Windows 10 802.1X User Authentication
When using 802.1x authentication (wired or wireless) on a Windows computer joined to an Active Directory Domain, Windows Group Policy Objects (GPOs) can deploy the Native Supplicant configuration. The native supplicant can use different authentication methods, the most common being PEAP/MSCHAPv2, which uses username and password authentication. Slightly less common, due to the perceived complexity, is EAP-TLS, which uses computer and/or user certificates.
This blog post describes the configuration of PEAP/MSCHAPv2, which requires only a valid username and password for successful authentication.
Group Policy Configuration
- Create a new GPO (or, if required, modify an existing policy) and link it to an OU from which the computers will inherit the policy configuration
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services
- Locate the Wired AutoConfig service and double click to edit
- Select Define this policy setting
- Ensure Automatic is selected as startup mode
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Wired Network (IEEE 802.3) Policies
- Right click and select Create A New Wired Network Policy for Windows Vista and Later Releases
- Name the policy appropriately, e.g. Wired Authentication Policy
- Click the Security tab
- Select the desired Authentication Mode. User or Computer authentication is recommended, so that both the Computer and the User are authenticated before network access is granted, allowing both Computer and User Group Policies to be processed.
- Select the authentication method, e.g. Microsoft: Protected EAP (PEAP)
- Click Properties
- Ensure Validate server certificate is selected
- Under Trusted Root Certification Authorities, ensure the correct certificate is selected (this certificate must be present in the Trusted Root certificate store of both the RADIUS server and the client computer)
- Ensure the authentication method is Secured password (EAP-MSCHAPv2)
- Leave other settings as default
- Click OK
- Click OK to complete the configuration
Verification
- Apply the GPO to a test computer
- Open the Services MMC and check the status of the Wired AutoConfig service; it needs to be running
- Open the Local Area Connection Properties; if the service is running, the Authentication tab will be present
Notice that the settings cannot be edited locally, as they have been applied by the GPO configured previously.
If the Wired AutoConfig service is not started, the Authentication tab will not be present.
802.1x Authentication Windows 10
Confirm the Trusted Root Certificate is present in the Local Computer certificate store. This certificate should automatically be present if joined to the Active Directory Domain.
Provided the RADIUS server is configured correctly and the same Trusted Root Certificate is trusted by both the computer and the RADIUS server, authentication should succeed. Refer to this previous blog post that describes how to configure Cisco ISE for Wired 802.1x authentication.
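The verification steps above can also be run from an elevated PowerShell prompt on the test computer. The script below is an added example, not part of the original post; it assumes the Wired AutoConfig service name is dot3svc (its standard name) and uses a placeholder CA subject that you replace with the Trusted Root certificate selected in the PEAP properties.

```powershell
# Added example: verify the GPO-deployed wired 802.1x configuration.
# Placeholder: replace with the subject of the Trusted Root CA chosen in the PEAP properties.
$caSubject = 'CN=<TRUSTED-ROOT-CA-SUBJECT>'

# 1. Wired AutoConfig (service name dot3svc) must be running and set to Automatic,
#    otherwise the Authentication tab is missing and no 802.1x exchange takes place.
$svc = Get-Service -Name dot3svc
$startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='dot3svc'").StartMode
"Wired AutoConfig: status={0} startup={1}" -f $svc.Status, $startMode
if ($svc.Status -ne 'Running') {
    Write-Warning 'Wired AutoConfig is not running; 802.1x authentication will not be attempted.'
}

# 2. Wired (IEEE 802.3) profiles present on the machine, including the one pushed
#    by Group Policy; the output shows the EAP type configured for each profile.
netsh lan show profiles

# 3. The Trusted Root CA selected in the PEAP settings must be in the Local Computer
#    Trusted Root store, or server certificate validation fails and the client
#    refuses to send credentials to the RADIUS server.
$ca = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $caSubject }
if ($ca) {
    "Trusted Root CA present: {0} (thumbprint {1}, valid until {2})" -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter
} else {
    Write-Warning "Trusted Root CA '$caSubject' not found in Cert:\LocalMachine\Root."
}

# 4. Current 802.1x state of each wired interface (authentication result and EAP method).
netsh lan show interfaces
```

If the profile listed under step 2 does not match the GPO, run gpupdate /force and re-check the Group Policy link and security filtering before troubleshooting the RADIUS side.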