The Cable Guy IEEE 802.1X Wired Authentication
This article is based on a prerelease version of Windows Server 2008. Details herein is subject to change.
With the rise in popularity of IEEE 802.1X authentication for IEEE 802.11 wireless networks, network administrators want to use this standard for their wired network connections as well. Just as a wireless client must submit a set of credentials to be validated prior to allowing wireless frames to be forwarded to the intranet, an
IEEE 802.1X wired client must perform an authentication prior to being able to use its switch port. IEEE 802.1X authentication provides an additional security barrier for your intranet—you can prevent guest, rogue, or unmanaged computers that cannot perform a successful authentication from connecting to your intranet.
IEEE 802.1X authentication is probably already supported by your wired switches and just needs to be enabled and configured. For authentication and authorization of a wired connection, 802.1X-capable switches typically use the Remote Authentication Dial-In User Service (RADIUS) protocol to send connection request information to a RADIUS server, such as a Windows Server® 2008-based Network Policy Server (NPS) or a Windows Server 2003 Internet Authentication Service (IAS) server.
After you configure your switches for RADIUS but before you require 802.1X authentication, you will have to enable and configure 802.1X authentication on your wired computers. IEEE 802.1X authentication for wired network connections has been supported in Microsoft® Windows® since Windows XP. However, you must manually configure 802.1X authentication settings in Windows XP SP2 and prior and Windows Server 2003 on each individual wired client (from the Authentication tab for the properties of a network connection in the Network Connections folder). Unfortunately, there is no way to centrally configure or script wired 802.1X settings for these earlier operating systems. Computers running Windows XP with SP3 support Group Policy-based central configuration.
Fortunately, support for wired settings in Group Policy and scripting support with the Netsh tool in Windows Vista® and Windows Server 2008 mean that deployment of 802.1X wired settings is much simpler than before.
Wired Network Settings in Group Policy
Using the Wired AutoConfig Service
In Windows XP and Windows Server 2003, the 802.1X behavior on wired connections is controlled by the Wireless Zero Configuration service. On those operating systems, this service was enabled by default and wired network connections were placed in a passive listening mode, waiting for the switch to initiate authentication.
In contrast, in Windows Vista and Windows Server 2008, the Wired AutoConfig service controls 802.1X behavior on wired connections, but it is disabled by default. Therefore, the Authentication tab for the properties of network connections does not appear until after the Wired AutoConfig service is started.
For an individual wired client running Windows Vista or Windows Server 2008, you can use the Services snap-in to start the Wired AutoConfig service and configure it for automatic startup. When the Wired AutoConfig service is started, wired network connections operate in an active listening mode in which the network connection attempts to initiate authentication with the switch.
For an Active Directory domain, you can use Group Policy to configure the Wired AutoConfig service for automatic startup. Using the Group Policy Management Editor snap-in, configure the Computer Configuration | Windows Settings | Security Settings | System Services | Wired AutoConfig setting for Automatic startup mode.
To centralize and automate the configuration of wired network settings, Windows Server 2008 and Windows Server 2003 Active Directory® domain services support wired policy settings in Group Policy. These settings allow you to configure wired network settings as part of Computer Configuration Group Policy for a domain-based Group Policy Object.
With these wired policy settings, you can specify the authentication method and other 802.1X settings for wired clients running Windows Server 2008 or Windows Vista. When joining the domain, starting up, or periodically after starting, these operating systems automatically download the wired Group Policy settings and apply them. Just note that a Windows Server 2003 Active Directory domain must be extended to support these new policies. For information about how to extend a Windows Server 2003 Active Directory domain, take a look at technet.microsoft.com/bb727029.
You can configure wired policies from the Computer Configuration | Windows Settings | Security Settings | Wired Network (IEEE 802.3) Policies node in the Group Policy Management Editor snap-in. By default, there are no Wired Network (IEEE 802.3) policies. To create a new policy, right-click Wired Network (IEEE 802.3) Policies in the console tree and click Create a New Windows Vista Policy.
The properties dialog box of a Windows Vista wired policy consists of a General tab and a Security tab. Figure 1 shows the default General tab. On the General tab, you can configure a name and description for the policy and specify whether to use the Wired AutoConfig service, which controls 802.1X behavior on wired connections. For more information, see the "Using the Wired AutoConfig Service" sidebar in this column.
Figure 1 The default General tab of a Windows Vista wired policy
Figure 2 shows the default Security tab for a Windows Vista wired policy. On the Security tab, you can enable or disable 802.1X authentication, select and configure the Extensible Authentication Protocol (EAP) authentication method, select the authentication mode (user re-authentication, computer only, user authentication, or guest authentication), configure the number of times authentication attempts can fail before authentication is abandoned, and configure whether to cache user information for subsequent connections. When caching is disabled, Windows removes the user credential data from the registry when the user logs off. The result is that the next user will be prompted for his or her credentials (such as user name and password) at logon.
Figure 2 The default Security tab of a Windows Vista wired policy
When you click the Advanced button on the Security tab, you can configure advanced settings for 802.1X and Single Sign-On. Figure 3 shows the default Advanced security settings dialog box for a Windows Vista wired policy. From the Advanced security settings dialog box, you can configure 802.1X settings shown in Figure 4.
Figure 4 802.1X settings in the Advanced security settings box
|Max EAPOL-Start Messages||The number of successive EAP over LAN (EAPOL)-Start messages that are sent out when no response to the initial EAPOL-Start messages is received.|
|Held Period||The time interval between the retransmission of EAPOL-Start messages when no response to the previously sent EAPOL-Start message is received.|
|Start Period||The period during which the authenticating client will not perform any 802.1X authentication activity after it has received an authentication failure indication from the authenticator.|
|Auth Period||The period of time the authenticating client will wait before retransmitting any 802.1X requests after end-to-end 802.1X authentication has been initiated.|
|EAPOL-Start Message||When the wired client sends the EAPOL-Start message.|
Figure 3 The default Advanced security settings dialog box for a Windows Vista wired policy
Wired clients running Windows Server 2008 support Single Sign-On for wired connections. This feature is also planned for the forthcoming release of Windows Vista Service Pack 1. More information is available online at technetmagazine.com/issues/2007/11/CableGuy.
There are Single Sign-On settings available to perform user-level 802.1X authentication prior to the user logon process or after the user logon process, and to wait the configured number of seconds for user-level 802.1X authentication to complete before starting the user logon process. You can determine whether or not to display dialog boxes for user-level authentication beyond the consolidation of input fields on the Windows logon screen. For example, if an EAP type wants the user to confirm the certificate sent from the RADIUS server during authentication, the EAP type can display the dialog box.
Additionally, you can specify that after performing user-level authentication, the system initiates a Dynamic Host Configuration Protocol (DHCP) renewal of the TCP/IP configuration of the wired adapter. Select this option if there are separate virtual LANs (VLANs) for computer-level and user-level authenticated wired clients and if those VLANs are different IPv4 or IPv6 subnets.
Scripting Support with the Netsh Tool
Windows Server 2008 and Windows Vista support commands in the netsh lan context of the Netsh tool to configure wired settings or export or import a wired profile, which is a named set of wired settings in XML format. With command-line configuration of wired settings, you can more easily deploy wired networks by creating automated scripts for wired settings without using Group Policy. The Wired Network (IEEE 802.3) Policies Group Policy settings apply only in an Active Directory domain. For an environment without a Group Policy infrastructure, a script that automates the configuration of wired connections with a wired profile can be run manually or automatically, including as part of the logon script.
To perform command-line configuration of wired clients running Windows Vista or Windows Server 2008, run netsh lan commands with the appropriate parameters. For example, the following command enables Single Sign-On for the network connection named "Local Area Connection" and configures Single Sign-On to perform user authentication before user logon:
netsh lan set profileparameter interface="Local Area Connection" ssomode=prelogon
For more information about netsh lan command syntax, see technet.microsoft.com/aa905084.
Wired XML profiles can be exported from a Windows Server 2008 or Windows Vista wired client and then imported to a Windows Server 2008 or Windows Vista wired client using the Netsh tool. To export a wired profile, use the netsh lan export profile command. If you want to import a wired profile, use the netsh lan add profile command. For some useful examples of wired profiles, see msdn2.microsoft.com/aa816372.
With command-line and XML profile support, you can bootstrap a wired client onto the organization's 802.1X-authenticated wired network. A wired client computer that is not a member of the domain cannot connect to the wired network using computer credentials. Additionally, a computer cannot join the domain until it has successfully connected to the wired network. However, command-line and XML profile support allow a wired computer to connect to the organization's wired network using user credentials and then join the computer to the domain. For more information, see technet.microsoft.com/bb727031.
Joseph Davies is a technical writer with Microsoft and has been teaching and writing about Windows networking topics since 1992. He has written five books for Microsoft Press and is the author of the monthly online TechNet Cable Guy column.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.