Core Network Companion Guide: Deploying Password-based 802.1X Authenticated Wireless Access
Updated: December 5, 2012
Applies To: Windows 7, Windows Server 2008 R2, Windows Vista, Windows XP
This is a companion guide to the Windows Server® 2008 R2 Core Network Guide, which is available for download in Word format at the Microsoft Download Center https://go.microsoft.com/fwlink/?LinkId=157742, and in HTML format in the Windows Server® 2008 and Windows Server® 2008 R2 Technical Library: https://go.microsoft.com/fwlink/?LinkId=154884
The Windows Server 2008 R2 Core Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® Domain Services (AD DS) domain in a new forest.
This guide explains how to build upon a core network by providing instructions about how to deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated IEEE 802.11 wireless access using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).
Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is typically easier and less expensive to deploy than EAP-TLS or PEAP-TLS.
Note
In this guide, IEEE 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2 is abbreviated to “wireless access” and “WiFi access.”
About this guide
This guide provides instructions about how to deploy a WiFi access infrastructure that uses the following components:
One or more 802.1X-capable 802.11 wireless access points (APs).
Active Directory Users and Computers.
Group Policy Management.
One or more Network Policy Server (NPS) servers.
Server certificates for computers running NPS.
Wireless client computers running Windows® 7, Windows Vista® or Windows XP with Service Pack 2.
This guide is designed for network and system administrators who have:
Followed the instructions in the Windows Server 2008 R2 Core Network Guide to deploy a core network, or for those who have previously deployed the core technologies included in the core network, including AD DS, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS).
Either followed the instructions in the Windows Server 2008 R2 Core Network Companion Guide: Deploying Server Certificates to deploy and use Active Directory Certificate Services (AD CS) to autoenroll server certificates to computers running NPS, or who have purchased a server certificate from a public CA, such as VeriSign, that client computers already trust. A client computer trusts a CA if that CA cert is already in the Trusted Root Certification Authorities certificate store on Windows-based computers. By default, computers running Windows have multiple public CA certificates installed in their Trusted Root Certification Authorities certificate store.
The Core Network Companion Guide: Deploying Server Certificates is available for download in Word format at the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=158435) and in HTML format in the Windows Server 2008 Technical Library (https://go.microsoft.com/fwlink/?LinkId=154884).
It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Requirements
Following are the requirements for deploying a wireless access infrastructure by using the scenario documented in this guide:
Before deploying this scenario, you must first purchase and install 802.1X-capable wireless access points to provide wireless coverage in the desired locations at your site.
Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 R2 Core Network Guide.
Server certificates are required when you deploy the PEAP-MS-CHAP v2 certificate-based authentication method.
You or someone else in your organization is familiar with the IEEE 802.11 standards that are supported by your wireless APs and the wireless network adapters installed in the client computers on your network; for example, radio frequency types, 802.11 wireless authentication (WPA2 or WPA), and ciphers (AES or TKIP).
What this guide does not provide
Following are some items this guide does not provide:
Comprehensive guidance for selecting 802.1X-capable wireless access points
Because many differences exist between brands and models of 802.1X-capable wireless APs, this guide does not provide detailed information about:
Determining which brand or model of wireless AP is best suited to your needs.
The physical deployment of wireless APs on your network.
Advanced wireless AP configuration, such as for wireless VLAN.
Instructions on how to configure wireless AP vendor-specific attributes in NPS.
Additionally, terminology and names for settings vary between wireless AP brands and models, and might not match the generic setting names referenced in this guide. For wireless AP configuration details, you must review the product documentation provided by the manufacturer of your wireless APs.
Instructions for deploying NPS server certificates
There are two alternatives for deploying NPS server certificates. This guide does not provide comprehensive guidance to help you determine which alternative will best meet your needs. In general, however, the choices you face are:
Purchasing certificates from a public CA, such as VeriSign, that are already trusted by Windows-based clients. This option is typically recommended for smaller networks.
Deploying a Public Key Infrastructure (PKI) on your network by using AD CS.
The following table describes some of the main considerations for deciding whether to deploy a PKI or purchase a certificate from a public CA.
| Features | Purchased Public CA certificate | PKI |
|---|---|---|
Scales well |
No. Certificates must be purchased and installed on a per-server basis. |
Yes. If autoenrollment is used, NPS servers automatically enroll certificates. New NPS servers you add later will also automatically enroll certificates. |
Has recurring costs over time |
Yes. Public CA certificates must be renewed. |
No. When certificates expire, the CA automatically issues new ones. |
Requires extensive planning and knowledge |
No. On smaller networks, certificates can be purchased and installed on a per-server basis more easily than deploying a PKI. |
Yes. Deploying a PKI requires knowledge of AD CS. |
Requires additional hardware |
No. |
Maybe. To deploy one or more CAs, you must have additional servers or virtual machines. |
Is easily extensible |
No. |
Yes. You can use the PKI to deploy additional authentication methods and certificates used for other purposes. |
NPS network policies and other NPS settings
Except for the configuration settings made when you run the Configure 802.1X wizard, as documented in this guide, this guide does not provide detailed information for manually configuring NPS conditions, constraints or other NPS settings.
For more information about NPS, see Additional Resources in this guide.
DHCP
This deployment guide does not provide information about designing or deploying DHCP subnets for wireless LANs.
For more information about DHCP, see the Additional Resources in this guide.
Technology overviews
Following are technology overviews for deploying wireless access:
IEEE 802.1X
The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated network access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.
802.1X-capable wireless access points (APs)
This scenario requires the deployment of one or more 802.1X-capable wireless APs that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.
802.1X and RADIUS-compliant APs, when deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.
Wireless clients
This guide provides comprehensive configuration details to supply 802.1X authenticated access for domain-member users who connect to the network with wireless client computers running Windows 7, Windows Vista or Windows XP with Service Pack 2 or later. Computers must be joined to the domain in order to successfully establish authenticated access.
Wireless computers that are running Windows Server 2008 R2 and Windows Server 2008 are configured by the same configuration settings as for Windows 7 and Windows Vista. Wireless computers running Windows Server 2003 are configured by the same wireless security and connectivity settings as for computers running Windows XP.
Support for IEEE 802.11 Standards
Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista Windows Server 2003, and, Windows XP, provide built-in support for 802.11 wireless networking. An installed 802.11 wireless network adapter appears as a wireless network connection in the Network Connections folder. Although there is built-in support for 802.11 wireless networking, the wireless components of Windows are dependent upon the following:
The capabilities of the wireless network adapter. The installed wireless network adapter must support the wireless LAN or wireless security standards that you require. For example, if the wireless network adapter does not support Wi-Fi Protected Access (WPA), you cannot enable or configure WPA security options.
The capabilities of the wireless network adapter driver. To allow you to configure wireless network options, the driver for the wireless network adapter must support the reporting of all of its capabilities to Windows. Verify that the driver for your wireless network adapter was written for the capabilities of Windows Vista or Windows XP and is the most current version by checking Microsoft Update or the Web site of the wireless network adapter vendor.
The following table shows the transmission rates and frequencies for common IEEE 802.11 wireless standards.
| Standards | Frequencies | Bit Transmission Rates | Usage |
|---|---|---|---|
802.11 |
S-Band Industrial, Scientific, and Medical (ISM) frequency range (2.4 to 2.5 GHz) |
2 megabits per second (Mbps) |
Obsolete. Not commonly used. |
802.11b |
S-Band ISM |
11 Mbps |
Commonly used. |
802.11a |
C-Band ISM (5.725 to 5.875 GHz) |
54 Mbps |
Not commonly used due to expense and limited range. |
802.11g |
S-Band ISM |
54 Mbps |
Widely used. 802.11g devices are compatible with 802.11b devices. |
802.11n (IEEE standards development are in progress) |
C-Band and S-Band ISM |
250 Mbps |
Devices based on the pre-ratification IEEE 802.11n standard became available in August 2007. Many 802.11n devices are compatible with 802.11a, b, and g devices. |
Wireless network security methods
Wireless network security methods is an informal grouping of wireless authentication (sometimes referred to as wireless security) and wireless security encryption. Wireless authentication and encryption are used in pairs to prevent unauthorized users from accessing the wireless network, and to protect wireless transmissions. When configuring wireless security settings in the Wireless Network Policies of Group Policy there are multiple combinations to choose from. However, only the WPA2-Enterprise, WPA-Enterprise, and Open with 802.1X authentication standards are supported for 802.1X Authenticated wireless deployments. You must select WPA2-Enterprise, WPA-Enterprise, or Open with 802.1X in order to gain access the EAP settings in the Wireless Network Policies that are required for 802.1X authenticated wireless deployments.
Wireless authentication
This guide recommends the use of two wireless authentication standards for 802.1X authenticated wireless deployments:
Wi-Fi Protected Access – Enterprise (WPA-Enterprise) WPA is an interim standard developed by the WiFi Alliance to comply with the 802.11 wireless security protocol. The WPA protocol was developed in response to a number of severe flaws that were discovered in the preceding Wired Equivalent Privacy (WEP) protocol.
WPA-Enterprise provides improved security over WEP by:
Requiring authentication that uses the 802.1X EAP framework as part of the infrastructure that ensures centralized mutual authentication and dynamic key management
Enhancing the Integrity Check Value (ICV) with a Message Integrity Check (MIC), to protect the header and payload
Implementing a frame counter to discourage replay attacks
Wi-Fi Protected Access 2 – Enterprise (WPA2-Enterprise) Like the WPA-Enterprise standard, WPA2-Enterprise uses the 802.1X and EAP framework. WPA2-Enterprise provides stronger data protection for multiple users and large managed networks. WPA2-Enterprise is a robust protocol that is designed to prevent unauthorized network access by verifying network users through an authentication server.
Wireless security encryption
Wireless security encryption is used to protect the wireless transmissions that are sent between the wireless client and the wireless AP. Wireless security encryption is used in conjunction with the selected network security authentication method. By default, computers running Windows 7 and Windows Vista support two encryption standards:
Temporal Key Integrity Protocol (TKIP) is an older encryption protocol that was originally designed to provide more secure wireless encryption than what was provided by the inherently weak Wired Equivalent Privacy (WEP) protocol. TKIP was designed by the IEEE 802.11i task group and the Wi-Fi Alliance to replace WEP without requiring the replacement of legacy hardware. TKIP is a suite of algorithms that encapsulates the WEP payload, and allows users of legacy WiFi equipment to upgrade to TKIP without replacing hardware. Like WEP, TKIP uses the RC4 stream encryption algorithm as its basis. The new protocol, however, encrypts each data packet with a unique encryption key, and the keys are much stronger than those by WEP. Although TKIP is useful for upgrading security on older devices that were designed to use only WEP, it does not address all of the security issues facing wireless LANs, and in most cases is not sufficiently robust to protect sensitive government or corporate data transmissions.
Advanced Encryption Standard (AES) is the preferred encryption protocol for the encryption of commercial and government data. AES offers a higher level of wireless transmission security than either TKIP or WEP. Unlike TKIP and WEP, AES requires wireless hardware that supports the AES standard. AES is a symmetric-key encryption standard that uses three block ciphers, AES-128, AES-192 and AES-256.
Important
Wired Equivalency Privacy (WEP) was the original wireless security standard that was used to encrypt network traffic. You should not deploy WEP on your network as there are well-known vulnerabilities in this outdated form of security.
Enhanced encryption
AES encryption is strengthened by enabling the Federal Information Processing Standard (FIPS) 140-2 standard. FIPS 140-2 is a U.S. government computer security standard that is used to certify cryptographic modules, and specify that wireless transmissions adhere to the FIPS 140-2 standard for cryptography. The option to enable FIPS 140-2 is only available when WPA2-Enterprise with AES, or WPA2-Personal with AES are selected. You must select WPA2-Enterprise with AES to deploy FIPS-140-2 in 802.1X authenticated wireless deployments.
Wireless authentication and encryption pairs
The following table shows wireless security standards (as listed in the Wireless Network Policies extensions of Group Policy) and their corresponding authentication and encryption methods that can be used in 802.1X authenticated deployments.
| Wireless network authentication type: | Wireless encryption: | Encryption key bit size: | Comments: |
|---|---|---|---|
WPA2-Enterprise |
Advanced Encryption Standard (AES) |
128 |
Strongest 802.1X-based wireless network authentication with very strong AES encryption. |
WPA2-Enterprise |
Temporal Key Integrity Protocol (TKIP) |
128 |
Strongest 802.1X-based wireless network authentication with less strong TKIP encryption. |
WPA-Enterprise |
Advanced Encryption Standard (AES) |
128 |
Mid-strength 802.1X-based wireless network authentication with very strong AES encryption. |
WPA-Enterprise |
Temporal Key Integrity Protocol (TKIP) |
128 |
Mid-strength 802.1X-based wireless network authentication with less strong TKIP encryption. |
IEEE 802.1X |
Open |
N/A |
Not recommended for production environments. |
IEEE 802.11 |
WEP |
40 or 104 |
Use in production environments is strongly discouraged due to weak Wi-Fi authentication and encryption. |
Active Directory Doman Services (AD DS)
AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.
AD DS contains the user accounts, computer accounts, and account properties that are required by IEEE 802.1X and PEAP-MS-CHAP v2 to authenticate user credentials and to evaluate authorization for wireless connections.
Active Directory Users and Computers
Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members.
Group Policy Management
Group Policy Management is a Windows Server 2008 R2 feature that enables directory-based change and configuration management of user and computer settings, including security and user information. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO's settings to the users and computers in those Active Directory containers. To manage Group Policy objects across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).
This guide provides detailed instructions about how to specify settings in the Wireless Network (IEEE 802.11) Policies extension of Group Policy Management. The Wireless Network (IEEE 802.11) Policies configure domain-member wireless client computers with the necessary connectivity and wireless settings for 802.1X authenticated wireless access.
Server certificates
This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication.
A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.
A certification authority (CA) is an entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.
Active Directory Certificate Services (AD CS) is a Windows Server 2008 R2 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also known as a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise.
EAP, PEAP, and PEAP-MS-CHAP v2
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. Windows Server 2008 R2 includes an EAP infrastructure, supports two EAP types, and the ability to pass EAP messages to NPS servers. By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2008 R2 are:
Transport Layer Security (TLS)
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
.gif) Security Note |
|---|
| Strong EAP types (such as those that are based on certificates) offer better security against brute-force attacks, dictionary attacks, and password guessing attacks than password-based authentication protocols (such as CHAP or MS-CHAP version 1). |
Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an NPS server or other RADIUS servers. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MS-CHAP v2) that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers (NASs):
802.1X-capable wireless access points
802.1X-capable authenticating switches
Computers running Windows Server 2008 R2 and the Routing and Remote Access service (RRAS) that are configured as virtual private network (VPN) servers
Computers running Windows Server 2008 R2 and Terminal Services Gateway
PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.
This guide provides instructions to configure your wireless clients and your NPS server(s) to use PEAP-MS-CHAP v2 for 802.1X authenticated access.
Network Policy Server
Network Policy Server (NPS) is included in Windows Server 2008 R2, and allows you to centrally configure and manage network policies by using the following three components: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is an optional service of a core network, but it is required to deploy 802.1X wireless access.
When you configure your 802.1X wireless access points as RADIUS clients in NPS, NPS processes the connection requests sent by the APs. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection. This is explained in more detail as follows:
Authentication
Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:
The client authenticates the NPS server. During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the NPS server's identity with the certificate. To successfully authenticate the NPS server, the client computer must trust the CA that issued the NPS server certificate. The client trusts this CA when the CA’s certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.
If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, ensure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.
The NPS server authenticates the user. After the client successfully authenticates the NPS server, the client sends the user’s password-based credentials to the NPS server, which verifies the user’s credentials against the user accounts database in Active Directory Doman Services (AD DS).
If the credentials are valid and authentication succeeds, the NPS server begins the authorization phase of processing the connection request. If the credentials are valid and authentication succeeds, the NPS server begins the authorization phase of processing the connection request. If the credentials are not valid and authentication fails, NPS sends an Access Reject message and the connection request is denied.
Authorization
The server running NPS performs authorization as follows:
NPS checks for restrictions in the user or computer account dial-in properties in AD DS.
NPS then processes its network policies to find a policy that matches the connection request. If a matching policy is found, NPS either grants or denies the connection based on that policy’s configuration.
If both authentication and authorization are successful, and if the matching network policy grants access, NPS grants access to the network, and the user and computer can connect to network resources for which they have permissions.
Note
To deploy wireless access, you must configure NPS policies. This guide provides instructions to use the Configure 802.1X wizard in NPS to create NPS policies for 802.1X authenticated wireless access.
Bootstrap profiles
In 802.1X-authenticated wireless networks, wireless clients must provide security credentials that are authenticated by a RADIUS server in order to connect to the network. For Protected EAP [PEAP]-Microsoft Challenge Handshake Authentication Protocol version 2 [MS-CHAP v2], the security credentials are a username and password. For EAP-Transport Layer Security [TLS], the security credentials are certificates, such as client user and computer certificates or smart cards.
When connecting to a network that is configured to perform either PEAP-MS-CHAP v2 or EAP-TLS authentication, by default, Windows wireless clients must also validate a computer certificate that is sent by the RADIUS server. The computer certificate that is sent by the RADIUS server for every authentication session is commonly referred to as a server certificate.
As mentioned previously, RADIUS servers can be issued server certificate in one of two ways: from a commercial CA (such as VeriSign, Inc.,), or from a private CA that you deploy on your network. If the RADIUS server sends a computer certificate that was issued by a commercial CA that already has a root certificate installed in the client's Trusted Root Certifications Authorities certificate store, then the wireless client can validate the RADIUS server's computer certificate, regardless of whether the wireless client has joined the Active Directory domain. In this case the wireless client can connect to the wireless network, and then join the computer to the domain.
Note
The behavior requiring the client to validate the server certificate can be disabled, but disabling server certificate validation is not recommended in production environments.
Wireless bootstrap profiles are temporary profiles that are configured in such a way as to enable wireless client users to connect to the 802.1X-authenticated wireless network before the computer is joined to the domain, and/or before the user has successfully logged on to the domain by using a given wireless computer for the first time. This section summarizes what problem is encountered when trying to join a wireless computer to the domain, or for a user to use a domain-joined wireless computer for the first time to log on to the domain.
For deployments in which the user or IT administrator cannot physically connect a computer to the wired Ethernet network to join the computer to the domain, and the computer does not have the necessary issuing root CA certificate installed in its Trusted Root Certification Authorities certificate store, you can configure wireless clients running Windows 7 and Windows Vista with a temporary wireless connection profile, called a bootstrap profile, to connect to the wireless network. A bootstrap profile removes the requirement to validate the RADIUS server's computer certificate. This temporary configuration enables the wireless user to join the computer to the domain, at which time the Wireless Network (IEEE 802.11) Policies are applied and the appropriate root CA certificate is then installed on the computer. When Group Policy is applied, one or more wireless connection profiles that enforce the requirement for mutual authentication are applied on the computer; the bootstrap profile is no longer removed. After joining the computer to the domain and restarting the computer, the user can use a wireless connection to log on to the domain.