Complete Guide to Windows 802.1x - Security Boulevard

SBN Complete Guide to Windows 802.1x

What Is 802.1X and How Does it Work?

802.1X is the de facto gold standard that organizations should strive for when it comes to authentication; it’s safe, secure, and efficient. It is a network authentication protocol that opens ports for network access when an organization authenticates a user’s identity and authorizes them for access to the network.

FinConDX 2021

The user’s identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The RADIUS server is able to do this by communicating with the organization’s directory, typically over the LDAP or SAML protocol.

 

What is 802.1X EAP Security?

The standard authentication protocol used on encrypted networks is Extensible Authentication Protocol (EAP), which provides a secure method to send identifying information over-the-air for network authentication. 802.1X is the standard that is used for passing EAP over wired and wireless Local Area Networks (LAN). It provides an encrypted EAP tunnel that prevents outside users from intercepting information.

The EAP protocol can be configured for credential (EAP-TTLS/PAP and PEAP-MSCHAPv2) and digital certificate (EAP-TLS) authentication. EAP  is a highly secure method for protecting the authentication process.

 

What 802.1X Protocol Should I Use For Windows?

Because PEAP-MSCHAPv2 and EAP-TTLS require that users provide password-based credentials rather than a certificate during the authentication process,  they are typically easier and less expensive to deploy than EAP-TLS or PEAP-TLS.  However,  they are much less secure due to their reliance on credentials, as credentials can be easily compromised. Therefore,  PEAP-MSCHAPv2 and EAP-TTLS are not recommended protocols for Windows organizations that want to prioritize security.

 

Do you need a RADIUS server for 802.1 X on Windows?

A RADIUS server is imperative for 802.1X on Windows. This is because 802.1X support requires an authentication server that is configured for Remote Authentication Dial-In User Service (RADIUS).

802.1X authentication does not work unless the network access switch can route packets to the configured authentication RADIUS server. To verify that the switch can route packets, you must ping the server from the switch.

 

Requirements for 802.1X  Authentication on Windows

The following are the requirements for deploying a successful 802.1X network on Windows :

  1. An 802.1X-capable wireless access point to provide wireless coverage in the desired locations at your site.
  2. Active Directory Domain Services (AD DS) is installed.
  3. AD CS is deployed, and server certificates are enrolled to NPSs.
  4. You or another individual in your organization is familiar with 802.1X that can troubleshoot through the setup process.

 

How to Configure Certificate Authorities on Windows Server

A domain needs a CA to let clients request certificates  To install a CA on Windows, perform the following steps :

 

  1. Start the Control Panel Add/Remove Programs applet.
  2. Click Add/Remove Windows Components to start the Windows Components wizard.
  3. Click Next when the welcome screen appears.
  4. When the list of components displays, select the Certificate Services checkbox and click Next.
  5. Then, you need to select your CA type.
  6. Enter a CA name and other information about the organization, as the Screen shows. Click Next.
  7. Accept the default location for the certificate database, click next.​​
  8. If Microsoft IIS is running, the service will stop and a dialog box will display. Click OK.
  9. A list of files to copy will generate, and the files will install. Service and system configurations will also be installed.
  10. When the wizard completes, click Finish.

How to Configure 802.1X Manually On A Windows Device

The process is as follows:

  1. Setting Up a New Network
    • Go to the control panel, then under setup network go to manual configuration.
    • Make sure the security type is set to WPA2-Enterprise and the encryption type is set to AES.
  2. Modify the Wi-Fi Connection
    • Go to change connection settings.
  3. Configuring Certificate Authentication
    • Under security, go to Choose Authentication method.
    • Pick the setting in regards to certificates.
      • Choose the setting ‘Microsoft: smart cards or other certificates
  4. Authentication with EAP-TLS
    • Install a certificate authority so the certificates will be able to verify which server to connect with.
    • Make sure it is a trusted root CA.
    • EAP-TLS is the authentication method used to authenticate certificates.
  5. Enable certificate enrollment
    • Be sure to enable both the certificate and simple certificate selection
    • Select the option that allows the device to use the certificate. After clicking OK, the process is complete.

Manually configuring a Windows device requires the user to set up a new wireless network, enter a network name, set the security type, adjust network settings, set the 802.1X authentication method, and more.

While it’s certainly possible to complete this process accurately, it is highly complex and much more difficult than an onboarding software designed for efficiency.

 

How to find the Wi-Fi Certificate on Windows

To view certificates for a local Windows device:

  1. Select Run from the Start menu, and then enter certlm.msc.

The Certificate Manager tool for the local device appears.

  1. To view your certificates, under Certificates – Local Computer in the left pane, expand the directory for the type of certificate you want to view.

How Do I Disable 802.1X on Windows?

  1. Right-click on the network icon on the Windows taskbar, and select “Open Network and Sharing Center”.
  2. Click “Change adapter settings”.
  3. Right-click on the “Local Area Connection”, select “Properties”.
  4. Click “Authentication,” uncheck “Enable IEEE802.1X authentication”, and then press “OK”.

There is no doubt that an 802.1X network is much more secure than its alternatives, but it doesn’t have to be this complicated.

 

802.1X Simplified with SecureW2

The process for configuring Windows OS with SecureW2 requires the user to simply connect to the onboarding SSID and open an internet browser. The user is then sent to SecureW2’s JoinNow onboarding software. After clicking JoinNow, a graphic will indicate the progress of the configuration. The user will then be prompted to enter their credentials and the device will be authenticated and equipped with a certificate.

It’s just that simple.

SecureW2 is trusted by some of the biggest companies in the world to provide the highest level of security and peace of mind. Our software solutions can be integrated seamlessly into your current network infrastructure or stand on their own as a fully managed network security service.

We have affordable options for organizations of any size. Check out our pricing to learn more.

 

The post Complete Guide to Windows 802.1x appeared first on SecureW2.

*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Eytan Raphaely. Read the original post at: https://www.securew2.com/blog/complete-guide-to-windows-802-1x