Wired Access Deployment Overview

Applies To: Windows Server 2008, Windows Vista

The following illustration shows the components that are required to deploy the wired access scenario documented in this guide.

Illustration: Wired access deployment components

The following components are required for this wired access deployment:

802.1X-capable Ethernet switches

After the required network infrastructure services supporting your wired local area network are in place, you can begin the design process for deploying 802.1X-capable switches. The switch deployment design process involves these steps:

  • Determine how many RJ-45 Ethernet wall outlets are wired to your network. To have an effective 802.1X deployment, every RJ-45 wall outlet on your network must connect to an 802.1X-enabled port on a switch.

  • Determine how many 802.1X-capable switches you need to connect all of the RJ-45 Ethernet outlets.

  • Install 802.1X-capable switches on your network and configure network and 802.1X settings.

Active Directory Domain Services

Users and Computers

Use the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in to create one or more wired users security groups, and then add each user for whom you want to grant access to the wired Ethernet network to the appropriate group.

Wired Network (IEEE 802.3) Policies

Use the Group Policy Management extension of Wired Network (IEEE 802.3) Policies to configure network connectivity and security settings for your domain computers that are running Windows Vista.

NPS

Network Policy Server (NPS) enables you to create and enforce network access policies for client health, connection request authentication, and connection request authorization. When you use NPS as a RADIUS server, you configure network access servers, such as 802.1X-capable Ethernet switches, as RADIUS clients in NPS. You also configure the network policies that NPS uses to authenticate access clients and authorize their connection requests.

Wired client computers

Wired client computers are computers that are equipped with IEEE 802.3 Ethernet network adapters and that are running Windows Vista.

Certification authorities

Certification authorities (CAs) are the part of a public key infrastructure (PKI) that issues certificates that are used for identity validation. For this scenario, the CA is used only for the server certificate on the NPS server.

802.1X authenticated wired access with PEAP-MS-CHAP v2 deployment process

The process of configuring and deploying wired access occurs in these stages:

Stage 1

Plan, deploy, and configure 802.1X-capable switches for use with NPS. Depending on your preference and network dependencies, you can either pre-configure settings on your switches prior to installing them on your network, or you can configure them remotely after installation.

Stage 2

Create one or more wired users security groups in the Active Directory Users and Computers snap-in. Then, add each user for whom you want to allow access to your network to the appropriate wired users security group.

Stage 3

Configure the Group Policy extension of Wired Network (IEEE 802.3) Policies by using the Group Policy Management Editor MMC. The Wired Network (IEEE 802.3) Policies provision client computers with the configuration settings required for 802.1X authentication and connectivity. It is in this Group Policy extension that you specify network permission parameters, connection settings, and security settings.

For example, administrators can use the Wired Network (IEEE 802.3) Policies to specify the network authentication mode, which determines how user and computer domain credentials are used for authentication. Three of the network authentication modes that administrators can select process domain credentials as follows:

  • User re-authentication specifies that authentication always uses security credentials based on the computer's current state. Authentication is performed by using the computer credentials when no users are logged on to the computer. When a console user logs on to the computer, authentication is always performed by using the user credentials.

Note

A console user is a user who is physically logged on to the computer locally, as opposed to a user who logs on to a computer by using a remote connection.

  • Computer only specifies that authentication is always performed by using only the computer credentials.

  • User authentication specifies that authentication is only performed when the user is logged on to the computer. When no user is logged on to the computer, the computer is not connected to the network.

For domain member computers, newly configured Group Policy settings are automatically applied when Group Policy is refreshed. Group Policy is automatically refreshed at pre-determined intervals, or by restarting the client computer. Additionally, you can force Group Policy to refresh by running gpupdate at the command prompt.
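The policy configured in this stage reaches each client as an 802.1X wired LAN profile, which netsh lan export profile can write out as XML. As an added example that is not part of this guide, the Python check below parses such a profile (a constructed sample is embedded) and verifies that it matches the design above: 802.1X enabled, one of the three documented authentication modes, PEAP carrying MS-CHAP v2, and validation of the NPS server certificate against a trusted root CA. The element and namespace names follow the LAN profile and EapHostConfig XML schemas as I know them; treat them as assumptions to confirm against a profile exported from one of your own clients.

```python
import xml.etree.ElementTree as ET
# Namespaces of the LAN profile and EAP configuration schemas (assumed, see lead-in).
LAN = "http://www.microsoft.com/networking/LAN/profile/v1"
ONEX = "http://www.microsoft.com/networking/OneX/v1"
BASEEAP = "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"
PEAP = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
# Profile authMode value -> network authentication mode name used in Stage 3.
AUTH_MODES = {"machineOrUser": "User re-authentication",
              "machine": "Computer only", "user": "User authentication"}
# Constructed sample profile: PEAP (type 25) over EAP-MS-CHAP v2 (type 26).
SAMPLE_PROFILE = """<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security><OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machineOrUser</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>
       <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
       <TrustedRootCA>PLACEHOLDER-THUMBPRINT-OF-YOUR-ROOT-CA</TrustedRootCA>
      </ServerValidation>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
     </EapType></Eap></Config></EapHostConfig></EAPConfig></OneX>
 </security></MSM></LANProfile>"""

def auth_mode(xml_text):
    """Return the Stage 3 mode name for the profile's authMode (None if unknown)."""
    return AUTH_MODES.get(ET.fromstring(xml_text).findtext(f".//{{{ONEX}}}authMode"))

def check_wired_profile(xml_text):
    """Return findings; an empty list means the profile matches this guide's design."""
    root, findings = ET.fromstring(xml_text), []
    if root.findtext(f".//{{{LAN}}}OneXEnabled") != "true":
        findings.append("802.1X is not enabled (OneXEnabled != true)")
    if auth_mode(xml_text) is None:
        findings.append("authMode is not one of the three documented modes")
    # Outer method must be PEAP (type 25) carrying EAP-MS-CHAP v2 (type 26).
    types = [e.text for e in root.iter(f"{{{BASEEAP}}}Type")]
    if types != ["25", "26"]:
        findings.append(f"EAP chain {types} is not PEAP(25) over MS-CHAP v2(26)")
    # The client must validate the NPS server certificate (issued by the CA in this
    # scenario) before it releases its MS-CHAP v2 credentials to an authenticator.
    sv = root.find(f".//{{{PEAP}}}ServerValidation")
    if sv is None:
        findings.append("no ServerValidation: NPS server certificate is not checked")
    else:
        if sv.findtext(f"{{{PEAP}}}DisableUserPromptForServerValidation") != "true":
            findings.append("users can be prompted to accept an unknown server certificate")
        if not (sv.findtext(f"{{{PEAP}}}TrustedRootCA") or "").strip():
            findings.append("no TrustedRootCA pinned for the NPS server certificate")
    return findings
```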

Stage 4

Use a configuration wizard in NPS to add your 802.1X-capable switches as RADIUS clients, and to create the network policies that NPS uses when processing connection requests. When using the wizard to create the network policies, specify PEAP as the EAP type and select the wired users security group that you created in Stage 2.

Stage 5

Use client computers to connect to the network. Because the necessary configuration settings are automatically applied when Group Policy is refreshed, computers will automatically connect to the network, and users need only supply their domain user name and password credentials when prompted by Windows.