802.1X Authenticated Wired Access Design Guide
Updated: January 9, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
The Windows Server® 2008 operating system provides the networking services needed to deploy a secure and manageable 802.1X authenticated network infrastructure. This guide provides comprehensive guidance to help you design an 802.1X authenticated wired access solution.
Authentication prevents users without valid credentials from being able to connect to your domain over the wired network. Authorization verifies that the wired node meets all of the conditions that are required to make a connection to the switch. IEEE 802.1X uses the Extensible Authentication Protocol (EAP) to exchange authentication credentials. IEEE 802.1X authentication can be based on different EAP authentication methods such as those using secured passwords (user name and password) or a digital certificate.
Many Ethernet switches are capable of providing port-based network access control, a technology that prevents communication from traversing ports on the switch until the computer that is physically connected to the port is authenticated and its access is authorized. The IEEE 802.1X standard defines how switches perform port-based network access control. IEEE 802.1X authentication is designed for wired LANs that contain an authentication infrastructure consisting of one or more Remote Authentication Dial-In User Service (RADIUS) servers, account databases such as Active Directory, and 802.1X-capable Ethernet switches. An 802.1X-capable Ethernet switch prevents any computer that is connected to the switch from sending or receiving communications on the wired network until that computer is successfully authenticated and authorized.
This guide is intended for infrastructure specialists, system architects, and IT professionals.
The purpose of this guide is to help you plan and design a new 802.1X authenticated wired access deployment.
Following are the requirements for deploying a wired access infrastructure as documented in this guide:
- Before deploying authenticated wired access, you must first purchase and install 802.1X-capable switches at your site.
- Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide. You can view the Foundation Network Guide online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=106252. You can download the Foundation Network Guide in Word format from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=105231.
- Server certificates are required when you deploy the Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) certificate-based authentication method. For information about deploying server certificates, see Foundation Network Companion Guide: Deploying Server Certificates. You can view Foundation Network Companion Guide: Deploying Server Certificates online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=108258. You can download Foundation Network Companion Guide: Deploying Server Certificates in Word format from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=108259.
- Server certificates and computer and user certificates are required when you deploy Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). For information about deploying user and computer certificates, see Foundation Network Companion Guide: Deploying Computer and User Certificates. You can view Foundation Network Companion Guide: Deploying Computer and User Certificates online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=113884. You can download Foundation Network Companion Guide: Deploying Computer and User Certificates in Word format from the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=115742.
- You or someone else in your organization is familiar with the IEEE 802.3 standards that are supported by your switches and by the network adapters installed in the client computers on your network.
This guide uses a step-by-step approach to help you decide which design best fits your wired access needs and to help you create a design based on the most common wired access design goals. The two scenarios are:
- Wired access by using PEAP-MS-CHAP v2 for secure password authentication. This design is well suited to small businesses and medium-sized organizations. Secure password authentication provides strong security and uses domain account credentials (user name and password) for client authentication. When deploying wired access by using PEAP-MS-CHAP v2, you can either purchase certificates from a public certification authority (CA), such as VeriSign, or deploy a private CA on your network by using Active Directory Certificate Services (AD CS).
- Wired access by using either EAP-TLS or PEAP-TLS for authentication using digital certificates. This design is well suited to medium-sized and enterprise-sized networks. Digital certificates provide more robust security than secure password authentication. In this design guide, digital certificates are either smart cards or certificates issued to your users and computers by the CA you deploy on your network. If your wired access solution uses either EAP-TLS or PEAP-TLS, you must deploy a private CA on your network by using AD CS.
After reading this guide, you will have the information necessary to begin deploying wired access by using the 802.1X Authenticated Wired Deployment Guide in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=137750.