802.1X provides security for wired and Wi-Fi networks
Understanding all the 802.1X client settings in Windows can certainly help during deployment and support of an 802.1X network. This is especially true when manual configuration of the settings is required, such as in a domain environment or when fine-tuning wireless roaming for latency-sensitive clients and applications, like VoIP and video.
An understanding of the client settings can certainly be beneficial for simple environments as well, where no manual configuration is required before users can log in. You still may want to enable additive security measures and fine-tune other settings.
Though the exact network and 802.1X settings and interfaces vary across the different versions of Windows, most are quite similar between Windows Vista and Windows 8.1. In this article, we show and discuss those in Windows 7.
Protected EAP (PEAP) Properties
Let’s start with the basic settings for Protected EAP (PEAP), the most popular 802.1X authentication method.
On a Network Connection’s Properties dialog window you can access the basic PEAP settings by clicking the Settings button.
Next, you move through the settings on this PEAP Properties dialog window.
Validate server certificate: When enabled, Windows will try to ensure the authentication server that the client uses is legitimate before passing on its login credentials. This server certificate validation tries to prevent man-in-the-middle attacks, where someone sets up a fake network and authentication server so they can capture your login credentials.
By default, server certificate validation is turned on and we certainly recommend keeping it enabled, but temporarily disabling it can help troubleshoot client connectivity issues.
Connect to these servers: When server certificate validation is used, here you can optionally define the server name that should match the one identified on the server’s certificate. If matching, the authentication process proceeds, otherwise it doesn’t.
Typically, Windows will automatically populate this field based upon the server certificate used and trusted the first time a user connects.
Trusted Root Certification Authorities: This is the list of certification authority (CA) certificates installed on the machine. You select which CA the server’s certificate was issued by, and authentication proceeds if it matches.
Typically, Windows will also automatically choose the CA used by the server certificate the first time a user connects.
Do not prompt user to authorize new servers or trusted certification authorities: This optional feature will automatically deny authentication to servers that don’t match the defined server name and chosen CA certificate. When this is disabled, users would be asked if they’d like to trust the new server certificate instead, which they likely won’t understand.
We recommend this additive security as well. It can help keep users from unknowingly connecting to a fake network and authentication server and falling victim to a man-in-the-middle attack. Unlike the two previous settings, you must manually enable this one.
The next setting is where you choose the tunneled authentication method used by PEAP. Since Secured password (EAP-MSCHAP v2) is the most popular, we’ll go through it. Clicking the Configure button shows one setting for EAP-MSCHAP v2: Automatically use my Windows logon name and password (and domain if any).
This is the dialog box you see after clicking the Configure button for the EAP-MSCHAP v2 authentication method.
This should only be enabled if your Windows login credentials match those in the authentication server, for instance if the server is connected to Active Directory. After connecting to an 802.1X network for the first time, Windows should automatically set this appropriately.
Back on the PEAP Properties dialog window, under the authentication method, are four more settings:
Enable Fast Reconnect: Fast Reconnect, also referred to as EAP Session Resumption, caches the TLS session from the initial connection and uses it to simplify and shorten the TLS handshake process for re-authentication attempts. Since it helps prevent clients roaming between access points from having to do full authentication, it reduces overhead on the network and improves roaming of sensitive applications.
Fast Reconnect is usually enabled by default when a client connects to an 802.1X network that supports it, but if you push network settings to clients you may want to ensure Fast Reconnect is enabled.
Enforce Network Access Protection: When enabled, this forces the client to comply with the Network Access Protection (NAP) policies of a NAP server set up on the network. For instance, NAP can restrict connections of clients that don’t have antivirus, a firewall, the latest updates, or other health-related vulnerabilities.
Disconnect if server does not present cryptobinding TLV: When manually enabled, this requires the server use cryptobinding Type-Length-Value (TLV), otherwise the client won’t proceed with authentication. For RADIUS servers that support cryptobinding TLV, it increases the security of the TLS tunnel in PEAP by combining the inner method and the outer method authentications so that attackers cannot perform man-in-the-middle attacks.
Enable Identity Privacy: When using tunneled EAP authentication (like PEAP), the username (identity) of the client is sent twice to the authentication server. First, it’s sent unencrypted, called the outer identity, and then inside an encrypted tunnel, called the inner identity. In most cases, you don’t have to use the real username on the outer identity, which prevents any eavesdroppers from discovering it. However, depending upon your authentication server you may have to include the correct domain or realm.
This setting is disabled by default and I recommend manually enabling it. After enabling identity privacy, you can type whatever you want as the username, such as “anonymous”. Alternatively, if the domain or realm is required: “anonymous@domain.com”.
Advanced 802.1X Settings
On a Network Connection’s Properties dialog window you can access advanced settings by clicking the Advanced Settings button.
The first tab is the advanced 802.1X settings.
On the 802.1X Settings tab, you can specify the authentication mode: User, Computer, User or Computer, or Guest authentication.
User authentication will use only the credentials provided by the user, while Computer authentication uses only the computer’s credentials. Guest authentication allows connections to the network that are regulated by the restrictions and permissions set for the Guest user account.
Using the combined User or Computer authentication option allows the computer to log into the network before a user logs into Windows and then also enables the user to log in with their own credentials afterward. This enables, for instance, the ability to use 802.1X within a domain environment, as the computer can connect to the network and domain controller before a user actually logs into Windows.
When User only authentication is used, you can click the Save Credentials button to input the username and password. Additionally, you can remove saved credentials by marking the Delete credentials for all users checkbox.
The second section of the 802.1X Settings tab is where you can enable and configure Single Sign On functionality. If the system and network are set up properly, using this feature eliminates the need to provide separate login credentials for Windows and 802.1X. Instead of having to input a username and password during the 802.1X authentication, it uses the Windows account credentials. Single sign-on (SSO) features save time for both users and administrators and help to create an overall more secure network.
Advanced 802.11 Settings
On the Advanced Settings dialog box you’ll see an 802.11 settings tab if WPA2 security is used. First are the Fast Roaming settings:
The second tab on the Advanced Settings window is the advanced 802.11 settings.
Enable Pairwise Master Key (PMK) Caching: This allows clients to perform a partial authentication process when roaming back to the access point the client had originally performed the full authentication on. This is typically enabled by default in Windows, with a default expiration time of 720 minutes (12 hours).
This network uses pre-authentication: When both the client and the access points support pre-authentication, you can manually enable this setting so the client doesn’t have to perform a full 802.1X authentication process when connecting or roaming to new access points on the network. This can help make the roaming process even more seamless, useful for sensitive clients and traffic, such as voice and video. Once a client authenticates via one access point, the authentication details are conveyed to the other access points. Basically it's like doing PMK caching with all access points on the network after connecting to just one.
Enable Federal Information Processing Standard (FIPS) compliance for this network: When manually enabled, the AES encryption will be performed in a FIPS 140-2 certified mode, which is a government computer security standard. It would make Windows 7 perform the AES encryption in software, rather than relying on the wireless network adapter.
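Every setting walked through above (the PEAP server validation fields, cryptobinding, identity privacy, the 802.1X authentication mode, and the PMK caching and pre-authentication options on the 802.11 tab) is stored in the wireless profile XML that netsh wlan export profile writes, so you can audit a fleet of clients without clicking through the dialogs. The script below is an added example, not code from this article or from Microsoft: it parses an exported profile and reports which of the hand-enabled protections the article recommends are still off. The XML element and namespace names follow the Windows WLAN/PEAP profile schema as I know it; the two embedded profiles are constructed samples rather than real exports, the server name is made up, and the CA thumbprint is a placeholder.

```python
"""Audit an exported Windows WLAN profile for the PEAP and roaming settings
discussed in the article. Added example; not the article's or Microsoft's code."""
import xml.etree.ElementTree as ET

# XML namespaces used by Windows WLAN profile exports (netsh wlan export profile).
NS = {
    "p": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample (not a real export): WPA2-Enterprise with PEAP/EAP-MSCHAP v2, where the
# settings the article says you must enable by hand are still at their defaults.
WEAK_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>CorpWiFi</name>
 <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
 <connectionType>ESS</connectionType><connectionMode>auto</connectionMode>
 <MSM><security>
  <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
  <PMKCacheMode>enabled</PMKCacheMode><PMKCacheTTL>720</PMKCacheTTL><PMKCacheSize>128</PMKCacheSize>
  <preAuthMode>disabled</preAuthMode>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <authMode>machineOrUser</authMode>
   <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
    <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
     <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>
       <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
       <ServerNames></ServerNames>
      </ServerValidation>
      <FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type>
       <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
        <UseWinLogonCredentials>true</UseWinLogonCredentials>
       </EapType></Eap>
      <EnableQuarantineChecks>false</EnableQuarantineChecks>
      <RequireCryptoBinding>false</RequireCryptoBinding>
      <PeapExtensions>
       <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
       <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
       <IdentityPrivacy xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">
        <EnableIdentityPrivacy>false</EnableIdentityPrivacy><AnonymousUserName></AnonymousUserName>
       </IdentityPrivacy>
      </PeapExtensions>
     </EapType></Eap></Config>
   </EapHostConfig></EAPConfig>
  </OneX>
 </security></MSM>
</WLANProfile>
"""

# The same profile with the hand-enabled hardening from the article turned on: a pinned
# server name and CA, no trust prompt for users, cryptobinding required, identity privacy on.
# The server name is made up and the CA thumbprint is a placeholder, not a real hash.
HARDENED_PROFILE = (
    WEAK_PROFILE
    .replace("<DisableUserPromptForServerValidation>false", "<DisableUserPromptForServerValidation>true")
    .replace("<ServerNames></ServerNames>",
             "<ServerNames>radius.corp.example</ServerNames>"
             "<TrustedRootCA>PLACEHOLDER_CA_THUMBPRINT</TrustedRootCA>")
    .replace("<RequireCryptoBinding>false", "<RequireCryptoBinding>true")
    .replace("<EnableIdentityPrivacy>false", "<EnableIdentityPrivacy>true")
    .replace("<AnonymousUserName></AnonymousUserName>", "<AnonymousUserName>anonymous</AnonymousUserName>")
)


def _text(root, path):
    """Stripped text of the first element matching path, or None if absent or empty."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text and el.text.strip() else None


def audit_profile(xml_text):
    """Return (findings, roaming): findings lists the article's recommended protections that
    are not in place; roaming reports the 802.1X mode and 802.11 fast-roaming settings."""
    root = ET.fromstring(xml_text)
    sv = ".//peap:ServerValidation/"
    findings = []
    if _text(root, ".//peap2:PerformServerValidation") != "true":
        findings.append("validate-server-certificate-off")      # Validate server certificate
    if _text(root, sv + "peap:ServerNames") is None:
        findings.append("no-server-name-pinned")                # Connect to these servers
    if _text(root, sv + "peap:TrustedRootCA") is None:
        findings.append("no-trusted-root-ca-pinned")            # Trusted Root Certification Authorities
    if _text(root, sv + "peap:DisableUserPromptForServerValidation") != "true":
        findings.append("user-prompted-to-trust-new-servers")   # Do not prompt user to authorize...
    if _text(root, ".//peap:RequireCryptoBinding") != "true":
        findings.append("cryptobinding-tlv-not-required")       # Disconnect if no cryptobinding TLV
    if _text(root, ".//peap2:IdentityPrivacy/peap2:EnableIdentityPrivacy") != "true":
        findings.append("identity-privacy-off")                 # Enable Identity Privacy
    roaming = {
        "auth_mode": _text(root, ".//onex:authMode"),           # user / machine / machineOrUser / guest
        "fast_reconnect": _text(root, ".//peap:FastReconnect") == "true",
        "pmk_cache": _text(root, ".//p:PMKCacheMode") == "enabled",
        "pmk_cache_ttl_min": int(_text(root, ".//p:PMKCacheTTL") or 0),
        "pre_auth": _text(root, ".//p:preAuthMode") == "enabled",
    }
    return findings, roaming


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        found, roam = audit_profile(xml)
        print(label, "->", found or "no findings", roam)
```

To run it against a real client, export the profile first (netsh wlan export profile name="CorpWiFi" folder=C:\profiles, which does not need key=clear because no PSK is involved) and pass the file contents to audit_profile. The checks deliberately treat a missing element the same as a wrong value, since Windows omits TrustedRootCA entirely when no CA has been selected, and that absence is exactly the case where a user would be prompted to trust whatever certificate a rogue authentication server presents.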