Using 802.1x Authentication on
Computers Running Windows 2000
This article was previously published under Q313664
SYMPTOMS
On computers that are running the versions of
Windows 2000 that are listed earlier in this article, you cannot enable IEEE
802.1x authentication. If you connect to an IEEE 802.11 wireless local area
network without 802.1x authentication enabled, the data that you send is more
vulnerable to attacks such as offline traffic analysis, bit flipping, and
malicious packet injection.
802.1x is an IEEE standard that greatly
reduces the security vulnerabilities that are associated with 802.11 by using
standard security protocols, centralized user identification, authentication,
dynamic key management, and accounting. For additional information about making
IEEE 802.11 networks Enterprise-ready, see the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/administration/security/wirelessec.asp
CAUSE
You cannot enable 802.1x authentication on
computers running Windows 2000 because support for 802.1x is not provided by
default in Windows 2000. Therefore, the associated user interface (the
Authentication tab) does not appear in the Network Connection Properties dialog
box.
RESOLUTION
This patch requires Windows 2000 Service
Pack 3 (SP3). For additional information, click the following article number to
view the article in the Microsoft Knowledge Base:
260910
How to Obtain the Latest Windows 2000 Service Pack
A supported feature that modifies the
product's default behavior is now available from Microsoft, but it is only
intended to modify the behavior that is described in this article. Apply it only
to systems that specifically need it. This feature may receive additional
testing. Therefore, if your system is not severely affected by the lack of this
feature, Microsoft recommends that you wait for the next Windows 2000 service
pack that contains this feature.
To obtain this feature immediately,
contact Microsoft Product Support Services. For a complete list of Microsoft
Product Support Services phone numbers and information on support costs, visit
the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMS
The following files are available for download from the Microsoft Download Center (Download the 313664 package now) in these languages: English, Arabic, Chinese (Simplified), Chinese (Traditional), Czech, Danish, Dutch, Finnish, French, German, Greek, Hebrew, Hungarian, Italian, Japanese (NEC), Japanese, Korean, Norwegian, Polish, Portuguese, Portuguese (Brazil), Russian, Spanish, Swedish, Turkish.
Release Date: November 5, 2002
For
additional information about how to download Microsoft Support files, click the
following article number to view the article in the Microsoft Knowledge Base:
119591
How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses.
Microsoft used the most current virus-detection software that was available on
the date that the file was posted. The file is stored on security-enhanced
servers that help to prevent any unauthorized changes to the file.
The
English version of this fix has the file attributes (or later) that are listed
in the following table. The dates and times for these files are listed in
coordinated universal time (UTC). When you view the file information, it is
converted to local time. To find the difference between UTC and local time, use
the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name
--------------------------------------------------------
09-Oct-2002 22:49 5.0.2195.5874 55,568 Clusapi.dll
27-Aug-2002 21:07 5.0.2195.6034 678,672 Clussvc.exe
09-Oct-2002 22:49 5.0.2195.6059 146,704 Kdcsvc.dll
05-Sep-2002 23:18 5.0.2195.6048 200,976 Kerberos.dll
21-Aug-2002 14:27 5.0.2195.6023 71,248 Ksecdd.sys
09-Oct-2002 22:49 5.0.2195.6034 964,368 Mprsnap.dll
27-Aug-2002 20:53 5.0.2195.6034 108,816 Msv1_0.dll
27-Aug-2002 20:54 1,967 Ndisuio.inf
27-Aug-2002 20:54 5.0.2195.6034 11,984 Ndisuio.sys
09-Oct-2002 22:49 5.0.2195.6075 360,720 Netlogon.dll
09-Oct-2002 22:49 5.0.2195.6073 99,600 Netman.dll
09-Oct-2002 22:49 5.0.2195.6034 474,896 Netshell.dll
27-Aug-2002 20:57 3,795 Netwzc.inf
09-Oct-2002 22:49 5.0.2195.6066 60,176 Raschap.dll
09-Oct-2002 22:49 5.0.2195.6034 528,144 Rasdlg.dll
09-Oct-2002 22:49 5.0.2195.6034 58,128 Rasman.dll
09-Oct-2002 22:49 5.0.2195.6050 152,848 Rasmans.dll
09-Oct-2002 22:49 5.0.2195.6034 54,032 Rastapi.dll
09-Oct-2002 22:49 5.0.2195.6082 100,112 Rastls.dll
09-Oct-2002 22:49 5.0.2195.6034 144,656 Rasuser.dll
09-Oct-2002 22:49 5.0.2195.6025 389,392 Samsrv.dll
09-Oct-2002 22:49 5.0.2195.6034 975,632 Sfcfiles.dll
07-Oct-2002 20:55 5.0.2195.6082 123,392 Sp3res.dll
27-Aug-2002 20:56 5.0.2195.6034 52,496 Wzcdlg.dll
27-Aug-2002 20:56 5.0.2195.6034 29,968 Wzcsapi.dll
27-Aug-2002 20:56 5.0.2195.6034 33,552 Wzcsetup.exe
27-Aug-2002 20:56 5.0.2195.6034 195,856 Wzcsvc.dll
After you apply this update, follow these steps to enable 802.1x authentication:
- Installing the hotfix installs the 802.1x service in the disabled state. To change the Wireless Configuration service startup to Automatic: right-click My Computer, and then click Manage. Click Services and Applications, and then click Services. Set the Startup value for the service to Automatic, and then start the service.
- Open Network Connections by clicking Start, pointing to Settings, clicking Control Panel, and then double-clicking Network Connections.
- Right-click the wireless connection for which you want to enable or disable 802.1x authentication, and then click Properties.
- On the Authentication tab, do one of the following:
  - To enable 802.1x authentication for this connection, click to select the Enable network access control using IEEE 802.1x check box. By default, this check box is selected.
  - To disable 802.1x authentication for this connection, click to clear the Enable network access control using IEEE 802.1x check box.
- In the EAP type box, click the Extensible Authentication Protocol type that is to be used with this connection.
- If you click Smart Card or other Certificate in the EAP type box, you can configure additional properties if you click Properties and then follow these steps in Smart Card or other Certificate properties:
  - To use the certificate that is located in the certificate store on your computer for authentication, click Use a certificate on this computer.
  - To verify that the server certificate that is presented to your computer is still valid, click to select the Validate server certificate check box, specify whether to connect only if the server is located in a particular domain, and then specify the trusted root certification authority.
  - To use a different user name when the user name in the certificate is different from the user name in the domain to which you are logging on, click to select the Use a different user name for the connection check box.
- If you click Protected EAP (PEAP) in the EAP type box, your Windows user name and password are used for authentication.
- To specify whether the computer should try authentication on the network if a user is not logged on, if the computer or user information is not available, or both, follow these steps:
  - To specify that the computer try authentication on the network if a user is not logged on, click to select the Authenticate as computer when computer information is available check box. By default, this check box is selected.
  - To specify that the computer try authentication on the network if user information or computer information is not available, click to select the Authenticate as guest when user or computer information is unavailable check box.
STATUS
Microsoft has confirmed that this is a problem
in the Microsoft products that are listed at the beginning of this article.
Without appropriate security mechanisms
in place, wireless networks are vulnerable to attacks such as eavesdropping and
remote sniffing. To reduce the threat of such attacks, the 802.11 standard
defines authentication services; for encryption, it defines the Wired Equivalent
Privacy (WEP) algorithm. Although these mechanisms provide a measure of
protection, 802.1x provides additional protection by mitigating a number of
vulnerabilities.
For authentication, 802.11 defines the
open system and shared key authentication subtypes.
802.11 Confidentiality (Encryption) and Integrity
WEP provides data confidentiality equivalent to that of a wired network by encrypting the data sent between wireless clients and wireless access points. For encryption, WEP defines the use of the RC4 stream cipher with a standard 40-bit encryption key or, in some implementations, a 104-bit encryption key. Data integrity is provided through an integrity check value (ICV) in the encrypted portion of the wireless frame. Although 802.1x can be used without 802.11 encryption, it is a good idea to use the two together. If 802.1x is enabled but WEP encryption is not, user authentication is enforced, but the data that is sent to the wireless access point port travels in the clear. To avoid this insecure configuration, enable WEP together with 802.1x.
Note Some manufacturers
advertise 128-bit encryption keys. However, such keys include a 24-bit
initialization vector, so they are still actually 104 bit-encryption keys. An
initialization vector is a random number that is used as a starting point to
encrypt a set of data.
Using 802.1x for Wireless Authentication
802.1x is a standard for authenticated network access to wired Ethernet networks and wireless 802.11 networks. For wireless 802.11 networks, 802.1x enhances security and addresses WEP vulnerabilities by:
- Permitting a computer and a network to authenticate each other.
- Generating a per-user and per-session key to encrypt data over wireless connections.
- Providing the ability to dynamically change keys at frequent intervals.
To enhance deployment, 802.1x permits user identification and authentication, centralized authentication, authorization, and accounting support.
802.1x uses the Extensible Authentication Protocol (EAP) for message exchange during the authentication process. The support that 802.1x provides for EAP security types permits authentication methods such as certificates to be used.
How 802.1x Authentication Works
802.1x implements port-based network access control.
Port-based network access control uses the physical characteristics of a
switched local area network (LAN) infrastructure to authenticate devices that
are attached to a LAN port and to prevent access to that port when the
authentication process does not succeed.
During a port-based network
access control interaction, a LAN port adopts one of two roles: authenticator or
supplicant. In the role of authenticator, a LAN port enforces authentication
before it permits user access to the services that can be accessed through that
port. In the role of supplicant, a LAN port requests access to the services that
can be accessed through the authenticator's port. An authentication server,
which can either be a separate entity or co-located with the authenticator,
checks the supplicant's credentials on behalf of the authenticator. The
authentication server then responds to the authenticator, indicating whether the
supplicant is authorized to access the authenticator's services.
The
authenticator's port-based network access control defines two logical data paths
to the LAN, through one physical LAN port. The first data path, the uncontrolled
port, permits data exchange between the authenticator (the port that forces
authentication before permitting access to services on that port) and a
computing device on the LAN, regardless of the authentication state of that
device. This is the path that EAPOL (EAP over LAN) messages take. The second
logical data path, the controlled port, permits data exchange between an
authenticated LAN user and the authenticator. This is the path that all other
network traffic takes, after the computing device is authenticated.
802.1x and IAS RADIUS
For wireless networking, you can use 802.1x in conjunction
with Windows 2000 or the Microsoft Windows Server 2003 family Internet
Authentication Service (IAS) servers for RADIUS authentication. Under the RADIUS
implementation, the wireless access point prevents data traffic from being
forwarded to a wired network or to another wireless client without a valid
authentication key. The process of obtaining a valid authentication key is as
follows:
- When a wireless client comes in range of a wireless access point, the wireless access point challenges the client.
- The wireless client sends its identity to the wireless access point, which forwards this information to a RADIUS server.
- The RADIUS server requests the wireless client's credentials to verify the client's identity. As part of this request, the RADIUS server specifies the type of credentials that are required.
- The wireless client sends its credentials to the RADIUS server.
- The RADIUS server verifies the wireless client's credentials. If the credentials are valid, the RADIUS server sends an encrypted authentication key to the wireless access point.
- The wireless access point uses this authentication key to securely transmit per-station unicast session and multicast or global authentication keys to the wireless client.
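The port model from "How 802.1x Authentication Works" (EAPOL always on the uncontrolled path, all other traffic on the controlled path only once authorized) and the challenge/identity/verdict steps of the RADIUS process above, as an added illustration in Python that is not part of the original article. It encodes and parses EAPOL (EtherType 0x888E) and EAP headers and gates frames on one port according to the authorization state set by the authentication server's verdict; the `AuthenticatorPort` class, the MAC addresses and the identity string are constructed for the example, and the RADIUS leg is reduced to a `server_decision` call.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_EAPOL = 0x888E                        # EAP over LAN (IEEE 802.1X)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
SUPPLICANT_MAC = bytes.fromhex("001122334455")  # constructed sample address

def ethernet_frame(dst, src, ethertype, payload):   # Ethernet II header + payload
    return dst + src + struct.pack("!H", ethertype) + payload

def eapol(packet_type, body=b""):   # EAPOL: protocol version 1, packet type, body length, body
    return struct.pack("!BBH", 1, packet_type, len(body)) + body

def eap(code, identifier, eap_type=None, data=b""):   # EAP: code, id, total length, [type, data]
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eapol(payload):
    """Return (packet type, body); the advertised body length must fit in the payload."""
    _version, ptype, length = struct.unpack("!BBH", payload[:4])   # struct.error if < 4 bytes
    if length > len(payload) - 4:
        raise ValueError("truncated EAPOL body")
    return ptype, payload[4:4 + length]

def parse_eap(body):
    """Return (code, identifier, type or None, data), checking the EAP length field."""
    code, ident, length = struct.unpack("!BBH", body[:4])           # struct.error if < 4 bytes
    if length < 4 or length > len(body):
        raise ValueError("bad EAP length")
    return code, ident, (body[4] if length > 4 else None), body[5:length]

@dataclass
class AuthenticatorPort:
    """One physical port: EAPOL always uses the uncontrolled path; everything else
    uses the controlled path, which is open only while the port is authorized."""
    authorized: bool = False
    identity: bytes = b""                        # would be forwarded to the RADIUS server
    to_supplicant: list = field(default_factory=list)
    def receive(self, frame):
        """Classify one frame arriving from the supplicant side of the port."""
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == ETHERTYPE_EAPOL:
            self._handle_eapol(frame[14:])
            return "uncontrolled"
        return "controlled" if self.authorized else "dropped"

    def _handle_eapol(self, payload):
        ptype, body = parse_eapol(payload)
        if ptype == EAPOL_LOGOFF:
            self.authorized = False              # supplicant releases the port
        elif ptype == EAPOL_START:               # challenge the client for its identity
            self.to_supplicant.append(eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))
        elif ptype == EAPOL_EAP_PACKET:
            code, _ident, eap_type, data = parse_eap(body)
            if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
                self.identity = data

    def server_decision(self, accept, identifier=2):
        """Apply the authentication server's verdict and relay EAP-Success or EAP-Failure."""
        self.authorized = bool(accept)
        self.to_supplicant.append(eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if accept else EAP_FAILURE, identifier)))

def demo():
    """Data before authentication, EAPOL-Start, identity, accept, data, logoff, data."""
    port = AuthenticatorPort()
    data = ethernet_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, 0x0800, b"\x45" + b"\x00" * 19)  # constructed IPv4 stub
    start = ethernet_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, ETHERTYPE_EAPOL, eapol(EAPOL_START))
    ident = ethernet_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, ETHERTYPE_EAPOL, eapol(
        EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"alice@corp.example")))
    logoff = ethernet_frame(PAE_GROUP_MAC, SUPPLICANT_MAC, ETHERTYPE_EAPOL, eapol(EAPOL_LOGOFF))
    verdicts = [port.receive(data), port.receive(start), port.receive(ident)]
    port.server_decision(True)                   # RADIUS accept relayed as EAP-Success
    verdicts.append(port.receive(data))
    port.receive(logoff)
    verdicts.append(port.receive(data))
    return port.identity, verdicts
```

Running `demo()` shows the controlled path opening only between the server's accept and the supplicant's EAPOL-Logoff, while the EAPOL frames pass at every stage.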
For Windows 2000, deployment of RADIUS requires the following
additional components:
- Windows 2000 Service Pack 2. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  260910 How to Obtain the Latest Windows 2000 Service Pack
- A patch for the Windows 2000 Internet Authentication Service (IAS), which is a RADIUS server feature that is included with Windows 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  304697 Some Wireless Values for the RADIUS Attributes Are Not Available
- A patch for Active Directory to permit computer accounts to have dial-in properties. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  306260 Cannot Modify Dial-In Permissions for Computers That Use Wireless Networking
- A patch for a computer running Windows 2000 Server, to permit computer authentication on the network if a user is not logged on. This patch must be installed on the Active Directory server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
  304347 Server Does Not Make EAP-OE Connection to LAN If a User Is Not Logged On
For more information, see the "Enterprise Deployment of IEEE
802.11 Using Windows XP and Windows 2000 Internet Authentication Service" topic.
To view this topic, visit the following Microsoft Web site:
http://www.microsoft.com/WindowsXP/pro/techinfo/deployment/wireless/default.asp
Differences in the Windows 2000 802.1x Client
To add 802.1X functionality to the Windows 2000 platform, a subset of features was taken from the Microsoft Windows XP platform. The 802.1X engine itself is largely the same; the main difference between the clients is how you interact with them through the user interface. This is a list of the differences on the Windows 2000 client:
- Service state - The Windows 2000 802.1X service is installed in a disabled state. You must set the service state to Automatic and start the service to use its functionality.
- Zero Configuration functionality - The Windows 2000 client does not contain Zero Configuration functionality. This means that you must have a vendor-provided utility to configure your 802.11 settings.
- Third-party tools - As stated earlier, the Windows 2000 client requires a third-party vendor configuration utility for 802.11 settings. Unlike Windows XP, which saves 802.11 settings on a per-user basis, many utilities do not. This may permit multiple users to log on to the same computer and to configure a common profile instead of a user-specific profile.
- Group Policy - Configuring wireless network settings by using Group Policy is not supported.
- Authorization Status notification - You can view authorization status by holding the mouse pointer over the Network Connection icon in the notification area at the far right of the taskbar.
- The Windows 2000 client supports only one wireless network adapter at a time. Although it is technically possible to have a laptop computer with more than one wireless network adapter, the Windows 2000 802.1X client works with only one at a time.
- Upgrade from Beta - If you installed any of the Windows 2000 Beta clients, you must remove them first and then install the released client. There is no supported upgrade path from a Beta client to the released client.
- Context-Sensitive Help - There is no context-sensitive Help in the client.
For more information about wireless security, visit either of
the following Microsoft Web sites:
http://www.microsoft.com/wifi for the latest news about WiFi
solutions from Microsoft
http://www.microsoft.com/security for the latest news about
security solutions
Common Issues
- No Authentication tab - When the hotfix is installed, the 802.1X service is installed in a disabled state. To solve this, you must enable the Wireless Configuration service in the list of services:
  - Right-click My Computer, and then click Manage.
  - Click Services and Applications, and then click Services.
  - Set the Startup value for the service to Automatic, and then start the service.
- Unavailable Authentication tab - If the Authentication tab is present but is unavailable, this indicates that the network adapter driver does not support 802.1x correctly. Use the following list or the hardware manufacturer's Web site to identify the correct network adapter driver version.
Tested Drivers and Utilities
The following list contains information from hardware
manufacturers about which components they tested with the Windows 2000 802.1x
client. This list is not comprehensive; it is intended only to help establish a
baseline at the time of release (04-Nov-2002). For future updates, visit the
manufacturer's Web site.
Device manufacturer: 3COM Corporation
Device name: 3Com 3CRWE62092B Wireless LAN PC Card
Client utility version: 3Com Wireless LAN Manager Version 2.1
Wireless driver version: 3Com 3CRWE62092B Wireless LAN PC Card (for Windows 98 Second Edition, Windows Millennium Edition [Me], Windows 2000 [Wlp92be.sys version 2.1.0.9]), for Windows XP (Wlp92bf.sys [2.1.0.9]).
Firmware in all operating systems is version 5.2.0.0.
For current information about drivers and utilities, visit the following third-party Web site: http://www.3com.com

Device manufacturer: Cisco
Device name/type: Cisco 350 Series PCMCIA Wireless Adapter
Client utility/version: Cisco ACU 5.05.001
Driver version: 8.2.3
Firmware in all operating systems is version 4.25.30.
For current information about drivers and utilities, visit the following third-party Web site: http://www.cisco.com

Device manufacturer: Proxim
Device name: Harmony 802.11a CardBus/PCI Card Software for Windows 98 Second Edition/Windows Me/Windows 2000/Windows XP/Windows NT 4.0
Client utility version: 1.4-B11
Driver version: 1.4-B11

Device manufacturer: Proxim Corporation
Device name: Harmony 802.11a Access Point
Client utility version: 2.0-B11
Firmware version: 2.0-B11
To obtain drivers, utilities, and more current information, visit the following third-party Web sites:
http://www.proxim.com/support/all/harmony/software/dl2002-harm14.html
http://www.proxim.com/support/all/harmony/software/dl2002-11ap20.html
http://www.proxim.com

Device manufacturer: Proxim Corporation
Device name: Proxim Harmony 802.11a
Client utility version: Proxim 1.4-B11
Driver version: Proxim Wireless 802.11a card 1.4-B11 (1.4.1.1)
Firmware version: Loaded by driver
For current information about drivers and utilities, visit the following third-party Web site: http://www.proxim.com

Device manufacturer: Intel
Device name: Intel PRO/Wireless 2011B
Driver version: 3.1.1.27
Firmware version: Firmware is loaded by driver
To obtain drivers, utilities, and more current information, visit the following third-party Web site: http://www.intel.com

Device manufacturer: Intel
Device name: Intel PRO/Wireless 5000 CardBus (802.11a)
Driver version: 1.0.1.30
Firmware version: Firmware is loaded by driver
To obtain drivers, utilities, and more current information, visit the following third-party Web site: http://www.intel.com

Device manufacturer: Enterasys Networks, Inc.
Device name/type: Enterasys RoamAbout R2 Access Point
Firmware version: v2.00.16
For current information about drivers and utilities, visit the following third-party Web site: http://www.enterasys.com/wireless

Device manufacturer: Enterasys Networks, Inc.
Device name/type: Enterasys RoamAbout AP2000 Access Point
Firmware version: v6.04
For current information about drivers and utilities, visit the following third-party Web site: http://www.enterasys.com/wireless

Device manufacturer: Enterasys Networks, Inc.
Device name/type: RoamAbout 802.11 DS CSIBD-AA-128
Client utility version: v8.01
Wireless network adapter driver version: Enterasys Networks Wireless Driver 7.44.18.403
Firmware version: Loaded by driver
For current information about drivers and utilities, visit the following third-party Web site: http://www.enterasys.com/wireless

Device manufacturer: Symbol
Device name: AP-4131-1000 WW
Client utility version: 3.50-26
Wireless network adapter firmware version: 3.50-26
For current information about drivers and utilities, visit the following third-party Web site: http://www.symbol.com

Device manufacturer: Symbol
Device name: LA-4121-1000 WW
Client utility version: 3.0.19.20a
Wireless network adapter driver version: 2.51-08
Firmware version: Firmware is loaded by driver.
For current information about drivers and utilities, visit the following third-party Web site: http://www.symbol.com

Device manufacturer: Symbol
Device name: LA-4131-1000 WW
Client utility version: 3.18
Wireless network adapter driver version: 3.18
Firmware version: Firmware is loaded by driver.
For current information about drivers and utilities, visit the following third-party Web site: http://www.symbol.com

Device manufacturer: Broadcom Corporation
Device name: Broadcom AirForce cards: BCM94301MP, BCM94301CB, BCM94301PC5
Client utility version: Broadcom AirForce OneDriver 3.08.27 (and later)
Driver version: Broadcom AirForce OneDriver 3.08.27+ (no firmware needed)
For current information about drivers and utilities, visit the following third-party Web site: http://www.broadcom.com

Device manufacturer: HP-Compaq
Device name/type: Compaq WL100 11Mbps Wireless LAN PC Card Adapter
Client utility version: 4.06.3.0
Wireless network adapter driver version: 0.29.4
Firmware version: Loaded by driver
For current information about drivers and utilities, visit the following third-party Web site: http://www.hewlettpackard.com/

Device manufacturer: HP-Compaq
Device name/type: Compaq WL 110 PC Card Adapter
Client utility version: 2.58
Wireless network adapter driver version: 7.44.19.445
Firmware version: Loaded by driver
For current information about drivers and utilities, visit the following third-party Web site: http://www.hewlettpackard.com/

Device manufacturer: HP-Compaq
Device name/type: Compaq WL 215 Wireless USB Adapter
Client utility version: 2.58
Wireless network adapter driver version: 7.64.19.329
Firmware version: Loaded by driver
For current information about drivers and utilities, visit the following third-party Web site: http://www.hewlettpackard.com/

Device manufacturer: HP-Compaq
Device name/type: HP Enterprise Access Point WL520
Firmware version: 2.0 (build 267)
For current information about drivers and utilities, visit the following third-party Web site: http://www.hewlettpackard.com/
Microsoft provides third-party contact information to help
you find technical support. This contact information may change without notice.
Microsoft does not guarantee the accuracy of this third-party contact
information.
The information in this
article applies to:
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
Last Reviewed: 1/16/2004 (13.0)
Keywords: kbfix kbprb kbQFE kbWin2000preSP4Fix KB313664