can control both wired and wireless access to your intranet centrally. This means that an attacker with physical access to your facilities cannot simply plug a computer into an available Ethernet port and gain access to your intranet. When you combine 802.1X authentication with Network Access Protection (NAP), you can ensure that computers have required security updates and meet other system health requirements before allowing them unlimited access to your intranet.
Although almost all wireless access points support 802.1X, only newer wired network switches support the authentication protocol. When a computer is connected to your network, the switch must detect this connection, initiate the authentication process with the connected computer, send an authentication request to the RADIUS server you have configured, and then use the server's response to determine whether the client computer should be connected to your private intranet, a restricted network, or another virtual LAN (VLAN), or whether other restrictions should be applied. The figure below illustrates this process. In addition to restricting network access, 802.1X can be used to apply user-specific bandwidth or QoS policies.
- User connects a computer to a wired Ethernet port.
- The 802.1X switch notices the connection, initiates authentication with the computer, and passes the authentication request to the RADIUS server.
- The RADIUS server authenticates the computer and sends a message to the switch.
- The switch opens the Ethernet port to allow intranet access and enforces any restrictions or QoS policies.
To configure 802.1X for a network adapter on a single computer, use the Authentication tab on the network adapter's properties. This tab enables you to configure the authentication type and the certificate to use for authentication. In addition, you can configure 802.1X from the command line using the Netsh Lan command. The Authentication tab appears only if the Wired AutoConfig service is started, and the Netsh Lan command also requires this service to be running.
Warning: 802.1X improves security, but it is not foolproof. An attacker with both physical access to your network and a computer configured to authenticate successfully with 802.1X can insert a hub (or even a wireless access point) between the legitimate computer and the network. Once the legitimate computer has authenticated to the network port, the network infrastructure will allow all communications through that port, whether they originate from an unauthenticated computer connected to the hub or from the legitimate computer. For better security, require both 802.1X and IPsec.
To configure computers in an AD DS domain to use 802.1X authentication, follow these high-level steps:
- Configure AD DS for accounts and groups. Set the remote access permission on the Dial-in tab of the user or computer account properties dialog box to either Allow Access or Control Access Through Remote Access Policy.
- Configure primary and redundant Network Policy Server (NPS) servers. Then, create a wired remote access policy on the NPS server. (For more information about NPS, visit http://technet.microsoft.com/network/bb545879.aspx.)
- Deploy and configure your authenticating switches. You will need to configure the switches with the IP addresses of your primary and secondary NPS (formerly IAS) servers.
- Configure client computers. If necessary, configure a certificate infrastructure to issue certificates that client computers and users will use for authentication. In addition, you should start the Wired AutoConfig service and configure it to start automatically.
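The client-side step above, scripted for a single Windows 7 computer as an added example (this is not code from the original tutorial). It assumes an elevated PowerShell session, an adapter named "Local Area Connection", and a placeholder profile file at C:\8021X\Local Area Connection.xml that was exported earlier with `netsh lan export profile` from a reference machine already configured through the Authentication tab:

```powershell
# Added example, not from the original tutorial. Prepares a Windows 7 client for
# wired 802.1X and applies a LAN profile exported from a reference machine.
# Assumptions: run as administrator; adapter name and profile path are placeholders.
$InterfaceName = 'Local Area Connection'
$ProfilePath   = 'C:\8021X\Local Area Connection.xml'   # placeholder; produced by
# netsh lan export profile folder=C:\8021X interface="Local Area Connection"

# 1. Both the Authentication tab and "netsh lan" require the Wired AutoConfig
#    service (dot3svc). Set it to start automatically and start it now.
$svc = Get-Service -Name dot3svc
Set-Service -Name dot3svc -StartupType Automatic
if ($svc.Status -ne 'Running') {
    Start-Service -Name dot3svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# 2. Enable 802.1X autoconfiguration on the wired adapter.
netsh lan set autoconfig enabled=yes interface="$InterfaceName"

# 3. Import the exported profile (authentication type, EAP method and
#    certificate selection) so this client matches the reference configuration.
if (Test-Path -LiteralPath $ProfilePath) {
    netsh lan add profile filename="$ProfilePath" interface="$InterfaceName"
} else {
    Write-Warning "Profile '$ProfilePath' not found; configure the Authentication tab manually."
}

# 4. Verify: the adapter should list the profile and report its 802.1X state.
netsh lan show profiles interface="$InterfaceName"
netsh lan show interfaces
```

Run the same script on each client, or export the profile once and push it through your deployment tooling; computers in a domain are better served by the Group Policy route described next.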
To manage 802.1X using Group Policy, extend the AD DS schema as described in "Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements" at http://technet.microsoft.com/en-us/library/bb727029.aspx.
In addition, Windows Vista and Windows 7 support the new EAPHost architecture, which makes it easier to develop 802.1X authentication mechanisms. For more information, see the section titled "EAPHost Architecture" later in this tutorial.