Windows Clients and Group Policy - Part 9

The following is the Group Policy configuration for 802.1X (dot1x) authentication.

Please keep the WIRED and WIRELESS policies separate!

Computer Policy: Ethernet

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        System Services
          Wired AutoConfig (Startup Mode: Automatic)
        Wired Network (802.3) Policies
          Wired Network Policy
            Name: Wired Network Policy
            Description: Wired Network Policy

Global Settings
  Use Windows wired LAN network services for clients: Enabled
  Shared user credentials for network authentication: Enabled

Network Profile - Security Settings
  Enable use of IEEE 802.1X authentication for network access: Enabled
  Enforce use of IEEE 802.1X authentication for network access: Disabled

IEEE 802.1X Settings
  Computer Authentication: Computer only
  Maximum Authentication Failures: 3
  Maximum EAPOL-Start Messages Sent: (blank)
  Held Period (seconds): (blank)
  Start Period (seconds): (blank)
  Authentication Period (seconds): (blank)

Network Authentication Method Properties
  Authentication method: Smart card or certificate
  Validate server certificate: Enabled
  Connect to these servers: (blank)
  Do not prompt user to authorize new servers or trusted certification authorities: Disabled
  Use a certificate on this computer: Enabled
  Use simple certificate selection: Enabled
  Use a different username for the connection: Disabled

Computer Policy: Wireless

Computer Configuration (Enabled)
  Policies
    Windows Settings
      Security Settings
        Wireless Network (802.11) Policies
          Wireless Network Policy
            Policy Name: Wireless Network Policy
            Policy Description: Wireless Network Policy
            Policy Type: Windows Vista and Later Releases

Global Settings
  Use Windows wireless LAN network services for clients: Enabled
  Shared user credentials for network authentication: Enabled
  Hosted networks: Enabled
  Allow user to view denied networks: Enabled
  Allow everyone to create all user profiles: Enabled
  Only use Group Policy profiles for allowed networks: Disabled

Network Filters
  Prevent connection to infrastructure networks: Disabled
  Prevent connection to adhoc networks: Disabled

Allowed Networks
  Network Name (SSID): Protected WiFi, Network Type: Infrastructure

Preferred Network Profiles - Protected WiFi
  Profile Name: Protected WiFi
  Network Type: Infrastructure
  Automatically connect to this network: Enabled
  Automatically switch to a more preferred network: Disabled
  Network Name (SSID): Protected WiFi
  Network broadcasts its SSID: False

Security Settings
  Authentication: WPA2
  Encryption: AES
  Use 802.1X: Enabled
  Pairwise Master Key (PMK) Caching: Enabled
  PMK Time-to-Live (minutes): 720
  Number of Entries in PMK Cache: 128
  Maximum Pre-authentication Failures: 3

IEEE 802.1X Settings
  Computer Authentication: Computer only
  Maximum Authentication Failures: 3
  Maximum EAPOL-Start Messages Sent: (blank)
  Held Period (seconds): (blank)
  Start Period (seconds): (blank)
  Authentication Period (seconds): (blank)

Network Authentication Method Properties
  Authentication method: Smart card or certificate
  Validate server certificate: Enabled
  Connect to these servers: NPS_SRV1;NPS_SRV2
  Do not prompt user to authorize new servers or trusted certification authorities: Enabled
  Use a certificate on this computer: Enabled
  Use simple certificate selection: Enabled
  Use a different username for the connection: Disabled

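To confirm that a client actually received the wired and wireless settings above, the following script (an added example, not part of the original post) exports the effective 802.1X profiles with netsh and compares them with the policy values. It assumes the SSID "Protected WiFi", a wired interface named "Ethernet" and the server list NPS_SRV1;NPS_SRV2, and it reports the two settings that are weaker on the wired policy than on the wireless one (no server names, enforcement off) so that they are a conscious choice rather than an oversight.

```powershell
# Added example (not from the original post). Exports the applied wired and wireless
# 802.1X profiles on a domain-joined client and compares them with the policy above.
# Assumed names: SSID "Protected WiFi", wired interface "Ethernet", NPS_SRV1;NPS_SRV2.
$ExpectedServers = 'NPS_SRV1;NPS_SRV2'
$Out = Join-Path $env:TEMP 'dot1x-check'
New-Item -ItemType Directory -Force -Path $Out | Out-Null

# Export the effective profiles to XML; an EAP-TLS profile carries no key material.
netsh wlan export profile "name=Protected WiFi" "folder=$Out" | Out-Null
netsh lan  export profile "folder=$Out" "interface=Ethernet"  | Out-Null

function Test-OneXProfile {
    param([string]$Path)
    [xml]$p = Get-Content -LiteralPath $Path
    $sec  = $p.DocumentElement.MSM.security   # same location in LANProfile and WLANProfile
    $onex = $sec.OneX
    $f    = @()
    if ($onex.authMode -ne 'machine') { $f += "authMode '$($onex.authMode)' (policy: Computer only)" }
    if ($onex.EAPConfig.EapHostConfig.EapMethod.Type -ne '13') {
        $f += 'EAP method is not Smart card or other certificate (EAP type 13)'
    } else {
        # EAP-TLS settings live under EAPConfig/EapHostConfig/Config/Eap/EapType
        $eap = $onex.EAPConfig.EapHostConfig.Config.Eap.EapType
        $sv  = $eap.ServerValidation
        if ($eap.CredentialsSource.CertificateStore.SimpleCertSelection -ne 'true') { $f += 'simple certificate selection off' }
        if ($sv.DisableUserPromptForServerValidation -ne 'true') { $f += 'users can be prompted to trust a new RADIUS server' }
        if ([string]::IsNullOrWhiteSpace($sv.ServerNames)) { $f += 'ServerNames empty: any server cert from a trusted root is accepted' }
        elseif ($sv.ServerNames -ne $ExpectedServers) { $f += "ServerNames '$($sv.ServerNames)' differs from '$ExpectedServers'" }
    }
    if ($p.DocumentElement.LocalName -eq 'WLANProfile') {
        $ae = $sec.authEncryption
        if ($ae.authentication -ne 'WPA2' -or $ae.encryption -ne 'AES') { $f += "auth/enc $($ae.authentication)/$($ae.encryption), expected WPA2/AES" }
        if ($ae.useOneX -ne 'true') { $f += '802.1X not enabled on the SSID' }
        if ($sec.PMKCacheTTL -ne '720' -or $sec.PMKCacheSize -ne '128') { $f += 'PMK cache TTL/size differ from policy (720/128)' }
    } else {
        if ($sec.OneXEnabled  -ne 'true') { $f += 'wired 802.1X disabled' }
        if ($sec.OneXEnforced -ne 'true') { $f += 'OneXEnforced false: client authenticates only when the switch asks' }
    }
    [pscustomobject]@{ Profile = (Split-Path -Leaf $Path); Findings = ($f -join '; ') }
}

# One object per exported profile; an empty Findings field means the profile matches the policy.
Get-ChildItem -Path $Out -Filter *.xml | ForEach-Object { Test-OneXProfile $_.FullName } | Format-List
```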

Continuing with deploying certificates via the IssuingCA


Requirement: a certificate template on the Issuing CA.

To configure the certificate template:

  1. On the IssuingCA, in Server Manager, click Tools, and then click Certification Authority. The Certification Authority Microsoft Management Console (MMC) opens.
  2. In the MMC, double-click the CA name, right-click Certificate Templates, and then click Manage.
  3. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane.
  4. In the details pane, click the Workstation Authentication template.
  5. Click the Action menu, and then click Duplicate Template. The template Properties dialog box opens.
  6. Click the Security tab.
  7. On the Security tab, under Group or user names, click Domain Computers and grant Allow for the Enroll and Autoenroll permissions.
  8. Go back to the General tab, give the template the name Workstation and set the validity period to 1 year (Windows is perfectly capable of handling certificate renewals).
    • Select Publish certificate in Active Directory
  9. Under Subject Name, select Build from this Active Directory information, select None in the Subject name format drop-down box, and select the following two items:
    • DNS Name
  10. Under Request Handling, select "For automatic renewal of smart card certificates, use the existing key if a new key cannot be created".
  11. Under Compatibility, select Certification Authority: Windows Server 2008 R2 and Certificate recipient: Windows 7 / Windows Server 2008 R2.
  12. Click Apply and OK.
  13. In the Certification Authority MMC, click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.

In other words: add the template via Certificate Templates > right-click > New > Certificate Template to Issue, and select the Workstation certificate template.
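Once the template is issued and the autoenrollment policy has applied, a client should hold a machine certificate built from it. The script below (an added example, not from the original post) triggers autoenrollment on a domain-joined client and reports whether a usable certificate from the template exists; it assumes the template display name "Workstation" from the steps above.

```powershell
# Added example (not from the original post). Triggers autoenrollment on a domain-joined
# client and checks LocalMachine\My for a usable certificate from the assumed template
# name "Workstation" (Client Authentication EKU, private key, DNS SAN, valid chain).
$TemplateName  = 'Workstation'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'
$TemplateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # v2+ template info, v1 template name

certutil -pulse | Out-Null   # run the autoenrollment task now instead of waiting for the next refresh

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value } | Select-Object -First 1
    if (-not $ext) { return $null }
    # Formatted text reads "Template=Workstation(1.3.6.1.4.1.311.21.8....)" when the template
    # OID resolves through AD; on a machine outside the domain only the OID is shown.
    if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $ext.Format($false)
}

$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthEku) -and
    ((Get-TemplateName $_) -eq $TemplateName)
}

$report = foreach ($c in $candidates) {
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        DaysLeft   = [int]($c.NotAfter - (Get-Date)).TotalDays
        HasDnsSan  = ($c.DnsNameList.Unicode -contains $fqdn)   # Subject Name step: DNS name from AD
        ChainOk    = $c.Verify()   # builds to a trusted root and passes revocation checking
    }
}

if (-not $report) { Write-Warning "No '$TemplateName' certificate with a private key found in LocalMachine\My" }
$report | Format-Table -AutoSize
```

A certificate that is present but shows ChainOk False will still fail 802.1X, because NPS validates the client chain the same way.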

[Screenshots: the Workstation template's General, Request Handling, Subject Name, Extensions and Autoenrollment settings on the IssuingCA]