802.1X provides security for wired and Wi-Fi networks
Understanding all the 802.1X client settings in Windows can certainly help
during deployment and support of an 802.1X network. This is especially true when
manual configuration of the settings is required, such as in a domain
environment or when fine-tuning wireless roaming for latency-sensitive clients
and applications, like VoIP and video.
An understanding of the client settings can certainly be beneficial for simple
environments as well, where no manual configuration is required before users can
log in. You still may want to enable additive security measures and fine-tune
other settings.
Though the exact network and 802.1X settings and interfaces vary across the
different versions of Windows, most are quite similar between Windows Vista and
Windows 8.1. In this article, we show and discuss those in Windows 7.
Protected EAP (PEAP) Properties
Let’s start with the basic settings for Protected EAP (PEAP), the most popular
802.1X authentication method.
On a Network Connection’s Properties dialog window you can access the basic PEAP
settings by clicking the Settings button.
Next, you move through the settings on this PEAP Properties dialog window.
Validate server certificate: When enabled, Windows will try to ensure the
authentication server that the client uses is legitimate before passing on its
login credentials. This server certificate validation tries to prevent
man-in-the-middle attacks, where someone sets up a fake network and
authentication server so they can capture your login credentials.
By default, server certificate validation is turned on and we certainly
recommend keeping it enabled, but temporarily disabling it can help troubleshoot
client connectivity issues.
Connect to these servers: When server certificate validation is used, here you
can optionally define the server name that should match the one identified on
the server’s certificate. If matching, the authentication process proceeds,
otherwise it doesn’t.
Typically, Windows will automatically populate this field based upon the server
certificate used and trusted the first time a user connects.
Trusted Root Certification Authorities: This is the list of certification
authority (CA) certificates installed on the machine. You select which CA the
server’s certificate was issued by, and authentication proceeds if it matches.
Typically, Windows will also automatically choose the CA used by the server
certificate the first time a user connects.
Do not prompt user to authorize new servers or trusted certification
authorities: This optional feature will automatically deny authentication to
servers that don’t match the defined server name and chosen CA certificate. When
this is disabled, users would be asked if they’d like to trust the new server
certificate instead, which they likely won’t understand.
We recommend this additive security as well. It can keep users from unknowingly
connecting to a fake network and authentication server and falling victim to a
man-in-the-middle attack. Unlike the two previous settings, you must manually
enable this one.
The next setting is where you choose the tunneled authentication method used by
PEAP. Since Secured password (EAP-MSCHAP v2) is the most popular, we’ll go
through it. Clicking the Configure button shows one setting for EAP-MSCHAP v2:
Automatically use my Windows logon name and password (and domain if any).
This is the dialog box you see after clicking the Configure button for the
EAP-MSCHAP v2 authentication method.
This should only be enabled if your Windows login credentials match those in the
authentication server, for instance if the server is connected to Active
Directory. After connecting to an 802.1X network for the first time, Windows
should automatically set this appropriately.
Back on the PEAP Properties dialog window, under the authentication method, are
four more settings:
Enable Fast Reconnect: Fast Reconnect, also referred to as EAP Session
Resumption, caches the TLS session from the initial connection and uses it to
simplify and shorten the TLS handshake process for re-authentication attempts.
Since it helps prevent clients roaming between access points from having to do
full authentication, it reduces overhead on the network and improves roaming of
sensitive applications.
Fast Reconnect is usually enabled by default when a client connects to an 802.1X
network that supports it, but if you push network settings to clients you may
want to ensure Fast Reconnect is enabled.
Enforce Network Access Protection: When enabled, this forces the client to
comply with the Network Access Protection (NAP) policies of a NAP server set up
on the network. For instance, NAP can restrict connections of clients that don’t
have antivirus, a firewall, the latest updates, or that have other health-related
vulnerabilities.
Disconnect if server does not present cryptobinding TLV: When manually enabled,
this requires that the server use a cryptobinding Type-Length-Value (TLV);
otherwise the client won’t proceed with authentication. For RADIUS servers that
support the cryptobinding TLV, it increases the security of the TLS tunnel in
PEAP by binding the inner method and the outer method authentications together,
so that attackers cannot perform man-in-the-middle attacks.
Enable Identity Privacy: When using tunneled EAP authentication (like PEAP), the
username (identity) of the client is sent twice to the authentication server.
First, it’s sent unencrypted, called the outer identity, and then inside an
encrypted tunnel, called the inner identity. In most cases, you don’t have to
use the real username as the outer identity, which prevents any eavesdroppers
from discovering it. However, depending upon your authentication server you may
have to include the correct domain or realm.
This setting is disabled by default and I recommend manually enabling it. After
enabling identity privacy, you can type whatever you want as the username, such
as “anonymous”. Alternatively, if the domain or realm is required: “anonymous@domain.com”.
Advanced 802.1X Settings
On a Network Connection’s Properties dialog window you can access advanced
settings by clicking the Advanced Settings button.
The first tab is the advanced 802.1X settings.
On the 802.1X Settings tab, you can specify the authentication mode: User,
Computer, User or Computer, or Guest authentication.
User authentication will use only the credentials provided by the user, while
Computer authentication uses only the computer’s credentials. Guest
authentication allows connections to the network that are regulated by the
restrictions and permissions set for the Guest user account.
Using the combined User or Computer authentication option allows the computer to
log into the network before a user logs into Windows and then also enables the
user to log in with their own credentials afterward. This enables, for instance,
the ability to use 802.1X within a domain environment, as the computer can
connect to the network and domain controller before a user actually logs into
Windows.
When User only authentication is used, you can click the Save Credentials button
to input the username and password. Additionally, you can remove saved
credentials by marking the Delete credentials for all users checkbox.
The second section of the 802.1X Settings tab is where you can enable and
configure Single Sign On functionality. If the system and network are set up
properly, using this feature eliminates the need to provide separate login
credentials for Windows and 802.1X. Instead of having to input a username and
password during the 802.1X authentication, it uses the Windows account
credentials. Single sign-on (SSO) features save time for both users and
administrators and help to create an overall more secure network.
Advanced 802.11 Settings
On the Advanced Settings dialog box you’ll see an 802.11 settings tab if WPA2
security is used. First are the Fast Roaming settings:
The second tab on the Advanced Settings window is the advanced 802.11
settings.
Enable Pairwise Master Key (PMK) Caching: This allows clients to perform a
partial authentication process when roaming back to the access point the client
had originally performed the full authentication on. This is typically enabled
by default in Windows, with a default expiration time of 720 minutes (12 hours).
This network uses pre-authentication: When both the client and the access points
support pre-authentication, you can manually enable this setting so the client
doesn’t have to perform a full 802.1X authentication process when connecting or
roaming to new access points on the network. This can help make the roaming
process even more seamless, useful for sensitive clients and traffic, such as
voice and video. Once a client authenticates via one access point, the
authentication details are conveyed to the other access points. Basically it's
like doing PMK caching with all access points on the network after connecting to
just one.
Enable Federal Information Processing Standard (FIPS) compliance for this
network: When manually enabled, the AES encryption will be performed in a FIPS
140-2 certified mode, which is a government computer security standard. It would
make Windows 7 perform the AES encryption in software, rather than relying on
the wireless network adapter.
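The settings walked through above can be checked without clicking through the dialogs, which is useful once profiles are pushed to many clients. The following PowerShell script is an added example, not code from the article or from Microsoft: it exports a wireless profile with netsh, reads the exported XML, and reports each PEAP, 802.1X and 802.11 setting discussed above next to the value the article recommends. The script name, the mapping of each dialog setting to an XML element name, and the assumption that a setting which was never configured is simply absent from the export are the author's assumptions, based on Microsoft's WLAN profile, OneX and MS-PEAP schemas; compare the element names with a profile exported from one of your own machines before relying on the result.

```powershell
<#
  Added example (not from the article or from Microsoft): audit an exported
  Windows wireless profile against the PEAP, 802.1X and 802.11 client settings
  described above. Element names (PerformServerValidation, ServerNames,
  TrustedRootCA, RequireCryptoBinding, EnableIdentityPrivacy, authMode,
  PMKCacheMode, preAuthMode, FIPSMode, ...) are assumed from the WLAN profile,
  OneX and MS-PEAP schemas; verify them against your own export.
  Usage:  .\Test-DotOneXProfile.ps1 -ProfileName "CorpWiFi"
#>
param(
    [Parameter(Mandatory = $true)] [string] $ProfileName   # profile (SSID) name as shown by "netsh wlan show profiles"
)

# Export into a fresh folder so the only XML file there is the one netsh just wrote.
$exportDir = Join-Path $env:TEMP ("8021x-audit-" + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $exportDir | Out-Null
netsh wlan export profile name="$ProfileName" folder="$exportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $exportDir -Filter '*.xml' | Select-Object -First 1
if (-not $xmlFile) { throw "netsh did not export a profile named '$ProfileName'." }
[xml] $doc = Get-Content -Path $xmlFile.FullName -Raw

# Look elements up by local name only, so the V1/V2/V3 PEAP namespaces do not matter.
function Get-ProfileSetting([string] $LocalName) {
    $node = $doc.SelectSingleNode("//*[local-name()='$LocalName']")
    if ($null -eq $node) { return $null }
    return $node.InnerText.Trim()
}

# One row per dialog setting: the XML element it maps to (assumed) and the value
# recommended above. Want = $null means "report only; site policy decides".
$checks = @(
    @{ Dialog = 'Validate server certificate';                            Element = 'PerformServerValidation';              Want = 'true' }
    @{ Dialog = 'Connect to these servers';                               Element = 'ServerNames';                          Want = '<non-empty>' }
    @{ Dialog = 'Trusted Root Certification Authorities';                 Element = 'TrustedRootCA';                        Want = '<non-empty>' }
    @{ Dialog = 'Do not prompt user to authorize new servers';            Element = 'DisableUserPromptForServerValidation'; Want = 'true' }
    @{ Dialog = 'Automatically use my Windows logon name and password';   Element = 'UseWinLogonCredentials';               Want = $null }
    @{ Dialog = 'Enable Fast Reconnect';                                  Element = 'FastReconnect';                        Want = 'true' }
    @{ Dialog = 'Enforce Network Access Protection';                      Element = 'EnableQuarantineChecks';               Want = $null }
    @{ Dialog = 'Disconnect if server does not present cryptobinding TLV'; Element = 'RequireCryptoBinding';               Want = 'true' }
    @{ Dialog = 'Enable Identity Privacy';                                Element = 'EnableIdentityPrivacy';                Want = 'true' }
    @{ Dialog = 'Authentication mode (802.1X Settings tab)';              Element = 'authMode';                             Want = $null }
    @{ Dialog = 'Enable PMK caching';                                     Element = 'PMKCacheMode';                         Want = 'enabled' }
    @{ Dialog = 'PMK cache lifetime (minutes)';                           Element = 'PMKCacheTTL';                          Want = $null }
    @{ Dialog = 'This network uses pre-authentication';                   Element = 'preAuthMode';                          Want = $null }
    @{ Dialog = 'Enable FIPS compliance for this network';                Element = 'FIPSMode';                             Want = $null }
)

$report = foreach ($c in $checks) {
    $actual = Get-ProfileSetting $c.Element
    if ($null -eq $actual) {
        # Assumption: a setting that was never configured is omitted from the export,
        # so treat an absent element as "not hardened" rather than silently passing it.
        $status = 'MISSING'
    } elseif ($null -eq $c.Want) {
        $status = 'INFO'
    } elseif ($c.Want -eq '<non-empty>') {
        $status = if ($actual.Length -gt 0) { 'OK' } else { 'REVIEW' }
    } else {
        $status = if ($actual -eq $c.Want) { 'OK' } else { 'REVIEW' }
    }
    [pscustomobject]@{ Status = $status; Setting = $c.Dialog; Element = $c.Element; Value = $actual; Recommended = $c.Want }
}

$report | Format-Table -AutoSize
Remove-Item -Path $exportDir -Recurse -Force

# Exit non-zero when any recommended setting is absent or differs, so the script
# can gate a deployment check for pushed profiles.
if ($report | Where-Object { $_.Status -in @('MISSING', 'REVIEW') }) { exit 1 }
```

Because an 802.1X profile carries no pre-shared key, the export needs no key=clear option. For a wired connection, netsh lan export profile folder=... writes one XML file per wired interface; the same element lookups apply to those files, with the 802.11-only rows (PMK caching, pre-authentication, FIPS mode) reporting as MISSING, which is expected there.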