802.1X Authenticated Wireless Access Design Guide
Updated: December 19, 2008
Applies To: Windows Server 2008, Windows Server 2008 R2
Wireless networking offers users a high degree of mobility and provides a networking option when traditional wired networks are impractical. The Windows Server® 2008 operating system provides the networking services needed to deploy a secure and manageable wireless local area network (WLAN) infrastructure for network environments ranging from a small business to an enterprise. This guide provides comprehensive guidance to help you design an 802.1X authenticated wireless access solution.
Wireless access can provide the following benefits:
Strong authentication. IEEE 802.1X was originally a standard for Ethernet switches and was adapted to 802.11 wireless LANs to provide much stronger authentication than the original 802.11 standard. Wireless network authentication can be based on different EAP authentication methods, such as those that use a secure password (the user account name and password credentials) or a digital certificate. IEEE 802.1X prevents a wireless node from joining a wireless network until the node has performed a successful authentication. Additionally, the mutual authentication component of EAP prevents wireless clients from connecting to rogue wireless access points (APs) and rogue NPS servers.
Although 802.1X authenticated access is optimal for medium and large wireless LANs, it can also be used for small organizations that require strong security. An 802.1X authenticated wireless access infrastructure consists chiefly of servers running Network Policy Server (NPS) and an account database such as the Active Directory® Domain Services (AD DS) account database. IEEE 802.1X uses Extensible Authentication Protocol (EAP).
Infrastructure flexibility. In general, WLANs can extend or replace a wired infrastructure in situations where it is costly, inconvenient, or impossible to lay cables. A wireless LAN can connect the networks in two buildings that are separated by physical obstacles or financial constraints. You can also use wireless LAN technologies to create a temporary network, which is in place for only a specific amount of time. Additionally, when a company needs to rapidly expand its workforce, deploying a wireless network can be a more efficient and cost-effective alternative to installing the physical cabling required for a traditional Ethernet network. And even if no wireless infrastructure is present, wireless portable computers can still form their own ad hoc networks to communicate and share data with each other.
Mobility and productivity. Wireless access can increase productivity for employees who require mobility. Mobile users who are equipped with a portable computer can remain connected to the network. This enables the user to change locations—to meeting rooms, hallways, lobbies, cafeterias, classrooms, and so forth—and still have access to network resources. Without wireless access, the user must carry Ethernet cabling and is restricted to working near a network jack. Wireless LAN networking is a perfect technology for environments where movement is required.
This guide is intended for infrastructure specialists, system architects, and IT professionals.
The purpose of this guide is to help you plan and design a new 802.1X authenticated wireless access deployment.
Following are the requirements for deploying a wireless access infrastructure by using the scenario documented in this guide:
- Before deploying this scenario, you must first purchase and install 802.1X-capable wireless APs to provide wireless coverage in the locations you want at your site.
- Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide. You can view the Foundation Network Guide online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=106252. You can download the Foundation Network Guide in Word format at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=105231.
- Server certificates are required when you deploy the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) certificate-based authentication method. For information about deploying server certificates, see Foundation Network Companion Guide: Deploying Server Certificates. You can view Foundation Network Companion Guide: Deploying Server Certificates online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=108258. You can download Foundation Network Companion Guide: Deploying Server Certificates in Word format at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=108259.
- Server certificates and computer and user certificates are required when you deploy Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). For information about deploying user and computer certificates, see Foundation Network Companion Guide: Deploying Computer and User Certificates. You can view Foundation Network Companion Guide: Deploying Computer and User Certificates online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=113884. You can download Foundation Network Companion Guide: Deploying Computer and User Certificates in Word format at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=115742.
- You or someone else in your organization is familiar with the IEEE 802.11 standards that are supported by your wireless APs and the wireless network adapters installed in the client computers on your network. For example, they must be familiar with radio frequency types, the personal and enterprise editions of 802.11 wireless authentication (Wi-Fi Protected Access [WPA] and WPA version 2 [WPA2]), and ciphers (such as Advanced Encryption Standard [AES] and Temporal Key Integrity Protocol [TKIP]).
This guide uses a step-by-step approach to help you decide which design best fits your wireless access needs and to help you create a design based on the most common wireless design goals. The two scenarios are:
- Wireless access by using PEAP-MS-CHAP v2 for secure password authentication. This design is well suited to small businesses and medium organizations. Secure password authentication provides strong security and uses domain account credentials (user name and password) for client authentication. When deploying wireless access by using PEAP-MS-CHAP v2, you can either purchase certificates from a public certification authority (CA), such as VeriSign, or deploy a private CA on your network by using Active Directory Certificate Services (AD CS).
- Wireless access by using either EAP-TLS or PEAP-TLS for authentication using digital certificates. This design is well suited to medium- and enterprise-sized networks. Digital certificates provide more robust security than secure password authentication. In this design guide, digital certificates are either smart cards or certificates issued to your users and computers by the CA you deploy on your network. If your wireless solution uses either EAP-TLS or PEAP-TLS, you must deploy a private CA on your network by using AD CS.
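In both designs the protection against rogue APs and rogue NPS servers described above depends on the client actually validating the NPS server certificate, which is a client-profile setting rather than something the server can enforce. The following PowerShell function is an added example, not part of this guide or of any Microsoft tool: it audits a WLAN profile of the shape written by "netsh wlan export profile" for the server-validation settings that PEAP (EAP type 25) and EAP-TLS (EAP type 13) rely on. The embedded profile is a constructed, abbreviated sample (SSIDConfig and EapMethod omitted), the SSID is invented, and the TrustedRootCA thumbprint is a placeholder; the namespace URIs and element names are assumed to match the exported-profile schema.

```powershell
# Added example (not from the guide): report WLAN profile settings that weaken
# PEAP / EAP-TLS server validation. Assumes the XML layout that
# "netsh wlan export profile" writes; sample below is constructed.

function Test-WlanProfileServerValidation {
    param([Parameter(Mandatory)][xml]$Profile)

    $ns = New-Object System.Xml.XmlNamespaceManager($Profile.NameTable)
    $ns.AddNamespace('w',     'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('base',  'http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1')
    $ns.AddNamespace('peap',  'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1')
    $ns.AddNamespace('peap2', 'http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2')
    $ns.AddNamespace('tls',   'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1')

    $findings = @()
    $name = $Profile.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText

    # Without 802.1X there is no EAP exchange and no server certificate to check.
    $useOneX = $Profile.SelectSingleNode('//w:authEncryption/w:useOneX', $ns)
    if (-not $useOneX -or $useOneX.InnerText -ne 'true') {
        $findings += 'useOneX is not true: profile does not use 802.1X.'
    }

    # Outer EAP method: 25 = PEAP, 13 = EAP-TLS. Each carries its own ServerValidation block.
    $peapSv = $Profile.SelectSingleNode("//base:Eap[base:Type='25']/peap:EapType/peap:ServerValidation", $ns)
    $tlsSv  = $Profile.SelectSingleNode("//base:Eap[base:Type='13']/tls:EapType/tls:ServerValidation", $ns)
    $sv = if ($peapSv) { $peapSv } elseif ($tlsSv) { $tlsSv } else { $null }

    if (-not $sv) {
        $findings += 'No PEAP or EAP-TLS ServerValidation block found.'
    } else {
        # Children sit in the parent's namespace, so match on local name.
        $prompt = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
        if (-not $prompt -or $prompt.InnerText -ne 'true') {
            $findings += 'DisableUserPromptForServerValidation is not true: a user can accept an untrusted server certificate.'
        }
        $servers = $sv.SelectSingleNode("*[local-name()='ServerNames']")
        if (-not $servers -or [string]::IsNullOrWhiteSpace($servers.InnerText)) {
            $findings += 'ServerNames is empty: any certificate chained to a trusted root is accepted, not only your NPS servers.'
        }
        $roots = $sv.SelectNodes("*[local-name()='TrustedRootCA']")
        if ($roots.Count -eq 0) {
            $findings += 'TrustedRootCA is empty: no root CA is pinned for the NPS server certificate.'
        }
        if ($peapSv) {
            $perform = $Profile.SelectSingleNode('//peap:PeapExtensions/peap2:PerformServerValidation', $ns)
            if (-not $perform -or $perform.InnerText -ne 'true') {
                $findings += 'PerformServerValidation is not true: PEAP will not validate the NPS server certificate.'
            }
        }
    }

    [pscustomobject]@{ Name = $name; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample profile: PEAP-MS-CHAP v2 with two weak settings
# (user prompt allowed, no ServerNames). Thumbprint is a placeholder.
[xml]$sample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CORP-WLAN</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                <ServerNames></ServerNames>
                <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
              </ServerValidation>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
'@

# Expected on the sample: Compliant = False with two findings (prompt, ServerNames).
Test-WlanProfileServerValidation -Profile $sample | Format-List
```

To run it against a real client, export the profile first with `netsh wlan export profile name="CORP-WLAN" folder=C:\temp` and pass `[xml](Get-Content C:\temp\<exported file>.xml -Raw)` to the function. The two settings the sample flags are the ones that turn EAP's mutual authentication into one-way authentication in practice: a user who can click through the certificate warning, or a profile that accepts any certificate from the trusted root, will authenticate to a rogue NPS server just as readily as to the real one.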
After reading this guide you will have the information necessary to begin deploying wireless access by using the 802.1X Authenticated Wireless Deployment Guide in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=134848.