- Configure a wired connection profile for PEAP-MS-CHAP v2
- Configure a wired connection profile for PEAP-TLS
- Configure a wired connection profile for EAP-TLS
- General – settings
- Security - settings
- Advanced security settings for Wired and Wireless Network Policies
Configuring Wired Network (IEEE 802.3) Policies
This section provides step-by-step details to configure Wired Network (IEEE 802.3) Policies extension of Group Policy for 802.1X authenticated wired network access.
- Configure a wired connection profile for PEAP-MS-CHAP v2
- Configure a wired connection profile for PEAP-TLS
- Configure a wired connection profile for EAP-TLS
Configure a wired connection profile for PEAP-MS-CHAP v2
This procedure provides the steps that are required to configure a wired access connection profile for Protected Extensible Authentication Protocol–Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) for authentication by using secure passwords.
Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.
For more information about individual controls on any active dialog box in Wired Network (IEEE 802.3) Policies, press F1 while viewing that dialog box.
To configure a wired connection profile for PEAP-MS-CHAP v2
- If you have not already done so, open the New Wired Network (IEEE 802.3) Policies Properties dialog.
- In New Wired Network (IEEE 802.3) Policies Properties, on the General tab, in Policy Name, type a name for your network policy, or leave the default name New Wired Network Policy.
- In Description, type a description for your network policy.
- Select Use Windows Wired Auto Config service for clients to specify that Wired AutoConfig is used to configure wired network adapter settings.
- To prevent the use of shared user credentials for authentication for computers running Windows 8 and Windows 7, select don’t allow shared user credentials for network authentication.
- To specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt, select Enable block period (minutes).
- Click the Security tab, click Advanced, and then configure the following:
- To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings. When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, Auth Period, and Eapol-Start Message are sufficient for common wired access deployments.
- To enable Single Sign On, select Enable Single Sign On for this network.
- To specify whether Single Sign On is performed before or after user logon, select either Perform immediately before User Logon or Perform immediately after User Logon.
- To specify a maximum connectivity delay, select Max delay for connectivity (seconds), and then specify a value, or leave the default value of 10.
Note This setting limits which root CAs that clients trust to the selected CAs. If no trusted root CAs are selected, clients will trust all root CAs listed in their trusted root certification authority store.
Configure a wired connection profile for PEAP-TLS
This procedure provides the steps that are required to configure a wired access connection profile for Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS) for authentication by using smart cards or user and computer digital certificates.
Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.
For more information about individual controls on any active dialog box in Wired Network (IEEE 802.3) Policies, press F1 while viewing that dialog box.
To configure a wired connection profile for PEAP-TLS
- If you have not already done so, open the New Wired Network (IEEE 802.3) Policies Properties dialog.
- In New Wired Network (IEEE 802.3) Policies Properties, on the General tab, in Policy Name, type a name for your network policy, or leave the default name New Wired Network Policy.
- In Description, type a description for your network policy.
- Select Use Windows Wired Auto Config service for clients to specify that Wired AutoConfig is used to configure wired network adapter settings.
- To prevent the use of shared user credentials for authentication for computers running Windows 8 and Windows 7, select don’t allow shared user credentials for network authentication.
- To specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt, select Enable block period (minutes).
- Click the Security tab, click Advanced, and then configure the following:
- To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings. When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, Auth Period, and Eapol-Start Message are sufficient for common wired access deployments.
- To enable Single Sign On, select Enable Single Sign On for this network.
- To specify whether Single Sign On is performed before or after user logon, select either Perform immediately before User Logon or Perform immediately after User Logon.
- To specify a maximum connectivity delay, select Max delay for connectivity (seconds), and then specify a value, or leave the default value of 10.
Note This setting limits which root CAs that clients trust to the selected CAs. If no trusted root CAs are selected, clients will trust all root CAs listed in their trusted root certification authority store.
Configure a wired connection profile for EAP-TLS
This procedure provides the steps that are required to configure a wired access connection profile for Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS) for authentication by using smart cards or user and computer digital certificates.
Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.
For more information about individual controls on any active dialog box in Wired Network (IEEE 802.3) Policies, press F1 while viewing that dialog box.
To configure a wired connection profile for EAP-TLS
- If you have not already done so, open the New Wired Network (IEEE 802.3) Policies Properties dialog.
- In New Wired Network (IEEE 802.3) Policies Properties, on the General tab, in Policy Name, type a name for your network policy, or leave the default name New Wired Network Policy.
- In Description, type a description for your network policy.
- Select Use Windows Wired Auto Config service for clients to specify that Wired AutoConfig is used to configure wired network adapter settings.
- To prevent the use of shared user credentials for authentication for computers running Windows 8 and Windows 7, select don’t allow shared user credentials for network authentication.
- To specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt, select Enable block period (minutes).
- Click the Security tab, click Advanced, and then configure the following:
- To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings. When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, Auth Period, and Eapol-Start Message are sufficient for common wired access deployments.
- To enable Single Sign On, select Enable Single Sign On for this network.
- To specify whether Single Sign On is performed before or after user logon, select either Perform immediately before User Logon or Perform immediately after User Logon.
- To specify a maximum connectivity delay, select Max delay for connectivity (seconds), and then specify a value, or leave the default value of 10.
Per-setting details
This section provides details about settings in the Wired Network (IEEE 802.3) Policies extension of Group Policy:
- General - settings
- Security - settings
Information about the Advanced security settings is provided in the topic, Advanced Security Settings for Wired and Wireless Network Policies. Clicking this link will open a new Web page. A link is provided in the Additional Resources section of that topic to return you to this page.
General - settings
Use the Wired Network (IEEE 802.3) Policies General tab to specify whether the Wired AutoConfig Service is used to configure local area network (LAN) adapters to connect to the wired network. You can also specify the policy name and description.
Item
Details
Policy Name
Provides a location for you to type a name for the Network Policy that is applied to your wired clients running Windows Vista.
When you name the Wired Network (IEEE 802.3) Policy, the name is displayed as the title of its property pages, and under Name in the details pane in the Group Policy Management Console (GPMC) for that policy.
Description
Provides a location for you to type a description for your Wired Network (IEEE 802.3) Policy.
The description you type is displayed under Description in the details pane of the Group Policy Management Console (GPMC) for that policy.
Use Windows wired network service for clients
Specifies that Wired AutoConfig Service is used to configure and connect clients running Windows Vista to the 802.3 wired Ethernet network.
Don’t allow shared user credentials for network authentication
Specifies that users with computers running Windows 7 are not allowed to store their user credentials (such as user name and password), which the computer can then use to log on to the network (even though the user is not actively logged on to the computer).
Default = not selected. Users are allowed to enter and store their user credentials in profiles that they configure.
The following statements summarize the behavior of this setting:
- This setting is provided in both the Wired Network (IEEE 802.3) Policies and the version of the Wireless Network (IEEE 802.11) Policies that you can configure for client computers running Windows Vista and subsequent releases of Windows.
- This setting is per-Group Policy object (GPO), and within each GPO it is specific to the Wired Network (IEEE 802.3) Policies and Wireless Network (IEEE 802.11) Policies.
- For as long as the default setting remains unchanged, the local administrator can use the netsh LAN set allowexplicitcreds command on client computers running Windows 7 to allow or disallow users to store their user credentials.
- After the first time that the default is changed the administrator can use this setting to enable or disable the capability for users to configure non-Group Policy based user profiles to store their user credentials. User credentials cannot be stored with Group Policy profiles.
Enable block period (minutes)
Specifies whether to prohibit computers running Windows 7 from making auto connection attempts to the network for a specified amount of time, following a failed authentication attempt. The blocked state is reset upon a manual connection attempt, a session change, or a media connect.
Default = not enabled. If enabled, the default is 20 minutes. The valid range of minutes is 1-60.
Security - settings
Security configuration items include all of the settings on the Security tab. These settings specify whether to perform 802.1X authentication for connecting clients and which network authentication method to use.
Item
Details
Enable use of IEEE 802.1X authentication for network access
Specifies that 802.1X authentication is performed for access requests to the wired network.
Select a network authentication
- Specifies the network authentication method that connecting clients use:
- Smart Card or other certificate (EAP-TLS)
- Protected EAP (PEAP)
Default = Protected EAP (PEAP)
Properties
Opens the properties page of the selected network authentication method.
For setting information specific to network authentication methods, see: Extensible Authentication Protocol (EAP) Settings for Network Access
Authentication Mode
Specifies how network authentication is performed:
- User re-authentication. An 802.1X-compliant device always uses security credentials based on the computer's current state. Authentication is performed by using the computer credentials when no users are logged on to the computer. When a user logs on to the computer, authentication is always performed using the user credentials. This is the recommended setting.
- Computer only. Authentication is always performed using only the computer credentials.
- User authentication. Specifies that when users are not logged on to the computer, authentication is performed by using the computer credentials. After a user logs on to the computer, authentication is still based on the computer credentials. Authentication is performed by using the user credentials if the user travels to a new wireless access point.
- Guest authentication. Allows connections to the network that are regulated by the restrictions and permissions set for the Guest user account.
Default = User re-authentication
Max Authentication Failures
Specifies the maximum number of failed authentication attempts that can occur with a specific set of credentials before notification is displayed to indicate that authentication has failed.
Advanced
Opens the Advances security dialog.
