Planning Wired Access
Updated: January 9, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
Before you deploy wired access, you must plan the following items:
- Switch acquisition and installation
- Client network and security configuration
When you design your network access solution, you must determine which brand and model of 802.1X-capable switch can best meet your needs. For secure deployments, the switches that you deploy must support several specific standards, and provide specific security features. After you have determined which brand and model of switch you need, you must determine how many switches your wired access deployment requires.
For consistency and ease of deployment, it is recommended that you purchase 802.1X-capable switches of the same brand and model.
The 802.1X-capable switches that you deploy must support the following:
- IEEE 802.1X
- Remote Authentication Dial-In User Service (RADIUS) authentication
In addition, to provide enhanced security for the network, the 802.1X-capable switches must support the following filtering options:
The switches that you deploy on your network must filter on IP ports to prevent the transmission of Dynamic Host Configuration Protocol (DHCP) broadcast messages in cases in which the client is acting as a DHCP server. The switch must block the client from sending IP packets from UDP port 68 to the network.
Switches must filter on IP ports to prevent a client from performing as a Domain Name System (DNS) server. The switch must block the client from sending IP packets on TCP or UDP port 53 to the network.
In addition, if the 802.1X-capable switches require vendor-specific attributes (VSAs) or additional RADIUS attributes for special features or customized configuration of the switch, you must add the VSAs or RADIUS attributes to the wired NPS network policy on the servers running Network Policy Server (NPS). If you add VSAs or RADIUS attributes to the wired NPS network policy on the primary NPS server, copy the primary NPS server configuration to the secondary NPS server.
Use architectural drawings to create a schematic diagram of your wired network. Determine the location of every RJ-45 Ethernet wall outlet that is connected to your wired network. For example, indicate on your diagram every RJ-45 outlet in all offices, meeting rooms, reception areas and break areas.
Using your diagram, or a physical inspection of your site, determine the number of RJ-45 wall outlets that you need to control by using 802.1X-capable switches. Use this number to determine how many switches are required for your wired deployment.
According to the general naming conventions used on your network, give a friendly name to each of your switches, and then track those names in a list. For example, if you determine that your deployment requires 50 switches, you might name your switches: switch_001, switch_002, switch_003, and so on. If your deployment has multiple wiring closets or server closets where switches are installed, update your architectural drawings to indicate — by name — the installation location of each switch.
On your diagram, mark zones that contain the same number of RJ-45 wall outlets as there are ports on a switch. Indicate on your architectural drawing — by name — which switch is associated with each zone. For example, for a switch named switch_003 that has 24 ports that are dedicated to wired client connections, mark a zone on your diagram that contains the 24 RJ-45 wall outlets that you will connect to that switch, and then mark that zone to indicate that it is associated with switch_003.
Note: In deployments that involve multiple subnets for wired clients, it is beneficial to also indicate the IP address range and subnet mask that is used by each zone.
Next, on the architectural diagram or in a spreadsheet, indicate the relationship of each RJ-45 outlet with each switch and switch port. For example, for a single RJ-45 outlet in office number 294, in zone 02, that will connect to port 14 on a switch named switch_02c, your records should capture information similar to the following table.
| Zone | Location | Switch | Switch Port Number |
|------|----------|--------|--------------------|
| 02 | Office 294 | switch_02c | 14 |
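The sizing, naming and zone-mapping steps above can be carried out from the outlet count alone. The following script is an added example (not code from the guide): given the outlets counted from the building diagram and the client ports per switch, it computes the switch count, names the switches with the switch_NNN convention, carves the outlets into one zone per switch, and produces the Zone / Location / Switch / Switch Port Number records. The outlet locations, the one-subnet-per-zone assumption and the subnet list are constructed for the example.

```python
"""Plan 802.1X switch zones from an outlet count (added example, not the guide's code).
Computes switches needed, names them switch_001, switch_002, ..., assigns each
outlet to a zone, switch and port, and records the per-zone client subnet.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class PortRecord:
    zone: str
    location: str
    switch: str
    port: int
    subnet: str  # assumption: one client subnet per zone, as the note above suggests


def switches_needed(outlet_count, ports_per_switch):
    """Switches required so that every outlet lands on an 802.1X-controlled port."""
    if ports_per_switch <= 0:
        raise ValueError("a switch must have at least one client port")
    return ceil(outlet_count / ports_per_switch)


def switch_name(index, prefix="switch_", width=3):
    """Friendly name following the switch_001, switch_002, ... scheme."""
    return f"{prefix}{index:0{width}d}"


def plan_zones(outlets, ports_per_switch, subnets=None):
    """Assign every outlet (in diagram order) to a zone, a switch and a switch port."""
    count = switches_needed(len(outlets), ports_per_switch)
    if subnets is not None and len(subnets) < count:
        raise ValueError(f"{count} zones planned but only {len(subnets)} subnets given")
    records = []
    for i, location in enumerate(outlets):
        zone_no = i // ports_per_switch + 1   # zones and switches are numbered from 1
        port_no = i % ports_per_switch + 1    # switch ports are numbered from 1
        subnet = subnets[zone_no - 1] if subnets else "n/a"
        records.append(PortRecord(f"{zone_no:02d}", location, switch_name(zone_no), port_no, subnet))
    return records


def lookup(records, location):
    """Which switch and port sit behind a wall outlet (troubleshooting use)."""
    return next((r for r in records if r.location == location), None)


# Constructed sample: 50 outlets (44 offices plus common areas) on 24-port switches.
SAMPLE_OUTLETS = [f"office {n}" for n in range(101, 145)] + [
    "meeting room A", "meeting room B", "reception", "break area 1", "break area 2", "lobby"]
SAMPLE_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
```

With the sample data, 50 outlets on 24-port switches yield three switches; the last zone holds only two outlets, which is where spare ports end up.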
Having an accurate switch and wiring diagram and related records will assist later during troubleshooting operations, when you want to upgrade or replace switches, or if you change the physical Ethernet wiring in the building.
In addition, for each 802.1X authenticating switch that you deploy on your network, record the RADIUS shared secret, and then store that information in a secured location, such as an office safe.
When planning the deployment of 802.1X authenticated wired access, you must consider several factors:
Planning restricted access
Do you want to provide all of your users with the same level of access to your network, or do you want to restrict access for some of your users?
Adding new client computers to your wired network
Although there are several alternatives, the preferred method adds a new computer as a member of the domain and has the configuration performed by a member of the IT staff.
You might want to provide groups of users in your organization with varying levels of access to the network. For example, you might want to allow some users unrestricted access, any hour of the day, every day of the week. For other users, you might only want to allow access during core work hours, Monday through Friday, and completely deny access on Saturday and Sunday.
The 802.1X Authenticated Wired Access Deployment Guide provides instructions to create an access environment that places all of your users in one security group. You create one wired users security group by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, and then make every user for whom you want to grant wired access a member of that group. When you configure NPS network policies, specify the wired users security group as the object that NPS processes when determining authorization.
However, if your deployment requires support for varying levels of access you need only do the following:
- Create one or more additional security groups for your wired users in the Active Directory Users and Computers snap-in, each security group specifying a unique name.
- Make each user a member of the appropriate security group.
- Configure an additional set of NPS network policies for each additional wired users security group.
To add new computers to your network, the computers must first be joined to the domain. In a network that uses 802.1X authentication for IEEE 802.3 wired Ethernet connections, the preferred method to add new computers to the domain is for an administrator or member of the IT staff to join the computer to the domain by using a wired connection to a segment of the LAN that has access to domain controllers, and that is not protected by an 802.1X-capable switch. After joining the computer to the domain, the computer is distributed to the user.
Note: Make sure that uncontrolled connections are only accessible to your IT personnel.
The steps to join computers to the domain by using a wired connection are documented in the Windows Server 2008 Foundation Network Guide, in the section titled Joining computers to the Domain and Logging On.