Tips and Tricks for Using 802.1X in Windows: Page 2
Securely set 802.1X settings to prevent man-in-the-middle attacks; get a review of the new advanced settings for 802.1X in Windows 7; and learn tips for enabling 802.1X for wired networks and for removing cached login credentials.
Utilizing the new 802.1X settings in Windows 7
Microsoft introduced advanced settings for 802.1X in the Group Policy settings of Windows Vista. In Windows 7, however, they've moved most of those settings to the GUI. The Security tab on the Wireless Network Properties dialog (see Figure 1) and the Authentication tab on the Local Area Connection Properties dialog (see Figure 2) now have an Advanced Settings button. This brings up the 802.1X Advanced Settings dialog, as Figure 4 shows.
The first section lets you specify the authentication mode and login credentials. You can select User, Computer, or Guest authentication. If you aren't sure which one to choose or the network supports both, you can select the User or Computer option. If using User authentication, you can click the Save Credentials button to input the username and password. On the flip side, you can remove saved credentials by marking the checkbox.
The second section of the dialog is where you can enable and configure single sign-on for the network. If the system and network are set up properly, using this feature eliminates the need to provide separate login credentials. Instead of having to input a username and password during the 802.1X authentication, it uses the Windows account credentials. Single sign-on (SSO) features save time for both users and administrators and help to create an overall more secure network.
Enabling 802.1X for wired networks
Though 802.1X was primarily developed for Wi-Fi authentication, it can also be useful on the wired side if your switches and network support it. However, 802.1X isn't automatically enabled for wired connections in Windows XP SP3, Vista, and 7. You must manually enable the Wired AutoConfig service in these Windows versions. This is the service that manages port-based authentication on Ethernet interfaces.
Here’s how to enable the Wired AutoConfig service:
1. Type services.msc into the Run prompt of XP or the start menu search field of Windows Vista or 7.
2. Find and double-click the Wired AutoConfig service.
3. Click the Start button.
4. To make it automatically start at boot, choose Automatic for the Start Type option.
Now you'll find the Authentication tab on the Properties dialog for wired network connections, as Figure 2 showed.
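The same steps can be scripted and verified, which helps when many machines need the service. The following is an added example, not part of the original article; it assumes an elevated Windows PowerShell prompt on Windows Vista or 7 and uses dot3svc, the service name behind the Wired AutoConfig display name.

```powershell
# Added example: enable and verify the Wired AutoConfig service (dot3svc).
# Assumes an elevated Windows PowerShell prompt on Windows Vista or 7.
$ServiceName = 'dot3svc'

function Get-WiredAutoConfigState {
    # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State (Running/Stopped).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service $ServiceName not found on this system." }
    New-Object PSObject -Property @{
        Name      = $svc.Name
        StartMode = $svc.StartMode
        State     = $svc.State
    }
}

function Enable-WiredAutoConfig {
    $before = Get-WiredAutoConfigState

    # Set the startup type first: a Disabled service cannot be started.
    if ($before.StartMode -ne 'Auto') {
        Set-Service -Name $ServiceName -StartupType Automatic
    }
    if ($before.State -ne 'Running') {
        Start-Service -Name $ServiceName
    }

    # Re-query so the caller sees the resulting state, not the requested one.
    Get-WiredAutoConfigState
}

$after = Enable-WiredAutoConfig
"{0}: StartMode={1}, State={2}" -f $after.Name, $after.StartMode, $after.State

# With the service running, netsh can list the wired interfaces it manages
# and any wired 802.1X profiles applied to them.
netsh lan show interfaces
netsh lan show profiles
```

A StartMode of Auto and a State of Running correspond to steps 3 and 4 above.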
Removing the cached login credentials
By default, Windows XP saves the username and password you use for 802.1X authentication so you don't have to enter them every time you connect to the network. However, this isn't the most secure scenario. It's also a problem when multiple people use the same computer and each has their own 802.1X credentials.
To remove the cached login credentials in XP, you must (carefully) modify the Windows Registry by deleting the following key:
You can also delete the saved 802.1X login credentials in Windows Vista and 7. Fortunately, it doesn't take a Registry edit. You just have to deselect a checkbox on the Properties dialog of the Network Connection. In Vista, it's the "Cache user information for subsequent connections" option, and in Windows 7 it's the "Remember my credentials for this connection each time I'm logged on" option, as you saw in Figures 1 and 2.