This posting is provided "AS IS" with no warranties, and confers no rights.
Scenario description: Recently I was working with a client who wanted to ensure that only authorized machines can connect to the corporate network. In other words, we needed to set up an environment where corporate workstations were authenticated prior to attaching to the internal switched network. Luckily, the client had 802.1x-capable Ethernet switches (CISCO Catalyst 3550), which made this task possible. This blog will take you through the steps of setting up a proof of concept environment. The purpose of this blog is not to outline the most optimal or secure configuration with respect to 802.1x, but rather to provide assistance in setting up the initial proof of concept environment where the security parameters appropriate for your organization may be tested and verified.
I assume in this blog that Certificate Server is already installed. If you need instructions on how to set up Microsoft Certificate Server, see the link below:
Set Up a Certification Authority
For the purposes of our scenario we will need to start issuing two additional certificate types:
RAS and IAS Server
Workstation Authentication
For detailed instructions on how to manage certificate templates see link below:
Certificate Templates How To...
The general recommendation is to create version 2 certificate templates, which supersede the above-mentioned templates. Version 2 templates provide a higher degree of customization and are easier to configure for autoenrollment. For instructions on how to duplicate version 1 templates as version 2 templates, see the link below:
Create new Certificate Templates
The instructions in this blog assume the default V1 templates were replaced with the corresponding V2 templates (I appended V2 to the names of the new templates to indicate their version). If you choose to use the V1 templates, the instructions below still apply; you only need to substitute the default V1 template names for the names used in this blog.
1. Open Certificate Authority Snap-in
2. Right-Click on

3. Select RAS and IAS Server and Workstation Authentication Templates from the list

4. Since we would like to take advantage of the certificate auto-enrollment capabilities of Active Directory, we need to modify the security settings on the Workstation Authentication Template to allow Domain Computers to auto-enroll for this type of certificate. This eliminates the need for manual certificate distribution to desktops. To do this, while still in the Certificate Authority Snap-in, right-click on the Certificate Templates node and select Manage. This opens the Certificate Templates Snap-in.
5. Once in the Certificate Templates Snap-in, select the Workstation Authentication Template, open its properties and switch to the Security tab. Set up the security so that Domain Computers have Read, Enroll and Autoenroll permissions for this template.

1. First we need to install the RAS and IAS Server certificate on the IAS server. While logged in as a Domain Admin on the IAS server, run mmc from the command line.

2. Be sure to select Computer account when adding the snap-in.

3. Expand the Personal folder, then right-click on Certificates and select Request a New Certificate.

4. Be sure to select the RAS and IAS Server template.

5. Provide a friendly name for the certificate and finish the wizard.

6. I assume that IAS is already installed; if you need instructions on installing IAS, follow the link below:
7. Open the IAS Snap-in, right-click on Internet Authentication Service and click on Register Server in Active Directory.

8. Next we need to create a RADIUS client that will represent our 802.1x-capable switch. Right-click on RADIUS Clients and specify the IP address of the management interface of the Catalyst switch and a friendly name.

9. Leave RADIUS Standard as the Client-Vendor and provide a shared secret. This shared secret is used to protect the RADIUS traffic between the IAS server and the Catalyst switch.
Make sure to use the same shared secret when configuring the RADIUS server settings on the Catalyst switch.
Click on Finish.

10. Switch to Remote Access Policies. You can delete the default policies, unless they are being used.
11. Right-click on Remote Access Policies and select New Remote Access Policy. Provide a name for the policy and choose the custom policy type.

12. Next we need to add the conditions that must be met in order for the client to gain access. As you can see, multiple conditions can be provided. For the purposes of this blog I add only one condition, which specifies that the request needs to come from the IP address of the Catalyst switch. Depending on the security requirements of your organization, you may specify additional conditions. Of course, the validity of the client's certificate will always be checked by the IAS server (see step 15).


13. Allow access if the conditions specified in the previous step are met. Click on Next.

14. Click on Edit Profile and switch to the Authentication tab.
15. Uncheck all authentication methods and click on EAP Methods (EAP allows for certificate-based authentication).

16. Click on Add to add a new EAP authentication type and select Smart Card or other certificate. Click OK.

17. Finish the wizard.
The whole idea of this exercise is to prevent workstations without a valid certificate from connecting to the corporate network. Of course, this implies that we need to distribute the appropriate certificates to the legitimate users/workstations. We can do this in a number of ways, but the most efficient one is through the autoenrollment process. See the link below on the configuration of autoenrollment:
Checklist: Configuring certificate autoenrollment
If you created V2 certificate templates and followed the instructions on setting up security on the templates, then you are almost ready for auto-enrollment. All you need to do is enable auto-enrollment in Active Directory Group Policy:
1. Open Active Directory Users and Computers Snap-in
2. Select the OU where you want to modify the computer policy in order to allow for auto-enrollment. In this blog we assume that the top-level domain policy will be modified. Open the properties of the OU and edit the associated group policy.
3. Navigate to Computer Configuration->Windows Settings->Security Settings->Public Key Policy and double-click on Autoenrollment Settings.
Enable autoenrollment.

1. If you did not use the certificate autoenrollment process, you have to manually request the Workstation Authentication certificate. The process of requesting this certificate is identical to the process we used to request the RAS and IAS Server certificate earlier in this blog. The only difference is that we need to request a Workstation Authentication certificate; see the picture below.

2. Under the Network Connections ensure that the IEEE 802.1x authentication is enabled (this is default on Windows XP).

Note: At the time of writing, steps 3-4 cannot be automated through the default Active Directory policy, and therefore need to be performed manually or scripted.
3. Click on Properties and select the root certificate of your internal Microsoft Certificate Server.

4. Controlling Computer and User Authentication with the AuthMode Registry Setting:
The following registry setting controls the computer and user authentication behavior on Windows XP and Windows 2003 Server:
AuthMode
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
Value Type: REG_DWORD
Valid Range: 0-2
Default Value: 0
Present by default: No
0 - Computer authentication mode
If computer authentication is successful, no user authentication is attempted. If user logon is successful before computer authentication, user authentication is performed. This is the default setting for Windows XP (prior to SP1).
1 - Computer authentication with re-authentication
If computer authentication completes successfully, a subsequent user logon results in a re-authentication with user credentials. This is the default setting for Windows XP SP1 and later and Windows 2003.
2 - Computer authentication only
When a user logs on, it has no effect on the connection. Only computer authentication is performed. This is the setting that was used during the configuration of this proof of concept environment.
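Since the note above says that steps 3-4 have to be performed manually or scripted, here is a PowerShell script (added as an example; it is not part of the original post) that sets the AuthMode value described above and reads it back to confirm it took effect. It assumes it is run with local administrator rights on the workstation being configured, and that the key path and the 0-2 value range are as documented above; the function names are my own.

```powershell
# Added example: set and verify the EAPOL AuthMode registry value (run elevated).
# Key path, value type and range are taken from the post; function names are assumptions.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

# Meaning of each valid AuthMode value, as described in the post
$AuthModeNames = @{
    0 = 'Computer authentication mode'
    1 = 'Computer authentication with re-authentication'
    2 = 'Computer authentication only'
}

function Get-EapolAuthMode {
    # Returns the effective mode. The value is not present by default, which means 0.
    $item = Get-ItemProperty -Path $KeyPath -Name 'AuthMode' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    $value = [int]$item.AuthMode
    if ($value -lt 0 -or $value -gt 2) { throw "AuthMode has an out-of-range value: $value" }
    return $value
}

function Set-EapolAuthMode {
    param([Parameter(Mandatory = $true)][ValidateRange(0, 2)][int]$Mode)
    # Create the key path if it does not exist yet, then write the REG_DWORD
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'AuthMode' -PropertyType DWord -Value $Mode -Force | Out-Null
    # Read back and confirm the value that is actually in effect
    $actual = Get-EapolAuthMode
    if ($actual -ne $Mode) { throw "AuthMode read back as $actual, expected $Mode" }
    return $actual
}

# Usage: the proof of concept in this post used mode 2 (computer authentication only)
$mode = Set-EapolAuthMode -Mode 2
Write-Host "AuthMode = $mode ($($AuthModeNames[$mode]))"
```

Because the value is absent by default, Get-EapolAuthMode reports 0 when the key or value is missing rather than failing, which matches the "Present by default: No" and "Default Value: 0" lines above; the read-back after the write is what tells you the setting really changed on a machine where Group Policy or another tool might overwrite it.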
You will have to reference the documentation provided by your switch vendor. In my case I followed the instructions from the link below:
Configuring IEEE 802.1x Port-Based Authentication
Important: If you follow the CISCO documentation, you will set the RADIUS port to 1612, but the Microsoft IAS server by default listens on 1812. Make sure to either change the port to 1612 on IAS or, when configuring the switch, set the port to 1812.

One thing that may be worth noting as well is that you don't have to enable the whole switch for 802.1x authentication; you can enable authentication on a port-by-port basis, which allows for an easier pilot implementation and migration.
1. Enable at least one port on the switch for 802.1x authentication.
2. Ensure that the client you are going to test has a valid Workstation Authentication certificate.
3. Validate that the test client can access network resources through the 802.1x protected port.
4. For troubleshooting, check the IAS log, located by default at C:\WINDOWS\system32\LogFiles.
5. You can also enable debugging on the Catalyst switch by issuing the debug radius command.
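To make step 4 concrete, here is an added PowerShell example (not from the original post) that reads IAS log lines and lists each accepted or rejected authentication with the RADIUS client it came from and the reason code. The sample lines are constructed for this example. It assumes IAS is logging in the database-compatible format, where the packet type is the 5th field, the client friendly name the 17th and the reason code the 26th; confirm the column order against your own log settings. The reason-code table is a deliberately partial one (0, 16, 48 and 66) and any other code is printed as a number for you to look up in the IAS documentation.

```powershell
# Added example: summarise IAS authentication outcomes from database-compatible log lines.
# Column positions and the reason-code text are assumptions to verify against your IAS settings.

# Constructed sample log: one accepted workstation (Catalyst3550) and one request
# from a second switch that matched no policy, plus an accounting record to be skipped.
$SampleLog = @'
"IAS01","IAS",01/15/2005,09:12:33,1,"host/ws01.corp.example","CORP\WS01$","00-11-22-33-44-55","00-0C-29-AA-BB-01",,,"switch1","10.0.0.2",3,0,"10.0.0.2","Catalyst3550",,,15,,,2,5,"802.1x Workstations",0
"IAS01","IAS",01/15/2005,09:12:33,2,"host/ws01.corp.example","CORP\WS01$",,,,,,,,,,"Catalyst3550",,,,,,,5,"802.1x Workstations",0
"IAS01","IAS",01/15/2005,09:12:40,4,"host/ws01.corp.example","CORP\WS01$",,,,,,,,,,"Catalyst3550",,,,,,,,,0
"IAS01","IAS",01/15/2005,09:15:02,1,"host/ws02.corp.example","CORP\WS02$","00-11-22-33-44-66","00-0C-29-AA-BB-02",,,"switch2","10.0.0.9",4,0,"10.0.0.9","Switch2",,,15,,,2,5,,48
"IAS01","IAS",01/15/2005,09:15:02,3,"host/ws02.corp.example","CORP\WS02$",,,,,,,,,,"Switch2",,,,,,,5,,48
'@ -split '\r?\n'

$PacketType = @{ 1 = 'Access-Request'; 2 = 'Access-Accept'; 3 = 'Access-Reject'; 4 = 'Accounting-Request' }
# Partial reason-code table (assumption); anything else is reported numerically
$ReasonText = @{ 0 = 'Success'; 16 = 'Authentication failed'; 48 = 'No remote access policy matched'; 66 = 'Authentication type not allowed by policy' }

function Split-IasFields {
    param([string]$Line)
    # Minimal CSV tokenizer: IAS quotes text fields, so a comma inside quotes is data, not a separator
    $fields = New-Object System.Collections.ArrayList
    $current = New-Object System.Text.StringBuilder
    $inQuotes = $false
    foreach ($ch in $Line.ToCharArray()) {
        if ($ch -eq '"') { $inQuotes = -not $inQuotes }
        elseif ($ch -eq ',' -and -not $inQuotes) {
            [void]$fields.Add($current.ToString())
            $current.Length = 0
        }
        else { [void]$current.Append($ch) }
    }
    [void]$fields.Add($current.ToString())
    return ,$fields.ToArray()
}

function Get-IasAuthResults {
    param([string[]]$Lines)
    $results = @()
    foreach ($line in $Lines) {
        if ([string]::IsNullOrEmpty($line.Trim())) { continue }
        $f = Split-IasFields -Line $line
        if ($f.Count -lt 26) { continue }            # malformed or truncated line
        $type = [int]$f[4]
        if ($type -ne 2 -and $type -ne 3) { continue } # only Accept/Reject carry the outcome
        $reason = -1
        if ($f[25] -ne '') { $reason = [int]$f[25] }
        $reasonDescription = "Reason code $reason (see IAS documentation)"
        if ($ReasonText.ContainsKey($reason)) { $reasonDescription = $ReasonText[$reason] }
        $results += New-Object PSObject -Property @{
            Time       = "$($f[2]) $($f[3])"
            User       = $f[5]
            Client     = $f[16]
            Outcome    = $PacketType[$type]
            ReasonCode = $reason
            Reason     = $reasonDescription
        }
    }
    return $results
}

# Usage on the constructed sample; for a real log replace $SampleLog with
# Get-Content 'C:\WINDOWS\system32\LogFiles\<your IAS log file>'
Get-IasAuthResults -Lines $SampleLog |
    Sort-Object Time |
    Format-Table Time, User, Client, Outcome, Reason -AutoSize
```

On the sample, the second switch's request shows up as an Access-Reject with "No remote access policy matched", which is exactly what the single policy condition from step 12 (request must come from the Catalyst's IP address) produces for a switch that is not a registered RADIUS client with a matching condition; filtering the output on Outcome -eq 'Access-Reject' is the quickest way to see why a pilot port is not letting a client through.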