802.1x Authentication Overview


Small business owners and homeowners who want a reliable, high-level security infrastructure for the USR2249 22 Mbps Wireless Access Point or the USR8022 22 Mbps Wireless Cable/DSL Router, used with Windows XP or 2000 clients and Windows 2000 Internet Authentication Service, should strongly consider deploying 802.1x. 802.1x is a data protection and user authentication technology that uses the Extensible Authentication Protocol – Tunneled Transport Layer Security (EAP-TTLS) protocol, which requires a password from the end user for authentication. The user's password is checked against an authentication database so that the login is performed securely. Once the user has logged in successfully, the password information is maintained and privately held in an encrypted format. This security design lets the IT administrator at the office or home provide safe, secure protection from would-be hackers (internal or otherwise) for each client computer or laptop. In addition, 802.1x is a useful tool for controlling user traffic to a protected network.

In a nutshell, how does 802.1x work?


Essentially, when an initial 802.1x communication begins with an unauthenticated supplicant on the client side (“client” meaning an employee’s computer or laptop, for example), the client device attempts to connect to an 802.11 authenticator (i.e., the 802.1x-capable USR2249 22 Mbps Wireless Access Point). The USR2249 22 Mbps Wireless Access Point responds by enabling a port that passes only Extensible Authentication Protocol (EAP) packets from the client to an authentication server located on the wired side of the USR2249 22 Mbps Wireless Access Point. The USR2249 22 Mbps Wireless Access Point blocks all other traffic, such as HTTP, DHCP, and POP3 packets, until it can verify the client's identity using a RADIUS server. Once the client is authenticated, the USR2249 22 Mbps Wireless Access Point opens the client's port for other types of traffic.
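The port behaviour just described, as an added example that is not code from this FAQ or from USRobotics: a small Python model of the authenticator relaying only EAP from an unauthenticated client and opening the controlled port once the RADIUS server answers Access-Accept. The frame types, MAC addresses, identities and the RADIUS decision table are constructed for illustration.

```python
# Added example, not code from the USRobotics FAQ: a small model of the
# port-based access control described above. Frame types, MAC addresses,
# identities and the RADIUS decision table are constructed for illustration.
ETHERTYPE_EAPOL = 0x888E   # EAP over LAN: the only traffic an unauthenticated port passes
ETHERTYPE_IPV4 = 0x0800    # HTTP, DHCP, POP3 and the rest ride on IP


class RadiusServer:
    """Stand-in for the Windows 2000 IAS box; returns RFC 2865 reply names."""

    def __init__(self, authorized_identities):
        self.authorized = set(authorized_identities)

    def access_request(self, identity):
        return "Access-Accept" if identity in self.authorized else "Access-Reject"


class Authenticator:
    """The access point: one controlled port per client, closed until accepted."""

    def __init__(self, radius):
        self.radius = radius
        self.open_ports = set()   # client MACs whose controlled port is open

    def forward(self, client_mac, ethertype, payload):
        """Return True if the frame is relayed to the wired side, else False."""
        if ethertype == ETHERTYPE_EAPOL:
            # The uncontrolled port always relays EAP so authentication can run;
            # in this model the payload is simply the identity the supplicant offered.
            self._handle_eap(client_mac, payload)
            return True
        # Everything else needs the controlled port for this client to be open.
        return client_mac in self.open_ports

    def _handle_eap(self, client_mac, identity):
        verdict = self.radius.access_request(identity)
        if verdict == "Access-Accept":
            self.open_ports.add(client_mac)
        else:
            self.open_ports.discard(client_mac)   # a failed attempt closes the port
        return verdict


if __name__ == "__main__":
    ap = Authenticator(RadiusServer({"alice@corp.example"}))
    mac = "00:c0:49:aa:bb:cc"
    print(ap.forward(mac, ETHERTYPE_IPV4, "HTTP GET /"))           # False: blocked
    print(ap.forward(mac, ETHERTYPE_EAPOL, "alice@corp.example"))  # True: EAP relayed
    print(ap.forward(mac, ETHERTYPE_IPV4, "HTTP GET /"))           # True: port open
```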

While this may sound tricky or marginally complicated, in fact, 802.1x is easy to implement and manage. Essentially a three-stage process – Scanning for Windows Update, Setting up the Server, and Configuring the Certificate Infrastructure – 802.1x delivers peak, seamless performance without sacrificing time and resources. Simply put, if you’re looking for the latest built-in security technology that doesn’t compromise your company’s growth or your family’s evolving computer needs, the solution is clear: 802.1x Authentication. The balance of this FAQ will cover the steps necessary to install 802.1x.

Note: These instructions are intended to serve as an overview and as such, assume a certain degree of IT acumen.

Note: In order to configure 802.1x for your USR2249 or your USR8022, you must have the latest firmware upgrade. Visit your corresponding product support page for the latest firmware.

Note: Windows XP Home users will need to upgrade to Windows XP in order to successfully

802.1x Authentication: Scanning for Updates


This first stage, Scanning for Updates, is necessary. In order to successfully run and execute 802.1x, you must update each client computer to Windows 2000 Service Pack 4 (SP4). Follow the instructions below to scan your system for necessary updates:

Note: Depending on the number of updates needed, this may take a while. In addition, you should consider performing an Update Scan as a regular exercise on a weekly or monthly basis. This will better ensure you have the latest service pack components and thus allow your 802.1x authentication to perform as smoothly as possible.

  1. Open a Web browser and type http://windowsupdate.microsoft.com
  2. Follow the on-screen instructions to complete the update scan. A list of all necessary updates will appear. Update accordingly.
  3. Once you’ve successfully installed all necessary updates, run another update to verify you – in fact – have all service components installed. Failure to update all required service pack attributes will result in failed 802.1x certificate authentication.

802.1x Authentication: Setting up the Server


Installing the Windows 2000 Domain Controller

  1. Run dcpromo.exe from the command prompt.

  2. Follow all of the default prompts, making certain to ensure that DNS is installed and enabled during installation.

Installing the required services

  1. Go to the Control Panel and select the Add/Remove Programs applet.

  2. Select Add/Remove Windows Components.

  3. Ensure that the following options are selected:

    • Certificate Services (this will warn you that the computer cannot be renamed and cannot join or leave a domain after Certificate Services is installed; select Yes).

    • From the Internet Information Services (IIS) category, select World Wide Web Server.

    • From the Networking Services category, select Dynamic Host Configuration Protocol (DHCP) and Internet Authentication Service (DNS should already be selected and installed).

  4. Select Next.

  5. Select the default Enterprise root CA option and select Next.

  6. Enter the appropriate information to identify your Certificate Authority and select Next.

  7. Select Next.

  8. Select OK and click Finish.

Configuring the DHCP server.

  1. Click Start, select Programs, Administrative Tools, and DHCP.

  2. Right-click your server and select New Scope.

  3. Click Next when the New Scope Wizard begins.

  4. Enter a practical name for the scope and its description, and select Next.

  5. Define the IP address range that you want DHCP to assign to your clients. Change the subnet mask as necessary for your IP subnet. Select Next.

  6. To add exclusions (optional) from the address range you've specified, do so now. Otherwise, select Next.

  7. Set the DHCP lease (the default is 8 days) to whatever works for your particular situation. When ready, select Next.

  8. Because it is much easier to set the DHCP options here, select Yes, I want to configure these options now and select Next.

  9. Enter the router for your subnet, or if this is for a local network only, leave it blank. Select Next.

  10. For the Parent Domain, enter the domain you entered during Domain Controller setup, and enter that server's address in the IP address field. Click Next.

  11. Click Next.

  12. Select Yes, I want to activate this scope now, click Next, then Finish.

  13. Right-click the server once again and select Authorize.

Setting up the Certificate Authority

  1. Click Start, select Programs, Administrative Tools, and Certification Authority.

  2. Right-click Policy Settings. Select New and Certificate to Issue.

  3. Select Authenticated Session and Smartcard Logon (select more than one by holding down the Ctrl key), and select OK.

  4. Click Start, select Programs, Administrative Tools, and Active Directory Users and Computers.

  5. Right-click the Active Directory domain and select Properties.

  6. Select the Group Policy tab, make sure the Default Domain Policy is highlighted, and click Edit.

  7. Under Computer Configuration, select Windows Settings, Security Settings, and Public Key Policies. Right-click Automatic Certificate Request Settings, select New, and Automatic Certificate Request.

  8. When the Certificate Request Wizard appears, select Next. Select the Computer certificate template and click Next.

  9. Ensure that your certificate authority is checked and click Next. Review the policy change information and click Finish.

  10. Open a command prompt (select Start, Run, type cmd and press Enter). Type secedit /refreshpolicy machine_policy and press Enter. This may take a few minutes.

Setting up the Radius Internet Authentication Service

  1. Click Start, select Programs, Administrative Tools, Internet Authentication Service.

  2. Right-click Clients and select New Client.

  3. Assign a name for your USR2249 Access Point and click Next.

  4. Enter the IP address of your USR2249 Access Point and set a shared secret. Select Finish.

  5. Right-Click Remote Access Policies and select New Remote Access Policy.

  6. Name the policy eap-tls and select Next.

  7. Click Add... Even if you do not intend to set any restrictions for using eap-tls to access the network, a condition is still required. For this reason, select Day-And-Time-Restrictions and click Add....

  8. Click Permitted and click OK. Select Next.

  9. Select Grant remote access permission and click Next.

  10. Click Edit Profile... and select the Authentication tab. Make sure Extensible Authentication Protocol is selected and Smart Card or other Certificate is set. Deselect any other authentication methods listed. Click OK.

  11. Windows will ask if you wish to view the Help topic for EAP. Select No to proceed with the installation. Click Finish.
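The shared secret entered in step 4 above is what lets the access point trust the RADIUS server's reply. As an added example that is not code from this FAQ or from USRobotics, the following Python computes and checks the RFC 2865 Response Authenticator, MD5(Code | ID | Length | RequestAuth | Attributes | Secret), that the USR2249 would verify before honouring an Access-Accept; the secret, identifiers and packet bytes are constructed for illustration.

```python
# Added example, not code from the USRobotics FAQ: the check an access point
# performs on a RADIUS reply using the shared secret configured in IAS.
# RFC 2865 defines the Response Authenticator as
# MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
# The secret, identifiers and packet bytes below are constructed for illustration.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2    # RFC 2865 packet codes
ACCESS_REJECT = 3
HEADER_LEN = 20      # code(1) + id(1) + length(2) + authenticator(16)


def build_response(code, ident, attributes, request_auth, secret):
    """Build a RADIUS reply as the IAS server would, bound to the request's authenticator."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes


def verify_response(packet, request_auth, secret):
    """Return True only if the reply was built with the same shared secret for
    the same outstanding request and was not altered in transit."""
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    received = packet[4:HEADER_LEN]
    attributes = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    return hmac.compare_digest(received, expected)   # constant-time compare


# Constructed sample: an Access-Accept carrying an EAP-Message (type 79)
# attribute whose value is an EAP-Success packet (code 3, id 1, length 4).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))       # a real Request Authenticator is 16 random bytes
EAP_SUCCESS_ATTR = bytes([79, 6, 3, 1, 0, 4])
ACCEPT = build_response(ACCESS_ACCEPT, 1, EAP_SUCCESS_ATTR, REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    print(verify_response(ACCEPT, REQUEST_AUTH, SECRET))            # True
    print(verify_response(ACCEPT, REQUEST_AUTH, b"wrong-secret"))   # False
    reject = build_response(ACCESS_REJECT, 1, b"", REQUEST_AUTH, SECRET)
    forged = bytes([ACCESS_ACCEPT]) + reject[1:]                    # flip Reject to Accept
    print(verify_response(forged, REQUEST_AUTH, SECRET))            # False
```

A mismatched secret, a reply bound to a different request, or a tampered code all fail the check, which is why the secret on the USR2249 must match the one entered in IAS.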

Enabling the Remote Access Login for Users

  1. Click Start, select Programs, Administrative Tools, and Active Directory Users and Computers.

  2. Double-click the user for authentication application purposes. The user's account properties will appear.

  3. Select the Dial-in tab and select Allow access. Click OK.


The setup of the Authentication Server is complete. Proceed to the setup of your client certificate infrastructure.



802.1x Authentication: Configuring the Certificate Infrastructure


Getting the Client Certificate

  1. Connect the client to a network that doesn't require port authentication.

  2. Open Microsoft Explorer in Windows XP, and go to http://the name of your server here/certsrv

  3. Authenticate to the server using the account created at the end of the server setup.

  4. Ensure that Request a certificate is selected and click Next.

  5. Ensure that User certificate request: User Certificate is selected and click Next.

  6. Click Submit.

  7. Click Install this certificate.

  8. A certificate confirmation message will appear. Click Yes.

Enable 802.1x authentication for wireless card

  1. Open the properties for your wireless connection, either by

    • Right-clicking My Network Places from the desktop, selecting Properties, or

    • Opening the Control Panel, selecting Network Connections (located under Network and Internet Connections if in Category View)

  2. Right-click Wireless Network Connection and select Properties.

  3. Select the Authentication Tab, and ensure that Enable network access control using IEEE 802.1X is selected, and Smart Card or other Certificate is selected from the EAP type.

Enabling the Encryption (Optional)

  1. Encryption is enabled for each specific wireless network to which you connect. To enable encryption for a wireless network, click the Wireless Networks tab.

  • Select the wireless network to enable dynamic WEP from under Available Networks. Select Configure.

  • Select Data encryption (WEP enabled) and ensure The key is provided for me automatically is also selected.
