Microsoft KB Archive/313664

= Using 802.1x authentication on client computers that are running Windows 2000 =

Article ID: 313664

Article Last Modified on 10/29/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q313664





SYMPTOMS
On computers that are running the versions of Windows 2000 that are listed earlier in this article, you cannot enable IEEE 802.1x authentication. If you connect to an IEEE 802.11 wireless local area network without 802.1x authentication enabled, the data that you send is more vulnerable to attacks such as offline traffic analysis, bit flipping, and malicious packet injection.

802.1x is an IEEE standard that greatly reduces the security vulnerabilities that are associated with 802.11 by using standard security protocols, centralized user identification, authentication, dynamic key management, and accounting. For additional information about making IEEE 802.11 networks Enterprise-ready, see the following Microsoft Web site:

http://www.microsoft.com/windows2000/docs/wirelessec.doc



CAUSE
You cannot enable 802.1x authentication on computers running Windows 2000 because support for 802.1x is not provided by default in Windows 2000. Therefore, the associated user interface (the Authentication tab) does not appear in the Network Connection Properties dialog box.



RESOLUTION
This patch requires Windows 2000 Service Pack 3 (SP3). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next Windows 2000 service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

The following files are available for download from the Microsoft Download Center:

English Language Version

Arabic Language Version

Chinese (Simplified) Language Version

Chinese (Traditional) Language Version

Czech Language Version

Danish Language Version

Dutch Language Version

Finnish Language Version

French Language Version

German Language Version

Greek Language Version

Hebrew Language Version

Hungarian Language Version

Italian Language Version

Japanese Language Version

Japanese NEC Language Version

Korean Language Version

Norwegian Language Version

Polish Language Version

Portuguese (Brazilian) Language Version

Portuguese Language Version

Russian Language Version

Spanish Language Version

Swedish Language Version

Turkish Language Version

Release Date: November 5, 2002

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version        Size     File name 09-Oct-2002 22:49  5.0.2195.5874   55,568  Clusapi.dll 27-Aug-2002 21:07  5.0.2195.6034  678,672  Clussvc.exe 09-Oct-2002 22:49  5.0.2195.6059  146,704  Kdcsvc.dll 05-Sep-2002 23:18  5.0.2195.6048  200,976  Kerberos.dll 21-Aug-2002 14:27  5.0.2195.6023   71,248  Ksecdd.sys 09-Oct-2002 22:49  5.0.2195.6034  964,368  Mprsnap.dll 27-Aug-2002 20:53  5.0.2195.6034  108,816  Msv1_0.dll 27-Aug-2002 20:54                   1,967  Ndisuio.inf 27-Aug-2002 20:54  5.0.2195.6034   11,984  Ndisuio.sys 09-Oct-2002 22:49  5.0.2195.6075  360,720  Netlogon.dll 09-Oct-2002 22:49  5.0.2195.6073   99,600  Netman.dll 09-Oct-2002 22:49  5.0.2195.6034  474,896  Netshell.dll 27-Aug-2002 20:57                   3,795  Netwzc.inf 09-Oct-2002 22:49  5.0.2195.6066   60,176  Raschap.dll 09-Oct-2002 22:49  5.0.2195.6034  528,144  Rasdlg.dll 09-Oct-2002 22:49  5.0.2195.6034   58,128  Rasman.dll 09-Oct-2002 22:49  5.0.2195.6050  152,848  Rasmans.dll 09-Oct-2002 22:49  5.0.2195.6034   54,032  Rastapi.dll 09-Oct-2002 22:49  5.0.2195.6082  100,112  Rastls.dll 09-Oct-2002 22:49  5.0.2195.6034  144,656  Rasuser.dll 09-Oct-2002 22:49  5.0.2195.6025  389,392  Samsrv.dll 09-Oct-2002 22:49  5.0.2195.6034  975,632  Sfcfiles.dll 07-Oct-2002 20:55  5.0.2195.6082  123,392  Sp3res.dll 27-Aug-2002 20:56  5.0.2195.6034   52,496  Wzcdlg.dll 27-Aug-2002 20:56  5.0.2195.6034   29,968  Wzcsapi.dll 27-Aug-2002 20:56  5.0.2195.6034   33,552  Wzcsetup.exe 27-Aug-2002 20:56  5.0.2195.6034  195,856  Wzcsvc.dll After you apply this update, follow these steps to enable 802.1x authentication:
 * 1) Installing the hotfix installs the 802.1x service in the disabled state. To change the Wireless Configuration service startup to Automatic: Right-click My Computer, and then click Manage. Click Services and Applications, and then click Services. Set the Startup value for the service to Automatic, and then start the service.
 * 2) Open Network Connections by clicking Start, pointing to Settings, clicking Control Panel, and then double-clicking Network Connections.
 * 3) Right-click the wireless connection for which you want to enable or disable 802.1x authentication, and then click Properties.
 * 4) On the Authentication tab, do one of the following:
 * 5) * To enable 802.1x authentication for this connection, click to select the Enable network access control using IEEE 802.1x check box. By default, this check box is selected.
 * 6) * To disable 802.1x authentication for this connection, click to clear the Enable network access control using IEEE 802.1x check box.
 * 7) In the EAP type box, click the Extensible Authentication Protocol type that is to be used with this connection.
 * 8) If you click Smart Card or other Certificate in the EAP type box, you can configure additional properties if you click Properties and then follow these steps in Smart Card or other Certificate properties:
 * 9) * To use the certificate that is located in the certificate store on your computer for authentication, click Use a certificate on this computer.
 * 10) * To verify that the server certificate that is presented to your computer is still valid, click to select the Validate server certificate check box, specify whether to connect only if the server is located in a particular domain, and then specify the trusted root certification authority.
 * 11) * To use a different user name when the user name in the certificate is different from the user name in the domain to which you are logging on, click to select the Use a different user name for the connection check box.
 * 12) If you click Protected EAP (PEAP) in the EAP type box, your Windows user name and password are used for authentication.
 * 13) To specify whether the computer should try authentication on the network if a user is not logged on, if the computer or user information is not available, or both, follow these steps:
 * 14) * To specify that the computer try authentication on the network if a user is not logged on, click to select the Authenticate as computer when computer information is available check box. By default, this check box is selected.
 * 15) * To specify that the computer try authentication on the network if user information or computer information is not available, click to select the Authenticate as guest when user or computer information is unavailable check box.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
Without appropriate security mechanisms in place, wireless networks are vulnerable to attacks such as eavesdropping and remote sniffing. To reduce the threat of such attacks, the 802.11 standard defines authentication services; for encryption, it defines the Wired Equivalent Privacy (WEP) algorithm. Although these mechanisms provide a measure of protection, 802.1x provides additional protection by mitigating a number of vulnerabilities.

802.11 Authentication
For authentication, 802.11 defines the open system and shared key authentication subtypes.
 * Open system authentication does not actually provide authentication; it only performs identity verification through the exchange of two messages between the initiator (wireless client) and the receiver (wireless access point).
 * Shared key authentication does provide authentication by verifying that an initiator has knowledge of a shared secret. Under the 802.11 standard, it is assumed that the shared secret is sent to the wireless access point over a secure channel that is independent of 802.11. In practice, the shared key authentication secret is manually distributed and typed.

802.11 Confidentiality (Encryption) and Integrity
WEP provides data confidentiality equivalent to that of a wired network by encrypting the data sent between wireless clients and wireless access points. For encryption, WEP defines the use of the RC4 stream cipher with a standard 40-bit encryption key or, in some implementations, a 104-bit encryption key. Data integrity is provided through an integrity check value (ICV) in the encrypted portion of the wireless frame. Although 802.1x can be used without 802.11 encryption, it is a good idea to use the two together. If 802.1x is enabled, but WEP encryption is not enabled, data that is sent to a wireless access point port is sent in the clear although user authentication is enforced. To prevent this implementation that is not secure, enable WEP in conjunction with 802.1x.

Note Some manufacturers advertise 128-bit encryption keys. However, such keys include a 24-bit initialization vector, so they are still actually 104 bit-encryption keys. An initialization vector is a random number that is used as a starting point to encrypt a set of data.

Using 802.1x for Wireless Authentication
802.1x is a standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. For wireless 802.11 networks, 802.1x enhances security and addresses WEP vulnerabilities by:
 * Permitting a computer and a network to authenticate each other.
 * Generating a per-user and per-session key to encrypt data over wireless connections.
 * Providing the ability to dynamically change keys at frequent intervals.

To enhance deployment, 802.1x permits user identification and authentication, centralized authentication, authorization, and accounting support.

802.1x uses the Extensible Authentication Protocol (EAP) for message exchange during the authentication process. The support that 802.1x provides for EAP security types permits authentication methods such as certificates to be used.

How 802.1x Authentication Works
802.1x implements port-based network access control. Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port when the authentication process does not succeed.

During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it permits user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's port-based network access control defines two logical data paths to the LAN, through one physical LAN port. The first data path, the uncontrolled port, permits data exchange between the authenticator (the port that forces authentication before permitting access to services on that port) and a computing device on the LAN, regardless of the authentication state of that device. This is the path that EAPOL (EAP over LAN) messages take. The second logical data path, the controlled port, permits data exchange between an authenticated LAN user and the authenticator. This is the path that all other network traffic takes, after the computing device is authenticated.

802.1x and IAS RADIUS
For wireless networking, you can use 802.1x in conjunction with Windows 2000 or the Microsoft Windows Server 2003 family Internet Authentication Service (IAS) servers for RADIUS authentication. Under the RADIUS implementation, the wireless access point prevents data traffic from being forwarded to a wired network or to another wireless client without a valid authentication key. The process of obtaining a valid authentication key is as follows:
 * 1) When a wireless client comes in range of a wireless access point, the wireless access point challenges the client.
 * 2) The wireless client sends its identity to the wireless access point, which forwards this information to a RADIUS server.
 * 3) The RADIUS server requests the wireless client's credentials to verify the client's identity. As part of this request, the RADIUS server specifies the type of credentials that are required.
 * 4) The wireless client sends its credentials to the RADIUS server.
 * 5) The RADIUS server verifies the wireless client's credentials. If the credentials are valid, the RADIUS server sends an encrypted authentication key to the wireless access point.
 * 6) The wireless access point uses this authentication key to securely transmit per-station unicast session and multicast or global authentication keys to the wireless client.

For Windows 2000, deployment of RADIUS requires the following additional components:  Windows 2000 Service Pack 2. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

 A patch for the Windows 2000 Internet Authentication Service (IAS), which is a RADIUS server feature that is included with Windows 2000 Server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

304697 Some wireless values for the RADIUS attributes are not available

 A patch for Active Directory to permit computer accounts to have dial-in properties. . For more information, click the following article number to view the article in the Microsoft Knowledge Base:

306260 Cannot modify dial-in permissions for computers that use wireless networking

 A patch for a computer running Windows 2000 Server, to permit computer authentication on the network if a user is not logged on. This patch must be installed on the Active Directory server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

304347 Server does not make EAP-OE connection to LAN if a user is not logged on

</li></ul>

For more information, see the &quot;Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service&quot; topic. To view this topic, visit the following Microsoft Web site:

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/default.mspx

Differences in the Windows 2000 802.1x Client
To add 802.1X functionality to the Windows 2000 platform, a subset of features were taken from the Microsoft Windows XP platform. The 802.1X engine itself is largely the same; the main difference in the clients comes from how you interact with the clients through the user interface. This is a list of the differences on the Windows 2000 client:
 * Service state - The Windows 2000 802.1X service is installed in a disabled state. You must set the service state to Automatic and start the service to use its functionality.
 * Zero Configuration functionality - The Windows 2000 client does not contain Zero Configuration functionality. This means that you must have a vendor-provided utility to configure your 802.11 settings.
 * Third-party tools - As stated earlier, the Windows 2000 client requires a third-party vendor configuration utility for 802.11 settings. Unlike Windows XP, which saves 802.11 settings on a per-user basis, many utilities do not. This may permit multiple users to log on to the same computer and to configure a common profile instead of a user-specific profile.
 * Group Policy - Configuring wireless network settings by using Group Policy is not supported.
 * Authorization Status notification - You can view authorization status by holding the mouse pointer over the Network Connection icon in the notification area at the far right of the taskbar
 * The Windows 2000 client supports only one wireless network adapter at a time. Although it is technically possible to have a laptop computer with more than one wireless network adapter, the Windows 2000 802.1X client works with only one at a time.
 * Upgrade from Beta - If you installed any of the Windows 2000 Beta clients, you must remove them first and then install the released client. There is no supported upgrade path from a Beta client to the released client.
 * Context-Sensitive Help - There is no context-sensitive Help in the client.

For more information about wireless security, visit either of the following Microsoft Web sites:

http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx for the latest news about WiFi solutions from Microsoft

http://www.microsoft.com/security for the latest news about security solutions

Common Issues

 * No Authentication tab - When the hotfix is installed, the 802.1X service is installed in a disabled state. To solve this, you must enable the Wireless Configuration service in the list of services:
 * Right-click My Computer, and then click Manage.
 * Click Services and Applications, and then click Services.
 * Set the Startup value for the service to Automatic, and then start the service.
 * Unavailable Authentication tab - If the Authentication tab is present but is unavailable, this indicates that the network adapter driver does not support 802.1x correctly. Use the following list or the hardware manufacturer's Web site to identify the correct network adapter driver version.

Tested Drivers and Utilities
The following list contains information from hardware manufacturers about which components they tested with the Windows 2000 802.1x client. This list is not comprehensive; it is intended only to help establish a baseline at the time of release (04-Nov-2002). For future updates, visit the manufacturer's Web site.

Device manufacturer: 3COM Corporation

Device name: 3Com 3CRWE62092B Wireless LAN PC Card

Client utility version: 3Com Wireless LAN Manager Version 2.1 Wireless

driver version: 3Com 3CRWE62092B Wireless LAN PC Card (For Windows 98 Second Edition, Windows Millennium Edition [Me], Windows 2000 [Wlp92be.sys version 2.1.0.9]), for WindowsXP (Wlp92bf.sys [2.1.0.9]).

Firmware in all operating systems is version 5.2.0.0.

For current information about drivers and utilities, visit the following third-party Web site: http://www.3com.com

Device manufacturer: Cisco

Device name/type: Cisco 350 Series PCMCIA Wireless Adapter

Client Utility/Version: Cisco ACU 5.05.001

driver version: 8.2.3

Firmware in all operating systems is version 4.25.30.

For current information about drivers and utilities, visit the following third-party Web site: http://www.cisco.com

Device manufacturer: Proxim

Device name: Harmony 802.11a CardBus/PCI Card Software for Windows 98 Second Edition/Windows Me/Windows 2000/Windows XP/Windows NT 4.0

Client utility version: 1.4-B11

Driver Version: 1.4-B11

Device manufacturer: Proxim Corporation

Device name: - Harmony 802.11a Access Point

Client utility version: 2.0-B11

Firmware version: 2.0-B11

Device manufacturer: Proxim Corporation

Device name: Proxim Harmony 802.11a

Client utility version: Proxim 1.4-B11

driver version: Proxim Wireless 802.11a card 1.4-B11 (1.4.1.1)

Firmware version: Loaded by driver

For current information about drivers and utilities, visit the following third-party Web site: http://www.proxim.com

Device manufacturer: Intel

Device name: Intel PRO/Wireless 2011B

Driver version: 3.1.1.27

Firmware version: Firmware is loaded by driver

To obtain drivers, utilities, and more current information, visit the following third-party Web site:

http://www.intel.com

Device manufacturer: Intel

Device name: Intel PRO/Wireless 5000 CardBus (802.11a)

Driver Version 1.0.1.30

Firmware version: Firmware is loaded by driver

To obtain drivers, utilities, and more current information, visit the following third-party Web site:

http://www.intel.com

Device manufacturer: Enterasys Networks, Inc.

Device name/type: Enterasys RoamAbout R2 Access Point

Firmware version: v2.00.16

For current information about drivers and utilities, visit the following third-party Web site:

http://www.enterasys.com/wireless

Device manufacturer: Enterasys Networks, Inc.

Device name/type: Enterasys RoamAbout AP2000 Access Point

Firmware version: v6.04

For current information about drivers and utilities, visit the following third-party Web site:

http://www.enterasys.com/wireless

Device manufacturer: Enterasys Networks, Inc.

Device name/type: RoamAbout 802.11 DS CSIBD-AA-128

Client utility version: v8.01

Wireless network adapter driver version: Enterasys Networks Wireless Driver 7.44.18.403

Firmware version: Loaded by driver

For current information about drivers and utilities, visit the following third-party Web site:

http://www.enterasys.com/wireless

Device manufacturer: Symbol

Device name: AP-4131-1000 WW

Client utility version: 3.50-26

Wireless network adapter firmware version: 3.50-26

For current information about drivers and utilities, visit the following third-party Web site:

http://www.symbol.com

Device manufacturer: Symbol

Device name: LA-4121-1000 WW

Client utility version: 3.0.19.20a

Wireless network adapter driver version: 2.51-08

Firmware version: Firmware is loaded by driver.

For current information about drivers and utilities, visit the following third-party Web site:

http://www.symbol.com

Device manufacturer: Symbol

Device name: LA-4131-1000 WW

Client utility version: 3.18

Wireless network adapter driver version: 3.18

Firmware version: Firmware is loaded by driver.

For current information about drivers and utilities, visit the following third-party Web site:

http://www.symbol.com

Device manufacturer: Broadcom Corporation

Device name: Broadcom AirForce cards: BCM94301MP, BCM94301CB, BCM94301PC5

Client utility version: Broadcom AirForce OneDriver 3.08.27 (and later)

driver version: Broadcom AirForce OneDriver 3.08.27+ (No firmware needed)

For current information about drivers and utilities, visit the following third-party Web site:

http://www.broadcom.com

Device manufacturer: HP-Compaq

Device name/type: Compaq WL100 11Mbps Wireless LAN PC Card Adapter

Client utility version: 4.06.3.0

Wireless network adapter driver version: 0.29.4

Firmware version: Loaded by driver

For current information about drivers and utilities, visit the following third-party Web site:

http://www.hewlettpackard.com/

Device manufacturer: HP-Compaq

Device name/type: Compaq WL 110 PC Card Adapter

Client utility version: 2.58

Wireless network adapter driver version: 7.44.19.445

Firmware version: Loaded by driver

For current information about drivers and utilities, visit the following third-party Web site:

http://www.hewlettpackard.com/

Device manufacturer: HP-Compaq

Device name/type: Compaq WL 215 Wireless USB Adapter

Client utility version: 2.58

Wireless network adapter driver version: 7.64.19.329

Firmware version: Loaded by driver

For current information about drivers and utilities, visit the following third-party Web site:

http://www.hewlettpackard.com/

Device manufacturer: HP-Compaq

Device name/type: HP Enterprise Access Point WL520

Firmware version: 2.0 (build 267)

For current information about drivers and utilities, visit the following third-party Web site:

http://www.hewlettpackard.com/

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Keywords: kbproductlink kbfix kbprb kbqfe kbwin2000presp4fix KB313664

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.