Introduction

802.1X is a network access control (NAC) standard that provides an authentication framework for controlling access to network resources. It is a part of the IEEE 802.1 group of protocols, which defines how devices in a Local Area Network (LAN) communicate with each other.

The main purpose of 802.1X is to ensure that only authorized devices or users are allowed to connect to a network, thereby enhancing network security. It operates at the link layer of the OSI model and is primarily used for wired and wireless Ethernet networks.

Here’s how 802.1X works:

Supplicant:

The device (such as a computer or wireless device) that wants to connect to the network is called the supplicant. It requests access to the network and is responsible for providing authentication credentials.

Authenticator:

The network access device (such as a switch or wireless access point) that controls the physical connection to the network is called the authenticator. It acts as a gatekeeper and forwards the authentication request from the supplicant to the authentication server.

Authentication Server:

This server performs the actual authentication of the supplicant’s credentials. It could be a Remote Authentication Dial-In User Service (RADIUS) server or a similar backend system. The authentication server checks the supplicant’s credentials and returns a response to the authenticator.

EAP (Extensible Authentication Protocol):

802.1X uses EAP to encapsulate various authentication methods and provide flexibility in the authentication process. EAP allows different authentication methods to be used, such as EAP-TLS (Transport Layer Security), EAP-PEAP (Protected Extensible Authentication Protocol), EAP-TTLS (Tunneled Transport Layer Security), and more.

The authentication process typically involves a series of exchanges between the supplicant, the authenticator, and the authentication server. If the credentials provided by the supplicant are valid, the authenticator grants access to the network. If not, access is denied, and the supplicant remains isolated from the network.

Implementing 802.1X in a Windows Environment

Implementing 802.1X on Windows involves configuring the following:

  1. Router or switch with 802.1X capability.
  2. Access point with WPA2-Enterprise capability.
  3. AD DS (Active Directory Domain Services).
  4. AD CS (Active Directory Certificate Services).

Configuring the access point with WPA2-Enterprise capability.

  1. Log in to the access point with WPA2-Enterprise capability.
  2. Go to the wireless settings and configure the RADIUS server and its shared secret.
  3. In this example, 10.10.103.3 is used as the IP address of the RADIUS server.
  4. Click OK and Finish.

Creating a new certificate template for the RADIUS server.

  1. Log in to the Windows CA (AD CS) server.
  2. Open the CA management console.
  3. Go to Certificate Templates, right click and select Manage.
  4. Find the RAS and IAS Server certificate template, right click and select Duplicate Template.
  5. On the duplicated template, go to General and change the name, e.g. RadiusNPS.
  6. Change the Validity Period to 2 years or more, and adjust any other setting if necessary.
  7. Go to Security and add the RADIUS server with Read, Enroll and Autoenroll permissions, and add the RAS and IAS Servers security group with Enroll permission only.
  8. Once done, press Finish and OK.
  9. You will now see the RadiusNPS template.
  10. Close the management console, go back to Certificate Templates, right click New -> Certificate Template to Issue, and select the RadiusNPS template.
  11. As we also need to import the root CA certificate on all clients later, we need to export the root CA certificate first.
    • Access the root CA server via browser: http://<ca_ip_address>/certsrv
    • Select Download a CA certificate, certificate chain, or CRL.
    • Select Download CA certificate.
    • Save the file “certnew.cer” to local disk and rename it RootCA.cer (we will import this certificate into the GPO later).

Installing and configuring the Windows RADIUS server.

Installing the NPS role.

Log in to the NPS/RADIUS server. If you haven’t installed the NPS/RADIUS role yet, go ahead and install it, and reboot the server if necessary.

Install-WindowsFeature NPAS -IncludeManagementTools -Verbose

Enrolling the NPS certificate

  1. Open Run and type MMC, then open File -> Add/Remove Snap-in -> Certificates -> Add -> Computer Account -> Next -> Finish.
  2. Go to Personal -> Certificates, right click and choose All Tasks -> Request New Certificate -> Next -> Next -> RadiusNPS -> Enroll.
  3. You will see a newly enrolled certificate from the RadiusNPS template, with a subject of the form server.domain.com.
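Before pointing PEAP at the enrolled certificate, it is worth checking on the NPS server that the certificate is actually usable for server authentication. The script below is an added example, not part of the original post; it assumes the template name RadiusNPS and that the expected subject name is this host's FQDN built from the COMPUTERNAME and USERDNSDOMAIN environment variables.

```powershell
# Added example (not from the original post): verify that this NPS server holds a
# certificate from the RadiusNPS template that PEAP can actually use.
# Assumptions: template name "RadiusNPS"; expected subject is this host's FQDN.
$TemplateName = 'RadiusNPS'
$ExpectedFqdn = ("{0}.{1}" -f $env:COMPUTERNAME, $env:USERDNSDOMAIN).ToLower()

function Test-NpsServerCertificate {
    param([string]$Template, [string]$Fqdn)

    $candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $c = $_
        # Template extension (V2: 1.3.6.1.4.1.311.21.7, V1: ...311.20.2) formats as "Template=RadiusNPS(...)".
        $tpl = $c.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
        $tpl -and ($tpl.Format($false) -match [regex]::Escape($Template))
    }
    if (-not $candidates) {
        return [pscustomobject]@{ Ok = $false; Reason = "no certificate from template $Template" }
    }

    foreach ($cert in $candidates) {
        $problems = @()
        # PEAP terminates TLS on this box, so the private key must be present here.
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        # Supplicants require the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))) {
            $problems += 'missing Server Authentication EKU'
        }
        # Clients configured to "connect to these servers: radius.domain.com" match on this name.
        $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dns.ToLower() -ne $Fqdn) { $problems += "name '$dns' does not match $Fqdn" }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($cert.NotAfter)" }
        # The chain must build to the root CA that the GPO will later push to clients.
        if (-not $cert.Verify()) { $problems += 'chain does not validate' }

        if ($problems.Count -eq 0) {
            return [pscustomobject]@{ Ok = $true; Thumbprint = $cert.Thumbprint; Reason = 'usable' }
        }
        Write-Warning "$($cert.Thumbprint): $($problems -join '; ')"
    }
    [pscustomobject]@{ Ok = $false; Reason = 'no candidate passed all checks' }
}

Test-NpsServerCertificate -Template $TemplateName -Fqdn $ExpectedFqdn | Format-List
```

Run it in an elevated PowerShell session on the NPS server; a warning line names the specific check that failed for each rejected certificate.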

Configuring Secure Wireless Connections on NPS.

  1. Open the NPS dashboard.
  2. Under Standard Configuration, switch to RADIUS Server for 802.1X Wireless or Wired Connections.
  3. Select Configure 802.1X and choose Secure Wireless Connections.
  4. Add the RADIUS client and type its shared secret.

The shared secret must match between the RADIUS server and the RADIUS client.

  1. For the authentication method, choose Microsoft: Protected EAP (PEAP).
  2. Click Configure and choose the certificate issued from the RadiusNPS template that you enrolled earlier.
  3. Specify the group you want to allow or deny access.
  4. Double check the policy under Network Policies and Connection Request Policies; in particular, NAS Port Type must be Wireless - IEEE 802.11.

Configuring Secure Wired Connections on NPS.

  1. Open the NPS dashboard.
  2. Under Standard Configuration, switch to RADIUS Server for 802.1X Wireless or Wired Connections.
  3. Select Configure 802.1X and choose Wired (Ethernet) Connections.
  4. Add the RADIUS client and type its shared secret.

The shared secret must match between client and server.

  1. For the authentication method, choose Microsoft: Protected EAP (PEAP).
  2. Click Configure and choose the certificate issued from the RadiusNPS template that you enrolled earlier.
  3. Specify the group you want to allow or deny access.
  4. Double check the policy under Network Policies and Connection Request Policies; in particular, NAS Port Type must be Wireless - IEEE 802.11.
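Both the wireless and the wired wizard above end with adding a RADIUS client and a shared secret, and the secret is the only thing protecting the RADIUS exchange between the NAS and NPS. The script below is an added example, not part of the original post: it registers each NAS with the NPS PowerShell module (installed with the NPAS role) using its own CSPRNG-generated secret, then reads the latest grant/deny outcomes from the Security log. The client names and addresses are constructed placeholders.

```powershell
# Added example (not from the original post): register the access point and the
# switch as RADIUS clients on NPS, each with its own randomly generated shared
# secret, then read the last authentication outcomes from the Security log.
# Assumptions: NPAS role installed (the NPS module ships with it); the client
# names and addresses below are constructed placeholders.
Import-Module NPS

function New-SharedSecret {
    param([int]$Length = 32)
    # 64-character alphabet so that 'byte % 64' is unbiased (256 is a multiple of 64).
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

$clients = @(
    @{ Name = 'AP-Office-01'; Address = '10.10.103.20' },   # constructed
    @{ Name = 'SW-Core-01';   Address = '10.10.103.21' }    # constructed
)

$existing = Get-NpsRadiusClient | ForEach-Object { $_.Name }
foreach ($c in $clients) {
    if ($existing -contains $c.Name) {
        Write-Warning "RADIUS client $($c.Name) already exists; leaving its secret unchanged"
        continue
    }
    $secret = New-SharedSecret
    # One secret per NAS: a secret leaked from one device does not expose the others.
    New-NpsRadiusClient -Name $c.Name -Address $c.Address -SharedSecret $secret | Out-Null
    Write-Host "$($c.Name) ($($c.Address)) shared secret: $secret  <- enter once on the device"
}

# 6272 = access granted, 6273 = access denied. The Reason Code in 6273 is the first
# place to look when a policy does not match (for example a wrong NAS Port Type).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Result = if ($_.Id -eq 6272) { 'granted' } else { 'denied' }
            Client = if ($m -match 'Client Friendly Name:\s*(.+)') { $Matches[1].Trim() } else { '' }
            Reason = if ($m -match 'Reason Code:\s*(\d+)') { $Matches[1] } else { '' }
        }
    } | Format-Table -AutoSize
```

Events 6272/6273 only appear once "Audit Network Policy Server" success and failure auditing is enabled, which the NPS installation turns on by default.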

Deploying the wired and wireless profiles to clients with AD Group Policy.

  1. Log in to the AD server and open Group Policy Management.

  2. Go to Group Policy Objects and create the following GPOs.

  3. Create a new GPO named COM-Cert-AutoEnroll -> This GPO will be used to deploy the root CA certificate and the certificate auto-enrollment setting.

    • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies, and modify Certificate Services Client - Auto-Enrollment Settings accordingly.
    • Apply and OK.
    • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities and import the RootCA certificate that we exported before.
    • Apply and OK.
    • Close the GPO editor to save the policy.
  4. Create a new GPO named COM-Wired-Policy -> This GPO will be used to deploy the wired profile policy.

    • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wired Network (IEEE 802.3) Policies -> Wired Network Policy
    • Modify the policy name and enable Use Windows Wired Auto Config service for clients.
    • Go to Security, check the Enable use of IEEE 802.1X authentication setting, and change the authentication mode to Computer only.
    • Click Properties, tick Verify the server's identity by validating the certificate and Connect to these servers, and fill in the RADIUS server in FQDN format, e.g. radius.domain.com
    • The 802.1X wired policy requires a service called Wired AutoConfig to be running on the client. Set this service to Automatic through this policy.
    • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> System Services -> Wired AutoConfig
    • Change the startup mode to Automatic
    • Once done, click OK and exit the editor to save the policy.
  5. Create a new GPO named COM-Wireless-Policy -> This GPO will be used to deploy the computer-based Wi-Fi authentication profile to clients.

    • Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wireless Network (IEEE 802.11) Policies
    • Right click and choose Create a New Wireless Network Policy for Windows Vista and Later Releases
    • In the SSID setting, add a new SSID -> Infrastructure and give it the same SSID name you created on the wireless device/access point.
    • Go to the Security tab. Configure authentication similarly to the wired policy, as follows:
    • Authentication: WPA2-Enterprise, Encryption: AES-CCMP, Network Authentication Method: Protected EAP (PEAP), Authentication Mode: Computer Authentication.
    • Under Network Authentication Method, click Properties. Add the RADIUS server in FQDN format, and add the trusted root certificate from the CA server.
    • OK and Finish. Close the editor to save the policy.
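Once the three GPOs have applied, the quickest way to tell whether a client will actually authenticate is to check the pieces each GPO was supposed to deliver: the root CA in the machine store, the Wired AutoConfig service, and the wired and wireless profiles. The script below is an added example, not part of the original post, to be run on a domain-joined client after gpupdate /force; the root CA thumbprint is a placeholder to be read from RootCA.cer, and the SSID name is constructed.

```powershell
# Added example (not from the original post): confirm on a client that the
# COM-Cert-AutoEnroll, COM-Wired-Policy and COM-Wireless-Policy GPOs took effect.
# Assumptions: replace the thumbprint placeholder with the value from RootCA.cer;
# 'CorpWiFi' is a constructed SSID. Run elevated (gpresult needs it for computer scope).
$RootCaThumbprint = '<ROOT-CA-THUMBPRINT>'   # placeholder
$Ssid             = 'CorpWiFi'               # constructed

function Test-Dot1xClientState {
    $r = [ordered]@{}

    # Which of the three GPOs were applied to this computer.
    $gp = gpresult /r /scope:computer 2>$null
    foreach ($name in 'COM-Cert-AutoEnroll', 'COM-Wired-Policy', 'COM-Wireless-Policy') {
        $r["GPO applied: $name"] = [bool]($gp | Select-String ([regex]::Escape($name)))
    }

    # COM-Cert-AutoEnroll: the root CA must sit in the *machine* Trusted Root store,
    # otherwise "Verify the server's identity" fails and the client never authenticates.
    $r['root CA trusted'] = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $RootCaThumbprint })

    # COM-Wired-Policy: Wired AutoConfig (dot3svc) must be Automatic and running.
    $svc = Get-Service -Name dot3svc
    $r['dot3svc automatic'] = ($svc.StartType -eq 'Automatic')
    $r['dot3svc running']   = ($svc.Status -eq 'Running')

    # A wired 802.1X profile must exist for the policy to have any effect.
    $r['wired 802.1X profile'] = [bool](netsh lan show profiles | Select-String '802.1X')

    # COM-Wireless-Policy: the SSID profile must exist and be WPA2-Enterprise.
    $wlan = netsh wlan show profiles name="$Ssid" 2>$null
    $r['wireless profile present']  = [bool]($wlan | Select-String ([regex]::Escape($Ssid)))
    $r['wireless WPA2-Enterprise']  = [bool]($wlan | Select-String 'WPA2-Enterprise')

    # Most recent wired 802.1X events; failures here usually mean server validation
    # rejected the NPS certificate or the switch port is not configured for 802.1X.
    $r['last wired-autoconfig events'] = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Wired-AutoConfig/Operational' } -MaxEvents 3 -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.TimeCreated) [$($_.Id)] $(($_.Message -split "`n")[0].Trim())" }

    [pscustomobject]$r
}

Test-Dot1xClientState | Format-List
```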

Conclusion

802.1X is particularly valuable in environments where network security is critical, such as corporate networks, educational institutions, and government organizations. It ensures that only trusted devices or users can gain access to sensitive resources and data, preventing unauthorized access and potential security breaches.

To be continued..