In an earlier article, I covered Remote Authentication Dial-In User Service (RADIUS) servers: why we should have them, and the various options that we have to set one up, for both Windows infrastructure and Linux.
With a centralized identity management in place (Active Directory), let's take a look at how to implement wired authentication using IEEE 802.1X.
Your company wants to ensure that only managed devices can connect to its physical network:
- Only network devices managed by IT can be connected to the network
- IT security policy is met
- Viruses/worms are not spreadable by non-managed network devices
In the above scenario, we will need to setup a RADIUS service. Instead of adding wireless access points as RADIUS clients, we are going to add IEEE 802.1X switches as RADIUS clients.
Here are the high-level steps for this scenario:
- Deploy Active Directory
- Deploy public key infrastructure (PKI) and push the Trusted Root Certificate to Windows clients
- Acquire and deploy IEEE 802.1X managed switches
- Configure Active Directory (Group Policy to be exact) and managed switches
Please refer to my earlier article on how a RADIUS server works, which provides an outline and diagram of how elements in a RADIUS infrastructure communicate with one another using Microsoft's technologies.
Step-by-step RADIUS authentication for wired
If you want to take advantage of the benefits of having a wired RADIUS authentication, but you have nowhere to go, you're in the right place. Let me guide you on how to set up a RADIUS authentication. We'll start by assuming you already have Active Directory configured.
Deploy public-key infrastructure (PKI)
First, install an Enterprise Root Certificate Authority (CA) as part of Active Domain Certificate Services (Windows Server 2008 R2) or Certificate Authority (Windows Server 2003 and below).
Next, you will need to push the Trusted Root Certificate to Windows clients. To do this, you will need to export the Trusted Root Certificate from the certificate authority and import it into the Trusted Root Certification Authorities in group policy. Read up more about this from Microsoft Technet.
Acquire and deploy IEEE 802.1X managed switches
To do RADIUS authentication, we have to use managed switches. Managed switches allow us to configure the switch as a RADIUS client, and to enable IEEE 802.1X authentication. If not configured, managed switches will act like any other switch, where the connected LAN ports auto-negotiate the speed and connectivity.
Configure Network Policy Server (Windows Server 2008 and above)
For our RADIUS server to recognize each individual managed switch, these switches must be configured as RADIUS clients on the server side (network policy server or NPS) and client side (managed switches Web configuration).
On the server side, here are the steps:
First, in NPS, create a RADIUS client.
Next, go to the NPS (Local) node, and click on Configure 802.1X. The beauty of NPS is that everything is wizard-driven. Once we complete the wizard, 802.1X is configured with a new network policy and the appropriate Ethernet port and settings.
Configure Active Directory Group Policy and managed switches
The next step is to create a group policy object with the wired policy to be downloaded by the clients. For this to work, the client needs to be running Windows XP SP3, Windows Vista or Windows 7.
To configure group policy for wired authentication, here are the steps:
- Create a new GPO in Group Policy Management Console.
- Under Computer Configuration Policies/Windows Settings/Security Settings/Wired Network (IEEE 802.3) Policies, create a new policy.
- Specify the name of the new policy, and click on Security. Configure the authentication method and mode for this policy. Note that this authentication method and mode needs to match with the authentication method and mode configured on the managed switch.
- Click on Properties and configure the server names to which you are allowing the Windows clients to connect. We will also need to select the Trusted Root Certification for the certificate that we are using.
- Last, we will have to configure the managed switch to act as a RADIUS client. Depending on the make and brand of the managed switch, the configuration instructions vary. But for most managed switches, the process requires you to log on to the switch's console through telnet and run commands to update the RADIUS settings. You will need to refer to your user manual for the instructions.
With IEEE 802.1X authentication enabled for wired (Ethernet) connections, users will not be able to log on to the corporate network from any non-domain-joined computers. If securing the physical network is what you are looking for, you definitely want to deploy 802.1X authentication for wired connections.