Discovering the Advanced Client Settings of 802.1X
Connecting to networks utilizing 802.1X authentication is pretty straightforward, especially when using it with PEAP. You just enter a username and password. However, there are many advanced settings you can manually configure, many dealing with wireless security and performance. Here I’ll show and discuss those settings found within the Windows GUI.
Although there have been many changes to network-related features and the GUI over the past couple of Windows releases, those discussed here remain nearly identical from Windows XP all the way to Windows 10. Exactly how to navigate to them via the GUI, however, does vary.
In Windows XP, Vista, and 7, you can open the properties of a wireless connection by simply right-clicking the network from the list of available wireless networks. In Windows 8, 8.1, and 10, you can open the Network and Sharing Center by right-clicking the network icon in the system tray. Next you click the network connection link, which brings up the connection properties, click the Wireless Properties button, and then select the Security tab. If you’re using 802.1X authentication on a wired network, you’d select the Authentication tab.
The Security tab of a Wireless Network’s Properties.
Or if you’re a command enthusiast, run ncpa.cpl to open the Network Connections window, where you can double-click on the desired wireless connection and then click the Wireless Properties button.
The PEAP Properties, accessible by clicking the Settings button on the Wireless Network’s Properties.
First we’ll look at the PEAP settings. With Microsoft Protected EAP (PEAP) selected as the authentication method, click the Settings button. Here are the settings you’ll see on the next dialog box:
- Validate server certificate: When enabled, the client authenticates the RADIUS server before it proceeds with its own authentication to the server. This helps ensure you’re connected to the correct server and not a fake one, such as a rogue server used in a man-in-the-middle attack. The server is authenticated based upon the next two settings.
- Connect to these servers: This is where you’d specify the RADIUS server’s IP or domain address(es), so the client only communicates with those. Connecting to any other RADIUS servers would cause the server validation to fail and user authentication to not be performed. If multiple servers are available, separate each server address with a semicolon. For example, auth1.yourdomain.com; auth2.yourdomain.com.
- Trusted Root Certificate Authorities: This is where you’d select the Certificate Authority (CA) that issued the RADIUS server’s certificate. If you purchased an SSL certificate from a major CA (like Verisign or GoDaddy), Windows should already have that CA installed and listed. However, if you created your own self-signed certificate for the RADIUS server, you first have to import the CA certificate into the Trusted Root Certification Authorities store of Windows.
- Do not prompt user to authorize new servers or trusted certification authorities: When enabled, this prevents users from accepting new or untrusted RADIUS servers, or servers that don’t match the criteria you specified above. When disabled, users are prompted during server validation to accept or reject any RADIUS server that isn’t using a CA you specified or isn’t at an address you entered. Administrators might understand the prompt, but typical users might just accept the RADIUS server, possibly connecting themselves to a phony server and network that is trying to intercept and crack their 802.1X login credentials via a man-in-the-middle attack. Once a new or changed RADIUS server certificate is accepted via the prompt or alert, the specified RADIUS server address(es) and the chosen CA certificate are overwritten with the new or changed details. Therefore, you should enable this option so that unknown servers are automatically rejected, to be on the safe side.
- Enable Fast Reconnect: This enables Fast Reconnect (also called EAP Session Resumption), which caches the TLS session from the initial connection and uses it to simplify and shorten the TLS handshake process for re-authentication attempts. The end result is that clients can reconnect to the network more quickly, making roaming more seamless, which is especially useful for latency-sensitive applications. This is usually enabled by default when a client connects to an 802.1X network for the first time, but if you manually push network settings to domain clients you should consider enabling Fast Reconnect.
- Enforce Network Access Protection (or Enable Quarantine checks): If Network Access Protection (NAP) is configured on the network, this requires the client to meet the specified health requirements before it is granted access.
- Disconnect if server does not present cryptobinding TLV: When enabled, this ensures the cryptobinding TLV is used, which helps increase the security of the TLS tunnel in PEAP. It cryptographically ties the inner method and the outer method authentications together so that an attacker cannot splice the two in a man-in-the-middle attack.
- Enable Identity Privacy: During 802.1X authentication, the identity of the client (which is the username for PEAP) is first sent to the RADIUS server in clear text, for any routing purposes the server may use. However, this outer identity typically isn’t needed and can be set to any value, which helps protect the real identity of the client from eavesdroppers. Thus, if you enable this, whatever is in the field to the right will be sent during the first identity exchange. If a domain is used during the authentication, it will still be appended here as well. So if you enter anonymous, the first identity passed will be anonymous@ followed by your domain. Keep in mind that the real identity is always sent the second time during the authentication, which then takes place inside the encrypted tunnel.
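As an added example, not part of the original article, here is a PowerShell check that audits an exported Windows wireless profile for the PEAP settings discussed above, so you can confirm that profiles pushed to domain clients really pin the RADIUS server, the CA and the cryptobinding requirement. It assumes the profile was exported with `netsh wlan export profile`, and that the XML element names match those produced by Windows 7 and later exports (confirm against your own export); `Test-PeapProfile` and its sample path are hypothetical names chosen for this example.

```powershell
# Added example: audit an exported WLAN profile for the PEAP hardening settings.
# Export first, e.g.:  netsh wlan export profile name="CorpWiFi" folder="C:\Temp"
# (the export is written as C:\Temp\Wi-Fi-CorpWiFi.xml; the interface name prefix may differ).
function Test-PeapProfile {
    param([Parameter(Mandatory = $true)][string]$ProfilePath)

    [xml]$xml = Get-Content -Path $ProfilePath -Raw
    # PowerShell dot-notation ignores XML namespaces, so the nested config can be walked directly.
    $hostCfg = $xml.WLANProfile.MSM.security.OneX.EAPConfig.EapHostConfig
    if (-not $hostCfg) { throw "No 802.1X EAP configuration found in $ProfilePath" }
    if ($hostCfg.EapMethod.Type -ne '25') {
        Write-Warning 'Outer EAP method is not PEAP (type 25); the checks below assume PEAP.'
    }
    $peap = $hostCfg.Config.Eap.EapType
    $sv   = $peap.ServerValidation
    $findings = @()

    # "Validate server certificate" (PerformServerValidation lives under PeapExtensions).
    if ($peap.PeapExtensions.PerformServerValidation -ne 'true') {
        $findings += 'Validate server certificate is OFF: the RADIUS server is never authenticated.'
    }
    # "Connect to these servers": semicolon-separated names, empty means any server is accepted.
    if ([string]::IsNullOrWhiteSpace($sv.ServerNames)) {
        $findings += 'No RADIUS server names pinned (Connect to these servers is empty).'
    }
    # "Trusted Root Certificate Authorities": stored as the CA certificate thumbprint.
    if ([string]::IsNullOrWhiteSpace($sv.TrustedRootCA)) {
        $findings += 'No trusted root CA selected: any CA in the local store would be accepted.'
    }
    # "Do not prompt user to authorize new servers or trusted CAs".
    if ($sv.DisableUserPromptForServerValidation -ne 'true') {
        $findings += 'Users can be prompted to accept unknown RADIUS servers (prompt not disabled).'
    }
    # "Disconnect if server does not present cryptobinding TLV".
    if ($peap.RequireCryptoBinding -ne 'true') {
        $findings += 'Cryptobinding TLV is not required.'
    }
    # Informational: Fast Reconnect state, for profiles pushed to domain clients.
    if ($peap.FastReconnect -ne 'true') {
        $findings += 'Fast Reconnect is disabled (performance, not security).'
    }
    return $findings
}

# Example run against a hypothetical export path.
$result = Test-PeapProfile -ProfilePath 'C:\Temp\Wi-Fi-CorpWiFi.xml'
if ($result.Count -eq 0) { 'Profile passes all PEAP checks.' } else { $result | ForEach-Object { "FINDING: $_" } }
```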
In Windows 7 and later, there are more advanced 802.1X settings on another dialog box as well. From the network connection properties window, you’d click the Advanced Settings button near the bottom.
The Advanced 802.1X settings, accessible by clicking the Advanced Settings button near the bottom of the Wireless Network’s Properties.
On the 802.1X Settings tab, you can choose which type of authentication to perform (user, computer, or guest) and can remove the saved password. You can also enable and configure single sign-on for the network. If the PC and network are set up properly, using this feature eliminates the need for the user to enter separate login credentials for Windows and the 802.1X network. The Windows username and password are used during the 802.1X authentication, saving time and effort for the user and simplifying credential management for the admins.
802.11 Settings tab on the Advanced Settings dialog, present only if WPA2 is utilized.
When the WPA2 security method is enabled for the wireless network (versus just WPA), there’s also an 802.11 Settings tab where you find the Fast Roaming settings. Pairwise Master Key (PMK) Caching is usually enabled by default and allows clients to perform a partial authentication process when roaming back to the AP where the client originally performed the full authentication. When the pre-authentication feature is enabled (which it is not by default), the PMK Caching technique can be used for all APs and not just the original AP, provided the network supports it. This makes the roaming process even more seamless.