Wired 802.1x authentication

  • Question

  • Two questions regarding 802.1x NAP - now I have it working, I want to understand it!

    1. Why does the authentication method have to be specified in the Connection request policy rather than in the network policy? The screen says "connection request policies allow you to designate whether connection requests are processed locally or forwarded to remote RADIUS servers".

    2. Using the default settings for 802.1x, exactly what is being used for the authentication?

    Default (in NPS) appears to be Microsoft PEAP with EAP-MSCHAP v2.

    Group policy for wired networks has PEAP User or computer authentication.

    I'm gathering it's the user or computer password? (with the client also verifying the NPS server certificate if that box is ticked)

    Thanks

    Wednesday, September 22, 2010 4:41 AM

Answers

  • Hi oztasdevil,

    Thanks for update.

    How about this :

    • Connection request policies: These are rules that are used to authenticate (prove identity) client computers on the network.
    • Network policies: These are rules that are used to authorize (assign access permissions) to client computers that have already authenticated.

    Hope that would help you.

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by oztasdevil Thursday, November 10, 2011 5:38 AM
    Tuesday, September 28, 2010 5:52 AM
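The split described in the answer above (connection request policy first, network policy only for a client whose identity is already proven), together with the earlier reply's point that the 802.1X switch hands the request to NPS as the RADIUS server, as an added Python model that is not Microsoft's code nor anything posted in this thread. The policy names, the EAP method sets and the assumption that a connection request policy's authentication override replaces the network policy's method list when one is set are my own for the illustration.

```python
# Added illustration (not Microsoft code): a toy model of the order in which
# NPS handles a wired 802.1X Access-Request.  Stage 1, the connection request
# policy (CRP), decides local processing vs. forwarding and, when its
# authentication override is set, which EAP method proves identity.  Stage 2,
# the network policy (NP), authorizes a client whose identity is already proven.
from dataclasses import dataclass, field

@dataclass
class AccessRequest:
    nas_port_type: str      # "Ethernet" when sent by an 802.1X-capable switch
    identity: str           # e.g. "host/pc1.corp.example" for computer auth
    eap_type: str           # EAP method negotiated with the supplicant
    groups: set = field(default_factory=set)

# First CRP whose condition matches wins.  eap_override=None means "use the
# network policy's authentication settings" (assumed non-NAP default here).
CONNECTION_REQUEST_POLICIES = [
    {"name": "NAP 802.1X (Wired)", "nas_port_type": "Ethernet",
     "process": "local", "eap_override": {"PEAP-MSCHAPv2"}},
    {"name": "Use Windows authentication for all users", "nas_port_type": None,
     "process": "local", "eap_override": None},
]

# First NP whose condition matches wins; an NP only ever sees authenticated clients.
NETWORK_POLICIES = [
    {"name": "Domain computers, full access", "group": "Domain Computers",
     "allowed_eap": {"EAP-TLS", "PEAP-MSCHAPv2"}, "access": "full"},
    {"name": "Deny everyone else", "group": None, "allowed_eap": set(),
     "access": "reject"},
]

def evaluate(req: AccessRequest) -> tuple:
    """Return (stage, result, policy name) for one Access-Request."""
    crp = next(p for p in CONNECTION_REQUEST_POLICIES
               if p["nas_port_type"] in (None, req.nas_port_type))
    if crp["process"] != "local":          # a proxy CRP would forward the request
        return ("crp", "forward", crp["name"])
    np_ = next(p for p in NETWORK_POLICIES
               if p["group"] is None or p["group"] in req.groups)
    if np_["access"] == "reject":
        return ("np", "reject", np_["name"])
    # Authentication: the CRP override, when present, replaces the NP's method
    # list; that is the behaviour this model assumes for the NAP wizard's CRP.
    allowed = crp["eap_override"] if crp["eap_override"] is not None else np_["allowed_eap"]
    if req.eap_type not in allowed:
        return ("auth", "reject", crp["name"] if crp["eap_override"] else np_["name"])
    return ("np", "accept", np_["name"])    # authorized; NP constraints would apply here
```

Running the model with a wired request, a non-wired request and an unknown identity shows the override making the CRP, rather than the network policy, the place where the EAP method is decided.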

All replies

  • Hi oztasdevil,

    Thanks for posting here.

    > Why does the authentication method have to be specified in the Connection request policy rather than in the network policy? The screen says "connection request policies allow you to designate whether connection requests are processed locally or forwarded to remote RADIUS servers".

    According to the authentication and authorization process of a wired 802.1X connection, an 802.1X-capable switch sends the connection request information to a RADIUS server first; the NPS server in your case acts as the RADIUS server, and the connection request policy on the NPS server is used to implement this authentication.

    > Using the default settings for 802.1x, exactly what is being used for the authentication?

    We recommend using the EAP-TLS, PEAP-TLS or PEAP-MS-CHAP v2 authentication methods for 802.1X Authenticated Wired Access.

    You might like to check the link below to get a better understanding of the authentication methods above:

    Certificate Requirements for PEAP and EAP

    http://technet.microsoft.com/en-us/library/cc731363.aspx

    For more information about 802.1X Authenticated Wired Access, please take time to read the articles below:

    IEEE 802.1X Wired Authentication

    http://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx

    802.1X Authenticated Wired Access

    http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx

    Blog of the Network Access Protection (NAP) team at Microsoft

    http://blogs.technet.com/b/nap/

    Hope that's helpful.

    Tiger Li

    Thursday, September 23, 2010 4:14 AM
  • Hi Tiger - thanks. I checked out the NPS logs; computer authentication is the default method.

    I realise 802.1x requires RADIUS and that in my case NPS is the RADIUS server. It's just that for everything other than NAP (including standard 802.1x wired authentication), the authentication is done in the network policy.

    I was wanting to know what is different about NAP that authentication needs to be in connection policy rather than the network policy. So part of this question then becomes what is the difference between the network and connection policies.

    Saturday, September 25, 2010 12:17 AM
  • Hi oztasdevil,

    Thanks for the update.

    Have you taken a look at the introduction to Connection Request Policies and Network Policies in the article below? I thought it might answer your question:

    Policies

    http://technet.microsoft.com/en-us/library/dd197532(WS.10).aspx

    Meanwhile, I'd like to suggest you take a look at the "802.1x" category in the Network Access Protection (NAP) blog on TechNet; there are many great articles which help you to plan, deploy and maintain an 802.1X system with NPS in your network.

    http://blogs.technet.com/b/nap/archive/tags/802-1x/

    Thanks.

    Tiger Li

    Monday, September 27, 2010 1:59 AM
  • Hi Tiger,

    I read the documents you mentioned; just like everything else, they only say that it needs to be done in the connection request policy, but not why.

    Perhaps I just need to accept and not question..... ;)

    Tuesday, September 28, 2010 4:57 AM