On computers that are running the versions of Windows 2000 that are listed earlier in this article, you cannot enable IEEE 802.1x authentication. If you connect to an IEEE 802.11 wireless local area network without 802.1x authentication enabled, the data that you send is more vulnerable to attacks such as offline traffic analysis, bit flipping, and malicious packet injection.

802.1x is an IEEE standard that greatly reduces the security vulnerabilities that are associated with 802.11 by using standard security protocols, centralized user identification, authentication, dynamic key management, and accounting. For additional information about making IEEE 802.11 networks Enterprise-ready, see the following Microsoft Web site:

Back to the top

You cannot enable 802.1x authentication on computers running Windows 2000 because support for 802.1x is not provided by default in Windows 2000. Therefore, the associated user interface (the Authentication tab) does not appear in the Network Connection Properties dialog box.

Back to the top

This patch requires Windows 2000 Service Pack 3 (SP3). For more information, click the following article number to view the article in the Microsoft Knowledge Base: A supported feature that modifies the product's default behavior is now available from Microsoft, but it is only intended to modify the behavior that this article describes. Apply it only to systems that specifically require it. This feature may receive additional testing. Therefore, if the system is not severely affected by the lack of this feature, we recommend that you wait for the next Windows 2000 service pack that contains this feature.

To obtain this feature immediately, contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
The following files are available for download from the Microsoft Download Center:
Release Date: November 5, 2002

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base: Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

   Date         Time   Version        Size     File name
   --------------------------------------------------------
   09-Oct-2002  22:49  5.0.2195.5874   55,568  Clusapi.dll      
   27-Aug-2002  21:07  5.0.2195.6034  678,672  Clussvc.exe      
   09-Oct-2002  22:49  5.0.2195.6059  146,704  Kdcsvc.dll       
   05-Sep-2002  23:18  5.0.2195.6048  200,976  Kerberos.dll     
   21-Aug-2002  14:27  5.0.2195.6023   71,248  Ksecdd.sys
   09-Oct-2002  22:49  5.0.2195.6034  964,368  Mprsnap.dll      
   27-Aug-2002  20:53  5.0.2195.6034  108,816  Msv1_0.dll       
   27-Aug-2002  20:54                   1,967  Ndisuio.inf
   27-Aug-2002  20:54  5.0.2195.6034   11,984  Ndisuio.sys
   09-Oct-2002  22:49  5.0.2195.6075  360,720  Netlogon.dll     
   09-Oct-2002  22:49  5.0.2195.6073   99,600  Netman.dll       
   09-Oct-2002  22:49  5.0.2195.6034  474,896  Netshell.dll     
   27-Aug-2002  20:57                   3,795  Netwzc.inf
   09-Oct-2002  22:49  5.0.2195.6066   60,176  Raschap.dll      
   09-Oct-2002  22:49  5.0.2195.6034  528,144  Rasdlg.dll       
   09-Oct-2002  22:49  5.0.2195.6034   58,128  Rasman.dll       
   09-Oct-2002  22:49  5.0.2195.6050  152,848  Rasmans.dll      
   09-Oct-2002  22:49  5.0.2195.6034   54,032  Rastapi.dll      
   09-Oct-2002  22:49  5.0.2195.6082  100,112  Rastls.dll       
   09-Oct-2002  22:49  5.0.2195.6034  144,656  Rasuser.dll      
   09-Oct-2002  22:49  5.0.2195.6025  389,392  Samsrv.dll       
   09-Oct-2002  22:49  5.0.2195.6034  975,632  Sfcfiles.dll     
   07-Oct-2002  20:55  5.0.2195.6082  123,392  Sp3res.dll       
   27-Aug-2002  20:56  5.0.2195.6034   52,496  Wzcdlg.dll       
   27-Aug-2002  20:56  5.0.2195.6034   29,968  Wzcsapi.dll      
   27-Aug-2002  20:56  5.0.2195.6034   33,552  Wzcsetup.exe     
   27-Aug-2002  20:56  5.0.2195.6034  195,856  Wzcsvc.dll        

After you apply this update, follow these steps to enable 802.1x authentication:

1.	Installing the hotfix installs the 802.1x service in the disabled state. To change the Wireless Configuration service startup to Automatic: Right-click My Computer, and then click Manage. Click Services and Applications, and then click Services. Set the Startup value for the service to Automatic, and then start the service.
2.	Open Network Connections by clicking Start, pointing to Settings, clicking Control Panel, and then double-clicking Network Connections.
3.	Right-click the wireless connection for which you want to enable or disable 802.1x authentication, and then click Properties.
4.	On the Authentication tab, do one of the following: • To enable 802.1x authentication for this connection, click to select the Enable network access control using IEEE 802.1x check box. By default, this check box is selected. • To disable 802.1x authentication for this connection, click to clear the Enable network access control using IEEE 802.1x check box.
5.	In the EAP type box, click the Extensible Authentication Protocol type that is to be used with this connection.
6.	If you click Smart Card or other Certificate in the EAP type box, you can configure additional properties if you click Properties and then follow these steps in Smart Card or other Certificate properties: • To use the certificate that is located in the certificate store on your computer for authentication, click Use a certificate on this computer. • To verify that the server certificate that is presented to your computer is still valid, click to select the Validate server certificate check box, specify whether to connect only if the server is located in a particular domain, and then specify the trusted root certification authority. • To use a different user name when the user name in the certificate is different from the user name in the domain to which you are logging on, click to select the Use a different user name for the connection check box.
7.	If you click Protected EAP (PEAP) in the EAP type box, your Windows user name and password are used for authentication.
8.	To specify whether the computer should try authentication on the network if a user is not logged on, if the computer or user information is not available, or both, follow these steps: • To specify that the computer try authentication on the network if a user is not logged on, click to select the Authenticate as computer when computer information is available check box. By default, this check box is selected. • To specify that the computer try authentication on the network if user information or computer information is not available, click to select the Authenticate as guest when user or computer information is unavailable check box.

Back to the top

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Back to the top

Without appropriate security mechanisms in place, wireless networks are vulnerable to attacks such as eavesdropping and remote sniffing. To reduce the threat of such attacks, the 802.11 standard defines authentication services; for encryption, it defines the Wired Equivalent Privacy (WEP) algorithm. Although these mechanisms provide a measure of protection, 802.1x provides additional protection by mitigating a number of vulnerabilities.

Back to the top

802.11 Authentication

For authentication, 802.11 defines the open system and shared key authentication subtypes.

•	Open system authentication does not actually provide authentication; it only performs identity verification through the exchange of two messages between the initiator (wireless client) and the receiver (wireless access point).
•	Shared key authentication does provide authentication by verifying that an initiator has knowledge of a shared secret. Under the 802.11 standard, it is assumed that the shared secret is sent to the wireless access point over a secure channel that is independent of 802.11. In practice, the shared key authentication secret is manually distributed and typed.

Back to the top

802.11 Confidentiality (Encryption) and Integrity

WEP provides data confidentiality equivalent to that of a wired network by encrypting the data sent between wireless clients and wireless access points. For encryption, WEP defines the use of the RC4 stream cipher with a standard 40-bit encryption key or, in some implementations, a 104-bit encryption key. Data integrity is provided through an integrity check value (ICV) in the encrypted portion of the wireless frame. Although 802.1x can be used without 802.11 encryption, it is a good idea to use the two together. If 802.1x is enabled, but WEP encryption is not enabled, data that is sent to a wireless access point port is sent in the clear although user authentication is enforced. To prevent this implementation that is not secure, enable WEP in conjunction with 802.1x.

Note Some manufacturers advertise 128-bit encryption keys. However, such keys include a 24-bit initialization vector, so they are still actually 104 bit-encryption keys. An initialization vector is a random number that is used as a starting point to encrypt a set of data.

Back to the top

Using 802.1x for Wireless Authentication

802.1x is a standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. For wireless 802.11 networks, 802.1x enhances security and addresses WEP vulnerabilities by:

•	Permitting a computer and a network to authenticate each other.
•	Generating a per-user and per-session key to encrypt data over wireless connections.
•	Providing the ability to dynamically change keys at frequent intervals.

To enhance deployment, 802.1x permits user identification and authentication, centralized authentication, authorization, and accounting support.

802.1x uses the Extensible Authentication Protocol (EAP) for message exchange during the authentication process. The support that 802.1x provides for EAP security types permits authentication methods such as certificates to be used.

Back to the top

How 802.1x Authentication Works

802.1x implements port-based network access control. Port-based network access control uses the physical characteristics of a switched local area network (LAN) infrastructure to authenticate devices that are attached to a LAN port and to prevent access to that port when the authentication process does not succeed.

During a port-based network access control interaction, a LAN port adopts one of two roles: authenticator or supplicant. In the role of authenticator, a LAN port enforces authentication before it permits user access to the services that can be accessed through that port. In the role of supplicant, a LAN port requests access to the services that can be accessed through the authenticator's port. An authentication server, which can either be a separate entity or co-located with the authenticator, checks the supplicant's credentials on behalf of the authenticator. The authentication server then responds to the authenticator, indicating whether the supplicant is authorized to access the authenticator's services.

The authenticator's port-based network access control defines two logical data paths to the LAN, through one physical LAN port. The first data path, the uncontrolled port, permits data exchange between the authenticator (the port that forces authentication before permitting access to services on that port) and a computing device on the LAN, regardless of the authentication state of that device. This is the path that EAPOL (EAP over LAN) messages take. The second logical data path, the controlled port, permits data exchange between an authenticated LAN user and the authenticator. This is the path that all other network traffic takes, after the computing device is authenticated.

Back to the top

802.1x and IAS RADIUS

For wireless networking, you can use 802.1x in conjunction with Windows 2000 or the Microsoft Windows Server 2003 family Internet Authentication Service (IAS) servers for RADIUS authentication. Under the RADIUS implementation, the wireless access point prevents data traffic from being forwarded to a wired network or to another wireless client without a valid authentication key. The process of obtaining a valid authentication key is as follows:

1.	When a wireless client comes in range of a wireless access point, the wireless access point challenges the client.
2.	The wireless client sends its identity to the wireless access point, which forwards this information to a RADIUS server.
3.	The RADIUS server requests the wireless client's credentials to verify the client's identity. As part of this request, the RADIUS server specifies the type of credentials that are required.
4.	The wireless client sends its credentials to the RADIUS server.
5.	The RADIUS server verifies the wireless client's credentials. If the credentials are valid, the RADIUS server sends an encrypted authentication key to the wireless access point.
6.	The wireless access point uses this authentication key to securely transmit per-station unicast session and multicast or global authentication keys to the wireless client.

For Windows 2000, deployment of RADIUS requires the following additional components:

•	Windows 2000 Service Pack 2. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 260910 (http://support.microsoft.com/kb/260910/) How to obtain the latest Windows 2000 service pack
•	A patch for the Windows 2000 Internet Authentication Service (IAS), which is a RADIUS server feature that is included with Windows 2000 Server. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 304697 (http://support.microsoft.com/kb/304697/) Some wireless values for the RADIUS attributes are not available
•	A patch for Active Directory to permit computer accounts to have dial-in properties. . For more information, click the following article number to view the article in the Microsoft Knowledge Base: 306260 (http://support.microsoft.com/kb/306260/) Cannot modify dial-in permissions for computers that use wireless networking
•	A patch for a computer running Windows 2000 Server, to permit computer authentication on the network if a user is not logged on. This patch must be installed on the Active Directory server. For more information, click the following article number to view the article in the Microsoft Knowledge Base: 304347 (http://support.microsoft.com/kb/304347/) Server does not make EAP-OE connection to LAN if a user is not logged on

For more information, see the "Enterprise Deployment of IEEE 802.11 Using Windows XP and Windows 2000 Internet Authentication Service" topic. To view this topic, visit the following Microsoft Web site:

Back to the top

Differences in the Windows 2000 802.1x Client

To add 802.1X functionality to the Windows 2000 platform, a subset of features were taken from the Microsoft Windows XP platform. The 802.1X engine itself is largely the same; the main difference in the clients comes from how you interact with the clients through the user interface. This is a list of the differences on the Windows 2000 client:

•	Service state - The Windows 2000 802.1X service is installed in a disabled state. You must set the service state to Automatic and start the service to use its functionality.
•	Zero Configuration functionality - The Windows 2000 client does not contain Zero Configuration functionality. This means that you must have a vendor-provided utility to configure your 802.11 settings.
•	Third-party tools - As stated earlier, the Windows 2000 client requires a third-party vendor configuration utility for 802.11 settings. Unlike Windows XP, which saves 802.11 settings on a per-user basis, many utilities do not. This may permit multiple users to log on to the same computer and to configure a common profile instead of a user-specific profile.
•	Group Policy - Configuring wireless network settings by using Group Policy is not supported.
•	Authorization Status notification - You can view authorization status by holding the mouse pointer over the Network Connection icon in the notification area at the far right of the taskbar
•	The Windows 2000 client supports only one wireless network adapter at a time. Although it is technically possible to have a laptop computer with more than one wireless network adapter, the Windows 2000 802.1X client works with only one at a time.
•	Upgrade from Beta - If you installed any of the Windows 2000 Beta clients, you must remove them first and then install the released client. There is no supported upgrade path from a Beta client to the released client.
•	Context-Sensitive Help - There is no context-sensitive Help in the client.

For more information about wireless security, visit either of the following Microsoft Web sites:

Back to the top

Common Issues

•	No Authentication tab - When the hotfix is installed, the 802.1X service is installed in a disabled state. To solve this, you must enable the Wireless Configuration service in the list of services: 1. Right-click My Computer, and then click Manage. 2. Click Services and Applications, and then click Services. 3. Set the Startup value for the service to Automatic, and then start the service.
•	Unavailable Authentication tab - If the Authentication tab is present but is unavailable, this indicates that the network adapter driver does not support 802.1x correctly. Use the following list or the hardware manufacturer's Web site to identify the correct network adapter driver version.

Back to the top

Tested Drivers and Utilities

The following list contains information from hardware manufacturers about which components they tested with the Windows 2000 802.1x client. This list is not comprehensive; it is intended only to help establish a baseline at the time of release (04-Nov-2002). For future updates, visit the manufacturer's Web site.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Back to the top