Planning your 802.1X authenticated wired access deployment

  • Article

Applies To: Windows Server 2008, Windows Server 2008 R2

Deploying 802.1X authenticated wired access involves several stages. Most stages have dependencies on actions that you have taken in previous stages. Therefore, plan your wired access deployment to follow the sequence of the following stages:

Stage 1

Plan, deploy, and configure 802.1X-capable switches for use with Network Policy Server (NPS). Depending on your preference and network dependencies, you can either pre-configure settings on your switches prior to installing them on your network, or you can configure them remotely after installation. If you are planning to add new computers to your domain, it is advisable to purchase and join the new computers to your domain at this time.

Stage 2

Create one or more wired users security groups in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Then add each user for whom you want to allow access to your network to the appropriate wired users security group.

Stage 3

Configure the Group Policy extension of Wired Network (IEEE 802.3) Policies by using the Group Policy Management Editor. The Wired Network (IEEE 802.3) Policies providethe configuration settings required for 802.1X authentication and connectivity to client computers. It is in this Group Policy extension that you specify network permission parameters, connection settings, and Extensible Authentication Protocol (EAP) and other security settings.

For domain member computers, newly configured Group Policy settings are automatically applied when Group Policy is refreshed. Group Policy is automatically refreshed at pre-determined intervals, or by restarting the client computer. Additionally, you can force Group Policy to refresh by running gpupdate at the command prompt.

Stage 4

Use a configuration wizard in NPS to add your 802.1X-capable switches as Remote Authentication Dial-In User Service (RADIUS) clients, and to create the network policies that NPS uses when processing connection requests. When using the wizard to create the network policies, for each policy specify the EAP type that you are deploying, and the wired users security group that corresponds to the network policy that you are configuring.

Stage 5

Use client computers to connect to the network. Because the necessary configuration settings are automatically applied when Group Policy is refreshed, computers will automatically connect to the network, and users need only to supply their domain user name and password credentials when prompted by Windows.