Monday, February 1, 2010

WIRELESS

802.1X Authenticated Wireless Access Design
Wireless networking offers users a high degree of mobility and provides a networking option when traditional wired networks are impractical. The Windows Server® 2008 operating system provides the networking services needed to deploy a secure and manageable wireless local area network (WLAN) infrastructure for network environment ranging from a small business to an enterprise. This guide provides comprehensive guidance to help you design an 802.1X authenticated wireless access solution.

Wireless access can provide the following benefits:

* Strong authentication. IEEE 802.1X was originally a standard for Ethernet switches and was adapted to 802.11 wireless LANs to provide much stronger authentication than the original 802.11 standard offered. Wireless network authentication can be based on different EAP authentication methods, such as those using a secure password (the user account name and password credentials) or a digital certificate. IEEE 802.1X prevents a wireless node from joining a wireless network until the node has performed a successful authentication. Additionally, the mutual authentication component of EAP prevents wireless users from connecting to rogue wireless access points (APs) and rogue NPS servers.

Although 802.1X authenticated access is optimal for medium and large wireless LANs, it can also be used by small organizations that require strong security. An 802.1X authenticated wireless access infrastructure consists chiefly of servers running Network Policy Server (NPS) and an account database such as the Active Directory® Domain Services (AD DS) account database. IEEE 802.1X uses Extensible Authentication Protocol (EAP).

* Infrastructure flexibility. In general, WLANs can extend or replace a wired infrastructure in situations where it is costly, inconvenient, or impossible to lay cables. A wireless LAN can connect the networks in two buildings that are separated by physical obstacles or financial constraints. You can also use wireless LAN technologies to create a temporary network, which is in place for only a specific amount of time. Additionally, deploying a wireless network, in instances where a company needs to rapidly expand their workforce, can be a more efficient and cost effective alternative than installing the physical cabling required for a traditional Ethernet network. And even if no wireless infrastructure is present, wireless portable computers can still form their own ad hoc networks to communicate and share data with each other.

* Mobility and productivity. Wireless access can increase productivity for employees that require mobility. Mobile users who are equipped with a portable computer can remain connected to the network. This enables the user to change locations—to meeting rooms, hallways, lobbies, cafeterias, classrooms, and so forth—and still have access to network resources. Without wireless access, the user must carry Ethernet cabling and is restricted to working near a network jack. Wireless LAN networking is a perfect technology for environments where movement is required.


Prerequisites

Following are the requirements for deploying a wireless access infrastructure by using the scenario documented in this guide:

* Before deploying this scenario, you must first purchase and install 802.1X-capable wireless APs to provide wireless coverage in the locations you want at your site.

* Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide.


* Server certificates are required when you deploy the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) certificate-based authentication method. For information about deploying server certificates, see Foundation Network Companion Guide: Deploying Server Certificates.

* Server certificates and computer and user certificates are required when you deploy Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). For information about deploying user and computer certificates, see Foundation Network Companion Guide: Deploying Computer and User Certificates. You can view Foundation Network Companion Guide: Deploying Computer and User Certificates online in the Windows Server 2008 Technical Library at http://go.microsoft.com/fwlink/?LinkId=113884. You can download Foundation Network Companion Guide: Deploying Computer and User Certificates in Word format at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=115742.


* You or someone else in your organization is familiar with the IEEE 802.11 standards that are supported by your wireless APs and the wireless network adapters installed in the client computers on your network. For example, they must be familiar with radio frequency types, the personal and enterprise editions of 802.11 wireless authentication (Wi-Fi Protected Access [WPA] and WPA version 2 [WPA2]), and ciphers (such as Advanced Encryption Standard [AES] and Temporal Key Integrity Protocol [TKIP]).

This guide takes a step-by-step approach to help you decide which design best fits your wireless access needs and to help you create a design based on the most common wireless design goals. The two scenarios are:

* Wireless access by using PEAP-MS-CHAP v2 for secure password authentication. This design is well suited to small businesses and medium organizations. Secure password authentication provides strong security, and uses domain account credentials (user name and password) for client authentication. When deploying wireless access by using PEAP-MS-CHAP v2, you can either purchase certificates from a public certification authority (CA), such as VeriSign, or deploy a private CA on your network by using Active Directory Certificate Services (AD CS).

* Wireless access by using either EAP-TLS or PEAP-TLS for authentication using digital certificates. This design is well suited to medium- and enterprise-sized networks. Digital certificates provide more robust security than secure password authentication. In this design guide, digital certificates are either smart cards, or certificates issued to your users and computers by the CA you deploy on your network. If your wireless solution uses either EAP-TLS or PEAP-TLS, you must deploy a private CA on your network by using AD CS.


Deploying 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2

The Windows Server 2008 Foundation Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® Domain Services (AD DS) domain in a new forest.

This guide explains how to build upon a foundation network by providing instructions about how to deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated IEEE 802.11 wireless access using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).

Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is easier and less expensive to deploy than EAP-TLS or PEAP-TLS.
Note
In this guide, IEEE 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2 is abbreviated to “wireless access.”
About this guide

This guide provides instructions on how to deploy a WiFi access infrastructure using PEAP-MS-CHAP v2 and the following components:

* One or more 802.1X-capable 802.11 wireless access points (APs).

* Active Directory Users and Computers.

* Group Policy Management.

* One or more Network Policy Server (NPS) servers.

* Server certificates for computers running NPS.

* Wireless client computers running Windows Vista or Windows XP with Service Pack 2.

This guide is for network and system administrators who have:

* Followed the instructions in the Windows Server 2008 Foundation Network Guide to deploy a foundation network, or for those who have previously deployed the core technologies included in the foundation network, including AD DS, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS).

* Either followed the instructions in the Windows Server 2008 Foundation Network Companion Guide: Deploying Server Certificates to deploy and use Active Directory Certificate Services (AD CS) to autoenroll server certificates to computers running NPS, or who have purchased a server certificate from a public CA, such as VeriSign, that client computers already trust. A client computer trusts a CA if that CA cert is already in the Trusted Root Certification Authorities certificate store on Windows-based computers. By default, computers running Windows have multiple public CA certificates installed in their Trusted Root Certification Authorities certificate store.

The Foundation Network Companion Guide: Deploying Server Certificates is available for download in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=108259) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=108258).

It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Requirements

Following are the requirements for deploying a wireless access infrastructure by using the scenario documented in this guide:

* Before deploying this scenario, you must first purchase and install 802.1X-capable wireless access points to provide wireless coverage in the desired locations at your site.

* Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide.

* Server certificates are required when you deploy the PEAP-MS-CHAP v2 certificate-based authentication method.

* You or someone else in your organization is familiar with the IEEE 802.11 standards that are supported by your wireless APs and the wireless network adapters installed in the client computers on your network; for example, radio frequency types, 802.11 wireless authentication (WPA2 or WPA), and ciphers (AES or TKIP). For information about determining which wireless standards are supported on wireless client computers running Windows Vista and Windows Server 2008.

What this guide does not provide

Following are some items this guide does not provide:

Comprehensive guidance for selecting 802.1X-capable wireless access points

Because many differences exist between brands and models of 802.1X-capable wireless APs, this guide does not provide detailed information about:

* Determining which brand or model of wireless AP is best suited to your needs.

* The physical deployment of wireless APs on your network.

* Advanced wireless AP configuration, such as for wireless VLAN.

* Instructions on how to configure wireless AP vendor-specific attributes in NPS.

Additionally, terminology and names for settings vary between wireless AP brands and models, and might not match the generic setting names referenced in this guide. For wireless AP configuration details, you must review the product documentation provided by the manufacturer of your wireless APs.

Instructions for deploying NPS server certificates

There are two alternatives for deploying NPS server certificates. This guide does not provide comprehensive guidance to help you determine which alternative will best meet your needs. In general, however, the choices you face are:

* Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.

o Advantages:

+ Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.

+ Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network.

o Disadvantages:

+ This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy.

+ Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.

* Deploying a private CA on your network by using AD CS.

o Advantages:

+ AD CS is included with Windows Server 2008.

+ This solution scales very well. After you have deployed a private CA on your network, AD CS automatically issues certificates to all NPS servers in your domain with no incremental increases in cost, even if you later add NPS servers to your network.

+ AD CS automatically issues a server certificate to new NPS servers that you add to your network.

+ If you later decide to change your authentication infrastructure from secure password authentication using PEAP to one that requires client certificates and uses either EAP-TLS or PEAP-TLS, you can do so by using your AD CS-based private CA.

o Disadvantages:

+ Deploying a private CA on your network requires more specialized knowledge than purchased certificates, and can be more difficult to deploy.

+ It is possible to expose your network to specific security vulnerabilities if the proper precautions are not taken when deploying a private CA on your network.

NPS network policies and other NPS settings

Except for the configuration settings made when you run the Configure 802.1X wizard, as documented in this guide, this guide does not provide detailed information for manually configuring NPS conditions, constraints or other NPS settings.

For more information about NPS, see Additional Resources in this guide.

DHCP

This deployment guide does not provide information about designing or deploying DHCP subnets for wireless LANs.

For more information about DHCP, see the Additional Resources in this guide.
Technology overviews

Following are technology overviews for deploying wireless access:
IEEE 802.1X

The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated network access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.
802.1X-capable wireless access points (APs)

This scenario requires the deployment of one or more 802.1X-capable wireless APs that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.

802.1X and RADIUS-compliant APs, when deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.
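The AP and the NPS server exchange RADIUS packets, and the only thing that ties those packets to a particular NPS server is the shared secret configured on both sides. The following is an added example, not code from the Microsoft guide or from NPS: using only the standard library, it builds an Access-Request the way a wireless AP would, appends the Message-Authenticator that RFC 3579 requires for EAP traffic, and then shows how the AP checks the Response Authenticator of the server's Access-Accept (RFC 2865). The shared secret, user name, authenticator and EAP identity are all constructed values.

```python
"""RADIUS integrity checks between a wireless AP (RADIUS client) and NPS.

Added example, not code from the Microsoft guide or from NPS. Using only
hashlib/hmac it shows the two checks RFC 2865 and RFC 3579 define for the
AP<->RADIUS exchange that carries 802.1X/EAP:
  * Message-Authenticator: HMAC-MD5 over the Access-Request, keyed with the
    shared secret (required whenever EAP-Message attributes are present)
  * Response Authenticator: MD5 over the reply header, the Request
    Authenticator, the reply attributes and the shared secret
Because both depend on the shared secret configured on the AP and in NPS, the
AP can discard an Access-Accept produced by anything that does not hold that
secret. Every value below (secret, user, authenticator) is constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 61, 79, 80
WIRELESS_802_11 = 19  # NAS-Port-Type value for Wireless-IEEE 802.11


def attr(atype, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def iter_attrs(pkt):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        yield atype, pos, pkt[pos + 2:pos + alen]
        pos += alen


def build_access_request(ident, request_authenticator, attrs, secret):
    """AP side: assemble an Access-Request and append its Message-Authenticator.

    The HMAC is computed over the whole packet with the 16 HMAC bytes zeroed
    (RFC 3579 section 3.2), then written into place."""
    attrs = attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = header + request_authenticator + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def verify_message_authenticator(pkt, secret):
    """Server side: recompute the HMAC with the attribute zeroed and compare."""
    for atype, pos, value in iter_attrs(pkt):
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = bytearray(pkt)
            zeroed[pos + 2:pos + 18] = b"\x00" * 16
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # an EAP request without the attribute must be rejected


def build_response(code, ident, attrs, request_authenticator, secret):
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(reply, request_authenticator, secret):
    """AP side: accept a reply only if its authenticator was made with our secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def demo(secret=b"constructed-shared-secret"):
    """Run one request/reply exchange plus a reply made with a different secret."""
    req_auth = bytes(range(16))  # fixed for a reproducible example; APs use os.urandom(16)
    eap_identity = b"\x02\x01\x00\x0f\x01CORP\\alice"  # EAP Response/Identity, constructed
    attrs = (attr(USER_NAME, b"CORP\\alice")
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_802_11))
             + attr(EAP_MESSAGE, eap_identity))
    request = build_access_request(7, req_auth, attrs, secret)
    tampered = request[:26] + b"B" + request[27:]  # one User-Name byte changed in transit
    accept = build_response(ACCESS_ACCEPT, 7, b"", req_auth, secret)
    other = build_response(ACCESS_ACCEPT, 7, b"", req_auth, b"some-other-secret")
    return {
        "request_ok": verify_message_authenticator(request, secret),
        "tampered_ok": verify_message_authenticator(tampered, secret),
        "accept_ok": verify_response(accept, req_auth, secret),
        "wrong_secret_ok": verify_response(other, req_auth, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The practical point for a deployment is in `verify_response`: an Access-Accept is only as trustworthy as the shared secret, so each RADIUS client in NPS should have its own long, random secret, and the same secret must never be reused across APs you do not control.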
Wireless clients

This guide provides comprehensive configuration details to supply 802.1X authenticated access for domain-member users who connect to the network with wireless client computers running either Windows Vista or Windows XP with Service Pack 2 or later. Computers must be joined to the domain in order to successfully establish authenticated access.

If you are using computers running Windows Server 2008 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy extension of Windows Vista Wireless Network (IEEE 802.11) Policies as for computers running Windows Vista. If you are using computers running Windows Server 2003 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy extension of Windows XP Wireless Network (IEEE 802.11) Policies as for computers running Windows XP.
Active Directory Domain Services (AD DS)

AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.

AD DS contains the user accounts, computer accounts, and account properties that are required by IEEE 802.1X and PEAP-MS-CHAP v2 to authenticate user credentials and to evaluate authorization for wireless connections.
Active Directory Users and Computers

Active Directory Users and Computers is a component of AD DS that contains accounts that represent physical entities, such as a computer, a person, or a security group. A security group is a collection of user or computer accounts that administrators can manage as a single unit. User and computer accounts that belong to a particular group are referred to as group members.
Group Policy Management

Group Policy Management is a Windows Server 2008 feature that enables directory-based change and configuration management of user and computer settings, including security and user information. You use Group Policy to define configurations for groups of users and computers. With Group Policy, you can specify settings for registry entries, security, software installation, scripts, folder redirection, remote installation services, and Internet Explorer maintenance. The Group Policy settings that you create are contained in a Group Policy object (GPO). By associating a GPO with selected Active Directory system containers—sites, domains, and OUs—you can apply the GPO's settings to the users and computers in those Active Directory containers. To manage Group Policy objects across an enterprise, you can use the Group Policy Management Editor Microsoft Management Console (MMC).

This guide provides detailed instructions about how to specify settings in the Wireless Network (IEEE 802.11) Policies Group Policy Management extension, which in turn configures the necessary settings on wireless client computers for 802.1X authenticated wireless access.
Server certificates

This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication.

A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service.

A certification authority (CA) is an entity responsible for establishing and vouching for the authenticity of public keys belonging to subjects (usually users or computers) or other CAs. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and revoking certificates.

Active Directory Certificate Services (AD CS) is a Windows Server 2008 server role that issues certificates as a network CA. An AD CS certificate infrastructure, also known as a public key infrastructure (PKI), provides customizable services for issuing and managing certificates for the enterprise.
EAP, PEAP, and PEAP-MS-CHAP v2

Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. Windows Server 2008 includes an EAP infrastructure, supports two EAP types, and can pass EAP messages to NPS servers. By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2008 are:

* Transport Layer Security (TLS)

* Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)

Security Note
Strong EAP types (such as those that are based on certificates) offer better security against brute-force attacks, dictionary attacks, and password guessing attacks than password-based authentication protocols (such as CHAP or MS-CHAP version 1).

Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an NPS server or other RADIUS servers. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MS-CHAP v2) that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers (NASs):

* 802.1X-capable wireless access points

* 802.1X-capable authenticating switches

* Computers running Windows Server 2008 and the Routing and Remote Access service (RRAS) that are configured as virtual private network (VPN) servers

* Computers running Windows Server 2008 and Terminal Services Gateway

PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.

This guide provides instructions to configure your wireless clients and your NPS server(s) to use PEAP-MS-CHAP v2 for 802.1X authenticated access.
Network Policy Server

Network Policy Server (NPS) allows you to centrally configure and manage network policies by using the following three components: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server. NPS is an optional service of a foundation network, but it is required to deploy 802.1X wireless access.

When you configure your 802.1X wireless access points as RADIUS clients in NPS, NPS processes the connection requests sent by the APs. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection. This is explained in more detail as follows:

Authentication

Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:

1. The client authenticates the NPS server. During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the NPS server's identity with the certificate. To successfully authenticate the NPS server, the client computer must trust the CA that issued the NPS server certificate. The client trusts this CA when the CA’s certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.

If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, ensure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.

2. The NPS server authenticates the user. After the client successfully authenticates the NPS server, the client sends the user's password-based credentials to the NPS server, which verifies the user's credentials against the user accounts database in Active Directory Domain Services (AD DS).

If the credentials are valid, the server running NPS proceeds to the authorization phase of processing the connection request. Otherwise, NPS sends an Access Reject message and the connection request is terminated.

Authorization

The server running NPS performs authorization as follows:

* NPS checks for restrictions in the user or computer account dial-in properties in AD DS.

* NPS then processes its network policies to find a policy that matches the connection request. If a matching policy is found, NPS either grants or denies the connection based on that policy’s configuration.

If both authentication and authorization are successful, NPS grants access to the network, and the user and computer can connect to network resources for which they have permissions.

To deploy wireless access, you must configure NPS network policies. This guide provides instructions to use the Configure 802.1X wizard in NPS to create NPS policies for 802.1X authenticated wireless access.
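The authentication and authorization sequence above is easier to reason about as code. The following is an added example, not NPS code and not part of the Microsoft guide: a small model that authenticates the credentials, checks the account's dial-in property, and then walks the network policies in processing order, letting the first policy whose conditions match decide. Two details that deployments trip over are modelled on purpose: a policy whose conditions match but whose constraints fail rejects the request without trying later policies, and the account dial-in property overrides the matched policy's own access permission (the policy option to ignore dial-in properties is not modelled). Account names, groups, passwords and policy names are constructed.

```python
"""Model of how NPS processes an 802.1X wireless connection request.

Added example; it is not NPS code and not from the Microsoft guide. It follows
the sequence the guide describes: authenticate the credentials against the
account store, check the account's dial-in property, then walk the network
policies in processing order and let the first policy whose conditions match
decide. Accounts, groups and policy names are constructed; the password field
stands in for the AD DS credential check.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    password: str
    groups: frozenset
    dial_in: str = "control_by_policy"   # or "allow" / "deny"


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    grant: bool
    nas_port_types: frozenset = frozenset()   # condition; empty = any
    groups: frozenset = frozenset()           # condition; empty = any user
    eap_types: frozenset = frozenset()        # constraint; empty = any method


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    password: str
    nas_port_type: str
    eap_type: str


def evaluate(request, directory, policies):
    """Return ("Access-Accept" | "Access-Reject", reason)."""
    # Authentication phase: does the account exist and do the credentials match?
    account = directory.get(request.user)
    if account is None or account.password != request.password:
        return "Access-Reject", "authentication failed"
    # Authorization phase, step 1: account dial-in property in AD DS.
    if account.dial_in == "deny":
        return "Access-Reject", "account dial-in property denies access"
    # Step 2: network policies in processing order; first condition match decides.
    for policy in policies:
        if policy.nas_port_types and request.nas_port_type not in policy.nas_port_types:
            continue
        if policy.groups and not (account.groups & policy.groups):
            continue
        # Conditions matched. Constraints are checked next; a failed constraint
        # rejects the request instead of falling through to the next policy.
        if policy.eap_types and request.eap_type not in policy.eap_types:
            return "Access-Reject", f"policy '{policy.name}': authentication method not permitted"
        if account.dial_in == "allow" or policy.grant:
            return "Access-Accept", f"policy '{policy.name}' grants access"
        return "Access-Reject", f"policy '{policy.name}' denies access"
    return "Access-Reject", "no network policy matched"


WIRELESS = "Wireless-IEEE 802.11"
PEAP_MSCHAPV2 = "PEAP-MS-CHAP v2"

# Constructed account store standing in for AD DS.
DIRECTORY = {
    "alice": Account("alice", "pw-alice", frozenset({"Domain Users", "Wireless Users"})),
    "bob": Account("bob", "pw-bob", frozenset({"Domain Users", "Wireless Users"}), dial_in="deny"),
    "carol": Account("carol", "pw-carol", frozenset({"Domain Users"})),
}

# Constructed policies in processing order: the wizard-style wireless policy,
# then a catch-all deny like the default "Connections to other access servers".
POLICIES = [
    NetworkPolicy("Secure Wireless Connections", grant=True,
                  nas_port_types=frozenset({WIRELESS}),
                  groups=frozenset({"Wireless Users"}),
                  eap_types=frozenset({PEAP_MSCHAPV2})),
    NetworkPolicy("Connections to other access servers", grant=False),
]


def decide(user, password, nas_port_type=WIRELESS, eap_type=PEAP_MSCHAPV2):
    """Evaluate one request against the constructed directory and policies."""
    request = ConnectionRequest(user, password, nas_port_type, eap_type)
    return evaluate(request, DIRECTORY, POLICIES)


if __name__ == "__main__":
    for user, pw in [("alice", "pw-alice"), ("alice", "wrong"), ("bob", "pw-bob"), ("carol", "pw-carol")]:
        print(user, decide(user, pw))
    print("alice/EAP-TLS", decide("alice", "pw-alice", eap_type="EAP-TLS"))
```

When troubleshooting a rejected wireless connection, the reason strings map onto what NPS records in the event log: a credential failure, a dial-in restriction, a constraint such as the authentication method, or no matching policy at all, and checking them in that order is usually the fastest way to find the cause.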
Bootstrap profiles

For deployments in which the user or IT administrator cannot physically connect a computer to the wired Ethernet network to join the computer to the domain, and the computer does not have the necessary issuing root CA certificate installed in its Trusted Root Certification Authorities certificate store, this guide describes how to configure wireless clients running Windows Vista with a temporary wireless connection profile, called a bootstrap profile, to connect to the wireless network. A bootstrap profile removes the requirement to validate the RADIUS server's computer certificate. This temporary configuration enables the wireless user to join the computer to the domain, at which time the Wireless Network (IEEE 802.11) Policies are applied. The appropriate root CA certificate is then installed on the computer, and one or more wireless connection profiles that enforce the requirement for mutual authentication is installed on the computer. After joining the computer to the domain and restarting the computer, the user can use a wireless connection to log on to the domain.
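The trust requirement described under Authentication above (the client must hold the issuing CA's certificate in its Trusted Root Certification Authorities store) and the bootstrap profile described here both come down to one setting in the client's wireless profile: whether PEAP validates the RADIUS server's certificate, and against which root CA and server names. The following is an added example, not from the Microsoft guide and not a Microsoft tool: a script that reads profile XML in the layout Windows uses for exported WLAN profiles and reports whether server validation is enforced, so that bootstrap profiles that should have been replaced after domain join can be found. The element names are assumed from that profile schema and matched by local name so namespace prefixes do not matter; both sample profiles and the CA thumbprint are constructed.

```python
"""Audit WLAN profiles for bootstrap-profile settings.

Added example, not from the Microsoft guide. A bootstrap profile turns off
validation of the RADIUS server's certificate so a computer that is not yet
domain-joined can reach the network; once the Wireless Network (IEEE 802.11)
Policies profile is applied, no such profile should remain. Element names are
assumed from the Windows WLAN/PEAP profile schema; both profiles are constructed.
"""
import xml.etree.ElementTree as ET

PROFILE_TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>CorpWLAN</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption>
      <useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation><ServerNames>{server_names}</ServerNames>{root_ca}</ServerValidation>
            <PeapExtensions><PerformServerValidation
              xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation>
            </PeapExtensions>
          </EapType></Eap></Config>
      </EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>"""


def make_profile(name, validate, server_names="", root_ca_thumbprint=""):
    """Build a constructed profile; the thumbprint, when given, pins the issuing root CA."""
    root_ca = f"<TrustedRootCA>{root_ca_thumbprint}</TrustedRootCA>" if root_ca_thumbprint else ""
    return PROFILE_TEMPLATE.format(name=name, validate=validate,
                                   server_names=server_names, root_ca=root_ca)


BOOTSTRAP_PROFILE = make_profile("CorpWLAN-bootstrap", "false")
# The thumbprint is a placeholder, not a real CA's value.
HARDENED_PROFILE = make_profile("CorpWLAN", "true", server_names="nps1.corp.example.com",
                                root_ca_thumbprint="00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")


def _first(root, local_name):
    """Return the first element whose tag local name matches, ignoring namespaces."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return el
    return None


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def audit_profile(xml_text):
    """Summarize the server-validation posture of one profile and list findings."""
    root = ET.fromstring(xml_text)
    report = {
        "name": _text(_first(root, "name")),          # profile name precedes the SSID name
        "onex": _text(_first(root, "useOneX")).lower() == "true",
        "eap_method": _text(_first(root, "Type")),    # 25 = PEAP, 13 = EAP-TLS
        "trusted_root_ca": _text(_first(root, "TrustedRootCA")),
        "server_names": _text(_first(root, "ServerNames")),
        "findings": [],
    }
    perform = _first(root, "PerformServerValidation")
    # Assumption: if the V2 PerformServerValidation element is absent, validation is
    # on whenever a ServerValidation block exists.
    report["server_validation"] = (_text(perform).lower() == "true" if perform is not None
                                   else _first(root, "ServerValidation") is not None)
    findings = report["findings"]
    if not report["onex"]:
        findings.append("802.1X is not used; this is not an authenticated profile")
    elif not report["server_validation"]:
        findings.append("server certificate validation is off: bootstrap profile, remove after domain join")
    else:
        if not report["trusted_root_ca"]:
            findings.append("no root CA pinned: any CA in the trusted root store is accepted")
        if not report["server_names"]:
            findings.append("no server name restriction: any certificate from the pinned root is accepted")
    return report


if __name__ == "__main__":
    for profile in (BOOTSTRAP_PROFILE, HARDENED_PROFILE):
        result = audit_profile(profile)
        print(result["name"], "OK" if not result["findings"] else result["findings"])
```

On a real client the input would be the files written by `netsh wlan export profile`, one per profile; a profile that still reports the bootstrap finding after the computer has joined the domain and refreshed Group Policy is the one to remove.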


Deploying Server Certificates
The Windows Server® 2008 Foundation Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® domain in a new forest.

This guide explains how to build on the foundation network by providing instructions for deploying server certificates for computers that are running Network Policy Server (NPS), Routing and Remote Access Service (RRAS), or both.

Server certificates are required when you deploy certificate-based authentication methods with Extensible Authentication Protocol (EAP) and Protected EAP (PEAP) for network access authentication.

Deploying server certificates with Active Directory Certificate Services (AD CS) for EAP and PEAP certificate-based authentication methods provides the following benefits:

* Binding the identity of the server running NPS or the RRAS server to a private key
* A cost-effective and secure method for automatically enrolling certificates to domain member NPS and RRAS servers
* An efficient method for managing certificates and certification authorities (CAs)
* Security provided by certificate-based authentication
* The ability to expand the use of certificates for additional purposes

This guide provides instructions for deploying server certificates to servers running NPS, RRAS servers, or both, by using AD CS.

This guide is designed for network and system administrators who have followed the instructions in the Windows Server 2008 Foundation Network Guide to deploy a foundation network, or for those who have previously deployed the core technologies included in the foundation network, including Active Directory Domain Services (AD DS), Domain Name Service (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS) (optional).

It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Requirements

Following are the requirements for using certificates:

* To deploy server certificates by using autoenrollment, AD CS requires the Windows Server 2008 Enterprise or Datacenter operating systems. AD DS must be installed before AD CS is installed. Although AD CS can be deployed on a single server, many deployments involve multiple servers configured as CAs.
* To deploy PEAP or EAP for virtual private networks (VPNs), you must deploy RRAS configured as a VPN server. The use of NPS is optional; however, if you have multiple VPN servers, using NPS is recommended for ease of administration and for the RADIUS accounting services that NPS provides.
* To deploy PEAP or EAP for Terminal Services Gateway (TS Gateway), you must deploy TS Gateway and NPS.
* To deploy PEAP or EAP for 802.1X secure wired or wireless, you must deploy NPS and additional hardware, such as 802.1X authenticating switches or wireless access points.
* To deploy certificate-based authentication methods that require certificates for user and computer authentication in addition to requiring certificates for server authentication, such as EAP with Transport Layer Security (EAP-TLS) or PEAP-TLS, you must also deploy user and computer certificates through autoenrollment or by using smart cards.

What this guide does not provide

This guide does not provide comprehensive instructions for designing and deploying a public key infrastructure (PKI) by using AD CS. It is recommended that you review AD CS documentation and PKI design documentation before deploying the technologies in this guide. For more information, see the Additional Resources section later in this document.

This guide also does not provide detailed instructions for deploying the network access technologies for which server certificates can be used. In some cases, additional Foundation Network companion guides might be available that provide instructions on deploying these network access solutions.
Technology overviews

Following are technology overviews for EAP, PEAP, and AD CS.
EAP

Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing arbitrary authentication methods that use credential and information exchanges of arbitrary lengths. EAP was developed in response to an increasing demand for authentication methods that use security devices such as smart cards, token cards, and crypto calculators. EAP provides an industry-standard architecture for supporting additional authentication methods within PPP.

With EAP, an arbitrary authentication mechanism is used to verify the identities of the client and server that are establishing a network access connection. The exact authentication scheme to be used is negotiated by the access client and the authenticator (the network access server or the RADIUS server).

With EAP authentication, both the network access client and the authenticator (such as the server running NPS) must support the same EAP type for successful authentication to occur.
Important
Strong EAP types, such as those that are based on certificates, offer better security against brute-force attacks, dictionary attacks, and password-guessing attacks than password-based authentication protocols, such as CHAP or MS-CHAP, version 1.
EAP in Windows Server 2008

Windows Server 2008 includes an EAP infrastructure, two EAP types, and the ability to pass EAP messages to a RADIUS server (EAP-RADIUS) such as NPS.

By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2008 are:

* Transport Layer Security (TLS)
* Microsoft Challenge-Handshake Authentication Protocol, version 2 (MS-CHAP v2)

In addition, you can plug other EAP modules into the server running RRAS to provide other EAP methods.
PEAP

PEAP uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a server running NPS or other Remote Authentication Dial-In User Service (RADIUS) server.

PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MSCHAP v2) that can operate through the TLS-encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization's network through the following types of network access servers:

* 802.1X wireless access points
* 802.1X authenticating switches
* Computers running Windows Server 2008 and RRAS that are configured as VPN servers
* Computers running Windows Server 2008 and TS Gateway

Features of PEAP

To enhance the EAP protocols and network security, PEAP provides:

* A TLS channel that provides protection for the EAP method negotiation that occurs between the client and server. This TLS channel helps prevent an attacker from injecting packets between the client and the network access server to cause the negotiation of a less secure EAP type. The encrypted TLS channel also helps prevent denial of service attacks against the server running NPS.
* Support for the fragmentation and reassembly of messages, which allows the use of EAP types that do not provide this functionality.
* Clients with the ability to authenticate the NPS or other RADIUS server. Because the server also authenticates the client, mutual authentication occurs.
* Protection against the deployment of an unauthorized wireless access point at the moment when the EAP client authenticates the certificate provided by the server running NPS. In addition, the TLS master secret that is created by the PEAP authenticator and the client is not shared with the access point. Because of this, the access point cannot decrypt the messages that are protected by PEAP.
* PEAP fast reconnect, which reduces the delay between an authentication request by a client and the response by the NPS or other RADIUS server. Fast reconnect also allows wireless clients to move between access points that are configured as RADIUS clients to the same RADIUS server without repeated requests for authentication. This reduces resource requirements for the client and the server, and it minimizes the number of times that users are prompted for credentials.
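The rogue access point protection described above only holds if the client actually validates the NPS server certificate and restricts which CA and which server names it accepts. The following script, added here as an example and not part of the original guide or of Windows, exports the saved wireless profiles with netsh wlan and flags profiles whose ServerValidation settings are missing or weak. It assumes Windows Vista or later and PowerShell 2.0 or later, and reads the profile XML elements (ServerValidation, TrustedRootCA, ServerNames, DisableUserPromptForServerValidation, PerformServerValidation) that Windows writes for PEAP and EAP-TLS profiles.

```powershell
# Added example (not from the guide): audit saved WLAN profiles for the server-validation
# settings that give PEAP/EAP-TLS its rogue-AP protection. Assumes Windows Vista or later
# (netsh wlan) and PowerShell 2.0 or later.

function Get-ServerValidationFindings {
    param([xml]$Document)
    $findings = @()
    if ($Document.GetElementsByTagName("OneX").Count -eq 0) {
        return ,@("profile does not use 802.1X (no OneX element)")
    }
    $sv = $Document.GetElementsByTagName("ServerValidation")
    if ($sv.Count -eq 0) {
        return ,@("no ServerValidation element: any RADIUS server certificate is accepted")
    }
    $sv = $sv.Item(0)
    # Both PEAP (type 25) and EAP-TLS (type 13) profiles carry these three elements.
    if (-not $sv.TrustedRootCA) {
        $findings += "no TrustedRootCA thumbprint pinned: any CA in the Trusted Root store is accepted"
    }
    if (-not $sv.ServerNames) {
        $findings += "no ServerNames: any server certificate from the trusted CA is accepted"
    }
    if ("$($sv.DisableUserPromptForServerValidation)" -ne "true") {
        $findings += "user can be prompted to accept an unverified server certificate"
    }
    # PEAP-only switch (MsPeapConnectionPropertiesV2 namespace); absent for EAP-TLS.
    $psv = $Document.GetElementsByTagName("PerformServerValidation")
    if ($psv.Count -gt 0 -and $psv.Item(0).InnerText -ne "true") {
        $findings += "PerformServerValidation is false: PEAP server validation is switched off"
    }
    return ,$findings
}

function Test-WlanServerValidation {
    # Exports every saved profile (or one named profile) and reports weak settings.
    param([string]$ProfileName)
    $dir = Join-Path $env:TEMP ("wlanaudit-" + [Guid]::NewGuid().ToString("N"))
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        # "name=..." as one quoted token survives profile names that contain spaces.
        if ($ProfileName) { netsh wlan export profile "name=$ProfileName" "folder=$dir" | Out-Null }
        else              { netsh wlan export profile "folder=$dir" | Out-Null }
        foreach ($file in Get-ChildItem -Path $dir -Filter *.xml) {
            [xml]$doc = Get-Content -Path $file.FullName
            $name = $doc.DocumentElement["name"].InnerText
            $findings = Get-ServerValidationFindings -Document $doc
            if ($findings.Count -eq 0) {
                Write-Host ("OK      {0}" -f $name)
            } else {
                foreach ($f in $findings) { Write-Warning ("{0}: {1}" -f $name, $f) }
            }
        }
    } finally {
        # The export contains the full EAP configuration; do not leave it behind.
        Remove-Item -Path $dir -Recurse -Force
    }
}

Test-WlanServerValidation
```

Run it as the user who owns the profiles (all-user profiles need an elevated prompt). A profile that pins the root CA thumbprint and names the NPS servers is the configuration that makes the mutual authentication described above effective; correct findings by editing the profile's EAP settings and re-exporting it, or by pushing the corrected profile through Group Policy.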

Active Directory Certificate Services

AD CS in Windows Server 2008 provides customizable services for creating and managing the X.509 certificates that are used in software security systems that employ public key technologies. Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding public key. AD CS also includes features that allow you to manage certificate enrollment and revocation in a variety of scalable environments.

Deploying Computer and User Certificates


This guide explains how to build on the foundation network by providing instructions for deploying client computer and user certificates with Active Directory Certificate Services (AD CS).

Certificates are used for network access authentication because they provide strong security for authenticating users and computers and they eliminate the need for less secure password-based authentication methods.

When you deploy Extensible Authentication Protocol with Transport Layer Security (EAP-TLS) or Protected EAP with TLS (PEAP-TLS), certificates are required for the authentication of servers, clients, and users during network connection attempts through network access servers such as 802.1X authenticating switches and wireless access points, virtual private network (VPN) servers, and computers running Windows Server® 2008 and Terminal Services Gateway (TS Gateway).
Note
All of these network access servers are also called Remote Authentication Dial-In User Service (RADIUS) clients, because they use the RADIUS protocol to send connection requests to RADIUS servers. RADIUS servers process the connection requests and perform authentication and authorization. The RADIUS server and proxy in Windows Server® 2008 is Network Policy Server (NPS). In Windows Server 2008, NPS replaces Internet Authentication Service (IAS).

Deploying certificates with AD CS for EAP and PEAP certificate-based authentication methods provides the following benefits:

* Security provided with certificate-based authentication, which binds the identity of the server running NPS, RRAS server, user, or client computer to a private key
* A cost-effective and secure method for managing certificates, allowing you to automatically enroll, renew, and revoke certificates to domain member computers and domain users
* An efficient method for managing certification authorities (CAs)
* The ability to deploy other types of certificates that are used for purposes other than computer, user, or server authentication. For example, you can deploy certificates that provide users with the ability to digitally sign e-mail, or you can issue certificates used for software code signing.


This guide provides instructions for deploying client computer and user certificates to domain member computers and domain users by using AD CS.

It is intended for network and system administrators who have followed the instructions in the Windows Server 2008 Foundation Network Guide to deploy a foundation network, or for those who have previously deployed the core technologies included in the foundation network, including Active Directory Domain Services (AD DS), Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS) (optional).

It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization network.
Requirements

Following are the requirements for deploying client computer and user certificates using autoenrollment:

* AD DS is installed, as are other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide, which is available for download at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252).
* To perform autoenrollment of client computer and user certificates, your CA must be running the Windows Server 2008 Enterprise operating system or the Windows Server 2008 Datacenter operating system and must be an issuing CA. Although AD CS can be deployed on a single server, many deployments use multiple servers configured as CAs.
* To deploy EAP-TLS or PEAP-TLS, you must enroll server certificates to NPS servers and to computers running Windows Server 2008 and Routing and Remote Access service (RRAS), if you are using RRAS servers as virtual private network (VPN) servers. This guide assumes that you have autoenrolled server certificates in accordance with the Windows Server 2008 Foundation Network Companion Guide: Deploying Server Certificates, which is available at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=108259) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=108258).

Note
If you deploy one or more RRAS servers as VPN servers and you do not have NPS installed, network policies and the authentication methods included in these policies are configured individually per RRAS server, which can be time-consuming and can create opportunities for configuration errors. When you install NPS, you can configure RRAS servers as RADIUS clients in NPS, and then use NPS to centrally manage all policies and authentication methods used per policy.

* To deploy PEAP or EAP for VPN, you must deploy Routing and Remote Access configured as a VPN server. The use of NPS is optional; however, if you have multiple VPN servers, using NPS is recommended for ease of administration and for the RADIUS accounting services that NPS provides.
* To deploy PEAP or EAP for TS Gateway, you must deploy TS Gateway and NPS.
* To deploy PEAP or EAP for 802.1X secure wired or wireless, you must deploy NPS and additional hardware, such as 802.1X authenticating switches or wireless access points.

What this guide does not provide

This guide does not provide information about the following:

* How to deploy client computer and user certificates with smart cards.
* How to deploy server certificates with autoenrollment.
* How to design and deploy a public key infrastructure (PKI) by using AD CS. It is recommended that you review AD CS design and deployment documentation before deploying the technologies in this guide. For more information, see Additional Resources.
* How to deploy the network access technologies for which server certificates can be used. There might be other companion guides available that provide instructions for deploying these network access solutions. You might also want to review the NPS documentation for this information.

Technology overviews

Following are technology overviews for client computer and user certificates, EAP, Group Policy, and PEAP. AD CS is described in the Technology overviews section earlier on this page.
Client computer and user certificates

When you deploy EAP-TLS or PEAP-TLS, you can deploy computer certificates for client computer authentication, user certificates for user authentication, or both.
Note
EAP authenticates one identity per connection attempt. It does not provide a mechanism for dual authentication, that is, authenticating both the computer being used to access the network and the user who is attempting to connect within the same exchange. For this reason, you are not required to issue both computer and user certificates when you deploy EAP and PEAP with certificate-based authentication types.

There are two methods for deploying client computer and user certificates:

* Using smart cards. When you deploy certificates using smart cards, you must purchase additional hardware to imprint certificates on user identification or other cards that your employees use to log on to the network. In addition, users must be supplied with smart card readers, which are used to read the certificate that is imprinted on the smart card when they log on. This guide does not provide information about how to deploy client computer and user certificates with smart cards.
* Using autoenrollment. When you deploy certificates using autoenrollment, you configure the CA to automatically enroll certificates to computers that are members of the Domain Computers group and to users who are members of the Domain Users group. No additional hardware is required to autoenroll certificates, because the certificates are stored on the computer that is connecting to the network. When a computer receives a computer or user certificate from the CA, the certificate is stored locally in a data store named the certificate store.

Important
You should enroll certificates only to the computers and users to whom you want to grant network access through RADIUS clients. You do not have to autoenroll certificates to all members of the Domain Users and Domain Computers groups. Instead, you can issue certificates to subsets of the Domain Users and Domain Computers groups, such as to the Sales team or the Accounting department. To enroll certificates to other groups, create the groups and then add members to the groups in Active Directory Users and Computers. In the Certificate Templates snap-in, remove the Domain Users or Domain Computers groups from the access control list (ACL) on the certificate templates (the User template and the Workstation Authentication template, respectively), and then add the groups that you created to the template.
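The template ACL change described in this note, as an added example that is not part of the original guide. It uses dsacls against the template objects in the Configuration partition of AD DS. The domain name CONTOSO and the groups WLAN-Computers and WLAN-Users are assumptions (create the groups first); the template common names Workstation and User are the actual object names of the Workstation Authentication and User templates.

```powershell
# Added example (not from the guide): restrict autoenrollment of the Workstation
# Authentication and User templates to dedicated groups instead of the broad
# Domain Computers / Domain Users groups. Assumed: domain CONTOSO, groups
# WLAN-Computers and WLAN-Users already exist; run as Enterprise Admin (templates
# live in the Configuration partition); dsacls comes with the AD DS admin tools.
# The guide edits the built-in templates; duplicating a template and editing the
# copy is the usual practice and the commands below work the same way on a copy.

$configNc    = "$(([ADSI]"LDAP://RootDSE").configurationNamingContext)"
$templateCn  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$changes = @(
    # Template CN "Workstation" is the Workstation Authentication template.
    @{ Template = "Workstation"; Broad = "CONTOSO\Domain Computers"; Scoped = "CONTOSO\WLAN-Computers" },
    @{ Template = "User";        Broad = "CONTOSO\Domain Users";     Scoped = "CONTOSO\WLAN-Users" }
)

foreach ($c in $changes) {
    $dn = "CN=$($c.Template),$templateCn"
    # /R drops every ACE for the broad group (Read, Enroll and Autoenroll if present).
    dsacls $dn /R $c.Broad | Out-Null
    # The scoped group needs Read plus the Enroll and AutoEnrollment control-access rights.
    dsacls $dn /G "$($c.Scoped):GR" | Out-Null
    dsacls $dn /G "$($c.Scoped):CA;Enroll" | Out-Null
    dsacls $dn /G "$($c.Scoped):CA;AutoEnrollment" | Out-Null
    # Show the resulting ACEs for both trustees so the change can be reviewed.
    Write-Host "ACL for $dn :"
    dsacls $dn | Select-String -SimpleMatch -Pattern $c.Scoped, $c.Broad
}
```

The ACL change only decides who may enroll; the clients still need the Certificate Services Client - Auto-Enrollment policy enabled in Group Policy (Computer and User Configuration, Public Key Policies) before they request the certificates, and the issuing CA must have the templates published.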
Certificate store

Computers running the Windows operating system have a certificate store where certificates that are installed on the computer are kept. This store contains multiple folders, where certificates of different types are stored. For example, the certificate store contains a Trusted Root Certification Authorities store where the certificates from all trusted root CAs are kept.

When your organization deploys a PKI and installs an enterprise root CA by using AD CS, the CA certificate is published to AD DS, and domain member computers retrieve it automatically. The domain member client and server computers store the CA certificate in the Trusted Root Certification Authorities folder in the Current User and the Local Computer certificate stores. After this occurs, the domain member computers trust certificates that are issued by the trusted root CA.

Similarly, when you autoenroll computer certificates to domain member client computers, the certificate is kept in the Personal certificate store for the Local Computer; and when you autoenroll certificates to users, the user certificate is kept in the Personal certificate store for the Current User.
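A client-side check of the store layout just described, added here as an example and not code from the guide. It assumes the root CA subject shown below (replace it with your own) and uses the standard Client Authentication EKU that the User and Workstation Authentication templates carry; certutil -pulse and certutil -verify are the built-in Windows tools.

```powershell
# Added example (not from the guide): on a domain-joined client, confirm that the root CA
# certificate and a usable computer or user certificate are in the stores the text
# describes, trigger autoenrollment if nothing usable is present, and check the chain
# and revocation status the way a relying party would. Assumed: root CA subject below.

$RootCaSubject = "CN=Contoso Root CA"    # assumption: subject of your enterprise root CA
$ClientAuthEku = "1.3.6.1.5.5.7.3.2"     # Client Authentication EKU (standard OID)

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthEku) { return $true }
            }
        }
    }
    return $false
}

function Get-ClientAuthCertificate {
    # Usable for EAP-TLS: private key present, not expired, Client Authentication EKU.
    param([string]$StorePath)
    @(Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-ClientAuthEku -Cert $_) })
}

$root = @(Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $RootCaSubject })
if ($root.Count -eq 0) {
    Write-Warning "'$RootCaSubject' is not in LocalMachine\Root: NPS server certificates will not chain to a trusted root"
}

$machineCerts = Get-ClientAuthCertificate -StorePath Cert:\LocalMachine\My
$userCerts    = Get-ClientAuthCertificate -StorePath Cert:\CurrentUser\My
"Computer certificates usable for EAP-TLS: $($machineCerts.Count); user certificates: $($userCerts.Count)"

if ($machineCerts.Count -eq 0 -and $userCerts.Count -eq 0) {
    # Autoenrollment normally runs at boot/logon and every 8 hours; -pulse starts it now.
    Write-Warning "No Client Authentication certificate with a private key found; triggering autoenrollment"
    certutil -pulse | Out-Null
}

if ($machineCerts.Count -gt 0) {
    # Chain and revocation check with CDP/AIA fetching; a certificate that fails here
    # will also be rejected by NPS when the client presents it.
    $cerFile = Join-Path $env:TEMP "eaptls-check.cer"
    $der = $machineCerts[0].Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($cerFile, $der)
    certutil -verify -urlfetch $cerFile | Select-String -Pattern "revocation", "ERROR", "CertUtil:"
    Remove-Item -Path $cerFile
}
```

Run the machine-store checks from an elevated prompt; the CurrentUser store is checked in the context of the logged-on user, which is the identity that autoenrolls the user certificate.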
EAP

EAP in Windows Server 2008

Windows Server 2008 includes an EAP infrastructure, two EAP types, and the ability to pass EAP messages to a RADIUS server (EAP-RADIUS) such as NPS.

By using EAP, you can support additional authentication schemes, known as EAP types. The following EAP types are included in Windows Server 2008:

* Transport Layer Security (TLS). EAP-TLS requires the use of computer certificates, user certificates, or both, in addition to server certificates that are enrolled to computers running NPS. If you deploy Routing and Remote Access as a VPN server, VPN servers must also enroll server certificates.
* Microsoft Challenge-Handshake Authentication Protocol, version 2 (MS-CHAP v2).

In addition, you can install other non-Microsoft EAP modules on the server running NPS or Routing and Remote Access to provide other EAP authentication types. In most cases, if you install additional EAP types on servers, you must also install matching EAP client authentication components on client computers so that the client and server can successfully negotiate an authentication method to use for connection requests.
EAP-TLS deployment overview

The following are the general steps for deploying EAP-TLS:

* Deploy network access servers (RADIUS clients) that are both EAP and RADIUS compliant
* Autoenroll server certificates to servers running NPS and, if applicable, Routing and Remote Access VPN servers
* Autoenroll computer certificates, user certificates, or both, to domain member computers and users, respectively, or to other groups that you have created.
* Configure network access servers as RADIUS clients in NPS.
* Configure EAP authentication in NPS or RRAS network policy.
* Ensure that client computers support EAP. By default, Windows Vista® and Windows XP support EAP.

Group Policy

Group Policy in Windows Server 2008 is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions (CSEs) responsible for reading policy settings on target client computers. Group Policy is used in this scenario to enroll and distribute certificates to users, computers, or both.
PEAP


Note
If you plan to deploy Network Access Protection (NAP), you must use PEAP as the authentication method for your deployment with NPS.

Important
To deploy PEAP-TLS, autoenroll server certificates to servers running NPS and, if applicable, RRAS VPN servers. Also autoenroll computer certificates, user certificates, or both to domain member computers and users, respectively. Configure PEAP authentication in NPS or RRAS network policy.
PEAP-TLS deployment overview

The following are the general steps for deploying PEAP-TLS:

* Deploy network access servers (RADIUS clients) that are both EAP and RADIUS compliant.
* Autoenroll server certificates to servers running NPS and, if applicable, RRAS VPN servers.
* Autoenroll computer certificates, user certificates, or both, to domain member computers and users, respectively, or to other groups that you have created.
* Configure network access servers as RADIUS clients in NPS.
* Configure PEAP as the authentication method in NPS or RRAS network policy, with Smart Card or other certificate (EAP-TLS) as the EAP type inside the PEAP tunnel.
* Ensure that client computers support EAP. By default, Windows Vista® and Windows XP support EAP.
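The steps from the EAP-TLS and PEAP-TLS deployment overviews above that can be scripted on the NPS server (registering NPS in AD DS, adding the access points as RADIUS clients, and backing up the result), as an added example that is not part of the guide. The access point names and addresses are constructed for illustration; it assumes the script runs on the NPS server with Domain Admin rights. The network policy that selects EAP-TLS or PEAP-TLS as the authentication method is created in the NPS console and is captured by the export at the end.

```powershell
# Added example (not from the guide): NPS-side setup for the RADIUS client steps of the
# EAP-TLS / PEAP-TLS deployment overviews. Registers NPS in AD DS, adds each 802.1X
# access point as a RADIUS client with its own random shared secret, and requires the
# Message-Authenticator attribute on its requests. Assumed: run on the NPS server as a
# Domain Admin; the access point list below is constructed.

$accessPoints = @(
    @{ Name = "AP-Bldg1-Floor1"; Address = "10.10.1.11" },
    @{ Name = "AP-Bldg1-Floor2"; Address = "10.10.1.12" }
)

function New-RadiusSharedSecret {
    # 32 random bytes as 64 hex characters: high entropy, and no characters that need
    # escaping on the netsh command line or in an access point's configuration UI.
    param([int]$ByteCount = 32)
    $buf = New-Object byte[] $ByteCount
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($buf)
    [System.BitConverter]::ToString($buf).Replace("-", "").ToLower()
}

# Lets NPS read the dial-in properties of user and computer accounts
# (adds the server to the RAS and IAS Servers group).
netsh nps add registeredserver

# Each access point becomes a RADIUS client. requireauthattrib=YES makes NPS reject
# Access-Requests that lack a valid Message-Authenticator, so a forged request from a
# host that has only spoofed the AP's address is dropped. EAP requests carry the
# attribute anyway; non-EAP requests from the same AP would not.
$secrets = @{}
foreach ($ap in $accessPoints) {
    $secret = New-RadiusSharedSecret
    $secrets[$ap.Name] = $secret
    netsh nps add client "name=$($ap.Name)" "address=$($ap.Address)" state=ENABLE `
        "sharedsecret=$secret" requireauthattrib=YES
}
# Each secret must be keyed into the matching access point; hand them over out of band.
$secrets.Keys | ForEach-Object { "{0}: shared secret generated ({1} characters)" -f $_, $secrets[$_].Length }

# Verify what NPS now holds.
netsh nps show client

# Back up the configuration. exportPSK=YES includes the shared secrets, so treat the
# resulting file as a credential store.
netsh nps export "filename=$env:TEMP\nps-config.xml" exportPSK=YES
```

If the RADIUS clients are later moved to a second NPS server, import the same file there with netsh nps import so that both servers hold identical client definitions and policies.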

