Ethernet Switch Ethernet Routing Switch Engineering > Wired PEAP Machine Authentication for ERS and ES Technical Configuration Guide Enterprise Solutions Engineering Document Date: January 31, 2008 Document Number: NN48500-547 Document Version: 1.0 Wired PEAP Machine Authentication for ERS and ES TCG v1.0 NN48500-546 Nortel is a recognized leader in delivering communications capabilities that enhance the human experience, ignite and power global commerce, and secure and protect the world’s most critical information. Serving both service provider and enterprise customers, Nortel delivers innovative technology solutions encompassing end-to-end broadband, Voice over IP, multimedia services and applications, and wireless broadband designed to help people solve the world’s greatest challenges. Nortel does business in more than 150 countries. For more information, visit Nortel on the Web at www.nortel.com. Copyright © 2008 Nortel Networks. All Rights Reserved. While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice. Nortel Networks, the Nortel Networks logo and the Globemark are trademarks of Nortel Networks. ___________________________________________________________________________________________________________________________ Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved. EXTERNAL DISTRIBUTION 1 Wired PEAP Machine Authentication for ERS and ES TCG v1.0 NN48500-546 Abstract: The document provides an overview on how to configure Wired PEAP computer and user authentication on Nortel Ethernet Switches in a Microsoft environment. This document demonstrates configuring the Microsoft Internet Authentication Service on a Windows 2003 server, the Microsoft Windows XP 802.1X supplicant and the Nortel Ethernet Switch. This document does not address Certificate Services or Active Directory as this is well documented on Microsoft’s web site. Revision Control: No Date Version Revised by Remarks 1 Apr 30th 2007 1.0 Brad Black Final Version for Release 2 Nov 14th 2007 2.0 Kevin Marshall Revised and reformatted. Acknowledgements: ___________________________________________________________________________________________________________________________ Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved. EXTERNAL DISTRIBUTION 2 Wired PEAP Machine Authentication for ERS and ES TCG v1.0 NN48500-546 Table of Contents: DOCUMENT UPDATES:................................................................................................................. 4 CONVENTIONS: ............................................................................................................................. 4 1. OVERVIEW:............................................................................................................................. 5 1.1 WHAT IS COMPUTER AUTHENTICATION:............................................................................... 5 1.2 WINDOWS XP BOOT PROCESS: .......................................................................................... 6 1.3 PRE-REQUISITES:............................................................................................................... 7 1.4 TOPOLOGY:........................................................................................................................ 7 2. INTERNET AUTHENTICATION SERVICE:............................................................................ 8 2.1 ADD RADIUS CLIENTS:........................................................................................................ 8 2.2 CREATE A REMOTE ACCESS POLICY: ................................................................................ 11 3. NORTEL ETHERNET SWITCH: ........................................................................................... 16 3.1 DEFINE A RADIUS SERVER:............................................................................................. 16 3.2 SET THE EAPOL ADMIN STATE: ....................................................................................... 17 3.3 GLOBALLY ENABLE EAPOL: ............................................................................................. 17 4. WINDOWS XP WORKSTATION:.......................................................................................... 18 4.1 CERTIFICATES:................................................................................................................. 18 4.2 MODIFY LOCAL AREA CONNECTION PROPERTIES:.............................................................. 21 4.3 MODIFY REGISTRY SETTINGS: .......................................................................................... 23 5. VERIFICATION:..................................................................................................................... 25 5.1 WINDOWS SYSTEM EVENT LOGS:...................................................................................... 25 5.1 ETHERNET SWITCH EAPOL PORT STATUS:....................................................................... 26 6. APPENDIX:............................................................................................................................ 27 6.1 EAPOL USERS ACTIVE DIRECTORY GROUP...................................................................... 27 6.2 ACTIVE DIRECTORY REMOTE ACCESS PERMISSIONS.......................................................... 28 6.3 WINDOWS XP REGISTRY SETTINGS .................................................................................. 29 6.4 WIRELESS ZERO CONFIGURATION SERVICE ....................................................................... 30 7. REFERENCE DOCUMENTATION:....................................................................................... 32 ___________________________________________________________________________________________________________________________ Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved. EXTERNAL DISTRIBUTION 3 Wired PEAP Machine Authentication for ERS and ES TCG v1.0 NN48500-546 Document Updates: None. Conventions: This section describes the text, image, and command conventions used in this document. Symbols: & Tip – Highlights a configuration or technical tip. L Note – Highlights important information to the reader. Caution – Highlights important information about an action that may result in equipment Ì damage, configuration or data loss. Text: Bold text indicates emphasis. Italic text in a Courier New font indicates text the user must enter or select in a menu item, button or command: ERS5520-48T# show running-config Output examples from Nortel devices are displayed in a Lucida Console font: ERS5520-48T# show running-config ! Embedded ASCII Configuration Generator Script ! Model = Ethernet Routing Switch 5520-24T-PWR ! Software version = v5.0.0.011 enable configure terminal ___________________________________________________________________________________________________________________________ Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved. EXTERNAL DISTRIBUTION 4 Wired PEAP Machine Authentication for ERS and ES TCG v1.0 NN48500-546 1. Overview: The document provides an overview on how to configure Wired PEAP computer and user authentication on Nortel Ethernet Switches in a Microsoft environment. This document demonstrates configuring the Microsoft Internet Authentication Service on a Windows 2003 server, the Microsoft Windows XP 802.1X supplicant and the Nortel Ethernet Switch. This document does not address Certificate Services or Active Directory as this is well documented on Microsoft’s web site. 1.1 What is Computer Authentication: User authentication is a natural choice when considering identification to Wired or Wireless infrastructure. However, in most cases Enterprises will also want to also implement computer (or machine) authentication to ensure a complete solution. There are a number of features in Windows that will only work correctly with an active network connection. Leveraging 802.1X computer authentication ensures that this network connection is established during the Windows boot sequence and prior to end users seeing the initial Windows logon screen. The following table provides a list of some of the common Windows features that require such a connection: Feature Scenario Requiring Computer Authentication Active Directory computer Group Policies Computer–based Group Policy is applied during computer start up and at timed intervals — even when no one is logged in to Windows. Network logon scripts Network logon scripts are run during initial user logon. Systems management agents Systems management application agents such as those that come with Microsoft Systems Management Server (SMS) frequently need network access without user intervention. Remote Desktop Connection Computers are accessible from Windows Remote Desktop Connection when no one is logged on to Windows. Shared folders Files and folders shared from a computer are still available, even when no user is logged on to Windows. Table 1.1 – Scenarios Requiring Machine Authentication ___________________________________________________________________________________________________________________________ Nortel Confidential Information Copyright © 2008 Nortel