Archive

Archive for May, 2010

802.1x Wired Authentication

May 18th, 2010

The company I work for has an office in shared space in a county building.  Previously they had been using VPN client software to connect back to our main office to access our main application.  They shared this internet connection with the rest of the building, and it was very slow.  We were able to convince the IT Dept to allow us to bring in our own internet access and our own equipment.

The goal was to provide a secure connection back to our main site instead of having several VPN connections.  We purchased a Sonicwall TZ210, a Dell switch, and a server for the location.

Since it is a shared office space, we needed to be sure that only our equipment would have access to the network we set up.  I found several documents on 802.1x configuration for wired networks and decided that this would be our best bet.

I configured the Windows XP SP3 clients with Wired Authentication.  These clients, when connected to the switch, ask to be authenticated.  The switch takes the requests and, using RADIUS, passes them to the server.  If the machine or user is part of our AD domain, they will be granted access on our network.

I installed Windows Server 2008 R2 Standard to act as the RADIUS server.  I had to install Certificate Services, Active Directory Services, and Network Policy and Access Services in order for this to work.

I created a Connection Request Policy to accept RADIUS requests from the switch.  The server was also configured to accept PEAP and EAP-MSCHAPv2 requests for network access.  The Network Access Policy I created allowed any Domain User or Domain Computer to be granted access.

For PEAP to work, there needs to be a RAS certificate issued by a Certificate Authority.  This was throwing me for a loop for a while until I got it to work.  Since we didn't have a Certificate Authority, I installed the role as a stand-alone server.

The switch was very easy to configure.  Under management I had to specify our RADIUS server and under Port Based Authentication I specified to use RADIUS to authenticate.  I then set the node ports to Auto, which sets the state of either Authorized or Denied based on the RADIUS response from the server.

On the switch I also had to set the ports to Multi-Host.  We had a few weird issues on a couple of PCs, and that fixed the problem.

The nodes were even easier to configure.  The Wired AutoConfig service needed to be started and set to Automatic.  Then, in the network properties for the LAN adapter, I set PEAP to not validate the server certificate.  This was because we used self-signed certificates.
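The switch-to-server leg described above (switch forwards the client's EAP frame to the RADIUS server, the server answers Accept or Reject, the port goes Authorized or Denied) is easy to see in code. The following is an added example, not part of the original post and not the Dell or Microsoft implementation: a minimal RADIUS framing in pure Python (RFC 2865 packet layout, RFC 3579 EAP-Message and Message-Authenticator attributes). The shared secrets, the account list standing in for the "Domain Users / Domain Computers" policy, the usernames and the port numbers are all constructed for illustration.

```python
"""Added example: the RADIUS leg of 802.1X between a switch (authenticator)
and an NPS-style RADIUS server. RFC 2865 framing, RFC 3579 EAP attributes.
Secrets, account names and port numbers are constructed, not real."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_PORT, NAS_PORT_TYPE = 1, 5, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_ETHERNET = 15
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator

# Constructed stand-in for the "any Domain User or Domain Computer" policy.
DOMAIN_MEMBERS = {"CORP\\alice", "host/pc-07.corp.example"}


def encode_attrs(attrs):
    """Serialize [(type, value), ...] as RADIUS TLVs (values up to 253 bytes)."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs into [(type, value, offset_of_value_in_data), ...]."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + l], i + 2))
        i += l
    return attrs


def build_access_request(secret, ident, username, eap_frame, nas_port, req_auth):
    """Switch side: wrap the supplicant's EAP frame in an Access-Request.
    Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed);
    it is what lets the server reject requests from an unknown switch."""
    body = encode_attrs([
        (USER_NAME, username.encode()),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET)),
        (EAP_MESSAGE, eap_frame),
        (MESSAGE_AUTHENTICATOR, bytes(16)),  # placeholder, filled in below
    ])
    pkt = HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + len(body), req_auth) + body
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def verify_access_request(secret, pkt):
    """Server side: check framing and Message-Authenticator, return (ident, req_auth, attrs)."""
    code, ident, length, req_auth = HEADER.unpack_from(pkt)
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("bad code or length")
    attrs = decode_attrs(pkt[HEADER.size:])
    macs = [(v, off) for t, v, off in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1:
        raise ValueError("EAP request must carry exactly one Message-Authenticator")
    mac, off = macs[0]
    off += HEADER.size
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac):
        raise ValueError("Message-Authenticator mismatch (wrong secret or tampering)")
    return ident, req_auth, attrs


def build_response(secret, code, ident, req_auth, attrs=()):
    """Server side: Response Authenticator = MD5(code|id|len|RequestAuth|attrs|secret)."""
    body = encode_attrs(list(attrs))
    head = struct.pack("!BBH", code, ident, HEADER.size + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body


def verify_response(secret, pkt, req_auth):
    """Switch side: bind the reply to our own request and secret, return its code."""
    code, ident, length, resp_auth = HEADER.unpack_from(pkt)
    body = pkt[HEADER.size:]
    head = struct.pack("!BBH", code, ident, length)
    expected = hashlib.md5(head + req_auth + body + secret).digest()
    if length != len(pkt) or not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch (reply not from our server)")
    return code


def port_state(username, switch_secret, server_secret, tamper=False):
    """One authentication round; returns the state the switch would set on the port."""
    identity = username.encode()
    # Constructed EAP-Response/Identity: code 2, id 1, length, type 1, identity.
    eap = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity
    req_auth = os.urandom(16)
    req = build_access_request(switch_secret, 0x2A, username, eap, 3, req_auth)
    if tamper:  # flip one bit of User-Name in transit; the MAC must catch it
        i = HEADER.size + 2
        req = req[:i] + bytes([req[i] ^ 0x01]) + req[i + 1:]
    try:
        ident, srv_req_auth, attrs = verify_access_request(server_secret, req)
    except ValueError:
        return "Denied (request dropped by server)"
    name = next(v.decode() for t, v, _ in attrs if t == USER_NAME)
    code = ACCESS_ACCEPT if name in DOMAIN_MEMBERS else ACCESS_REJECT
    reply = build_response(server_secret, code, ident, srv_req_auth)
    try:
        return "Authorized" if verify_response(switch_secret, reply, req_auth) == ACCESS_ACCEPT else "Denied"
    except ValueError:
        return "Denied (reply not trusted)"
```

Calling `port_state("CORP\\alice", b"s3cret", b"s3cret")` returns `Authorized`, a non-member gets `Denied`, and a mismatched secret or a modified packet is dropped at the server. Note what the shared secret does and does not cover: it authenticates the switch to the server and the reply to the switch, but the client's only assurance that it is talking to the right RADIUS server comes from the PEAP server certificate. Turning off certificate validation on the clients, as done above for the self-signed setup, means a client will complete PEAP with any server that presents a certificate; the usual fix is to import the CA's root certificate into the clients' Trusted Root store and leave validation enabled.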

After all this was done, everything worked quite well.  The staff were also very pleased with the improvements we had made!

Security

Symantec and PGP

May 4th, 2010

Well, it looks like Symantec bought PGP and Guardian Edge, two very popular encryption suites.  As a user of PGP's products, I am very worried about what will happen to the functionality of the product, but also to the brand as well.

PGP has a long history of turmoil.  I fear that Symantec will treat PGP like they did Backup Exec: make it huge and bloated.

While many say that they plan on taking Guardian Edge's products and putting them under PGP's management structure, I will wait to see what comes of this.

I'm sure licensing costs are about to go up as well.

Cryptography, Security