Tips and Tricks for Using 802.1X in Windows
Securely set 802.1X settings to prevent man-in-the-middle attacks; get a review of the new advanced settings for 802.1X in Windows 7; and learn tips for enabling 802.1X for wired networks and for removing cached login credentials.
Does your network use the 802.1X port-based access method for authentication on the wired and/or wireless side? If so, you know it takes a bit more than just plugging into an Ethernet port or entering an encryption key to connect to the network. On each client, you must configure the smart card, certificate, or PEAP settings, usually in addition to settings for IPsec or WPA/WP2 encryption.
In this tutorial, we’ll first see how to securely set the 802.1X settings to prevent man-in-the-middle attacks. Then we’ll review the new advanced settings for 802.1X in Windows 7. Plus we’ll review two other tips: enabling 802.1X for wired networks and removing cached login credentials.
Securing your 802.1X settings
One potential way for a hacker to capture a client’s network credentials and/or access to the client is to pose as an authentication server. If the client’s 802.1X settings for the server-side of the authentication are lenient, the client could potentially “trust” the bogus authentication server. However, there are a few features that you can take advantage of to help prevent this type of attack.
The settings we’re going to talk about are the main Smart Card, Certificate, or PEAP settings. To bring these up for a wireless network, open its profile or properties dialog, select the Security tab (see Figure 1, above), and click the Settings button for the desired authentication method. For a wired network, go to the network connection properties, select the Authentication tab (see Figure 2, below), and click the Settings button for the desired authentication method.
Figure 3 (below) shows an example of the PEAP settings.
First, make sure the client authenticates the server before letting the server authenticate it. To do this, mark the first checkbox, Validate server certificate. Then select the Certificate Authority (CA) that the server’s certificate uses from the list box. If you purchased an SSL certificate, Windows should have the CA loaded already. However, if you created your own self-signed certificate for the authentication server, you have to import the CA certificate into the Trusted Root Certification Authorities store of Windows.
Second, specify the addresses for the network’s authentication server(s), so the client will only communicate with those listed. Mark the second checkbox, Connect to these servers, and enter the domain(s) separating each server name with a semicolon. For example, auth1.yourdomain.com; auth2.yourdomain.com.
Third, prevent users from accepting new or untrusted servers. Normally, users are prompted to accept or reject authentication servers that aren’t using a CA you specify or aren’t from an address you’ve inputted. This might be fine for administrators, but regular users might be confused and unknowingly accept a connection to a phony server and network. Therefore, you should mark the Do not prompt user to authorize new servers or trusted certification authorities option to automatically reject these “unknown” servers.