Using 802.1x Port Authentication To Control Who Can Connect To Your Network
Author: Colin Weaver, ITdojo, Inc.
Last Revision: 1/31/05
First: the 802.1x supplicant (the user PC)

Follow all of these steps to make sure your client is configured correctly:

- You'll need sufficient rights to set up the PC. Local Administrator rights will do nicely.
- Make sure you have at least SP1 installed (XP Pro); the XP supplicant gained PEAP support in SP1.
- Make sure your PC is a member of the domain. Machine authentication uses the computer's domain account, so a workgroup PC cannot "Authenticate as computer".
- Open Network Connections and access the properties of your network card.
- Select the Authentication tab of the NIC Properties.
- Verify that the Enable IEEE 802.1x authentication for this network check box is selected.
- From the EAP type: drop-down, select Protected EAP (PEAP).
- Verify that Authenticate as computer when computer information is available is selected.
- Leave Authenticate as guest when user or computer information is unavailable unselected.
Complete the following tasks while still on the Authentication tab of the Network Card properties:

- Underneath the EAP type: drop-down, click on the Properties button.
- In the Protected EAP Properties dialog window choose the following:
  - Validate server certificate – Selected. This is the setting that stops the client from handing its EAP-MSCHAP-v2 credentials to a rogue switch or RADIUS server that presents an untrusted certificate, so do not clear it.
  - Connect to these servers: – Not Selected. Be aware that with this field left blank the client accepts any server certificate that chains to the root CA you select below; if you want authentication restricted to your own RADIUS servers, select it and enter the names on their certificates.
  - Trusted Root Certification Authorities – Scroll down the list and look for the name of the Certificate Authority that supports your domain name space, i.e. the CA that issued your RADIUS server's certificate. This assumes that you have a root CA in your domain or that you have made arrangements with a third-party CA. For many environments this is provided via Certificate Services on the Windows Server operating system.
  - From the Select Authentication Method drop-down choose Secured Password (EAP-MSCHAP-v2). This is the simplest method for the client as it does not require each client to have a certificate installed. We could get into a big long discussion about this… but we won't.
  - Leave the Enable Fast Reconnect check box cleared.
    - The Fast Reconnect option applies to roaming wireless users and lets them skip re-authentication when they roam from one AP to another, as long as both APs use the same RADIUS server (the PEAP TLS session is resumed rather than rebuilt). We'll talk about it another day.
- Click the Configure… button right next to the Select Authentication Method: drop-down. In the window that opens verify that the Automatically use my Windows logon name and password (and domain if any) check box is selected.
- Click OK.
- Keep clicking OK until all the windows go away.
That should do it. The client (supplicant) is configured. Are there other ways? Yup! But not today…
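One of those other ways, as an added example that is not part of the original article: Windows XP exposed these settings only through the dialog boxes above, but Windows Vista and later keep the same PEAP / EAP-MSCHAP-v2 settings in a wired LAN profile that can be scripted. The PowerShell below is not ITdojo's code. It assumes an elevated prompt, a NIC named Local Area Connection, and a root CA with subject CN=Corp Root CA already installed in the machine store (all three are placeholders), and the profile XML follows the layout that netsh lan export profile writes, so compare it against an export from a reference machine before rolling it out.

```powershell
# Added example, not code from the ITdojo article: the PEAP / EAP-MSCHAP-v2 supplicant settings
# the article sets through the XP Authentication tab, deployed as a wired LAN profile with
# netsh lan (Windows Vista and later). Run from an elevated prompt.
# Assumed values, replace for your environment:
$InterfaceName = 'Local Area Connection'   # assumed name of the wired NIC in Network Connections
$RootCaSubject = 'CN=Corp Root CA'          # assumed subject of the root CA behind your RADIUS server

# Preflight 1: "Authenticate as computer" needs a domain member; the machine account is the credential.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw 'This PC is not a domain member; machine authentication cannot work.'
}

# Preflight 2: Wired AutoConfig (dot3svc) is the 802.1X supplicant service for wired NICs.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

# Preflight 3: the trusted root must already be in the machine store. The profile pins it by
# SHA-1 thumbprint, so a missing CA fails loudly here instead of as a silent EAP failure later.
$rootCa = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootCaSubject } |
    Select-Object -First 1
if (-not $rootCa) {
    throw "Root CA '$RootCaSubject' is not in LocalMachine\Root; install it first."
}
# netsh expects the thumbprint as space-separated lowercase hex bytes.
$thumb = (($rootCa.Thumbprint -replace '(..)', '$1 ').Trim()).ToLower()

# Profile in the layout "netsh lan export profile" writes (assumed; verify against a real export).
$profileXml = @"
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                    <TrustedRootCA>$thumb</TrustedRootCA>
                  </ServerValidation>
                  <FastReconnect>false</FastReconnect>
                  <InnerEapOptional>false</InnerEapOptional>
                  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                    <Type>26</Type>
                    <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                      <UseWinLogonCredentials>true</UseWinLogonCredentials>
                    </EapType>
                  </Eap>
                  <EnableQuarantineChecks>false</EnableQuarantineChecks>
                  <RequireCryptoBinding>false</RequireCryptoBinding>
                  <PeapExtensions>
                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
                    <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName>
                  </PeapExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"@

$profilePath = Join-Path $env:TEMP 'peap-mschapv2.xml'
Set-Content -Path $profilePath -Value $profileXml -Encoding UTF8
netsh lan add profile filename="$profilePath" interface="$InterfaceName"
Remove-Item -Path $profilePath

# Verify what the supplicant actually loaded before unplugging and replugging the cable.
netsh lan show profiles interface="$InterfaceName"
```

The profile elements map onto the dialog boxes as follows: authMode machineOrUser is "Authenticate as computer when computer information is available"; PerformServerValidation true with a TrustedRootCA thumbprint is "Validate server certificate" plus the CA ticked under Trusted Root Certification Authorities; the empty ServerNames element is "Connect to these servers" left unselected, which means any certificate chaining to that root is accepted, so put your RADIUS servers' certificate names there if you want it tighter; FastReconnect false is "Enable Fast Reconnect" cleared; and inner EAP type 26 with UseWinLogonCredentials true is "Secured password (EAP-MSCHAP v2)" using the Windows logon. DisableUserPromptForServerValidation true is stricter than the XP dialog, which prompted the user on an unknown server; here the connection simply fails. The guest option has no profile equivalent; on newer Windows the guest VLAN decision is made by the switch.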