Configure 802.1X Wired Clients Running Windows Vista with Group Policy

Applies To: Windows Server 2008

Use the procedures in this topic to configure the Wired Network (IEEE 802.3) Policies for client computers running Windows Vista® that connect to your wired Ethernet network through 802.1X authenticating switches.

This document provides the detailed steps to create and configure the Wired Network (IEEE 802.3) Policies and wired configuration profile for computers running Windows Vista.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Configure 802.1X Wired Clients by using Wired Network (IEEE 802.3) Policies

This document provides the detailed steps to add and configure the Wired Network (IEEE 802.3) Policies, and to configure a configuration profile for computers running Windows Vista. For example, you can configure a profile to use smart cards or Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), and enable Single Sign On for computers connecting to the wired network through an 802.1X authenticating switch.

Note

You can use the Windows Vista Wired Network (IEEE 802.3) Policies to configure computers running Windows Vista and Windows Server 2008. You cannot use this policy to configure computers running Windows XP. Computers running Windows XP cannot interpret settings in Windows Vista Wired Network (IEEE 802.3) Policies.

You can use these features to configure security and authentication settings, manage wireless profiles, and specify permissions for wireless networks that are not configured as preferred networks.

Opening the Wired Network (IEEE 802.3) Policies properties

Use this procedure to access the Wired Network (IEEE 802.3) Policies.

To open the Wired Network (IEEE 802.3) Policies properties

  1. Open the Group Policy Management Console (GPMC).

  2. In Default Domain Policy, open Computer Configuration, open Windows Settings, open Security Settings, and then select Wired Network (IEEE 802.3) Policies.

    • If there is an activated Windows Vista wired network policy in the details pane:

      Right-click the New Vista Wired Network Policy, and then click Properties, to access the properties of the wired network policy.

Note

The wired policy is not necessarily listed as New Vista Wired Network Policy in the details pane of the GPMC. If the default policy name was previously changed from New Vista Wired Network Policy to another name, the name change is reflected in the GPMC details pane.

    • If there is not an activated Windows Vista wired policy in the details pane:

      Right-click Wired Network (IEEE 802.3) Policies, and then click Create A New Windows Vista Policy to activate and open the New Vista Wired Network Policy Properties.


Note

After the Windows Vista Wired Policy is added, it is only listed in the GPMC details pane when Wireless Network (IEEE 802.11) Policies is selected.

Configure wired clients running Windows Vista by using the Wired Network (IEEE 802.3) Policies

This section contains procedures that will demonstrate the features provided in the Wired Network (IEEE 802.3) Policies for Windows Vista. You can use these features to configure security and authentication settings for computers running Windows Vista that are connecting to your network through an 802.1X authenticating switch.

Configuring a PEAP-MS-CHAP v2 profile

This procedure provides the steps required to configure a PEAP-MS-CHAP v2 profile.

To configure a profile for PEAP-MS-CHAP v2 wired connections

  1. On the General tab, do the following:

    1. In Policy Name, type a name for the wired network policy.

    2. In Description, type a brief description of the policy.

    3. Ensure that Use Windows Wired Auto Config service for clients is selected.

Note

For more information about the settings on any tab, press F1 while viewing that tab.

  2. On the Security tab, do the following:

    1. Select Enable use of IEEE 802.1X authentication for network access.

    2. In Select a network authentication method, select Protected EAP (PEAP).

    3. In Authentication mode, select User re-authentication.

    4. In Max Authentication Failures, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed.

    5. To specify that user credentials are held in cache, select Cache user information for subsequent connections to this network.

  3. To configure Single Sign On or advanced 802.1X settings, click Advanced. On the Advanced tab, do the following:

    1. To configure advanced 802.1X settings, select Enforce advanced 802.1X settings, and then modify — only as necessary — the settings for: Max Eapol-Start Msgs, Held Period, Start Period, Auth Period, Eapol-Start Message.

    2. To configure Single Sign On, select Enable Single Sign On for this network, and then modify — as necessary — the settings for:

      Perform Immediately before User Logon

      Perform Immediately after User Logon

      Max delay for connectivity

      Allow additional dialogs to be displayed during Single Sign On

      Max delay with dialogs

      This network uses different VLAN for authentication with machine and user credentials

  4. Click OK. On the Security tab, click Properties.

  5. On the Protected EAP Properties dialog box, do the following:

    1. Select Validate server certificate.

    2. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your Network Policy Server (NPS).

Note

This setting limits the trusted root certification authorities (CAs) that clients trust to the selected values. If no trusted root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store.

    3. To specify that PEAP Fast Reconnect is enabled, select Enable Fast Reconnect.

    4. To specify that system health checks are performed on clients to ensure they meet health requirements before connections to the network are permitted, select Enable Quarantine checks.

    5. Click OK to save the Protected EAP (PEAP) settings.

  6. Click OK to save the changes to the wired policy, and then close the Group Policy Management Console.

Configuring a Smart Card or other certificate profile

This procedure provides the steps required to configure a Smart Card or other certificate profile.

To configure a Smart Card or other certificate profile

  1. On the General tab, do the following:

    1. In Policy Name, type a name for the wired network policy.

    2. In Description, type a brief description of the policy.

    3. Ensure that Use Windows Wired Auto Config service for clients is selected.

Note

For more information about the settings on any tab, press F1 while viewing that tab.

  2. On the Security tab, do the following:

    1. Select Enable use of IEEE 802.1X authentication for network access.

    2. In Select a network authentication method, select Smart Card or other certificate.

    3. In Authentication mode, select User re-authentication.

    4. In Max Authentication Failures, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed.

    5. To specify that user credentials are held in cache, select Cache user information for subsequent connections to this network.

  3. To configure Single Sign On or advanced 802.1X settings, click Advanced. On the Advanced tab, do the following:

    1. To configure advanced 802.1X settings, select Enforce advanced 802.1X settings, and then modify — only as necessary — the settings for: Max Eapol-Start Msgs, Held Period, Start Period, Auth Period, Eapol-Start Message.

    2. To configure Single Sign On, select Enable Single Sign On for this network, and then modify — as necessary — the settings for:

      Perform Immediately before User Logon

      Perform Immediately after User Logon

      Max delay for connectivity

      Allow additional dialogs to be displayed during Single Sign On

      Max delay with dialogs

      This network uses different VLAN for authentication with machine and user credentials

  4. Click OK. On the Security tab, click Properties.

  5. On the Smart Card or other Certificate Properties dialog box, configure the following:

    1. Select Validate server Certificate.

    2. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your Network Policy Server (NPS).

Note

This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store.

    3. To specify that PEAP Fast Reconnect is enabled, select Enable Fast Reconnect.

    4. To specify that system health checks are performed on clients to ensure they meet health requirements before connections to the network are permitted, select Enable Quarantine checks.

    5. Click OK to save the Protected EAP (PEAP) settings.

  6. Click OK to save the changes to the wired policy, and then close the Group Policy Management Console.
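Once the policy has applied, it is worth verifying what a client actually received rather than trusting the GPMC view. The following added example (not code from the original page) reads a wired profile in the XML format that `netsh lan export profile folder=<path>` writes on a client and reports the settings both procedures above configure, flagging the case the Notes describe where Validate server certificate is selected but no trusted root CA is chosen. The sample profile is constructed here and the element names are assumed from Microsoft's EAP provisioning schemas, so check them against a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a wired (LAN) profile in the format "netsh lan export profile"
# writes. Element names are assumed from Microsoft's EAP provisioning schemas; the
# profile validates the server certificate but selects no trusted root CA.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1"><MSM><security>
<OneXEnabled>true</OneXEnabled><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
<authMode>machineOrUser</authMode><EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
<ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
<ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect>
<EnableQuarantineChecks>false</EnableQuarantineChecks><PeapExtensions><PerformServerValidation
xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true
</PerformServerValidation></PeapExtensions></EapType></Eap></Config></EapHostConfig>
</EAPConfig></OneX></security></MSM></LANProfile>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the namespace; only the element name matters here

def _text(node, name, default=""):
    el = next((e for e in node.iter() if _local(e.tag) == name), None)
    return el.text.strip() if el is not None and el.text else default

def audit_lan_profile(xml_text):
    """Collect the settings the Security tab and EAP properties above control, plus warnings."""
    root = ET.fromstring(xml_text)
    f = {
        "dot1x_enabled": _text(root, "OneXEnabled") == "true",
        "auth_mode": _text(root, "authMode"),
        "eap_type": _text(root, "Type"),  # 25 = PEAP, 13 = Smart Card or other certificate (EAP-TLS)
        # assumed schema default: a missing PerformServerValidation element means validation is on
        "validate_server_cert": _text(root, "PerformServerValidation", "true") == "true",
        "fast_reconnect": _text(root, "FastReconnect") == "true",
        "quarantine_checks": _text(root, "EnableQuarantineChecks") == "true",
    }
    sv = next((e for e in root.iter() if _local(e.tag) == "ServerValidation"), None)
    f["trusted_root_cas"] = [e.text.strip() for e in (sv.iter() if sv is not None else [])
                             if _local(e.tag) == "TrustedRootCA" and e.text]
    f["warnings"] = []
    if not f["dot1x_enabled"]:
        f["warnings"].append("IEEE 802.1X authentication is not enabled for this profile")
    if not f["validate_server_cert"]:
        f["warnings"].append("server certificate validation is off: any RADIUS server cert is accepted")
    elif not f["trusted_root_cas"]:
        f["warnings"].append("no trusted root CA selected: every root in the client store is accepted")
    return f
```

To audit a real client, pass the contents of the exported .xml file to audit_lan_profile; a non-empty warnings list means the profile differs from what the procedures intend.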