802.1X Authenticated Wired and Wireless Access

Applies To: Windows Server 2008

Windows Server® 2008 has interesting new features to support 802.1X authenticated wired 802.3 Ethernet connections and 802.11 wireless connections for clients running Windows Vista® and Windows Server 2008. These features enable you to use Group Policy to configure settings on multiple domain-member clients running Windows Vista and Windows Server 2008 so that they can connect to an 802.1X Ethernet network. As an alternative to Group Policy-based client configuration for 802.1X wired and wireless network access, you can now use wired Netsh (Netsh lan) commands and wireless Netsh (Netsh wlan) commands in logon scripts. Additionally, Windows Server 2008 provides more configuration options. Administrators can now configure multiple profiles to connect to one wireless network, using a common Service Set Identifier, but with each profile specifying unique security properties.

What does 802.1X wired and wireless access do?

The Institute of Electrical and Electronics Engineers (IEEE) 802.1X standard, RFC 3580 (https://go.microsoft.com/fwlink/?LinkId=93318), defines authenticated access for wired Ethernet (IEEE 802.3) and wireless (IEEE 802.11) connections. This 802.1X authenticated access relies on 802.1X-compatible Ethernet switches and wireless access points (APs) to provide port-based network access control in order to prevent unauthenticated and unauthorized users and computers from accessing network resources, or sending any packets onto the network.

You can use features in Windows Server 2008 with 802.1X-compatible switches to provide and manage 802.1X-authenticated wired Ethernet access for computers running Windows Vista and Windows Server 2008. You can use features in Windows Server 2008 with 802.1X-compatible wireless APs to provide and manage 802.1X-authenticated IEEE 802.11 wireless access for computers running Windows® XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

Note

In this topic, all references to 802.1X, 802.3 wired Ethernet, and 802.11 wireless assume that hardware, hardware drivers, and software follow the standards defined by the IEEE for that technology.

The 802.1X authentication for 802.3 wired Ethernet and 802.11 wireless connections prevents unauthenticated and unauthorized users and computers from connecting to your network. Windows Server 2008 provides the features that work with 802.1X-compatible Ethernet switches and wireless APs to fully support deployment and management of 802.1X-authenticated network infrastructures.

In this and previous versions of Windows Server, most features are self-contained; they are installed as a specific item. Once installed, the self-contained features are managed from a single location within Administrative Tools, which is accessed through the Windows Server 2008 Start menu. Examples of self-contained features include:

  • Active Directory Certificate Services (AD CS)

  • Application Server

  • Dynamic Host Configuration Protocol (DHCP)

  • Fax and E-mail Services

  • Network File and Print Services

  • Windows Internet Name Service (WINS)

Unlike self-contained features, 802.1X-authenticated wired Ethernet and wireless are not discrete, installable features. Instead, Windows Server-based 802.1X wired and wireless deployments provide 802.1X authenticated network access by leveraging specific components within multiple features within Windows Server 2008 to work with 802.1X-compatible wireless access points and Ethernet switches.

Who will be interested in these technologies?

  • System engineers and system architects that are evaluating or planning 802.1X-authenticated access for wired Ethernet or 802.11 wireless clients.

  • IT professionals who want to control access to their network by using 802.1X network authentication.

  • IT professionals who have deployed 802.1X-compatible Ethernet switches or 802.1X-compatible wireless APs.

  • IT professionals who want to use, or who already use, Windows Server 2008 to provide 802.1X infrastructure features, such as Active Directory Certificate Services (AD CS), Remote Authentication Dial-In User Service (RADIUS) authentication using Extensible Authentication Protocol (EAP), user accounts database, client computer TCP/IP addressing, and Group Policy or scripting to configure 802.1X settings on Windows-based client computers.

What new functionality supports 802.1X-authenticated wired Ethernet and wireless access?

As is the case with Windows Server 2003, Windows Server 2008 supports 802.1X-authenticated wired Ethernet and 802.11 wireless deployments by combining specific components within multiple features. The following table highlights the name changes for features that are relevant to 802.1X deployments between Windows Server 2003 and Windows Server 2008. The table is intended to orient anyone who is familiar with Windows Server 2003 features with the new and changed features in Windows Server 2008. In several instances, key controls within a particular service are listed to better demonstrate associations.

Summary of new or changed features

Windows Server 2003: Active Directory
Windows Server 2008: Active Directory Domain Services

Windows Server 2003: Active Directory, computer and user account Dial-in properties
  • Control Access Through Remote Access Policy
Windows Server 2008: Active Directory Domain Services, computer and user account Dial-in properties
  • Control access through NPS Network Policy

Windows Server 2003: Certificate Services
Windows Server 2008: Active Directory Certificate Services

Windows Server 2003: Internet Authentication Service (IAS)
  • Remote Access Policy
Windows Server 2008: Network Policy Server (NPS)
  • Network Policy

Windows Server 2003: Group Policy (connection policies)
  • Wireless Network (IEEE 802.11) Policies
    Note: In Windows Server 2003, the Windows Vista Wired Network (IEEE 802.3) Policies Group Policy and client-side extension for clients running Windows Vista are only available if the Windows Server 2003 domain controller is first configured as described in Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements (https://go.microsoft.com/fwlink/?LinkId=70195).
Windows Server 2008: Group Policy (connection policies)
  • XP Wireless Network (IEEE 802.11) Policies
    Note: The XP Wireless Network Policies Group Policy and client-side extension in Windows Server 2008 is equivalent to the default wireless policies in Windows Server 2003.
  • Vista Wireless Network (IEEE 802.11) Policies
  • Wired Network (IEEE 802.3) Policies

Windows Server 2003: Group Policy (adapter configuration service)
  • System Services (Computer Configuration/Windows Settings/Security Settings/System Services)
  • Wireless Zero-Config (WZCSVC)
Windows Server 2008: Group Policy (adapter configuration services)
  • System Services (Computer Configuration/Windows Settings/Security Settings/System Services)
    • WLAN AutoConfig (wlansvc)
    • Wired AutoConfig (dot3svc)

Windows Server 2003: N/A
Windows Server 2008: Netsh commands for:
  • Wired local area network (Netsh lan)
  • Wireless local area network (Netsh wlan)

The remainder of this section provides information about the new features in Windows Server 2008 that were specifically designed to support 802.1X authenticated Wired Ethernet access and 802.1X authenticated Wireless access for computers running Windows Vista and Windows Server 2008:

  • Vista Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension

  • Wired Network (IEEE 802.3) Policies Group Policy and client-side extension

  • WLAN AutoConfig (WLANSVC) Group Policy settings

  • Wired AutoConfig (dot3svc) Group Policy settings

  • Netsh commands for wireless local area network (Netsh wlan)

  • Netsh commands for wired local area network (Netsh lan)

Vista Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension

Although similar in some ways to the Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension provided in Windows Server 2003, in Windows Server 2008 the Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension enables you to configure two separate Wireless Network (IEEE 802.11) Policies: one policy for computers running Windows XP and Windows Server 2003, the other policy for computers running Windows Vista and Windows Server 2008.

Note

In this topic, all subsequent references to “Wireless Network (IEEE 802.11) Policies Group Policy and client-side extension” are abbreviated to "Wireless Network (IEEE 802.11) Policies."

With Windows Vista Wireless Network (IEEE 802.11) Policies, you can specify enhanced wireless network configuration, security, and management settings that are only available to wireless computers running Windows Vista and Windows Server 2008. Windows Vista Wireless Network (IEEE 802.11) Policies provides much greater configuration flexibility; the enhanced wireless settings provide more configuration options, and allow more control over security and connectivity settings. You cannot configure computers running Windows XP or Windows Server 2003 by using Windows Vista Wireless Network (IEEE 802.11) Policies.

Why is this functionality important?

Wireless clients running Windows Vista and Windows Server 2008 support enhancements available in Windows Vista Wireless Network (IEEE 802.11) Policies, which enable administrators to accomplish the following:

  • Integrate with Network Access Protection (NAP) to restrict wireless clients that do not meet system health requirements from gaining unlimited access to the private network.

  • Separate the service management of 802.1X wired Ethernet and wireless.

  • Configure separate settings in Wireless Network (IEEE 802.11) Policies for clients running Windows XP and clients running Windows Vista.

  • Provide strong security by using Wi-Fi Protected Access 2 (WPA2) authentication options for Windows Vista and Windows Server 2008.

  • Configure wireless clients running Windows Vista and Windows Server 2008 for either automatic or manual connections to preferred wireless networks.

  • Configure allow and deny lists to specify whether wireless network clients can view or attempt to connect to other wireless networks that are not controlled by the network administrator.

  • Configure multiple profiles specifying the same Service Set Identifier (SSID), but with different network security and authentication methods.

  • Allow or deny connections to non-broadcast networks.

  • Import and export independent hardware vendor (IHV) connection profiles to configure wireless client computers running Windows Vista or Windows Server 2008.

What works differently?

To leverage the account name and password-based authentication infrastructure that already exists in Active Directory, in Windows Vista and Windows Server 2008, the default Extensible Authentication Protocol (EAP) authentication method for 802.1X-authenticated wireless connections now uses Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2), abbreviated PEAP-MS-CHAP v2.

Note

By default, Windows Server 2008 supports the following EAP methods: PEAP-MS-CHAP v2, EAP with Transport Layer Security (EAP-TLS), and PEAP-TLS. If you need to manage an EAP method other than the three default methods, you must first install that EAP method on the server.

Wired Network (IEEE 802.3) Policies Group Policy and client-side extension

The Wired Network (IEEE 802.3) Policies Group Policy and client-side extension is a new feature in Windows Server 2008. You can use the Wired Network (IEEE 802.3) Policies Group Policy and client-side extension to specify network settings for computers running Windows Vista and Windows Server 2008 that connect to an Ethernet network through an 802.1X-compatible switch in an Active Directory environment.

Note

In this topic, all subsequent references to “Wired Network (IEEE 802.3) Policies Group Policy and client-side extension” are abbreviated to "Wired Network (IEEE 802.3) Policies."

You cannot configure computers running Windows XP or Windows Server 2003 by using Wired Network (IEEE 802.3) Policies.

Why is this functionality important?

The new functionality in Wired Network (IEEE 802.3) Policies in Windows Server 2008 enables administrators to programmatically configure 802.1X-based connectivity and security settings on domain member computers running Windows Vista or Windows Server 2008.

Additionally, you can use Wired Network (IEEE 802.3) Policies to integrate client wired Ethernet connectivity and security settings with Network Access Protection (NAP) to restrict network access for clients that do not meet system health requirements.

WLAN AutoConfig (WLANSVC) Group Policy settings

The WLAN AutoConfig (WLANSVC) service enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to wireless networks. The WLAN AutoConfig System Services Group Policy settings enable administrators to specify the service startup type of the WLAN AutoConfig service for domain member computers running Windows Vista and Windows Server 2008 that have wireless network adapters and the associated Windows Vista adapter drivers installed.

The WLAN AutoConfig System Services Group Policy settings are located in the Group Policy Management Console at:

Domain Policy/Computer Configuration/Windows Settings/Security Settings/System Services

Why is this functionality important?

WLAN AutoConfig Group Policy settings enable administrators to prevent domain member users from altering the startup mode of the WLAN AutoConfig service.

Wired AutoConfig (dot3svc) Group Policy settings

The Wired AutoConfig (dot3svc) service enumerates Ethernet network adapters, and manages both connections to Ethernet networks through 802.1X-compatible switches, and the wired profile that contains the settings required to configure a network client for 802.1X-authenticated network access. The Wired AutoConfig Group Policy settings enable administrators to specify the service startup type of the Wired AutoConfig service for domain member computers running Windows Vista and Windows Server 2008 that have Ethernet network adapters and the associated Windows Vista network adapter drivers installed.

Why is this functionality important?

The Wired AutoConfig Group Policy enables administrators to prevent domain member users from altering the startup mode of the Wired AutoConfig service.

The Wired AutoConfig Group Policy settings are located in the Group Policy Management Console at:

Domain Policy/Computer Configuration/Windows Settings/Security Settings/System Services

Netsh commands for wireless local area network (Netsh wlan)

The Windows Vista Netsh commands for wireless local area network (WLAN) provide methods to configure connectivity and security settings. You can use the Netsh wlan commands to configure the local computer, or to configure multiple computers by using a logon script. You can also use the Netsh wlan commands to view applied wireless Group Policy settings.

The wireless Netsh interface has the following benefits:

  • Easier wireless deployment. Provides a light-weight alternative to using Group Policy to configure wireless connectivity and security settings.

  • Mixed mode support. Allows administrators to configure clients to support multiple security options. For example, a client can be configured to support both the Wi-Fi Protected Access version 2 (WPA2) and the Wi-Fi Protected Access (WPA) authentication standards. This allows the client to use WPA2 to connect to networks that support WPA2 and use WPA to connect to networks that only support WPA.

  • Block undesirable networks. Administrators can block and hide access to non-corporate wireless networks by adding specific networks or network types to the list of denied networks. Similarly, administrators can allow access to corporate wireless networks.

  • Troubleshooting wireless connectivity. You can use Netsh wlan commands to gather detailed information about wireless network adapter capabilities and settings, and wireless profile configuration settings.

Why is this functionality important?

Because these commands can be run as scripts, Netsh wlan commands provide a lightweight alternative to using Windows Vista Wireless Network (IEEE 802.11) Policies for configuring multiple computers.

Netsh commands for wired local area network (Netsh lan)

The Windows Vista Netsh commands for wired local area network (LAN) provide methods to configure connectivity and security settings. You can use the Netsh lan commands to configure the local computer, or to configure multiple computers by using a logon script. You can also use the Netsh lan commands to view Wired Network (IEEE 802.3) Policies settings, and to administer user wired 802.1X settings.

Why is this functionality important?

The wired Netsh commands assist in deploying a secure 802.1X wired Ethernet deployment by providing an alternative to using the Windows Vista Wired Network (IEEE 802.3) Policies in Windows Server 2008 Group Policy to configure wired connectivity and security settings.
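The scripted alternative described in the Netsh wlan and Netsh lan sections above, as an added example that is not part of the original topic. The share path, profile file names and SSIDs are placeholders chosen for illustration, and the script assumes it runs with administrative rights (for example as a computer startup script).

```powershell
# Added example: apply wired and wireless 802.1X settings with netsh.
# Placeholders (assumptions, not from the original page): the share path,
# the profile file names and the SSIDs. None of the values contain spaces.
$ProfileShare = '\\fileserver.example\netlogon\8021x'
$WlanProfiles = @('CorpNet-PEAP.xml', 'CorpNet-EAPTLS.xml')  # one SSID, two EAP methods
$LanProfile   = 'Wired-8021X.xml'
$AllowSsids   = @('CorpNet')
$BlockSsids   = @('GuestCafe')

function Invoke-Netsh {
    # Runs netsh with the given arguments; returns $true when it exits with 0.
    param([string[]]$Arguments)
    $output = & netsh.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ('netsh {0}: {1}' -f ($Arguments -join ' '), ($output -join ' '))
        return $false
    }
    return $true
}

function Test-AutoConfigService {
    # netsh wlan depends on WLAN AutoConfig (wlansvc);
    # netsh lan depends on Wired AutoConfig (dot3svc).
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

if (Test-AutoConfigService 'wlansvc') {
    foreach ($file in $WlanProfiles) {
        # user=all makes the profile available to every user of the computer
        [void](Invoke-Netsh @('wlan', 'add', 'profile', "filename=$ProfileShare\$file", 'user=all'))
    }
    foreach ($ssid in $AllowSsids) {
        [void](Invoke-Netsh @('wlan', 'add', 'filter', 'permission=allow', "ssid=$ssid", 'networktype=infrastructure'))
    }
    foreach ($ssid in $BlockSsids) {
        [void](Invoke-Netsh @('wlan', 'add', 'filter', 'permission=block', "ssid=$ssid", 'networktype=infrastructure'))
    }
    # Deny all ad-hoc networks and hide blocked networks from the user's list
    [void](Invoke-Netsh @('wlan', 'add', 'filter', 'permission=denyall', 'networktype=adhoc'))
    [void](Invoke-Netsh @('wlan', 'set', 'blockednetworks', 'display=hide'))
    # Show what is now in effect, including any Group Policy profiles
    netsh.exe wlan show profiles
    netsh.exe wlan show filters
} else {
    Write-Warning 'WLAN AutoConfig (wlansvc) is not running; wireless settings skipped.'
}

if (Test-AutoConfigService 'dot3svc') {
    # Without interface=, the profile is added to all wired interfaces
    [void](Invoke-Netsh @('lan', 'add', 'profile', "filename=$ProfileShare\$LanProfile"))
    netsh.exe lan show profiles
} else {
    Write-Warning 'Wired AutoConfig (dot3svc) is not running; wired settings skipped.'
}
```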

What settings are added or changed in Windows Server 2008?

This section contains a series of tables that highlight the Group Policy settings that are new and dramatically different from the Group Policy settings in Windows Server 2003. The tables in this section focus on the configuration settings for:

  • Vista Wireless Network (IEEE 802.11) Policies

  • Wired Network (IEEE 802.3) Policies

Vista Wireless Network (IEEE 802.11) Policies

Wireless Network (IEEE 802.11) Policies is located in the Group Policy Management Console at:

Domain Policy/Computer Configuration/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies

This section defines the settings for the following tabs for the Windows Vista Wireless Network (IEEE 802.11) Policies:

  • General tab

  • Connection tab

  • Advanced Security Settings tab

  • Network Permissions tab

  • New Permissions Entry tab

General tab

Use the General tab to create and manage wireless network profiles and to define a list of preferred wireless networks, which prioritizes the order in which your domain member clients attempt to connect. You can also specify whether the WLAN AutoConfig Service is used to configure 802.11 wireless adapters to connect to wireless networks.

| Setting name | Default value | Description |
| --- | --- | --- |
| Vista Policy Name | New Vista Wireless Network Policy | Provides a location for a friendly name for the Wireless Network Policies. |
| Use Windows WLAN AutoConfig service for clients | Enabled | Specifies that the WLAN AutoConfig Service is used to configure and connect clients running Windows Vista to the wireless network. |
| Connect to available networks in the order of profiles listed below | No entries | Click the desired profile, and then use the Move Up and Move down buttons to specify the preferred order for clients to attempt connections. Note: Profiles for ad-hoc networks cannot be prioritized higher than infrastructure profiles. |

Note

By default, there are no network profiles listed in Profile Name. Before you can access the Edit, Remove, or Import controls on this tab, you must use Add to configure at least one network profile, or Import to import a profile.

Import and Export Wireless Network Profiles

Profile import and export are managed by using the following two interfaces. You can use Import a Profile to add a wireless network profile from a location you specify into the list of available wireless networks. You can use Save Export Profile to export any profile listed under Connect to available networks in the order of profiles listed below on the General tab, and save it to a location you specify.

Open for import a profile (Import Profiles)

| Setting name | Description |
| --- | --- |
| File name | Provides a location for a name for the profile. |
| Save as type | Specifies the file type used to save the profile. |

Save export profile as (Export Profiles)

| Setting name | Description |
| --- | --- |
| Name | Lists saved profiles. Select the profile you want to export, and then click Open. |
| File name | Provides a location to enter a new name or to modify the existing profile name. |

Connection tab

The Connection tab for Wireless Network (IEEE 802.11) Policies allows you to create wireless network connection profiles for each wireless network to which domain-member wireless clients can connect. A profile is the collection of configuration settings for a wireless network, saved as an Extensible Markup Language (XML) file.

In Windows Server 2003, you can save only one profile for any given Service Set Identifier (SSID). This design in Windows Server 2003 restricts mixed-mode deployments. In Windows Server 2008, administrators can configure multiple wireless connection profiles for any given SSID. The name used to save each profile must be unique, but need not be tied to the SSID. The advantage of this design is that it supports mixed-mode deployments. For example, in Windows Server 2008, you can configure two wireless connection profiles that use the same SSID, but with one using PEAP-MS-CHAP v2, and one profile using EAP-TLS. When combined with management features in NPS, you can design policies to allow some users unrestricted access to the network, while others can only connect at specific times, all while using the same access points and SSID.

| Setting name | Default value | Description |
| --- | --- | --- |
| Profile name | New Profile | Provides a space for the friendly name for the wireless network profile. |
| Network Name (SSID) | New Profile | Provides a space for the broadcast name of the wireless network. This must match the Service Set Identifier (SSID) configured on the wireless access points for this network. |
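Because each profile is saved as XML and several profiles can share one SSID, exported profiles can be checked for the weakest security a client would accept. The following PowerShell is an added example, not part of the original topic; the three sample profiles, their names and their SSIDs are constructed, and the element names are those of the WLAN profile XML that netsh wlan export profile writes.

```powershell
# Added example: audit WLAN profile XML for weak or conflicting security.
# The three profiles below are constructed samples; in practice read the files
# written by "netsh wlan export profile" with Get-Content instead.
$template = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{0}</name>
  <SSIDConfig><SSID><name>{1}</name></SSID></SSIDConfig>
  <connectionType>{2}</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{3}</authentication>
    <encryption>{4}</encryption>
    <useOneX>{5}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>
'@
$sampleProfiles = @(
    ($template -f 'Corp-WPA2', 'CorpNet', 'ESS', 'WPA2', 'AES',  'true'),
    ($template -f 'Corp-WPA',  'CorpNet', 'ESS', 'WPA',  'TKIP', 'true'),
    ($template -f 'Lab-Open',  'LabNet',  'ESS', 'open', 'none', 'false')
)
$WlanNs = 'http://www.microsoft.com/networking/WLAN/profile/v1'

function Get-NodeText {
    # Returns the trimmed text of the first node matching $XPath, or $null.
    param($Doc, $Ns, [string]$XPath)
    $node = $Doc.SelectSingleNode($XPath, $Ns)
    if ($null -ne $node) { return $node.InnerText.Trim() }
    return $null
}

function Get-WlanProfileSummary {
    # Extracts the security-relevant fields of one profile.
    param([string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', $WlanNs)
    $sec = '/w:WLANProfile/w:MSM/w:security/w:authEncryption'
    New-Object PSObject -Property @{
        Profile = Get-NodeText $doc $ns '/w:WLANProfile/w:name'
        Ssid    = Get-NodeText $doc $ns '/w:WLANProfile/w:SSIDConfig/w:SSID/w:name'
        Type    = Get-NodeText $doc $ns '/w:WLANProfile/w:connectionType'
        Auth    = Get-NodeText $doc $ns "$sec/w:authentication"
        Cipher  = Get-NodeText $doc $ns "$sec/w:encryption"
        OneX    = ((Get-NodeText $doc $ns "$sec/w:useOneX") -eq 'true')
    }
}

function Get-WlanProfileFinding {
    # Returns the list of weaknesses found in one profile summary.
    param($Summary)
    $findings = @()
    if (-not $Summary.OneX) { $findings += 'not 802.1X authenticated (useOneX is not true)' }
    if (@('none', 'WEP') -contains $Summary.Cipher) { $findings += "encryption is '$($Summary.Cipher)'" }
    if ($Summary.Auth -eq 'WPA' -or $Summary.Cipher -eq 'TKIP') { $findings += 'WPA/TKIP instead of WPA2/AES' }
    if ($Summary.Type -eq 'IBSS') { $findings += 'ad-hoc (IBSS) network' }
    return $findings
}

function Get-WlanAuditReport {
    # Per-profile findings, then SSIDs whose profiles disagree on security.
    param([string[]]$ProfileXml)
    $summaries = @($ProfileXml | ForEach-Object { Get-WlanProfileSummary $_ })
    foreach ($s in $summaries) {
        foreach ($f in @(Get-WlanProfileFinding $s)) {
            '{0} (SSID {1}): {2}' -f $s.Profile, $s.Ssid, $f
        }
    }
    foreach ($g in @($summaries | Group-Object Ssid)) {
        $modes = @($g.Group | ForEach-Object { '{0}/{1}' -f $_.Auth, $_.Cipher } | Sort-Object -Unique)
        if ($modes.Count -gt 1) {
            'SSID {0}: {1} profiles with different security ({2}); review the weakest one' -f $g.Name, $g.Count, ($modes -join ', ')
        }
    }
}

Get-WlanAuditReport $sampleProfiles
```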

Advanced Security Settings tab

The Wireless Network (IEEE 802.11) Policies Advanced Settings tab contains settings associated with 802.1X authentication requests. Advanced settings are exposed only by enabling Wi-Fi Protected Access 2 (WPA2)-Enterprise, WPA-Enterprise, or Open with 802.1X as the network authentication setting on the Security tab in the Windows Vista Wireless Network (IEEE 802.11) Policies.

Advanced security settings are separated into three groups of configuration items: IEEE 802.1X configuration items, single sign-on (SSO) configuration items, and Fast Roaming configuration items.

SSO configuration items

In Windows Server 2008 and Windows Vista, single sign-on (SSO) performs 802.1X authentication based on the network security configuration during the user logon process. This feature enables scenarios—such as Group Policy updates, running of logon scripts, and joining of wireless clients to domains—that require network connectivity prior to user logon.

You can use Wireless Network (IEEE 802.11) Policies to configure SSO profiles for your wireless client computers. When an SSO profile is configured, 802.1X authentication is conducted prior to computer logon to the domain; users are only prompted for credential information if needed.

| Setting name | Default value | Description |
| --- | --- | --- |
| Allow additional dialogs to be displayed during Single Sign On | Enabled, if Enable SSO for this network is Enabled | This setting specifies that different dialog boxes are presented to the user at logon for SSO, if applicable. |
| This network uses different VLAN for authentication with machine and user credentials | Not enabled | Specifies that wireless computers are placed on one virtual local area network (VLAN) at startup, and then—based on user permissions—moved to a different VLAN network after the user logs on to the computer. This setting is used in scenarios where it is desirable to separate traffic by using VLANs. For example, one VLAN, "VLAN-a," allows access only to authenticated computers, typically with a restricted set of assets. A second VLAN, "VLAN-b," provides authenticated and authorized users with access to a broader set of assets, such as e-mail, build servers, or the intranet. |

Network Permissions tab

You can use the Network Permissions tab to list and configure wireless networks that are not defined on the General tab in the Connect to available networks in the order of profiles listed below preferred list. You can use these settings to define additional wireless networks and specify whether you want to allow or deny connections by your domain member wireless clients. Alternatively, you can block the additional wireless networks from being displayed to your domain member wireless clients. These settings are specific to the wireless networks listed on the Network Permissions tab under Network Name (SSID).

Connections to the wireless networks that are listed under Network Name (SSID) on the Network Permissions tab are possible only if the permission is set to Allow. If the permission is set to Allow, your domain-member wireless clients first attempt to connect to a preferred network before attempting to connect to non-preferred networks. However, domain members can actively attempt to connect to listed networks that have permissions set to Allow.

| Setting name | Default value | Description |
| --- | --- | --- |
| Network Name (SSID) | No entries | Lists wireless networks, for which you want to allow or deny permissions, but that are not defined on the General tab in Connect to available networks in the order of profiles listed below. |
| Prevent connections to ad-hoc networks | Not enabled | Specifies that domain member wireless clients cannot form a new ad-hoc network or connect to any ad-hoc networks in the permission list. |
| Prevent connections to infrastructure networks | Not enabled | Specifies that domain member wireless clients cannot connect to any infrastructure networks in the permission list. |
| Allow user to view denied networks | Enabled | Specifies whether domain member wireless clients can view wireless networks in the permission list that have permissions set to Deny. |
| Only use Group Policy profiles for allowed networks | | Specifies that domain member clients can only connect to allowed networks by using wireless network profiles specified in the Windows Vista Wireless Network (IEEE 802.11) Policies. |

New Permissions Entry tab

Use the Wireless Network (IEEE 802.11) Policies New Permissions Entry tab to add new wireless networks to the permission list on the Network Permissions tab. You can use the New Permissions Entry tab to specify by Service Set Identifier (SSID) which wireless networks your wireless domain members are allowed to connect to, and which are denied.

| Setting name | Default value | Description |
| --- | --- | --- |
| Network Name (SSID) | NEWSSID | Provides a location for the name for the wireless network for which you want to set permissions. |
| Network Type | Infrastructure | Specifies whether the network is infrastructure (uses a wireless access point) or ad-hoc (computer-to-computer). |
| Permission | Deny | Specifies whether to permit or deny connections to the selected network. |

Wired Network (IEEE 802.3) Policies

Wired Network (IEEE 802.3) Policies is located in the Group Policy Management Console at:

Domain Policy/Computer Configuration/Windows Settings/Security Settings/Wired Network (IEEE 802.3) Policies

This section defines the settings on the following tabs for the Windows Vista Wired Network (IEEE 802.3) Policies:

  • General tab

  • Advanced tab

General tab

Use the Wired Network (IEEE 802.3) Policies, General tab to specify whether the Wired AutoConfig Service is used to configure local area network (LAN) adapters to connect to the wired network. You can also specify the policy name and description.

| Setting name | Default value | Description |
| --- | --- | --- |
| Policy Name | New Vista Wired Network Policy | Provides a location for a name for the wired network policies that are applied to your wired clients running Windows Vista and Windows Server 2008. |
| Use Windows wired Auto Config service for clients | Enabled | Specifies that Wired AutoConfig Service is used to configure and connect clients running Windows Vista to the 802.3 wired Ethernet network. |

Advanced tab

In Windows Server 2008 and Windows Vista, the SSO feature enables scenarios—such as Group Policy updates, running of logon scripts, and joining of wireless clients to domains—requiring network connectivity that is prevented by 802.1X prior to user logon.

You can use Wired Network (IEEE 802.3) Policies to configure SSO profiles for your client computers that are connecting to the wired Ethernet network through an 802.1X-compatible switch. When an SSO profile is configured, 802.1X authentication is conducted prior to computer logon to the domain; users are prompted for credential information only if needed.

| Setting name | Default value | Description |
| --- | --- | --- |
| Enable Single Sign On for this network | Not enabled | Specifies that SSO is activated for the network profile for this network. |
| Allow additional dialogs to be displayed during Single Sign On | Enabled, if Enable Single Sign On for this network is enabled | Specifies that different dialog boxes are presented to the user at logon for SSO, if applicable. |
| This network uses different VLAN for authentication with machine and user credentials | Not enabled | Specifies that wireless computers are placed on one virtual local area network (VLAN) at startup, and then—based on user permissions—moved to a different VLAN network after the user logs on to the computer. |