Foundation Network Companion Guide: Deploying 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2
Microsoft Corporation
Published: October 2008
Author: Brit Weston
Editor: Scott Somohano
Abstract
The Windows Server® 2008 Foundation Network Guide provides instructions on how to plan for and deploy the core components that are required for a fully functioning network. It also explains how to set up a new Active Directory® Domain Services (AD DS) domain in a new forest.
This companion guide to the Foundation Network Guide provides instructions about how to deploy 802.1X authenticated wireless access by using Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
Your right to copy this documentation is limited by copyright law and the terms of the software license agreement. As the software licensee, you may make a reasonable number of copies or printouts for your own use. Making unauthorized copies, adaptations, compilations, or derivative works for commercial distribution is prohibited and constitutes a punishable violation of the law.
© 2008 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Foundation Network Companion Guide: Deploying 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2
About this guide
Requirements
What this guide does not provide
Technology overviews
IEEE 802.1X
802.1X-capable wireless access points (APs)
Wireless clients
Active Directory Domain Services (AD DS)
Active Directory Users and Computers
Group Policy Management
Server certificates
EAP, PEAP, and PEAP-MS-CHAP v2
Network Policy Server
Bootstrap profiles
Wireless Access Deployment Overview
Wireless access deployment components
802.1X-capable Wireless access points
Active Directory Domain Services
NPS
Wireless client computers
Wireless access deployment process
Wireless Access Deployment Planning
Planning wireless AP installations
Verify wireless AP support for standards
Identify areas of coverage for wireless users
Determine where to install wireless APs
Wireless AP configuration
Planning wireless client configuration and access
Planning support for multiple standards
Planning restricted access to the wireless network
Planning methods for adding new wireless computers
Wireless Access Deployment
Deploying and Configuring Wireless APs
Specify Wireless AP Channel Frequencies
Procedures
Configure Wireless APs
Procedures
Creating Security Groups for Wireless Users
Create a Wireless Users Security Group
Procedures
Add Users to the Wireless Users Security Group
Procedures
Configuring Wireless Network (IEEE 802.11) Policies
Open or Add and Open a Group Policy Object
Procedures
Activate Default Wireless Network (IEEE 802.11) Policies
Procedures
Open Wireless Network (IEEE 802.11) Policies for Editing
Procedures
Configure Windows Vista Wireless Network (IEEE 802.11) Policies
Configure a Windows Vista Wireless Connection Profile for PEAP-MS-CHAP v2
Procedures
Set the Preference Order for Wireless Connection Profiles
Procedures
Define Network Permissions
Procedures
Configure Windows XP Wireless Network (IEEE 802.11) Policies
Configure a Windows XP Wireless Connection Profile for PEAP-MS-CHAP v2
Procedures
Configuring your NPS Server
Register NPS in Active Directory Domain Services
Procedures
Configure a Wireless AP as an NPS RADIUS Client
Procedures
Create NPS Policies for 802.1X Wireless Using a Wizard
Procedures
Joining New Wireless Computers to the Domain
Join the Domain and Log On by using Wireless Method 1
Procedures
Join the Domain and Log On by using Wireless Method 2
Procedures
Join the Domain and Log On by using Wireless Method 3
Procedures
Additional Resources
Foundation Network Companion Guide: Deploying 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2
This is a companion guide to the Windows Server® 2008 Foundation Network Guide, which is available for download in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252).
The Windows Server 2008 Foundation Network Guide provides instructions for planning and deploying the core components required for a fully functioning network and a new Active Directory® Domain Services (AD DS) domain in a new forest.
This guide explains how to build upon a foundation network by providing instructions about how to deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated IEEE 802.11 wireless access using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2).
Because PEAP-MS-CHAP v2 requires that users provide password-based credentials rather than a certificate during the authentication process, it is easier and less expensive to deploy than EAP-TLS or PEAP-TLS.
Note
In this guide, IEEE 802.1X Authenticated Wireless Access with PEAP-MS-CHAP v2 is abbreviated to “wireless access.”
About this guide
This guide provides instructions on how to deploy a WiFi access infrastructure using PEAP-MS-CHAP v2 and the following components:
· One or more 802.1X-capable 802.11 wireless access points (APs).
· Active Directory Users and Computers.
· Group Policy Management.
· One or more Network Policy Server (NPS) servers.
· Server certificates for computers running NPS.
· Wireless client computers running Windows Vista or Windows XP with Service Pack 2.
This guide is designed for network and system administrators who have:
· Followed the instructions in the Windows Server 2008 Foundation Network Guide to deploy a foundation network, or for those who have previously deployed the core technologies included in the foundation network, including AD DS, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), TCP/IP, NPS, and Windows Internet Name Service (WINS).
· Either followed the instructions in the Windows Server 2008 Foundation Network Companion Guide: Deploying Server Certificates to deploy and use Active Directory Certificate Services (AD CS) to autoenroll server certificates to computers running NPS, or who have purchased a server certificate from a public CA, such as VeriSign, that client computers already trust. A client computer trusts a CA if that CA's certificate is already in the Trusted Root Certification Authorities certificate store on Windows-based computers. By default, computers running Windows have multiple public CA certificates installed in their Trusted Root Certification Authorities certificate store.
The Foundation Network Companion Guide: Deploying Server Certificates is available for download in Word format at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=108259) and in HTML format in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=108258).
It is recommended that you review the design and deployment guides for each of the technologies that are used in this deployment scenario. These guides can help you determine whether this deployment scenario provides the services and configuration that you need for your organization's network.
Requirements
Following are the requirements for deploying a wireless access infrastructure by using the scenario documented in this guide:
· Before deploying this scenario, you must first purchase and install 802.1X-capable wireless access points to provide wireless coverage in the desired locations at your site.
· Active Directory Domain Services (AD DS) is installed, as are the other network technologies, according to the instructions in the Windows Server 2008 Foundation Network Guide.
· Server certificates are required when you deploy the PEAP-MS-CHAP v2 certificate-based authentication method.
· You or someone else in your organization is familiar with the IEEE 802.11 standards that are supported by your wireless APs and the wireless network adapters installed in the client computers on your network; for example, radio frequency types, 802.11 wireless authentication (WPA2 or WPA), and ciphers (AES or TKIP). For information about determining which wireless standards are supported on wireless client computers running Windows Vista and Windows Server 2008.
What this guide does not provide
Following are some items this guide does not provide:
Comprehensive guidance for selecting 802.1X-capable wireless access points
Because many differences exist between brands and models of 802.1X-capable wireless APs, this guide does not provide detailed information about:
· Determining which brand or model of wireless AP is best suited to your needs.
· The physical deployment of wireless APs on your network.
· Advanced wireless AP configuration, such as for wireless VLAN.
· Instructions on how to configure wireless AP vendor-specific attributes in NPS.
Additionally, terminology and names for settings vary between wireless AP brands and models, and might not match the generic setting names referenced in this guide. For wireless AP configuration details, you must review the product documentation provided by the manufacturer of your wireless APs.
Instructions for deploying NPS server certificates
There are two alternatives for deploying NPS server certificates. This guide does not provide comprehensive guidance to help you determine which alternative will best meet your needs. In general, however, the choices you face are:
Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.
Advantages:
· Installing purchased certificates does not require as much specialized knowledge as deploying a private CA on your network, and can be easier to deploy in networks that have only a few NPS servers.
· Using purchased certificates can prevent specific security vulnerabilities that can exist if the proper precautions are not taken when deploying a private CA on your network.
Disadvantages:
· This solution does not scale as well as deploying a private CA on your network. Because you must purchase a certificate for each NPS server, your deployment costs increase with each NPS server you deploy.
· Purchased certificates have recurring costs, because you must renew certificates prior to their expiration date.
Deploying a private CA on your network by using AD CS.
Advantages:
· AD CS is included with Windows Server 2008.
· This solution scales very well. After you have deployed a private CA on your network, AD CS automatically issues certificates to all NPS servers in your domain with no incremental increases in cost, even if you later add NPS servers to your network.
· AD CS automatically issues a server certificate to new NPS servers that you add to your network.
· If you later decide to change your authentication infrastructure from secure password authentication using PEAP to one that requires client certificates and uses either EAP-TLS or PEAP-TLS, you can do so by using your AD CS-based private CA.
Disadvantages:
· Deploying a private CA on your network requires more specialized knowledge than purchased certificates, and can be more difficult to deploy.
· It is possible to expose your network to specific security vulnerabilities if the proper precautions are not taken when deploying a private CA on your network.
NPS network policies and other NPS settings
Except for the configuration settings made when you run the Configure 802.1X wizard, as documented in this guide, this guide does not provide detailed information for manually configuring NPS conditions, constraints or other NPS settings.
For more information about NPS, see Additional Resources in this guide.
DHCP
This deployment guide does not provide information about designing or deploying DHCP subnets for wireless LANs.
For more information about DHCP, see the Additional Resources in this guide.
Technology overviews
Following are technology overviews for deploying wireless access:
IEEE 802.1X
The IEEE 802.1X standard defines the port-based network access control that is used to provide authenticated network access to Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails. Although this standard was designed for wired Ethernet networks, it has been adapted for use on 802.11 wireless LANs.
802.1X-capable wireless access points (APs)
This scenario requires the deployment of one or more 802.1X-capable wireless APs that are compatible with both the IEEE 802.1X standard and the Remote Authentication Dial-In User Service (RADIUS) protocol.
802.1X and RADIUS-compliant APs, when deployed in a RADIUS infrastructure with a RADIUS server such as an NPS server, are called RADIUS clients.
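The following Python sketch is an added example, not code from this guide or from Microsoft. It models the three roles the two overviews above describe: the supplicant (wireless client), the authenticator (the 802.1X-capable AP, acting as a RADIUS client) and the authentication server (NPS, acting as the RADIUS server). The controlled port stays unauthorized until the AP receives an Access-Accept that verifies against the shared secret configured for that AP, which is the property that later makes "Configure a Wireless AP as an NPS RADIUS Client" a necessary step. The RADIUS packet layout and the Response Authenticator computation follow RFC 2865; the PEAP-MS-CHAP v2 exchange that would travel inside the EAP-Message attribute is not modelled (the payload is simply the password, as a stand-in), the Message-Authenticator attribute is omitted, and every address, secret, MAC and account below is constructed.

```python
"""Toy model of 802.1X port control backed by a RADIUS exchange (added example, constructed data)."""
import hashlib
import os

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, CALLING_STATION_ID, EAP_MESSAGE = 1, 31, 79


def encode_attrs(attrs):
    """Type-Length-Value encoding of a list of (type, value-bytes) attributes."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def parse_attrs(data):
    """Inverse of encode_attrs; returns {type: value-bytes}."""
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Code(1) ID(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body


def build_response(code, ident, request_authenticator, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = bytes([code, ident]) + (20 + len(body)).to_bytes(2, "big")
    resp_auth = hashlib.md5(head + request_authenticator + body + secret).digest()
    return head + resp_auth + body


def response_is_authentic(reply, request_authenticator, secret):
    """The RADIUS client recomputes the Response Authenticator with its own copy of the secret."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[4:20] == expected


class AuthenticationServer:
    """Stand-in for NPS. clients: RADIUS client address -> shared secret; users: account -> password."""

    def __init__(self, clients, users):
        self.clients, self.users = clients, users

    def handle(self, src_ip, request):
        secret = self.clients.get(src_ip)
        if secret is None or request[0] != ACCESS_REQUEST:
            return None  # not a registered RADIUS client: silently discard, as RFC 2865 requires
        ident, req_auth = request[1], request[4:20]
        attrs = parse_attrs(request[20:])
        user = attrs.get(USER_NAME, b"").decode()
        # Stand-in for the PEAP-MS-CHAP v2 exchange: the EAP-Message is compared to the stored password.
        ok = user in self.users and attrs.get(EAP_MESSAGE) == self.users[user]
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], secret)


class Authenticator:
    """802.1X-capable AP acting as a RADIUS client; the controlled port opens only on a verified Access-Accept."""

    def __init__(self, ip, secret, server):
        self.ip, self.secret, self.server = ip, secret, server
        self.port_authorized = {}  # supplicant MAC -> bool
        self.next_id = 0

    def connect(self, mac, user_name, eap_payload):
        self.port_authorized[mac] = False  # 802.1X: the port is unauthorized until authentication succeeds
        ident = self.next_id = (self.next_id + 1) % 256
        req_auth = os.urandom(16)  # fresh Request Authenticator per request
        attrs = [(USER_NAME, user_name.encode()), (CALLING_STATION_ID, mac.encode()), (EAP_MESSAGE, eap_payload)]
        reply = self.server.handle(self.ip, build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
        if reply is None or reply[1] != ident or not response_is_authentic(reply, req_auth, self.secret):
            return "unauthorized"  # no reply, mismatched ID, or a reply not produced with this AP's secret
        self.port_authorized[mac] = reply[0] == ACCESS_ACCEPT
        return "authorized" if self.port_authorized[mac] else "unauthorized"


def run_demo():
    """Constructed sample data: one NPS, three APs (one mis-configured, one never registered), one user."""
    nps = AuthenticationServer(
        clients={"10.0.0.10": b"ap1-secret-constructed", "10.0.0.11": b"ap2-secret-constructed"},
        users={"contoso\\alice": b"P@ssw0rd-constructed"},
    )
    ap_ok = Authenticator("10.0.0.10", b"ap1-secret-constructed", nps)
    ap_wrong_secret = Authenticator("10.0.0.11", b"typo-secret", nps)  # secret differs from the one in NPS
    ap_unregistered = Authenticator("10.0.0.12", b"whatever", nps)  # never added as a RADIUS client in NPS
    pw = b"P@ssw0rd-constructed"
    return {
        "good_credentials": ap_ok.connect("00-11-22-33-44-55", "contoso\\alice", pw),
        "bad_password": ap_ok.connect("00-11-22-33-44-56", "contoso\\alice", b"wrong"),
        "secret_mismatch": ap_wrong_secret.connect("00-11-22-33-44-57", "contoso\\alice", pw),
        "unregistered_ap": ap_unregistered.connect("00-11-22-33-44-58", "contoso\\alice", pw),
    }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

Two of the four cases fail without NPS ever seeing a bad credential: the AP whose shared secret differs from the one stored in NPS receives an Access-Accept it cannot verify and keeps the port closed, and the AP that was never registered as a RADIUS client gets no reply at all. When troubleshooting a deployment built from this guide, those two symptoms point at the RADIUS client configuration rather than at the user's account or the PEAP settings.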
Wireless clients
This guide provides comprehensive configuration details to supply 802.1X authenticated access for domain-member users who connect to the network with wireless client computers running either Windows Vista or Windows XP with Service Pack 2 or later. Computers must be joined to the domain in order to successfully establish authenticated access.
If you are using computers running Windows Server 2008 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy extension of Windows Vista Wireless Network (IEEE 802.11) Policies as for computers running Windows Vista. If you are using computers running Windows Server 2003 as client computers, you can provision 802.1X security and connectivity settings on those computers by using the same Group Policy extension of Windows XP Wireless Network (IEEE 802.11) Policies as for computers running Windows XP.
Active Directory Domain Services (AD DS)
AD DS provides a distributed database that stores and manages information about network resources and application-specific data from directory-enabled applications. Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. A server that is running AD DS is called a domain controller.