Foundation Network Companion Guide:Deploying 802.

1X Authenticated Wired Access with PEAP-MS-CHAP v2

Microsoft Corporation Published: November 2008 Author: Brit Weston Editor: Scott Somohano

Abstract
The Windows Server 2008 Foundation Network Guide provides instructions about how to plan for and deploy the core components that are required for a fully functioning network. It also explains how to set up a new Active Directory Domain Services (AD DS) domain in a new forest. This companion guide to the Foundation Network Guide provides instructions about how to deploy 802.1X authenticated IEEE 802.3 wired Ethernet access by using secure password authentication with Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law. 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Contents
Foundation Network Companion Guide: Deploying 802.1X Authenticated Wired Access with PEAP-MS-CHAP v2 ................................................................................................................. 5 About this guide ....................................................................................................................... 5 Requirements ....................................................................................................................... 6 What this guide does not provide ............................................................................................. 6 Technology overviews .............................................................................................................. 8 IEEE 802.1X ......................................................................................................................... 8 802.1X-capable switches ...................................................................................................... 8 Client computers ................................................................................................................... 8 Active Directory Domain Services (AD DS) ........................................................................... 9 Active Directory Users and Computers .................................................................................. 9 Group Policy Management .................................................................................................... 9 Server certificates ............................................................................................................... 10 EAP, PEAP, and PEAP-MS-CHAP v2 ................................................................................. 10 Network Policy Server ......................................................................................................... 11 Wired Access Deployment Overview ......................................................................................... 12 Wired access deployment components .................................................................................. 13 802.1X-capable Ethernet switches ...................................................................................... 14 Active Directory Domain Services ....................................................................................... 14 NPS .................................................................................................................................... 14 Wired client computers ....................................................................................................... 14 Certification authorities ....................................................................................................... 14 802.1X authenticated wired access with PEAP-MS-CHAP v2 deployment process ................. 15 Wired Access Deployment Planning .......................................................................................... 16 Planning switch acquisition and installation ............................................................................ 16 Verify switch support for standards...................................................................................... 16 Determine how many switches you need ............................................................................ 17 Planning wired client configuration and access ....................................................................... 18 Planning restricted access to the wired LAN ........................................................................ 18 Planning methods for adding new wired clients ................................................................... 19 Wired Access Deployment......................................................................................................... 19 Deploying and Configuring 802.1X-Capable Switches ............................................................... 19 Configure 802.1X-Capable Switches ......................................................................................... 20 Procedures ............................................................................................................................ 20 Creating Security Groups for Wired Users ................................................................................. 21

Create a Wired Users Security Group ........................................................................................ 21 Procedures ............................................................................................................................ 21 Add Users to a Wired Users Security Group .............................................................................. 22 Procedures ............................................................................................................................ 22 Configuring Wired Network (IEEE 802.3) Policies ...................................................................... 23 Open or Add and Open a Group Policy Object ........................................................................... 23 Procedures ............................................................................................................................ 23 Activate the Default Wired Network (IEEE 802.3) Policies .......................................................... 24 Procedures ............................................................................................................................ 24 Open Wired Network (IEEE 802.3) Policies for Editing ............................................................... 25 Procedures ............................................................................................................................ 25 Configure Windows Vista Wired Network (IEEE 802.3) Policies ................................................. 26 Procedures ............................................................................................................................ 26 Configuring your NPS Server for Wired 802.1X Authentication .................................................. 28 Register NPS in Active Directory Domain Services .................................................................... 28 Procedures ............................................................................................................................ 28 Configure an 802.1X-Capable Switch as an NPS RADIUS Client ............................................... 29 Procedures ............................................................................................................................ 29 Create NPS Policies for 802.1X Wired by Using a Wizard .......................................................... 30 Procedures ............................................................................................................................ 30 Additional Resources for Deploying Wired Access with PEAP-MS-CHAP v2 .............................. 33

Foundation Network Companion Guide: Deploying 802.1X Authenticated Wired Access with PEAP-MS-CHAP v2
This is a companion guide to the Windows Server 2008 Foundation Network Guide, which is available for download at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252). The Windows Server 2008 Foundation Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory Domain Services (AD DS) domain in a new forest. This guide explains how to build upon a foundation network and server certificate infrastructure by providing instructions about how to deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X authenticated IEEE 802.3 wired access using Protected Extensible Authentication Protocol - Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAP v2). Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is easier and less expensive to deploy than Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) or Protected Extensible Authentication Protocol - Transport Layer Security (PEAP-TLS). Note In this guide, IEEE 802.1X authenticated wired access with PEAP-MS-CHAP v2 is abbreviated to wired access.

About this guide

This guide provides instructions on how to deploy a wired access infrastructure the following components: One or more 802.1X-capable 802.3 wired Ethernet switches Active Directory Users and Computers Group Policy Management One or more servers running Network Policy Server (NPS) Server certificates for NPS servers Client computers running Windows Vista that are joined to the domain Followed the instructions in the Windows Server 2008 Foundation Network Guide to deploy a foundation network, or for those who have previously deployed the core technologies 5

This guide is designed for network and system administrators who have:

included in the foundation network, including AD DS, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS). Either followed the instructions in the Windows Server 2008 Foundation Network Companion Guide: Deploying Server Certificates to deploy and use Active Directory Certificate Services (AD CS) to autoenroll server certificates to computers running NPS, or who have purchased a server certificate from a public certification authority (CA), such as VeriSign, that client computers already trust. A client computer trusts a CA if that CA certificate is already in the Trusted Root Certification Authorities certificate store on the client computer. By default, computers running Windows have multiple public CA certificates installed in their Trusted Root Certification Authorities certificate store. The Foundation Network Companion Guide: Deploying Server Certificates is available for download in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=108259) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=108258). It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.

Requirements
Following are the requirements for deploying wired access by using this guide: Before deploying this scenario, you must first purchase and install 802.1X-capable Ethernet switches on your network. Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide. Server certificates are required when you deploy the PEAP-MS-CHAP v2 certificate-based authentication method for network access authentication. PEAP-MS-CHAP v2 requires that each NPS server deployed on your network must have a server certificate issued by your network AD CS certification authority (CA), or by a public CA that your Windows-based clients already trust, unless the administrator deselects Validate server certificate in the PEAP properties within Wired Network (IEEE 802.3) Policies. You or someone else in your organization is familiar with the IEEE 802.3 standards that are supported by your network switches and the Ethernet network adapters installed in the client computers on your network.

What this guide does not provide

Following are some items this guide does not provide: Comprehensive guidance for selecting 802.1X-capable Ethernet switches

Because many differences exist between brands and models of 802.1X-capable switches, this guide does not provide detailed information about: Determining which brand or model of switch is best suited to your needs. The physical deployment of switches on your network. Advanced switch configuration. Instructions on how to configure switch vendor-specific attributes in NPS.

Additionally, terminology and names for settings vary between switch brands and models, and might not match the generic setting names referenced in this guide. For switch configuration details, you must use the product documentation provided by the manufacturer of your switches. NPS server certificates This guide does not provide comprehensive guidance to help you determine which alternative will best meet your needs. In general, however, the choices you face are: Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows clients. This option is typically recommended for smaller networks. Advantages: Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers. Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network. This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy. Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.

Disadvantages:

Deploying a private CA on your network by using AD CS. Advantages: AD CS is included with Windows Server 2008. This solution scales very well. After you have deployed a private CA on your network, AD CS will automatically issue certificates to all NPS servers in your domain with no incremental increases in cost, even if you later add NPS servers to your network. AD CS will automatically issue a server certificate to new NPS servers that you add to your network. If you later decide to change your authentication infrastructure from secure password authentication using PEAP to one that requires client certificates and uses either EAP-TLS or PEAP-TLS, you will be able to do so by using your AD CS-based private CA.

Disadvantages: 7

Deploying a private CA on your network requires more specialized knowledge than purchased certificates, and can be more difficult to deploy. It is possible to expose your network to specific security vulnerabilities if the proper precautions are not taken when deploying a private CA on your network.

NPS network policies and other NPS settings Beyond the configuration settings made when you run the Configure 802.1X wizard as documented in this guide, this guide does not provide detailed information for manually configuring NPS conditions, constraints or other NPS settings. The Additional Resources for Deploying Wired Access with PEAP-MS-CHAP v2 section in this guide provides links to comprehensive NPS documentation. DHCP This deployment guide does not provide information about designing or deploying DHCP subnets. For more information about DHCP, see the Additional Resources for Deploying Wired Access with PEAP-MS-CHAP v2 section in this guide.

Technology overviews
Following are technology overviews for deploying wired access.

IEEE 802.1X
The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated network access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. 802.1X-capable switches will deny access to a port if the authentication process fails. 802.1X port-based access control prevents computers that are not joined to the domain from obtaining TCP/IP configuration settings from DHCP servers, and prevents the transmission of any TCP/IP packets by these computers. Although this standard was designed for wired Ethernet networks, it has also been adapted for use on 802.11 wireless LANs.

802.1X-capable switches
This deployment scenario requires the one or more switches that are compatible with both the Remote Authentication Dial-In User Service (RADIUS) protocol and 802.1X. 802.1X-capable RADIUS-compliant switches, when deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.

Client computers
This guide provides comprehensive configuration details to supply 802.1X authenticated access for domain-member users who connect to the network by using client computers running Windows Vista.

Note If you are using computers running Windows Server 2008 as client computers, you can configure 802.1X security and connectivity settings on those computers by using the same Wired Network (IEEE 802.3) Policies Group Policy extension as for computers running Windows Vista. Note You can use the Windows Vista Wired Network (IEEE 802.3) Policies to configure computers running Windows Vista and Windows Server 2008. You cannot use this policy to configure computers running Windows XP. Computers running Windows XP cannot interpret settings in a Windows Vista Wired Network (IEEE 802.3) Policies.

Active Directory Domain Services (AD DS)

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller. As it relates to this guide, AD DS contains the user accounts, computer accounts, and security groups that are used when authenticating wired connection requests in 802.1X deployments that use PEAP-MS-CHAP v2.

Active Directory Users and Computers

Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members. This guide provides instructions to create a wired users security group. Each domain member for whom you want to grant access is added as a member the wired users security group. Then, when you create and configure network policies in NPS, you will base the network policy on, and grant access to the wired users security group that you created in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. NPS will automatically deny access for any connection request that originates from a user that is not a member of the wired users security group.

Group Policy Management

Group Policy Management is a Windows Server 2008 feature that enables directory-based change and configuration management of user and computer settings, including security and user data. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify settings for registry entries, security, software installation, scripts, 9

folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containerssites, domains, and OUsyou can apply the GPO's settings to the users and computers in those Active Directory containers. You can use Group Policy Management to create an individual GPO or to manage Group Policy objects across an enterprise. This guide provides detailed instructions about how to specify settings in the Wired Network (IEEE 802.3) Policies as a Group Policy Management extension, which in turn provisions client computers with the necessary network and security settings for wired access.

Server certificates
This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication. A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service. A certification authority (CA) is an entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates. AD CS is a Windows Server 2008 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also known as a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise. NPS servers use server certificates to prove their identity to client computers during PEAP-MS-CHAP v2 authentication.

EAP, PEAP, and PEAP-MS-CHAP v2

EAP Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. Windows Server 2008 includes an EAP infrastructure, supports two EAP types, and the ability to pass EAP messages to NPS servers. By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2008 are: Transport Layer Security (TLS) Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Strong EAP types (such as those that are based on certificates) offer better security against brute-force attacks, dictionary attacks, and password guessing attacks than password-based authentication protocols (such as CHAP or MS-CHAP, version 1). 10

PEAP Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer or computer that connects to the LAN through an 802.1X-capable switch, and a PEAP authenticator, such as an NPS server or other RADIUS servers. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MSCHAP v2) that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers (NASs): 802.1X-capable Ethernet switches 802.1X-capable wireless access points (APs) Computers running Windows Server 2008 and the Routing and Remote Access service (RRAS) that are configured as virtual private network (VPN) servers Computers running Windows Server 2008 and Terminal Services Gateway

PEAP-MS-CHAP v2 PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients. This guide provides instructions to configure your wired clients and your NPS servers to use PEAP-MS-CHAP v2 for 802.1X authenticated access.

Network Policy Server

Network Policy Server (NPS) allows you to centrally configure and manage network policies by using the following three components: RADIUS server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is an optional service of a foundation network, but it is required to deploy 802.1X wired access. When you configure your 802.1X-capable switches as RADIUS clients in NPS, NPS processes the connection requests sent by the switches. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection. This is explained in more detail as follows: Authentication: Successful mutual PEAP-MS-CHAP v2 authentication has two main parts: 1. The first part of mutual authentication requires the client to authenticate the NPS server. During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the NPS server's identity with the certificate. To successfully authenticate the NPS server, the client computer must trust the CA that issued 11

the NPS server certificate. The client trusts this CA when the CAs certificate is present in the Trusted Root Certification Authorities certificate store on the client computer. If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, ensure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store. 2. The second part of mutual authentication requires the NPS server to authenticate the user. After the client successfully authenticates the server, the client sends password-based user credentials to the NPS server, which verifies the user credentials against the user accounts database in Active Directory Doman Services (AD DS). If the credentials are valid, the server running NPS proceeds to the authorization phase of processing the connection request. Otherwise, NPS sends an Access Reject message and the connection request is terminated. Authorization: The server running NPS performs authorization, as follows: NPS checks for restrictions in the user or computer account dial-in properties in AD DS. NPS then processes its network policies to find a policy that matches the connection request. If a matching policy is found, NPS either grants or denies the connection based on that policy.

If both authentication and authorization are successful, NPS grants access to the network, and the user and computer can connect to network resources for which they have permissions. To deploy wired access, you must configure NPS network policies. This guide provides instructions to use the Configure 802.1X wizard in NPS to create NPS policies for 802.1X authenticated wired access.

Wired Access Deployment Overview

The following illustration shows the components that are required to deploy the wired access scenario documented in this guide.

12

Wired access deployment components

The following components are required for this wired access deployment:

13

802.1X-capable Ethernet switches

After the required network infrastructure services supporting your wired local area network are in place, you can begin the design process for deploying 802.1X-capable switches. The switch deployment design process involves these steps: Determine how many RJ-45 Ethernet wall outlets are wired to your network. To have an effective 802.1X deployment, every RJ-45 wall outlet on your network must connect to an 802.1X-enabled port on a switch. Determine how many 802.1X-capable switches you need to connect all of the RJ-45 Ethernet outlets. Install 802.1X-capable switches on your network and configure network and 802.1X settings.

Active Directory Domain Services

Users and Computers Use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to create one or more wired users security groups, and then add each user for whom you want to grant access to the wired Ethernet network to the appropriate group. Wired Network (IEEE 802.3) Policies Use the Group Policy Management extension of Wired Network (IEEE 802.3) Policies to configure network connectivity and security settings for your domain computers that are running Windows Vista.

NPS
Network Policy Server (NPS) enables you to create and enforce network access policies for client health, connection request authentication, and connection request authorization. When you use NPS as a RADIUS server, you configure network access servers, such as 802.1X-capable Ethernet switches, as RADIUS clients in NPS. You also configure the network policies that NPS uses to authenticate access clients and authorize their connection requests.

Wired client computers

Wired client computers are computers that are equipped with IEEE 802.3 Ethernet network adapters and that are running Windows Vista.

Certification authorities
Certification authorities (CAs) are the part of a public key infrastructure (PKI) that issues certificates that are used for identity validation. For this scenario, the CA is used only for the server certificate on the NPS server.

14

802.1X authenticated wired access with PEAP-MSCHAP v2 deployment process

The process of configuring and deploying wired access occurs in these stages: Stage 1 Plan, deploy, and configure 802.1X-capable switches for use with NPS. Depending on your preference and network dependencies, you can either pre-configure settings on your switches prior to installing them on your network, or you can configure them remotely after installation. Stage 2 Create one or more wired users security groups in the Active Directory Users and Computers snap-in. Then, add each user for whom you want to allow access to your network to the appropriate wired users security group. Stage 3 Configure the Group Policy extension of Wired Network (IEEE 802.3) Policies by using the Group Policy Management Editor MMC. The Wired Network (IEEE 802.3) Policies provision client computers with the configuration settings required for 802.1X authentication and connectivity. It is in this Group Policy extension that you specify network permission parameters, connection settings, and security settings. For example, administrators can use the Wired Network (IEEE 802.3) Policies to specify the network authentication mode, which determines how user and computer domain credentials are used for authentication. Three of the network authentication modes that administrators can select, process domain credentials as follows: User re-authentication specifies that authentication always uses security credentials based on the computer's current state. Authentication is performed by using the computer credentials when no users are logged on to the computer. When a console user logs on to the computer, authentication is always performed by using the user credentials. Note A console user is a user who is physically logged on to the computer locally, as opposed to a user who logs on to a computer by using a remote connection. Computer only specifies that authentication is always performed by using only the computer credentials. User authentication specifies that authentication is only performed when the user is logged on to the computer. When no user is logged on to the computer, the computer is not connected to the network.

For domain member computers, newly configured Group Policy settings are automatically applied when Group Policy is refreshed. Group Policy is automatically refreshed at pre-determined intervals, or by restarting the client computer. Additionally, you can force Group Policy to refresh by running gpupdate at the command prompt. Stage 4

15

Use a configuration wizard in NPS to add your 802.1X-capable switches as RADIUS clients, and to create the network policies that NPS uses when processing connection requests. When using the wizard to create the network policies, specify PEAP as the EAP type, and the wired users security group that was created in the second stage. Stage 5 Use client computers to connect to the network. Because the necessary configuration settings are automatically applied when Group Policy is refreshed, computers will automatically connect to the network, and users need only supply their domain user name and password credentials when prompted by Windows.

Wired Access Deployment Planning

Before you deploy wired access, you must plan the following items: Switch acquisition and installation. Client network and security configuration.

Planning switch acquisition and installation

When you design your network access solution, you must determine which brand and model of 802.1X-capable switch can best meet your needs. For secure deployments, the switches that you deploy must support several specific standards, and provide specific security features. After you have determined which brand and model of switch you need, you must determine how many switches your wired access deployment requires. Finally, you must install the switches on your network, and configure the necessary security and network settings.

Verify switch support for standards

For consistency and ease of deployment, it is recommended that you purchase 802.1X-capable switches of the same brand and model. The 802.1X-capable switches that you deploy must support the following: IEEE 802.1X Remote Authentication Dial-In User Service (RADIUS) authentication

In addition, to provide enhanced security for the network, the 802.1X-capable switches must support the following filtering options: DHCP filtering The switches that you deploy on your network must filter on IP ports to prevent the transmission of Dynamic Host Configuration Protocol (DHCP) broadcast messages in those cases in which the client is a DHCP server. The switch must block the client from sending IP packets from UDP port 68 to the network. DNS filtering 16

Switches must filter on IP ports to prevent a client from performing as a Domain Name System (DNS) server. The switch must block the client from sending IP packets from TCP or UDP port 53 to the network. Additional considerations: If the 802.1X-capable switches require vendor-specific attributes (VSAs) or additional RADIUS attributes for special features or customized configuration of the switch, you must add the VSAs or RADIUS attributes to the wired NPS network policy on the NPS servers. If you add VSAs or RADIUS attributes to the wired NPS network policy on the primary NPS server, copy the primary NPS server configuration to the secondary NPS server.

Determine how many switches you need

Use architectural drawings to create a schematic diagram of your wired network. Determine the location of every RJ-45 Ethernet wall outlet that is connected to your wired network. For example, indicate on your diagram every RJ-45 outlet in all offices, meeting rooms, reception areas and break areas. Using your diagram, or a physical inspection of your site, determine the number of RJ-45 wall outlets that you need to control using 802.1X-capable switches. Use this number to determine how many switches are required for your wired deployment. According to the general naming conventions used on your network, give a friendly name to each of your switches, and then track those names in a list. For example, if you determine that your deployment requires 50 switches, you might name your switches: switch_001, switch_002, switch_003, and so forth. If your deployment has multiple wiring closets or server closets where switches are installed, update your architectural drawings to indicate by name the installation location of each switch. On your diagram, mark zones that contain the same number or RJ-45 wall outlets as there are ports on a switch. Indicate on your architectural drawing by name which switch is associated with each zone. For example, for a switch named switch_003 that has 24 ports that are dedicated to wired client connections, mark a zone on your diagram that contains the 24 RJ45 wall outlets that you will connect to that switch, and then mark that zone to indicate that it is associated with switch_003. Tip In deployments that involve multiple subnets for wired clients, it is beneficial to also indicate the IP address range and subnet mask that is used by each zone. Next, on the architectural diagram or on a spread sheet, indicate the relationship of each RJ-45 port with each switch and switch port. For example, for a single RJ-45 outlet in office number 294, in zone 02, that will connect to port 14 on a switch named switch_02c, your records should capture information similar to the following table.
Zone Location Switch Switch Port Number

Zone 02

Office 294

Switch_02c

14 17

Having an accurate switch and wiring diagram and related records will assist later during troubleshooting operations, when you want to upgrade or replace switches, or if you change the physical Ethernet wiring in the building.

Planning wired client configuration and access

When planning the deployment of 802.1X-authenticated wired access, you must consider several factors: Planning restricted access Do you want to provide all of your users with the same level of access to your network, or do you want to restrict access for some of your users? Adding new client computers to your wired network Although there are several alternatives, the preferred method adds a new computer as a member of the domain and has the configuration performed by a member of the IT staff.

Planning restricted access to the wired LAN

You might want to provide groups of users in your organization with varying levels of access to the network. For example, you might want to allow some users unrestricted access, any hour of the day, every day of the week. For other users, you might only want to allow access during core work hours, Monday through Friday, and completely deny access on Saturday and Sunday. This guide provides instructions to create an access environment that places all of your users in one security group. You create one wired users security group in the Active Directory Users and Computers snap-in, and then make every user for whom you want to grant wired access a member of that group. When you configure Network Policy Server (NPS) network policies, you specify the wired users security group as the object that NPS processes when determining authorization. However, if your deployment requires support for varying levels of access you need only do the following: 1. Follow the procedure Create a Wired Users Security Group in this guide, to create one or more additional security groups for your wired users in Active Directory Users and Computers, each security group specifying a unique name. 2. Follow the procedure Add Users to a Wired Users Security Group to make each user a member of the appropriate security group. 3. Finally, follow the procedure in Create NPS Policies for 802.1X Wired by Using a Wizard to configure an additional set of NPS policies for each additional wired users security group. In step 9 of the procedure, in Specify User Groups, click Add, and then type the name of the appropriate security group that you configured in Active Directory Users and Computers.

18

Planning methods for adding new wired clients

To add new computers to your network, the computers must first be joined to the domain. In a network that uses 802.1X authentication for IEEE 802.3 wired Ethernet connections, the preferred method to add new computers to the domain is for an administrator or member of the IT staff to join the computer to the domain by using a wired connection to a segment of the LAN that has access to domain controllers, and that is not protected by an 802.1X-capable switch. After joining the computer to the domain, the computer is distributed to the user. Note Make sure that uncontrolled connections are only accessible to your IT personnel. The steps to join computers to the domain by using a wired connection is documented in the Windows Server 2008 Foundation Network Guide, in the section titled Joining computers to the Domain and Logging On.

Wired Access Deployment

Follow these steps to deploy wired access: Deploying and Configuring 802.1X-Capable Switches Creating Security Groups for Wired Users Configuring Wired Network (IEEE 802.3) Policies Configuring your NPS Server for Wired 802.1X Authentication Note The procedures in this guide do not include instructions for cases in which the User Account Control dialog box opens to request your permission to continue. If this dialog box opens while you are performing the procedures in this guide, and if the dialog box was opened in response to your actions, click Continue.

Deploying and Configuring 802.1X-Capable Switches

Follow the instruction in this section to deploy 802.1X-capable switches for wired authenticated access: Configure 802.1X-Capable Switches

19

Configure 802.1X-Capable Switches

Procedures
To configure 802.1X-capable switches 1. Configure the following TCP/IP and network settings on your 802.1X-capable switches: IP address (static): Configure a unique static IP address that falls within the exclusion range of the Dynamic Host Configuration Protocol (DHCP) scope for the subnet associated with that switch. Subnet mask: Configure this to match the subnet mask settings of the LAN to which you have connected the switch. DNS name: Some switches can be configured with a Domain Name System (DNS) name. The DNS service on the network can resolve DNS names to an IP address. On each switch that supports this feature, enter a unique name for DNS resolution. Default Gateway: On each switch configure the default gateway for the subnet on which the switch is placed. DHCP service: If your switch has a built-in DHCP service, disable it.

2. Configure your 802.1X-capable switches with the following Remote Authentication Dial-In User Service (RADIUS) settings: Primary RADIUS server IP address: Configure the IPv4 address, IPv6 address, or DNS name of a primary RADIUS server. Secondary RADIUS server: Configure the IPv4 address, IPv6 address, or DNS name of a secondary RADIUS server, as well as the RADIUS shared secret, UDP ports for authentication and accounting, and failure detection settings. RADIUS shared secret: Use a unique RADIUS shared secret for each switch. Each shared secret should be a random sequence at least 22 characters long of uppercase and lowercase letters, numbers, and punctuation. To ensure randomness, use a random character generation program to create the shared secrets. The RADIUS shared secret must match the shared secret that you specify in when you configure the switch as a RADIUS client in Network Policy Server (NPS). Record the shared secret for each switch and store it in a secure location, such as an office safe. You must need to know the shared secret for each switch when you configure RADIUS clients in the NPS. Tip Alternately, you can use NPS to generate random shared secrets when you configure new RADIUS clients in NPS, then use the shared secret generated by NPS to configure your 802.1X-compatible switches. UDP port(s): Verify UDP port information is specified for authentication, accounting, 20

and failure detection. By default, NPS uses UDP ports 1812 and 1645 for authentication messages and UDP ports 1813 and 1646 for accounting messages. Tip Recommendation: Do not change the default RADIUS UDP ports settings. VSAs Some switches require vendor-specific attributes (VSAs) to provide full RADIUS and 802.1X switch functionality. VSAs are added in NPS network policy.

Creating Security Groups for Wired Users

Follow these steps to create one or more security groups for wired users, and then add users to the wired users security group: Create a Wired Users Security Group Add Users to a Wired Users Security Group

Create a Wired Users Security Group

You can use this procedure to create one or more wired users security groups in Active Directory Users and Computers. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Procedures
To create a wired users security group 1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC snap-in opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com. 2. In the details pane, right-click the folder in which you want to add a new group (for example, right-click Users), point to New, and then click Group. 3. In New Object Group, in Group name, type the name of the new group. For example, type Wired Users. 4. In Group scope, select one of the following options: a. Domain local b. Global 21

c.

Universal

1. In Group type, select Security, and then click OK. To create additional security groups, repeat steps 2 - 6 of this procedure.

Add Users to a Wired Users Security Group

You can use this procedure to add a user, computer, or group to your wired users security group in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Membership in Domain Admins, or equivalent is the minimum required to perform this procedure.

Procedures
To add users to the wired users security group 1. Click Start, click Administrative Tools, and then click Active Directory Users and Computers. The Active Directory Users and Computers MMC opens. If it is not already selected, click the node for your domain. For example, if your domain is example.com, click example.com. 2. In the details pane, double-click the folder that contains your wired users security group. 3. In the details pane, right-click your wired users security group, and then click Properties. The Properties dialog box for the security group opens. 4. On the Members tab, click Add, and then copmplete one of the following procedures. To add a user or group 1. In Enter the object names to select, type the name of the user or group that you want to add, and then click OK. 2. To assign group membership to other users or groups, repeat step 1 of this procedure. To add a computer 1. Click Object Types. The Object Types dialog box opens. 2. In Object types, select Computers, and then click OK. 3. In Enter the object names to select, type the name of the computer that you want to add, and then click OK. 4. To assign group membership to other computers, repeat steps 1 - 3 of this procedure.

22

Configuring Wired Network (IEEE 802.3) Policies

Follow these steps to configure Wired Network (IEEE 802.3) Policies Group Policy extension: Open or Add and Open a Group Policy Object Activate the Default Wired Network (IEEE 802.3) Policies Open Wired Network (IEEE 802.3) Policies for Editing Configure Windows Vista Wired Network (IEEE 802.3) Policies

Open or Add and Open a Group Policy Object

By default, the Group Policy Management Console (GPMC) is installed on computers running Windows Server 2008 when the Active Directory Domain Services (AD DS) server role is installed. The procedure that follows describes how to open the GPMC on your domain controller running Windows Server 2008. The procedure then describes how to either open an existing domain-level Group Policy object (GPO) for editing, or create a new domain GPO and open it for editing. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Procedures
To open or add and open a Group Policy object 1. On your domain controller running Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management. The Group Policy Management Console opens. 2. In the left pane, double-click your forest. For example, double-click Forest: example.com. 3. In the left pane, double-click Domains, and then double-click the domain for which you want to manage a Group Policy object. For example, double-click example.com. 4. Do one of the following: a. To open an existing Domain Policy for editing, double click the domain that contains the Group Policy object that you want to manage, right-click the domain policy you want to manage, and then click Edit. b. To create a new Group Policy object and open for editing, right-click the domain in which you want to create a new Group Policy object, and then click Create a GPO 23

in this domain, and link it here. In New GPO, in Name, type a name for the new Group Policy object, and then click OK. Right-click your new Group Policy object, and then click Edit. Group Policy Management Editor opens. Important When you configure settings in a new GPO, client computers must be restarted to obtain the configuration settings that are specified within that GPO.

Activate the Default Wired Network (IEEE 802.3) Policies

This procedure describes how to activate the default Wired Network (IEEE 802.3) Policies by using the Group Policy Management Editor. Membership in Domain Admins, or equivalent, is the minimum required to perform this procedure.

Procedures
To activate default Wired Network (IEEE 802.3) Policies 1. On your domain controller running Windows Server 2008, if Group Policy Management Editor is not already open, do the following: click Start, point to Administrative Tools, and then click Group Policy Management. The Group Policy Management Microsoft Management Console (MMC) snap-in opens. 2. In the left pane, double-click your forest. For example, double-click Forest: example.com. 3. In the left pane, double-click Domains, and then double-click the domain in which you want to manage a Group Policy 0bject. For example, double-click example.com. 4. Right-click the domain-level GPO you want to manage, and then click Edit. The Group Policy Management Editor MMC opens. 5. In the Group Policy Management Editor, in the left pane, double-click Computer Configuration, double-click Windows Settings, and then double-click Security Settings. 6. In Security Settings, right-click Wired Network (IEEE 802.3) Policies, and then click Create a new Windows Vista Policy. The Wired Network Policies properties dialog 24

opens. 7. Click OK. The default New Vista Wireless Network Policy is activated and listed in the details pane of the GPME. Tip After you activate the Wired Network Policies, it is removed from the list of options when you right-click Wired Network (IEEE 802.3) Policies, and is added in the details pane of the Group Policy Management Editor when you select the Wired Network (IEEE 802.3) Policies node. This state remains until the policy is deleted, at which time the GPO returns to the menu when you right-click Wired Network (IEEE 802.3) Policies in the GMPE. The wired policies are only listed in the GPMC details pane when the Wired Network (IEEE 802.3) Policies node is selected. To access the properties of a GPO you have already created, select Wired Network (IEEE 802.3) Policies. In the details pane, right-click the GPO, and then click Properties.

Open Wired Network (IEEE 802.3) Policies for Editing

You can use this procedure to open the activated Wired Network (IEEE 802.3) Policies for editing. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Procedures
To open activated Wired Network (IEEE 802.3) Policies for editing 1. On your domain controller running Windows Server 2008, if Group Policy Management Editor is not already open, do the following: click Start, point to Administrative Tools, and then click Group Policy Management. The Group Policy Management Microsoft Management Console (MMC) snap-in opens. 2. In the left pane, double-click your forest. For example, double-click Forest: example.com. 3. In the left pane, double-click Domains, and then double-click the domain in which you want to manage a Group Policy object. For example, double-click example.com. 4. Right-click the Group Policy object you want to manage, and then click Edit. For example, right-click Default Domain Policy, and then click Edit. The Group Policy Management Editor opens. 25

Note The Group Policy object that you select must be the same object that you specified when you activated the Wired Network (IEEE 802.3) Policies. 5. In Group Policy Management Editor, in the right pane, open Computer Configuration, open Policies, open Windows Settings, open Security Settings, and then select Wired Network (IEEE 802.3) Policies. 6. In the details pane, right-click New Wired Network Policy, and then click Properties. The New Wired Network Policy Properties dialog box opens. The wired network policies node is not necessarily listed as New Wired Network Policy in the details pane of the Group Policy Management Editor. If the default policy name was previously changed from to another name, the name change is reflected in the Group Policy Management Editor details pane.

Configure Windows Vista Wired Network (IEEE 802.3) Policies

Use the procedure in this topic to configure the Wired Network (IEEE 802.3) Policies for client computers running Windows Vista that connect to your wired Ethernet network by using 802.1Xcapable switches. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Note You can use the Windows Vista Wired Network (IEEE 802.3) Policies to configure computers running Windows Vista and Windows Server 2008. You cannot use this policy to configure computers running Windows XP. Computers running Windows XP cannot interpret settings in a Windows Vista Wired Network (IEEE 802.3) Policies.

Procedures
To configure a wired connection profile for PEAP-MS-CHAP v2 1. Open Wired Network (IEEE 802.3) Policies. 2. On the General tab, do the following: a. In Policy Name, type a name for the wired network policy. b. In Description, type a brief description of the policy. c. Ensure that Use Windows Wired AutoConfig service for clients is selected.

26

Note For more information about the settings on any tab, press F1 while viewing that tab. 3. On the Security tab, do the following: a. Select Enable use of IEEE 802.1X authentication for network access. b. In Select a network authentication method, select Protected EAP (PEAP). c. In Authentication mode, select User re-authentication.

d. In Max Authentication Failures, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. e. To specify that user credentials are held in cache, select Cache user information for subsequent connections to this network. 4. Click Advanced. On the Advanced tab, do the following: a. To configure advanced 802.1X settings, select Enforce advanced 802.1X settings, and then modify only as necessary the settings for: Max Eapol-Start Msgs, Held Period, Start Period, Auth Period, and Eapol-Start Message. b. To configure Single Sign On, select Enable Single Sign On for this network, and then modify as necessary the settings for: Perform Immediately before User Logon Perform Immediately after User Logon Max delay for connectivity Allow additional dialogs to be displayed during Single Sign On Max delay with dialogs This network uses different VLAN for authentication with machine and user credentials

5. Click OK. On the Security tab, click Properties. 6. In the Protected EAP Properties dialog box, do the following: a. Select Validate server certificate. b. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS). Note This setting limits the root CAs that clients trust to the selected values. If you do not specify a trusted root CA, then clients will trust all root CAs in their trusted root certification authority store. c. To specify that PEAP Fast Reconnect is enabled, select Enable Fast Reconnect.

d. If Network Access Protection (NAP) is configured on your network, select Enable Quarantine checks. Otherwise, clear this check box. 27

e. Click OK, to save the Protected EAP (PEAP) settings. 7. Click OK to save the changes to the wired policy, and then close the Group Policy Management console.

Configuring your NPS Server for Wired 802.1X Authentication

Follow these procedures to configure your NPS server: Register NPS in Active Directory Domain Services Configure an 802.1X-Capable Switch as an NPS RADIUS Client Create NPS Policies for 802.1X Wired by Using a Wizard

Register NPS in Active Directory Domain Services

You can use this procedure to register a server running Network Policy Server (NPS) in Active Directory Domain Services(AD DS) in the domain where NPS is a member. For NPS servers to be granted permission to read the dial-in properties of user accounts during the authorization process, each NPS server must be registered in Active Directory. Registering an NPS server adds the server to the RAS and IAS Servers security group in AD DS. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Procedures
To register an NPS server in its default domain 1. On your NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS Microsoft Management Console (MMC) snap-in opens. 2. Right-click NPS (Local), and then click Register Server in Active Directory. The Network Policy Server dialog box opens. 3. In Network Policy Server, click OK, and then click OK again.

28

Configure an 802.1X-Capable Switch as an NPS RADIUS Client

Use this procedure to configure an 802.1X-capable switch as a Remote Authentication Dial-In User Service (RADIUS) client by using the NPS Microsoft Management Console (MMC) snap-in. Important Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access serverssuch as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up serversbecause they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Procedures
To add a 802.1X-capable switch as a RADIUS client in NPS 1. On the NPS server, click Start, click Administrative Tools, and then click Network Policy Server. The NPS Microsoft Management Console (MMC) snap-in opens. 2. In the NPS snap-in, double-click RADIUS Clients and Servers. Right-click RADIUS Clients, and then click New RADIUS Client. 3. In New RADIUS Client, verify that the Enable this RADIUS client check box is selected. 4. In New RADIUS Client, in Friendly name, type a display name for the NAS. For example, if you want to add a switch named switch-01, type switch-01. 5. In Address (IP or DNS), type the IP address or fully qualified domain name (FQDN) of the 802.1X-capable switch. If you enter the FQDN, to verify that the name is correct and maps to a valid IP address, click Verify, and then in Verify Client, in Client, click Resolve. If the FQDN name maps to a valid IP address, the IP address of that switch automatically appears in IP Address. If the FQDN does not resolve to an IP address you will receive a message indicating that no such host is known. 6. In New RADIUS Client, in Vendor, specify the switch manufacturer name. If you are not sure of the NAS manufacturer name, select RADIUS standard. 7. In New RADIUS Client, in Shared secret, do one of the following: a. To manually configure a RADIUS shared secret, ensure that Manual is selected, and then in Shared secret, type the strong password that is also entered on the switch. Retype the shared secret in Confirm shared secret. b. To automatically generate a shared secret, select the Generate check box, and then 29

click the Generate button. Save the generated shared secret, and then use that value to configure the NAS so that it can communicate with the NPS server. 1. In New RADIUS Client, in Additional Options, if you are using any authentication methods other than EAP and PEAP, and if your NAS supports use of the message authenticator attribute, select Access Request messages must contain the Message Authenticator attribute. 2. In New RADIUS Client, in Additional Options, if you plan on deploying Network Access Protection (NAP) and your NAS supports NAP, select RADIUS client is NAP-capable. 3. Click OK. Your NAS appears in the list of RADIUS clients configured on the NPS server.

Create NPS Policies for 802.1X Wired by Using a Wizard

You can use this procedure to create the connection request policies and network policies required to deploy 802.1X-authenticating Ethernet switches as Remote Authentication Dial-In User Service (RADIUS) clients to the RADIUS server running Network Policy Server (NPS). Important Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access serverssuch as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up serversbecause they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers. After you run the wizard, the following policies are created: One connection request policy One network policy Note You can run the New IEEE 802.1X Secure Wired and Wireless Connections wizard every time you need to create new policies for 802.1X authenticated access. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Procedures
Create policies for 802.1X authenticated wired access by using a wizard 1. Open the NPS Microsoft Management Console (MMC) snap-in. If it is not already selected, click NPS (Local). If you are running the NPS MMC snap-in and want to create 30

policies on a remote NPS server, select the server. 2. In Getting Started and Standard Configuration, use the combination box to select RADIUS server for 802.1X Wireless or Wired Connections. The text and links below the text change to reflect your selection. 3. Click Configure 802.1X. The Configure 802.1X wizard opens. 4. On the Select 802.1X Connections Type wizard page, in Type of 802.1X connections, select Secure Wired Connections, and in Name, type a name for your policy. Click Next. 5. On the Specify 802.1X Switches wizard page, in RADIUS clients, all 802.1X switches and wireless access points that you have added as RADIUS clients in the NPS snap-in are shown. Do any of the following: Warning Removing a RADIUS client from within the Configure 802.1X wizard deletes the client from the NPS server configuration. All additions, modifications, and deletions that you make within the Configure 802.1X wizard to RADIUS clients are reflected in the NPS snap-in, in the RADIUS Clients node under NPS / RADIUS Clients and Servers. For example, if you use the wizard to remove an 802.1X switch, the switch is also removed from the NPS snap-in. a. To add additional network access servers (NASs), such as 802.1X-capable switches, in RADIUS clients, click Add, and then in New RADIUS client, enter the information for: Friendly name, Address (IP or DNS), and Shared Secret. b. To modify the settings for any switch, in RADIUS clients, select the AP for which you want to modify the settings, and then click Edit. Modify the settings as required. c. To remove a switch from the list, in RADIUS clients, select the switch, and then click Remove.

1. Click Next. In Configure an Authentication Method, in Type (based on method of access and network configuration), select Microsoft: Protected EAP (PEAP), and then click Configure. Tip If you receive an error message indicating that a certificate cannot be found for use with the authentication method, and you have configured Active Directory Certificate Services to automatically issue certificates to RAS and IAS servers on your network, first ensure that you have followed the steps to Register NPS in Active Directory Domain Services, then use the following steps to update Group Policy: Click Start, click Run, in Open, type gpupdate, and then press ENTER. When the command returns results indicating that both user and computer Group Policy have updated successfully, select Microsoft: Protected EAP (PEAP) again, and then click Configure. Tip 31

If after refreshing Group Policy you continue to receive the error message indicating that a certificate cannot be found for use with the authentication method, the certificate is not being displayed because it does not meet the minimum server certificate requirements as documented in the Foundation Network Companion Guide: Deploying Server Certificates. If this happens, you must discontinue NPS configuration, revoke the certificate issued to your NPS server, and then follow the instructions in the Foundation Network Companion Guide: Deploying Server Certificates to configure a new certificate. 2. On the Edit Protected EAP Properties wizard page, in Certificate issued, ensure that the correct NPS server certificate is selected, and then do the following: Note Verify that the value in Issuer is correct for the certificate selected in Certificate issued. For example, the expected issuer for a certificate issued by a CA running Windows Server 2008 Active Directory Certificate Services (AD CS) named CA01, in the domain example.com, is example-CA-01-CA. d. To allow users with mobile computers to move to a location that uses a different switch without requiring them to reauthenticate each time they connect to the network, select Enable Fast Reconnect. e. To specify that connecting clients will end the network authentication process if the RADIUS server does not present cryptobinding Type-Length-Value (TLV), select Disconnect Clients without Cryptobinding. Note Cryptobinding TLV increases the security of the TLS tunnel by combining the inner method and the outer method authentications together so that attackers cannot perform man-in-the-middle attacks by redirecting an MS-CHAP v2 authentication through the PEAP channel. f. To modify the policy settings for the EAP type, in EAP Types, click Edit, in EAP MSCHAPv2 Properties, modify the settings as needed, and then click OK.

1. Click OK. The Edit Protected EAP Properties dialog box closes, returning you to the Configure 802.1X wizard. Click Next. 2. In Specify User Groups, click Add, and then type the name of the wired users security group that you configured for your network clients in the Active Directory Users and Computers snap-in. For example, if you named your wired users security group Wired Users, type Wired Users. Click Next. 3. Click Configure to configure RADIUS standard attributes and vendor-specific attributes for virtual LAN (VLAN), and then modify the attributes as needed, and as specified by the documentation provided by your Ethernet switch hardware manufacturer. Click Next. 4. Review the configuration summary details, and then click Finish.

32

Additional Resources for Deploying Wired Access with PEAP-MS-CHAP v2

For more information about the technologies in this guide, see the following resources: Active Directory Certificate Services in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=110923 Active Directory Domain Services in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=96418 Deployment Planning (Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure) in Windows Server TechCenter at http://go.microsoft.com/fwlink/?LinkId=106049 Domain Name System (DNS) in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=110949 Dynamic Host Configuration Protocol (DHCP) in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=96419 Group Policy in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=110930 Netsh Commands for Wired Local Area Network (LAN) in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkID=105684 Network Policy Server (NPS) in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=104545 and Network Policy Server at http://go.microsoft.com/fwlink/?LinkId=93758 TCP/IP in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=103329 Windows Internet Name Service (WINS) in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=103331 "Joining Computers to the Domain and Logging On" topic in the Windows Server 2008 Foundation Network Guide in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=106051

33