802.1X Authenticated Wired and Wireless Access
Applies To: Windows Server 2008
Windows Server® 2008 includes new features to support 802.1X-authenticated wired (802.3 Ethernet) connections and 802.11 wireless connections for clients running Windows Vista® and Windows Server 2008. These features enable you to use Group Policy to configure settings on multiple domain-member clients running Windows Vista and Windows Server 2008 so that they can connect to an 802.1X-authenticated Ethernet network. As an alternative to Group Policy-based client configuration for 802.1X wired and wireless network access, you can now use wired Netsh (Netsh lan) commands and wireless Netsh (Netsh wlan) commands in logon scripts. Additionally, Windows Server 2008 provides more configuration options: administrators can now configure multiple profiles for one wireless network, all using a common Service Set Identifier (SSID), with each profile specifying its own security properties.
What does 802.1X wired and wireless access do?
The Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard, RFC 3580 (https://go.microsoft.com/fwlink/?LinkId=93318), defines authenticated access for wired Ethernet (IEEE 802.3) and wireless (IEEE 802.11) connections. This 802.1X authenticated access relies on 802.1X-compatible Ethernet switches and wireless access points (APs) to provide port-based network access control in order to prevent unauthenticated and unauthorized users and computers from accessing network resources, or sending any packets onto the network.
You can use features in Windows Server 2008 with 802.1X-compatible switches to provide and manage 802.1X-authenticated wired Ethernet access for computers running Windows Vista and Windows Server 2008. You can use features in Windows Server 2008 with 802.1X-compatible wireless APs to provide and manage 802.1X-authenticated IEEE 802.11 wireless access for computers running Windows® XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
Note
In this topic, all references to 802.1X, 802.3 wired Ethernet, and 802.11 wireless assume that hardware, hardware drivers, and software follow the standards defined by the IEEE for that technology.
The 802.1X authentication for 802.3 wired Ethernet and 802.11 wireless connections prevents unauthenticated and unauthorized users and computers from connecting to your network. Windows Server 2008 provides the features that work with 802.1X-compatible Ethernet switches and wireless APs to fully support deployment and management of 802.1X-authenticated network infrastructures.
In this and previous versions of Windows Server, most features are self-contained; they are installed as a specific item. Once installed, the self-contained features are managed from a single location within Administrative Tools, which is accessed through the Windows Server 2008 Start menu. Examples of self-contained features include:
Active Directory Certificate Services (AD CS)
Application Server
Dynamic Host Configuration Protocol (DHCP)
Fax and E-mail Services
Network File and Print Services
Windows Internet Name Service (WINS)
Unlike self-contained features, 802.1X-authenticated wired Ethernet and wireless access are not discrete, installable features. Instead, Windows Server-based 802.1X wired and wireless deployments provide 802.1X-authenticated network access by using specific components from several Windows Server 2008 features together with 802.1X-compatible wireless access points and Ethernet switches.
Who will be interested in these technologies?
System engineers and system architects who are evaluating or planning 802.1X-authenticated access for wired Ethernet or 802.11 wireless clients.
IT professionals who want to control access to their network by using 802.1X network authentication.
IT Professionals who have deployed 802.1X-compatible Ethernet switches or 802.1X-compatible wireless APs.
IT Professionals who want to use, or who already use Windows Server 2008 to provide 802.1X infrastructure features, such as Active Directory Certificate Services (AD CS), Remote Authentication Dial-In User Service (RADIUS) authentication using Extensible Authentication Protocol (EAP), user accounts database, client computer TCP/IP addressing, and Group Policy or scripting to configure 802.1X settings on Windows-based client computers.
What new functionality supports 802.1X-authenticated wired Ethernet and wireless access?
As is the case with Windows Server 2003, Windows Server 2008 supports 802.1X-authenticated wired Ethernet and 802.11 wireless deployments by combining specific components within multiple features. The following table highlights the name changes for features that are relevant to 802.1X deployments between Windows Server 2003 and Windows Server 2008. The table is intended to orient anyone who is familiar with Windows Server 2003 features with the new and changed features in Windows Server 2008. In several instances, key controls within a particular service are listed to better demonstrate associations.
Summary of new or changed features
Windows Server 2003 | Windows Server 2008
---|---
Active Directory | Active Directory Domain Services
Active Directory, computer and user account Dial-in properties | Active Directory Domain Services, computer and user account Dial-in properties
Certificate Services | Active Directory Certificate Services
Internet Authentication Service (IAS) | Network Policy Server (NPS)
Group Policy (connection policies) | Group Policy (connection policies)
Group Policy (adapter configuration service) | Group Policy (adapter configuration services)
N/A | Netsh commands for wireless LAN (Netsh wlan) and wired LAN (Netsh lan)
The remainder of this section provides information about the new features in Windows Server 2008 that were specifically designed to support 802.1X authenticated Wired Ethernet access and 802.1X authenticated Wireless access for computers running Windows Vista and Windows Server 2008:
Vista Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension
Wired Network (IEEE 802.3) Policies Group Policy and client-side extension
WLAN AutoConfig (WLANSVC) Group Policy settings
Wired AutoConfig (dot3svc) Group Policy settings
Netsh commands for wireless local area network (Netsh wlan)
Netsh commands for wired local area network (Netsh lan)
Vista Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension
Although similar in some ways to the Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension provided in Windows Server 2003, in Windows Server 2008 the Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension enables you to configure two separate Wireless Network (IEEE 802.11) Policies: one policy for computers running Windows XP and Windows Server 2003, and the other for computers running Windows Vista and Windows Server 2008.
Note
In this topic, all subsequent references to “Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension” are abbreviated to "Wireless Network (IEEE 802.11) Policies."
With Windows Vista Wireless Network (IEEE 802.11) Policies, you can specify enhanced wireless network configuration, security, and management settings that are only available to wireless computers running Windows Vista and Windows Server 2008. Windows Vista Wireless Network (IEEE 802.11) Policies provides much greater configuration flexibility; the enhanced wireless settings provide more configuration options and allow more control over security and connectivity settings. You cannot configure computers running Windows XP or Windows Server 2003 by using Windows Vista Wireless Network (IEEE 802.11) Policies.
Why is this functionality important?
Wireless clients running Windows Vista and Windows Server 2008 support enhancements available in Windows Vista Wireless Network (IEEE 802.11) Policies, which enable administrators to accomplish the following:
Integrate with Network Access Protection (NAP) to restrict wireless clients that do not meet system health requirements from gaining unlimited access to the private network.
Separate the service management of 802.1X wired Ethernet and wireless.
Configure separate settings in Wireless Network (IEEE 802.11) Policies for clients running Windows XP and clients running Windows Vista.
Provide strong security by using Wi-Fi Protected Access 2 (WPA2) authentication options for Windows Vista and Windows Server 2008.
Configure wireless clients running Windows Vista and Windows Server 2008 for either automatic or manual connections to preferred wireless networks.
Configure allow and deny lists to specify whether wireless network clients can view or attempt to connect to other wireless networks that are not controlled by the network administrator.
Configure multiple profiles specifying the same Service Set Identifier (SSID), but with different network security and authentication methods.
Allow or deny connections to non-broadcast networks.
Import and export independent hardware vendor (IHV) connection profiles to configure wireless client computers running Windows Vista or Windows Server 2008.
What works differently?
To leverage the account name and password-based authentication infrastructure that already exists in Active Directory, in Windows Vista and Windows Server 2008 the default Extensible Authentication Protocol (EAP) authentication method for 802.1X-authenticated wireless connections is now Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), referred to as PEAP-MS-CHAP v2.
Note
By default, Windows Server 2008 supports three EAP methods: PEAP-MS-CHAP v2, EAP with Transport Layer Security (EAP-TLS), and PEAP-TLS. If you need to manage an EAP method other than these three default methods, you must first install that EAP method on the server.
Wired Network (IEEE 802.3) Policies Group Policy and client-side extension
The Wired Network (IEEE 802.3) Policies Group Policy and client-side extension is a new feature in Windows Server 2008. You can use the Wired Network (IEEE 802.3) Policies Group Policy and client-side extension to specify network settings for computers running Windows Vista and Windows Server 2008 that connect to an Ethernet network through an 802.1X-compatible switch in an Active Directory environment.
Note
In this topic, all subsequent references to “Wired Network (IEEE 802.3) Policies Group Policy and client-side extension” are abbreviated to "Wired Network (IEEE 802.3) Policies."
You cannot configure computers running Windows XP or Windows Server 2003 by using Wired Network (IEEE 802.3) Policies.
Why is this functionality important?
The new functionality in Wired Network (IEEE 802.3) Policies in Windows Server 2008 enables administrators to programmatically configure 802.1X-based connectivity and security settings on domain member computers running Windows Vista or Windows Server 2008.
Additionally, you can use Wired Network (IEEE 802.3) Policies to integrate client wired Ethernet connectivity and security settings with Network Access Protection (NAP) to restrict network access for clients that do not meet system health requirements.
WLAN AutoConfig (WLANSVC) Group Policy settings
The WLAN AutoConfig (WLANSVC) service enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to wireless networks. The WLAN AutoConfig System Services Group Policy settings enable administrators to specify the service startup type of the WLAN AutoConfig service for domain member computers running Windows Vista and Windows Server 2008 that have wireless network adapters and the associated Windows Vista adapter drivers installed.
The WLAN AutoConfig System Services Group Policy settings are located in the Group Policy Management Console at:
Domain Policy/Computer Configuration/Windows Settings/Security Settings/System Services
Why is this functionality important?
WLAN AutoConfig Group Policy settings enable administrators to prevent domain member users from altering the startup mode of the WLAN AutoConfig service.
Wired AutoConfig (dot3svc) Group Policy settings
The Wired AutoConfig (dot3svc) service enumerates Ethernet network adapters, and manages both connections to Ethernet networks through 802.1X-compatible switches, and the wired profile that contains the settings required to configure a network client for 802.1X-authenticated network access. The Wired AutoConfig Group Policy settings enable administrators to specify the service startup type of the Wired AutoConfig service for domain member computers running Windows Vista and Windows Server 2008 that have Ethernet network adapters and the associated Windows Vista network adapter drivers installed.
Why is this functionality important?
The Wired AutoConfig Group Policy enables administrators to prevent domain member users from altering the startup mode of the Wired AutoConfig service.
The Wired AutoConfig Group Policy settings are located in the Group Policy Management Console at:
Domain Policy/Computer Configuration/Windows Settings/Security Settings/System Services
Netsh commands for wireless local area network (Netsh wlan)
The Windows Vista Netsh commands for wireless local area network (WLAN) provide methods to configure connectivity and security settings. You can use the Netsh wlan commands to configure the local computer, or to configure multiple computers by using a logon script. You can also use the Netsh wlan commands to view applied wireless Group Policy settings.
The wireless Netsh interface has the following benefits:
Easier wireless deployment. Provides a light-weight alternative to using Group Policy to configure wireless connectivity and security settings.
Mixed mode support. Allows administrators to configure clients to support multiple security options. For example, a client can be configured to support both the Wi-Fi Protected Access version 2 (WPA2) and the Wi-Fi Protected Access (WPA) authentication standards. This allows the client to use WPA2 to connect to networks that support WPA2 and use WPA to connect to networks that only support WPA.
Block undesirable networks. Administrators can block and hide access to non-corporate wireless networks by adding specific networks or network types to the list of denied networks. Similarly, administrators can allow access to corporate wireless networks.
Troubleshooting wireless connectivity. You can use Netsh wlan commands to gather detailed information about wireless network adapter capabilities and settings, and wireless profile configuration settings.
Why is this functionality important?
Because these commands can be run as scripts, Netsh wlan commands provide a lightweight alternative to using Windows Vista Wireless Network (IEEE 802.11) Policies for configuring multiple computers.
Netsh commands for wired local area network (Netsh lan)
The Windows Vista Netsh commands for wired local area network (LAN) provide methods to configure connectivity and security settings. You can use the Netsh lan commands to configure the local computer, or to configure multiple computers by using a logon script. You can also use the Netsh lan commands to view Wired Network (IEEE 802.3) Policies settings, and to administer user wired 802.1X settings.
Why is this functionality important?
The wired Netsh commands assist in deploying secure 802.1X-authenticated wired Ethernet access by providing an alternative to using the Windows Vista Wired Network (IEEE 802.3) Policies in Windows Server 2008 Group Policy to configure wired connectivity and security settings.
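As an added example (not code from the original article or from Microsoft), the following PowerShell startup script shows the scripted alternative described in the WLAN AutoConfig, Wired AutoConfig, Netsh wlan and Netsh lan sections above: it makes sure both AutoConfig services are running, puts the wired interface under Wired AutoConfig control, applies an allow/deny filter list for wireless networks, and collects troubleshooting output. The SSID CorpWiFi and the interface name Local Area Connection are placeholders; the netsh commands are the ones documented for netsh lan and netsh wlan on Windows Vista.

```powershell
# Added example, not from the original article: a startup/logon script that uses the Netsh wlan
# and Netsh lan commands as the lightweight alternative to Group Policy described above.
# Placeholders to replace: corporate SSID "CorpWiFi" and wired interface "Local Area Connection".
# Run elevated; netsh configuration changes require administrator rights.
$CorpSsid       = 'CorpWiFi'
$WiredInterface = 'Local Area Connection'

function Invoke-Netsh {
    # Runs one netsh command and fails loudly on a non-zero exit code, so a logon script never
    # leaves a client half-configured without anyone noticing.
    param([string[]]$ArgList)
    $out = & netsh.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($ArgList -join ' ') failed ($LASTEXITCODE): $out" }
    return $out
}

# 1. The AutoConfig services must be running before netsh wlan/lan can talk to them. The
#    System Services Group Policy setting pins the startup type; this only corrects drift.
foreach ($svc in 'WLANSVC', 'dot3svc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { Write-Warning "$svc is not installed (no matching adapter?)"; continue }
    Set-Service -Name $svc -StartupType Automatic
    if ($s.Status -ne 'Running') { Start-Service -Name $svc }
}

# 2. Wired: have Wired AutoConfig manage the 802.1X interface, then display the settings and
#    profiles in effect (wired settings supplied by Group Policy show up here too).
Invoke-Netsh 'lan', 'set', 'autoconfig', 'enabled=yes', "interface=$WiredInterface"
Invoke-Netsh 'lan', 'show', 'settings'
Invoke-Netsh 'lan', 'show', 'profiles', "interface=$WiredInterface"

# 3. Wireless: allow only the corporate SSID and deny every other infrastructure and ad-hoc
#    network (the netsh equivalent of the Network Permissions allow/deny list), then verify.
Invoke-Netsh 'wlan', 'add', 'filter', 'permission=allow', "ssid=$CorpSsid", 'networktype=infrastructure'
Invoke-Netsh 'wlan', 'add', 'filter', 'permission=denyall', 'networktype=infrastructure'
Invoke-Netsh 'wlan', 'add', 'filter', 'permission=denyall', 'networktype=adhoc'
Invoke-Netsh 'wlan', 'show', 'filters'

# 4. Troubleshooting data worth logging: adapter capabilities (supported authentication and
#    cipher pairs) and the global wireless settings, which reflect applied Group Policy.
Invoke-Netsh 'wlan', 'show', 'drivers'
Invoke-Netsh 'wlan', 'show', 'settings'
```

Run it elevated, from a startup script or from a logon script that has administrative rights. netsh wlan add filter reports an error if an identical filter already exists, so a version meant to run repeatedly should consult netsh wlan show filters before adding; the script deliberately throws rather than continuing, because a partially applied filter list is harder to notice than a visible failure.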
What settings are added or changed in Windows Server 2008?
This section contains a series of tables that highlight the Group Policy settings that are new and dramatically different from the Group Policy settings in Windows Server 2003. The tables in this section focus on the configuration settings for:
Vista Wireless Network (IEEE 802.11) Policies
Wired Network (IEEE 802.3) Policies
Vista Wireless Network (IEEE 802.11) Policies
Wireless Network (IEEE 802.11) Policies is located in the Group Policy Management Console at:
Domain Policy/Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies
This section defines the settings for the following tabs for the Windows Vista Wireless Network (IEEE 802.11) Policies:
General tab
Connection tab
Advanced Security Settings tab
Network Permissions tab
New Permissions Entry tab
General tab
Use the General tab to create and manage wireless network profiles and to define a list of preferred wireless networks, which prioritizes the order in which your domain member clients attempt to connect. You can also specify whether the WLAN AutoConfig Service is used to configure 802.11 wireless adapters to connect to wireless networks.
Setting name | Default value | Description
---|---|---
Vista Policy Name | New Vista Wireless Network Policy | Provides a location for a friendly name for the Wireless Network Policies.
Use Windows WLAN AutoConfig service for clients | Enabled | Specifies that the WLAN AutoConfig Service is used to configure and connect clients running Windows Vista to the wireless network.
Connect to available networks in the order of profiles listed below | No entries | Click the desired profile, and then use the Move Up and Move Down buttons to specify the preferred order in which clients attempt connections. Note: By default, there are no network profiles listed in Profile Name. Before you can access the Edit, Remove, or Import controls on this tab, you must use Add to configure at least one network profile, or Import to import a profile.
Import and Export Wireless Network Profiles
Profile import and export are managed by using the following two interfaces. You can use Import a Profile to add a wireless network profile from a location you specify into the list of available wireless networks. You can use Save Export Profile to export any profile listed under Connect to available networks in the order of profiles listed below on the General tab, and save it to a location you specify.
Open for import a profile (Import Profiles)
Setting name | Description
---|---
File name | Provides a location for a name for the profile.
Save as type | Specifies the file type used to save the profile.
Save export profile as (Export Profiles)
Setting name | Description
---|---
Name | Lists saved profiles. Select the profile you want to export, and then click Open.
File name | Provides a location for a new name, or lets you modify the existing profile name.
Connection tab
The Connection tab for Wireless Network (IEEE 802.11) Policies allows you to create wireless network connection profiles for each wireless network to which domain-member wireless clients can connect. A profile is the collection of configuration settings for a wireless network, saved as an Extensible Markup Language (XML) file.
In Windows Server 2003, you can save only one profile for any given Service Set Identifier (SSID). This design in Windows Server 2003 restricts mixed-mode deployments. In Windows Server 2008, administrators can configure multiple wireless connection profiles for any given SSID. The name used to save each profile must be unique, but need not be tied to the SSID. The advantage of this design is that it supports mixed-mode deployments. For example, in Windows Server 2008, you can configure two wireless connection profiles that use the same SSID, but with one using PEAP-MS-CHAP v2, and one profile using EAP-TLS. When combined with management features in NPS, you can design policies to allow some users unrestricted access to the network, while others can only connect at specific times, all while using the same access points and SSID.
Setting name | Default value | Description
---|---|---
Profile name | New Profile | Provides a space for the friendly name of the wireless network profile.
Network Name (SSID) | New Profile | Provides a space for the broadcast name of the wireless network. This must match the Service Set Identifier (SSID) configured on the wireless access points for this network.
Advanced Security Settings tab
The Wireless Network (IEEE 802.11) Policies Advanced Settings tab contains settings associated with 802.1X authentication requests. Advanced settings are exposed only by enabling Wi-Fi Protected Access 2 (WPA2)-Enterprise, WPA-Enterprise, or Open with 802.1X as the network authentication setting on the Security tab in the Windows Vista Wireless Network (IEEE 802.11) Policies.
Advanced security settings are separated into three groups of configuration items: IEEE 802.1X configuration items, single sign-on (SSO) configuration items, and Fast Roaming configuration items.
SSO configuration items
In Windows Server 2008 and Windows Vista, single sign-on (SSO) performs 802.1X authentication based on the network security configuration during the user logon process. This feature enables scenarios, such as Group Policy updates, running of logon scripts, and joining of wireless clients to domains, that require network connectivity prior to user logon.
You can use Wireless Network (IEEE 802.11) Policies to configure SSO profiles for your wireless client computers. When an SSO profile is configured, 802.1X authentication is conducted prior to computer logon to the domain; users are only prompted for credential information if needed.
Setting name | Default value | Description
---|---|---
Allow additional dialogs to be displayed during Single Sign On | Enabled, if Enable SSO for this network is Enabled | This setting specifies that different dialog boxes are presented to the user at logon for SSO, if applicable.
This network uses different VLAN for authentication with machine and user credentials | Not enabled | Specifies that wireless computers are placed on one virtual local area network (VLAN) at startup, and then, based on user permissions, moved to a different VLAN after the user logs on to the computer. This setting is used in scenarios where it is desirable to separate traffic by using VLANs. For example, one VLAN, "VLAN-a," allows access only to authenticated computers, typically with a restricted set of assets. A second VLAN, "VLAN-b," provides authenticated and authorized users with access to a broader set of assets, such as e-mail, build servers, or the intranet.
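Two designs described on this page, several profiles that share one SSID but differ in EAP method (the Connection tab, above) and the single sign-on settings in the table just above, both end up in the profile XML that Wireless Network (IEEE 802.11) Policies and Netsh wlan consume. The following PowerShell script is an added example, not code from the original article or from Microsoft: it builds a PEAP-MS-CHAP v2 profile and an EAP-TLS profile for the same SSID, enables pre-logon SSO in each, and imports both with netsh wlan. The SSID CorpWiFi, the NPS server name nps.corp.example, and the root CA thumbprint are placeholders; the element layout is assumed to match what netsh wlan export profile produces, and should be checked against an export from your own environment before deployment.

```powershell
# Added example, not from the original article: build two all-user WLAN profiles that share one
# SSID but use different EAP methods (PEAP-MS-CHAP v2 and EAP-TLS), with SSO enabled, and import
# them with netsh wlan. Placeholders to replace: SSID "CorpWiFi", NPS server "nps.corp.example",
# and the root CA thumbprint. Layout assumed to match "netsh wlan export profile" output.
$Ssid       = 'CorpWiFi'
$NpsServer  = 'nps.corp.example'
$RootCaHash = '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'   # placeholder SHA-1

# Server validation: accept only an NPS certificate that chains to the pinned root CA and carries
# the expected name, with no user prompt. Without it a client would trust any certificate an
# access point presents, which is what makes impostor access points dangerous.
$ServerValidation = @"
<ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>$NpsServer</ServerNames>
  <TrustedRootCA>$RootCaHash</TrustedRootCA>
</ServerValidation>
"@

# PEAP (EAP type 25) with inner MS-CHAP v2 (type 26): password-based, reuses the AD logon credentials.
$PeapMsChapV2 = @"
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
  <Type>25</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    $ServerValidation
    <FastReconnect>true</FastReconnect>
    <InnerEapOptional>false</InnerEapOptional>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>26</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>true</UseWinLogonCredentials>
      </EapType>
    </Eap>
    <EnableQuarantineChecks>false</EnableQuarantineChecks>
    <RequireCryptoBinding>true</RequireCryptoBinding>
  </EapType>
</Eap>
"@

# EAP-TLS (EAP type 13): certificate-based, selects the client certificate from the certificate store.
$EapTls = @"
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
  <Type>13</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
    <CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection></CertificateStore></CredentialsSource>
    $ServerValidation
    <DifferentUsername>false</DifferentUsername>
  </EapType>
</Eap>
"@

function New-WlanProfileXml {
    param([string]$ProfileName, [string]$Ssid, [int]$EapTypeId, [string]$EapXml)
    $hex = ([Text.Encoding]::UTF8.GetBytes($Ssid) | ForEach-Object { $_.ToString('X2') }) -join ''
    return @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$ProfileName</name>
  <SSIDConfig><SSID><hex>$hex</hex><name>$Ssid</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <singleSignOn>
        <type>preLogon</type>
        <maxDelay>10</maxDelay>
        <allowAdditionalDialogs>true</allowAdditionalDialogs>
        <userBasedVirtualLan>false</userBasedVirtualLan>
      </singleSignOn>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod>
          <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">$EapTypeId</Type>
          <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
        </EapMethod>
        <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">$EapXml</Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"@
}

# Two profiles, one SSID, different credentials: Windows Server 2003 allowed only one profile per
# SSID; this is the Windows Server 2008 mixed-mode design described on the Connection tab.
$profiles = @{
    'CorpWiFi-PEAP'   = New-WlanProfileXml 'CorpWiFi-PEAP'   $Ssid 25 $PeapMsChapV2
    'CorpWiFi-EAPTLS' = New-WlanProfileXml 'CorpWiFi-EAPTLS' $Ssid 13 $EapTls
}
foreach ($name in $profiles.Keys) {
    $path = Join-Path $env:TEMP "$name.xml"
    [IO.File]::WriteAllText($path, $profiles[$name])      # UTF-8 without a byte-order mark
    netsh wlan add profile filename="$path" user=all      # user=all: an all-user profile
    if ($LASTEXITCODE -ne 0) { throw "Import of $name failed" }
}
netsh wlan show profiles
```

The ServerValidation block is the part not to leave out: with DisableUserPromptForServerValidation set to true and a TrustedRootCA pinned, a client that sees an unexpected server certificate fails the connection instead of asking the user whether to accept it. The singleSignOn element is the XML form of the SSO settings described above: type preLogon performs 802.1X before user logon, allowAdditionalDialogs corresponds to "Allow additional dialogs to be displayed during Single Sign On", and userBasedVirtualLan to "This network uses different VLAN for authentication with machine and user credentials".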
Network Permissions tab
You can use the Network Permissions tab to list and configure wireless networks that are not defined on the General tab in the Connect to available networks in the order of profiles listed below preferred list. You can use these settings to define additional wireless networks and specify whether you want to allow or deny connections by your domain member wireless clients. Alternatively, you can block the additional wireless networks from being displayed to your domain member wireless clients. These settings are specific to the wireless networks listed on the Network Permissions tab under Network Name (SSID).
Connections to the wireless networks that are listed under Network Name (SSID) on the Network Permissions tab are possible only if the permission is set to Allow. Even when the permission is set to Allow, your domain-member wireless clients first attempt to connect to a preferred network before attempting to connect to non-preferred networks. However, domain members can still actively attempt to connect to listed networks that have permissions set to Allow.
Setting name | Default value | Description
---|---|---
Network Name (SSID) | No entries | Lists wireless networks for which you want to allow or deny permissions, but that are not defined on the General tab in Connect to available networks in the order of profiles listed below.
Prevent connections to ad-hoc networks | Not enabled | Specifies that domain member wireless clients cannot form a new ad-hoc network or connect to any ad-hoc networks in the permission list.
Prevent connections to infrastructure networks | Not enabled | Specifies that domain member wireless clients cannot connect to any infrastructure networks in the permission list.
Allow user to view denied networks | Enabled | Specifies whether domain member wireless clients can view wireless networks in the permission list that have permissions set to Deny.
Only use Group Policy profiles for allowed networks | | Specifies that domain member clients can only connect to allowed networks by using wireless network profiles specified in the Windows Vista Wireless Network (IEEE 802.11) Policies.
New Permissions Entry tab
Use the Wireless Network (IEEE 802.11) Policies New Permissions Entry tab to add new wireless networks to the permission list on the Network Permissions tab. You can use the New Permissions Entry tab to specify, by Service Set Identifier (SSID), which wireless networks your wireless domain members are allowed to connect to, and which are denied.
Setting name | Default value | Description
---|---|---
Network Name (SSID) | NEWSSID | Provides a location for the name of the wireless network for which you want to set permissions.
Network Type | Infrastructure | Specifies whether the network is infrastructure (uses a wireless access point) or ad-hoc (computer-to-computer).
Permission | Deny | Specifies whether to permit or deny connections to the selected network.
Wired Network (IEEE 802.3) Policies
Wired Network (IEEE 802.3) Policies is located in the Group Policy Management Console at:
Domain Policy/Computer Configuration/Windows Settings/Security Settings/Wired Network (IEEE 802.3) Policies
This section defines the settings on the following tabs for the Windows Vista Wired Network (IEEE 802.3) Policies:
General tab
Advanced tab
General tab
Use the Wired Network (IEEE 802.3) Policies, General tab to specify whether the Wired AutoConfig Service is used to configure local area network (LAN) adapters to connect to the wired network. You can also specify the policy name and description.
Setting name | Default value | Description
---|---|---
Policy Name | New Vista Wired Network Policy | Provides a location for a name for the wired network policies that are applied to your wired clients running Windows Vista and Windows Server 2008.
Use Windows wired Auto Config service for clients | Enabled | Specifies that the Wired AutoConfig Service is used to configure and connect clients running Windows Vista to the 802.3 wired Ethernet network.
Advanced tab
In Windows Server 2008 and Windows Vista, the SSO feature enables scenarios, such as Group Policy updates, running of logon scripts, and joining of wireless clients to domains, that require network connectivity which 802.1X would otherwise prevent prior to user logon.
You can use Wired Network (IEEE 802.3) Policies to configure SSO profiles for your client computers that connect to the wired Ethernet network through an 802.1X-compatible switch. When an SSO profile is configured, 802.1X authentication is conducted prior to computer logon to the domain; users are prompted for credential information only if needed.
Setting name | Default value | Description
---|---|---
Enable Single Sign On for this network | Not enabled | Specifies that SSO is activated for the network profile for this network.
Allow additional dialogs to be displayed during Single Sign On | Enabled, if Enable Single Sign On for this network is enabled | Specifies that different dialog boxes are presented to the user at logon for SSO, if applicable.
This network uses different VLAN for authentication with machine and user credentials | Not enabled | Specifies that wireless computers are placed on one virtual local area network (VLAN) at startup, and then, based on user permissions, moved to a different VLAN after the user logs on to the computer.