The Cable Guy - December 2002

Microsoft 802.1X Authentication Client

By The Cable Guy

A valuable feature of Windows XP is the availability of IEEE 802.1X authentication for all LAN adapters. The IEEE 802.1X standard defines port-based, network access control that is used to provide authenticated network access for Ethernet and IEEE 802.11 wireless networks. With port-based network access control, a network device cannot send any frames on the network until access has been granted by the switch (for Ethernet) or wireless access point (for wireless). Permission is granted through an authentication process in which credentials of the connecting network device are verified. This is similar to using a set of credentials to access the Internet (through an Internet service provider) or your employer's intranet (through a dial-up or virtual private network remote access connection).

IEEE 802.1X reduces the security vulnerabilities that are associated with connections to IEEE 802.11 wireless networks. The IEEE 802.11 wireless network standards specify two authentication methods: One that is based on the identification of the wireless adapter (open system authentication) and another that is based on the proof of knowledge of a secret key (shared key authentication). Unlike open system or shared key authentication, IEEE 802.1X enforces verification of user-based credentials for a wireless computer or user before allowing access to the wireless network and, depending on the authentication method used, dynamically determines encryption keys for wireless communication. If you connect to an IEEE 802.11 wireless local area network (WLAN) without IEEE 802.1X authentication enabled, the data that you send is more vulnerable to attacks.

Microsoft 802.1X Authentication Client is a free download that enables computers running Windows 2000 with Service Pack 3 to use IEEE 802.1X to authenticate network connections (including wireless). Windows 2000 Service Pack 4 includes all of the features of Microsoft 802.1X Authentication Client.

Microsoft 802.1X Authentication Client does not include the Windows XP Wireless Zero Configuration (WZC) service, which dynamically connects to wireless networks based on the sets of available networks and configured preferred networks. You must still configure your wireless connections to wireless networks using the configuration tools provided with the wireless adapter.

IEEE 802.1X authentication uses the Extensible Authentication Protocol (EAP) to exchange messages during the authentication process. Microsoft 802.1X Authentication Client uses the following EAP methods for wireless authentication:

• EAP-Transport Level Security (EAP-TLS) is used in certificate-based security environments. It provides the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authentication server'typically a Remote Authentication Dial-In User Service (RADIUS) server.
• Protected EAP (PEAP) is an authentication method that uses TLS to enhance the security of other EAP authentication methods. PEAP for Microsoft 802.1X Authentication Client provides support for TLS (PEAP-TLS), which uses certificates for both server authentication and client authentication; and Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), which uses certificates for server authentication and password-based credentials for client authentication.

Windows XP Service Pack 1 (SP1) also supports PEAP-TLS and PEAP-MS-CHAP v2.

When installed on a computer running a member of the Windows 2000 Server family, Microsoft 802.1X Authentication Client provides additional support for PEAP authentication (both PEAP-TLS and PEAP-MS-CHAP v2) for the Internet Authentication Service (IAS), which is the Microsoft implementation of a RADIUS server. A computer running a member of the Windows 2000 Server family, Microsoft 802.1X Authentication Client, and IAS can act as a RADIUS server that performs authentication and authorization for 802.1X-based wireless clients that use EAP-TLS, PEAP-TLS, or PEAP-MS-CHAP v2 authentication.

Before Installing Microsoft 802.1X Authentication Client

Before installing Microsoft 802.1X Authentication Client, you must:

• Ensure that the wireless adapter is installed on the computer.
• Ensure that the miniport driver (provided by the manufacturer of the wireless adapter) is installed on the computer.
• Install the configuration utility (also provided by the manufacturer of the wireless adapter) to configure the adapter.
• Use the configuration utility to configure the card to connect to an available wireless network and enable IEEE 802.1X.
• Obtain valid certificates. Contact your network administrator for information about obtaining a certificate. For PEAP-MS-CHAP v2, you only need to install a certificate if the root certification authority (CA) certificate of the issuer of the computer certificates installed on your RADIUS servers is not already installed on your wireless clients.
• Ensure that Windows 2000 Service Pack 3 is installed.

To install Microsoft 802.1X Authentication Client, copy the installer program to your computer and run it. The installer program checks your system and installs Microsoft 802.1X Authentication Client.

Configuring Microsoft 802.1X Authentication Client for Windows 2000

For computers running Windows 2000, Microsoft 802.1X Authentication Client (the Wireless Configuration service) is disabled by default. To change the Wireless Configuration service to automatically start each time the computer is started, use the Services snap-in to set the Startup value for the Wireless Configuration service to Automatic, and then start the service. Once started, the properties of LAN connections, including wireless LAN connections, in the Dial-up and Network Connections folder now have an additional Authentication tab, as shown in the following figure.

To configure Microsoft 802.1X Authentication Client for Windows 2000 for a wireless connection, obtain properties of the wireless LAN connection, click the Authentication tab, and select the required options for your wireless deployment. To remove Microsoft 802.1X Authentication Client, use Add or Remove Programs in Control Panel.

Obtaining certificates

A computer with Microsoft 802.1X Authentication Client can obtain certificates for authentication of wireless connections in the following ways:

• Use auto-enrollment of computer certificates.

  For computers running Windows 2000, auto-enrollment is the automatic request for and issue of certificates based on Computer Configuration Group Policy. By configuring the Automatic Certificate Request Settings Group Policy setting (found in Computer Configuration\Windows Settings\Security Settings\Public Key Policies), the computers that are members of the configured domain system container automatically request a certificate of specified types when Computer Group Policy settings are refreshed.

• Import a certificate file.

  Certificate files can be created and distributed individually for each user. Alternately, a single certificate file can be distributed to all users. The use of a single certificate for a group of users is known as a group certificate, which is the least secure certificate deployment, because anyone who obtains the certificate file could use it to successfully authenticate a wireless connection.

  For Windows 2000, use the Certificates snap-in to import either a computer certificate into the local computer store (found in Local Computer\Personal\Certificates), or a user certificate into the current user store (found in Current User\Personal\Certificates).

• Use Internet Explorer and Web enrollment to request a certificate from a CA.

  If you are using a CA that supports Web enrollment for certificates, use Internet Explorer to request a certificate from the CA. For a CA running Microsoft Windows 2000 and Certificate Services, use the address https://CAComputerName/certsrv, where CAComputerName is the name of the CA computer. You might be prompted for Windows domain credentials. If so, type the credentials for the appropriate user name for this certificate, click OK, and then follow the directions on the Web pages to request a user certificate from the CA. If you are not prompted for Windows domain credentials, then the user name recorded in the certificate is based on the credentials with which you are currently logged on (unless there is a separate connection to the CA computer through a different set of credentials).

After certificates are installed, you can view them in the Certificates snap-in.

For More Information

For more information about Windows support for IEEE 802.11 wireless networks and IEEE 802.1X authentication, see the following resources:

• Microsoft 802.1X Authentication Client
• Microsoft Wireless Networks Web site
• PEAP with MS-CHAP Version 2 for Secure Password-based Wireless Access (July 2002 Cable Guy article)
• IEEE 802.1X Authentication for Wireless Connections (April 2002 Cable Guy article)

For a list of all The Cable Guy articles, click here.