802.1X Authenticated Wired Access Design Guide

Applies To: Windows Server 2008, Windows Server 2008 R2

The Windows Server® 2008 operating system provides the networking services needed to deploy a secure and manageable 802.1X authenticated network infrastructure. This guide provides comprehensive guidance to help you design an 802.1X authenticated wired access solution.

Authentication prevents users without valid credentials from being able to connect to your domain over the wired network. Authorization verifies that the wired node meets all of the conditions that are required to make a connection to the switch. IEEE 802.1X uses the Extensible Authentication Protocol (EAP) to exchange authentication credentials. IEEE 802.1X authentication can be based on different EAP authentication methods such as those using secured passwords (user name and password) or a digital certificate.

Many Ethernet switches are capable of providing port-based network access control, a technology that prevents communication from traversing ports on the switch until the computer that is physically connected to the port is authenticated and access is authorized. The IEEE 802.1X standard defines how switches perform port-based network access control. IEEE 802.1X authentication is designed for wired LANs that contain an authentication infrastructure consisting of one or more Remote Authentication Dial-In User Service (RADIUS) servers and account databases such as Active Directory and 802.1X-capable Ethernet switches. An 802.1X-capable Ethernet switch prevents any computer that is connected to the switch from sending or receiving communications on a wired network until that computer is successfully authenticated and authorized.

About this guide

This guide is intended for infrastructure specialists, system architects, and IT professionals.

The purpose of this guide is to help you to plan and design a new 802.1X authenticate wired access deployment.


Following are the requirements for deploying a wired access infrastructure as documented in this guide:

This guide uses a step-by-step approach to help you decide which design best fits your wired access needs and to help you create a design based on the most common wired access design goals. The two scenarios are:

  • Wired access by using PEAP-MS-CHAP v2 for secure password authentication. This design is well suited to small businesses and medium organizations. Secure password authentication provides strong security, and uses domain account credentials (user name and password) for client authentication. When deploying wired access by using PEAP-MS-CHAP v2, you can either purchase certificates from a public certification authority (CA), such as VeriSign, or deploy a private CA on your network by using Active Directory Certificate Services (AD CS).

  • Wired access by using either EAP-TLS or PEAP-TLS for authentication using digital certificates. This design is well suited to medium and enterprise-sized networks. Digital certificates provide more robust security than secure password authentication. In this design guide, digital certificates are either smart cards, or certificates issued to your users and computers by the CA you deploy on your network. If your wired access solution uses either EAP-TLS or PEAP-TLS, you must deploy a private CA on your network by using AD CS.

After reading this guide you will have the information necessary to begin deploying wired access by using the 802.1X Authenticated Wired Deployment Guide in the Windows Server 2008 Technical Library at https://go.microsoft.com/fwlink/?LinkId=137750.