MORE INFORMATION

Without appropriate security mechanisms in place, wireless networks are vulnerable to attacks such as eavesdropping and remote sniffing. To reduce the threat of such attacks, the 802.11 standard defines authentication services; for encryption, it defines the Wired Equivalent Privacy (WEP) algorithm. Although these mechanisms provide a measure of protection, 802.1x provides additional protection by mitigating a number of vulnerabilities.

802.11 Authentication

For authentication, 802.11 defines the open system and shared key authentication subtypes.

• Open system authentication does not actually provide authentication; it only performs identity verification through the exchange of two messages between the initiator (wireless client) and the receiver (wireless access point).
• Shared key authentication does provide authentication by verifying that an initiator has knowledge of a shared secret. Under the 802.11 standard, it is assumed that the shared secret is sent to the wireless access point over a secure channel that is independent of 802.11. In practice, the shared key authentication secret is manually distributed and typed.

802.11 Confidentiality (Encryption) and Integrity

WEP provides data confidentiality equivalent to that of a wired network by encrypting the data sent between wireless clients and wireless access points. For encryption, WEP defines the use of the RC4 stream cipher with a standard 40-bit encryption key or, in some implementations, a 104-bit encryption key. Data integrity is provided through an integrity check value (ICV) in the encrypted portion of the wireless frame. Although 802.1x can be used without 802.11 encryption, it is a good idea to use the two together. If 802.1x is enabled, but WEP encryption is not enabled, data that is sent to a wireless access point port is sent in the clear although user authentication is enforced. To prevent this implementation that is not secure, enable WEP in conjunction with 802.1x.

Note Some manufacturers advertise 128-bit encryption keys. However, such keys include a 24-bit initialization vector, so they are still actually 104 bit-encryption keys. An initialization vector is a random number that is used as a starting point to encrypt a set of data.

Using 802.1x for Wireless Authentication

802.1x is a standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. For wireless 802.11 networks, 802.1x enhances security and addresses WEP vulnerabilities by:

• Permitting a computer and a network to authenticate each other.
• Generating a per-user and per-session key to encrypt data over wireless connections.
• Providing the ability to dynamically change keys at frequent intervals.

To enhance deployment, 802.1x permits user identification and authentication, centralized authentication, authorization, and accounting support.

802.1x uses the Extensible Authentication Protocol (EAP) for message exchange during the authentication process. The support that 802.1x provides for EAP security types permits authentication methods such as certificates to be used.

How 802.1x Authentication Works

802.1x implements port-based network access control. Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port when the authentication process does not succeed.

During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it permits user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's port-based network access control defines two logical data paths to the LAN, through one physical LAN port. The first data path, the uncontrolled port, permits data exchange between the authenticator (the port that forces authentication before permitting access to services on that port) and a computing device on the LAN, regardless of the authentication state of that device. This is the path that EAPOL (EAP over LAN) messages take. The second logical data path, the controlled port, permits data exchange between an authenticated LAN user and the authenticator. This is the path that all other network traffic takes, after the computing device is authenticated.

802.1x and IAS RADIUS

For wireless networking, you can use 802.1x in conjunction with Windows 2000 or the Microsoft Windows Server 2003 family Internet Authentication Service (IAS) servers for RADIUS authentication. Under the RADIUS implementation, the wireless access point prevents data traffic from being forwarded to a wired network or to another wireless client without a valid authentication key. The process of obtaining a valid authentication key is as follows:

1. When a wireless client comes in range of a wireless access point, the wireless access point challenges the client.
2. The wireless client sends its identity to the wireless access point, which forwards this information to a RADIUS server.
3. The RADIUS server requests the wireless client's credentials to verify the client's identity. As part of this request, the RADIUS server specifies the type of credentials that are required.
4. The wireless client sends its credentials to the RADIUS server.
5. The RADIUS server verifies the wireless client's credentials. If the credentials are valid, the RADIUS server sends an encrypted authentication key to the wireless access point.
6. The wireless access point uses this authentication key to securely transmit per-station unicast session and multicast or global authentication keys to the wireless client.

For Windows 2000, deployment of RADIUS requires the following additional components:

• Windows 2000 Service Pack 2. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  260910 How to obtain the latest Windows 2000 service pack

• A patch for the Windows 2000 Internet Authentication Service (IAS), which is a RADIUS server feature that is included with Windows 2000 Server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  304697 Some wireless values for the RADIUS attributes are not available

• A patch for Active Directory to permit computer accounts to have dial-in properties. . For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  306260 Cannot modify dial-in permissions for computers that use wireless networking

• A patch for a computer running Windows 2000 Server, to permit computer authentication on the network if a user is not logged on. This patch must be installed on the Active Directory server. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

  304347 Server does not make EAP-OE connection to LAN if a user is not logged on

For more information, see the "Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service" topic. To view this topic, visit the following Microsoft Web site:

Differences in the Windows 2000 802.1x Client

To add 802.1X functionality to the Windows 2000 platform, a subset of features were taken from the Microsoft Windows XP platform. The 802.1X engine itself is largely the same; the main difference in the clients comes from how you interact with the clients through the user interface. This is a list of the differences on the Windows 2000 client:

• Service state - The Windows 2000 802.1X service is installed in a disabled state. You must set the service state to Automatic and start the service to use its functionality.
• Zero Configuration functionality - The Windows 2000 client does not contain Zero Configuration functionality. This means that you must have a vendor-provided utility to configure your 802.11 settings.
• Third-party tools - As stated earlier, the Windows 2000 client requires a third-party vendor configuration utility for 802.11 settings. Unlike Windows XP, which saves 802.11 settings on a per-user basis, many utilities do not. This may permit multiple users to log on to the same computer and to configure a common profile instead of a user-specific profile.
• Group Policy - Configuring wireless network settings by using Group Policy is not supported.
• Authorization Status notification - You can view authorization status by holding the mouse pointer over the Network Connection icon in the notification area at the far right of the taskbar
• The Windows 2000 client supports only one wireless network adapter at a time. Although it is technically possible to have a laptop computer with more than one wireless network adapter, the Windows 2000 802.1X client works with only one at a time.
• Upgrade from Beta - If you installed any of the Windows 2000 Beta clients, you must remove them first and then install the released client. There is no supported upgrade path from a Beta client to the released client.
• Context-Sensitive Help - There is no context-sensitive Help in the client.

For more information about wireless security, visit either of the following Microsoft Web sites:

Common Issues

• No Authentication tab - When the hotfix is installed, the 802.1X service is installed in a disabled state. To solve this, you must enable the Wireless Configuration service in the list of services:
  1. Right-click My Computer, and then click Manage.
  2. Click Services and Applications, and then click Services.
  3. Set the Startup value for the service to Automatic, and then start the service.
• Unavailable Authentication tab - If the Authentication tab is present but is unavailable, this indicates that the network adapter driver does not support 802.1x correctly. Use the following list or the hardware manufacturer's Web site to identify the correct network adapter driver version.

Tested Drivers and Utilities

The following list contains information from hardware manufacturers about which components they tested with the Windows 2000 802.1x client. This list is not comprehensive; it is intended only to help establish a baseline at the time of release (04-Nov-2002). For future updates, visit the manufacturer's Web site.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.