802.1X Authenticated Wired Access Overview
Updated: September 18, 2013
Applies To: Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8
This document provides introductory information about Institute of Electrical and Electronics Engineers (IEEE) 802.1X authenticated access for IEEE 802.3 wired Ethernet connections. Links to resources with information about technologies that are closely related to 802.1X Authenticated Wired Access, or otherwise relevant to wired access are also provided.
In addition to this topic, the following 802.1X Authenticated Wired Access documentation is available.
Did you mean…
IEEE 802.1X authentication provides an additional security barrier for your intranet that you can use to prevent guest, rogue, or unmanaged computers that cannot perform a successful authentication from connecting to your intranet.
For the same reason that administrators deploy IEEE 802.1X authentication for IEEE 802.11 wireless networks—enhanced security—network administrators want to implement the IEEE 802.1X standard to help protect their wired network connections. Just as an authenticated wireless client must submit a set of credentials to be validated before being allowed to send wireless frames to the intranet, an IEEE 802.1X wired client must also perform authentication prior to being able to send traffic over its switch port.
Following are overviews that will help you to understand the various technologies that are required to deploy 802.1X authenticated wired access.
In this document, 802.1X authenticated wired access is referred to as wired access.
The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated wired access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched Local Area Network (LAN) infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has also been adapted for use on 802.11 wireless LANs.
To deploy 802.1X wired access you must install and configure one or more 802.1X-capable Ethernet switches on your network. The switches must be compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.
When 802.1X and RADIUS-compliant switches are deployed in a RADIUS infrastructure, with a RADIUS server such as an NPS server, they are called RADIUS clients.
IEEE 802.3 is a collection of standards that defines the Layer-1 (physical layer) and Layer-2 (data-link layer media access control (MAC)) of wired Ethernet. 802.3 Ethernet is typically implemented on a LAN, and also in some wide area network (WAN) applications.
Network Policy Server (NPS) lets you centrally configure and manage network policies by using the following three components: RADIUS server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is required to deploy 802.1X wired access.
Wired access deployment requires server certificates for each NPS server that performs 802.1X authentication.
A server certificate is a digital document that is commonly used for authentication and to help secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA), and they can be issued for a user, a computer, or a service.
A CA is an entity responsible for establishing and vouching for the authenticity of public keys that belong to subjects (usually users or computers) or other CAs. Activities of a CA can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.
Active Directory Certificate Services (AD CS) is a Windows Server 2012 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also called a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise.
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by enabling additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as an NPS server) must support the same EAP type for successful authentication to occur.
In Windows Server 2012, wired access includes only minimal changes to the wired access solution provided in Windows Server 2008 R2. That change is summarized as follows:
Previous operating system
New operating system
The addition of EAP-Tunneled Transport Layer Security (EAP-TTLS) to the list of network authentication methods that are included by default
Included by default
Following is a table of resources related to 802.1X authenticated wired access.
IEEE 802.1X Authenticated Wired Access – Cable Guy article |
Windows Server 2008 802.1X Authenticated Wired Access Design Guide |
Windows Server 2008 802.1X Authenticated Wired Access Deployment Guide | Windows Server 2008 R2 Core Network Companion Guide: Deploying Password-based 802.1X Authenticated Wireless Access
Windows Server 2008 R2 Netsh Commands for Wired Local Area Network (LAN) |
Windows Server 2008 R2 Network Diagnostics Framework (NDF) and Network Tracing |
Tools and settings
Content not available
Content not available