
Knowledge Transfer: 802.1x and Radius Servers

Kyle Harbert Revision 1.0 March 4, 2010

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR. Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel's Web Site. 
Intel Active Management Technology requires the computer system to have an Intel AMT-enabled chipset, network hardware and software, as well as connection with a power source and a corporate network connection. Setup requires configuration by the purchaser and may require scripting with the management console or further integration into existing security frameworks to enable certain functionality. It may also require modifications of implementation of new business processes. With regard to notebooks, Intel AMT may not be available or certain capabilities may be limited over a host OS-based VPN or when connecting wirelessly, on battery power, sleeping, hibernating or powered off. For more information, see www.intel.com/technology/platform-technology/intel-amt/ Intel, the Intel logo, Intel Core, Intel Centrino, and Intel vPro are trademarks or registered trademarks of Intel Corporation in the United States and other countries. *Other names and brands may be claimed as the property of others. Copyright 2009, 2010 Intel Corporation. All rights reserved.


Contents
Introduction ... 1
  What is 802.1x authentication? ... 1
  Why is 802.1x important? ... 1
  Supplicants ... 2
  RADIUS Servers ... 2
  Authentication Protocols ... 3
  Public Key Infrastructure ... 3
  Posture Validation ... 4
Implementation ... 5
  Workflow overview ... 5
  How to use an 802.1x network connection ... 6
Intel AMT and 802.1x ... 9
  Intel AMT 802.1x ISV support ... 10
Debug ... 11
  Tracing ... 11
    Tracing from network access device ... 11
    Tracing from the RADIUS server ... 11
    How to use Ethereal\Wireshark ... 12
    Tracing from the client ... 13
Common Problems ... 14
  Logging ... 14
  Wrong protocol type ... 14
  User not found ... 14
  Quarantined ... 14
  CA not configured ... 15
  Settings being lost in ACS ... 15
  Intel AMT Active Directory object does not exist ... 15
  Active Directory object allows remote access ... 15
  RADIUS server certificate and certificate signing chain should not contain any certificates with key size >2048-bits ... 16
  RADIUS server is providing the full and correct certificate chain ... 16
  Intel AMT is using correct EAP-RADIUS protocol ... 16
  Intel AMT must be provisioned with root CA certificate of RADIUS server certificate signing chain ... 16
  Intel AMT checking RADIUS server certificate subject CN information correctly ... 16
  Intel AMT is providing correct client credentials to RADIUS server ... 17
  Verify the PKI ... 17
General Information ... 17
Appendix ... 18
  Microsoft NAP Configuration ... 18


Introduction
The purpose of this paper is to share key learnings acquired while getting up to speed on 802.1x and Radius servers. This section of the paper describes 802.1x authentication and provides overview information on Radius servers, supplicants, authentication protocols, and public key infrastructure.

What is 802.1x authentication?

From Wikipedia: IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC) ("port" meaning a single point of attachment to the LAN infrastructure). It is part of the IEEE 802.1 group of networking protocols. It provides security through an authentication mechanism to devices wishing to attach to a LAN, either establishing a point-to-point connection or preventing it if authentication fails. It is used for most corporate wireless 802.11 access points and is based on the Extensible Authentication Protocol (EAP). 802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server. The supplicant is often software on a client device, such as a laptop; the authenticator is a wired Ethernet switch or wireless access point; and the authentication server is typically a host running software capable of speaking the RADIUS and EAP protocols. The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant's identity has been validated and authorized. An analogy to this is providing a valid passport at an airport before being allowed to pass through security to the terminal. With 802.1X port-based authentication, the supplicant provides credentials, such as user name / password or digital certificate, to the authenticator, and the authenticator forwards the credentials to the authentication server for verification. If the credentials are valid (in the authentication server database), the supplicant (client device) is allowed to access resources located on the protected side of the network.

Why is 802.1x important?

802.1x is the industry standard for providing security on corporate wireless networks and is part of the 802.11i security model. An 802.1x security implementation allows for more manageable and secure usage than a pre-shared key implementation. Although most commonly used for wireless networks, 802.1x authentication is also used to secure wired networks. Vendors of wired 802.1x schemas often apply brand names to them. Keep in mind that branded solutions often include posture validation (see below). Posture validation is independent of 802.1x. Cisco* calls its branded solution NAC (Network Access Control) and Microsoft* calls its solution NAP (Network Access Protection). These brand names are also referred to as EAC (endpoint access control) types.


Supplicants
When a client connects to a network access device (WAP or wired switch requiring 802.1x authentication), the network access device notifies the client that 802.1x authentication is required. A supplicant on the client is then required to provide authentication data. There are several supplicants to keep in mind:
- Cisco NAC* supplicant: This is a program created by Cisco to allow Windows XP clients to execute 802.1x authentication via Cisco's NAC solution.
- Windows wired interface: Windows Vista* and Windows 7* have a built-in 802.1x supplicant.
- Windows wireless: Windows Vista and Windows 7 have built-in wireless connectivity components that are equipped with 802.1x authentication functionality.
- Third party wireless connection software: Most widely available wireless connection software (Intel* Proset, Lenovo* Thinkvantage etc.) is equipped with 802.1x authentication functionality.
- Wired Intel AMT: Intel Active Management Technology (Intel AMT) version 3+ is configured with wired 802.1x authentication functionality such that Intel AMT can maintain wired network access while OS based supplicants are unavailable.
- Wireless Intel AMT: Intel AMT versions 2.5\6, 4.x and 6.x are configured with wireless 802.1x authentication functionality such that Intel AMT can maintain wireless network access while OS based supplicants are unavailable.

RADIUS Servers
When a network access device that requires 802.1x receives 802.1x authentication data from a connecting supplicant, it forwards that data to a RADIUS server. RADIUS stands for Remote Authentication Dial-in User Service. The RADIUS server evaluates the client's 802.1x authentication data and notifies the network access device of the authentication outcome and the access level to be assigned to the client. There are three RADIUS servers that receive validation attention with respect to Intel AMT:
1. Microsoft* IAS: IAS (Internet Authentication Service) is a very basic RADIUS server that was included as part of Windows Server 2003.
2. Microsoft* NPS: NPS (Network Policy Service) is an advanced RADIUS server that is included as part of Windows Server 2008.
3. Cisco* ACS: ACS (Access Control Server) is an advanced RADIUS server created by Cisco.


Authentication Protocols
An 802.1x authentication schema can be implemented using a number of authentication protocols. The authentication protocol determines the structure and content of the 802.1x authentication data the client must provide to the RADIUS server. Authentication protocols offer varying degrees of convenience and security strength. Three of them are discussed here:
1. EAP-TLS: Extensible Authentication Protocol Transport Layer Security. This is the most secure protocol. It requires use of a user or machine certificate issued from a Certificate Authority trusted by the RADIUS server. This certificate is used to establish the accessing user's or machine's identity. It is supported by ACS, NPS and IAS RADIUS servers.
2. EAP-FAST: Extensible Authentication Protocol Flexible Authentication via Secure Tunneling. This protocol is only used when ACS is used as the RADIUS server. It can use either Active Directory or certificates for authentication.
3. PEAP: Protected Extensible Authentication Protocol. This method can use either certificates or Active Directory credentials to establish the identity of the accessing user. Given the option of using Active Directory credentials, PEAP is quite convenient in Windows environments.

Public Key Infrastructure

PKI (public key infrastructure) is a means of verifying the identity of a system on a network. At the core of PKI are systems called Certificate Authorities (CAs). CAs issue digital certificates. These certificates serve two functions: authentication and encryption. For the purposes of 802.1x, only the authentication functionality is utilized. A certificate contains the following data:
- Certificate chain data: allows the CA chain hierarchy to be constructed from the issuing CA back up to a root CA.
- Subject Name: name of the system or user to which the cert was issued.
- Public Key: key used to encrypt data sent to the certificate holder.
- Private Key: key used to decrypt data that was encrypted with the public key.

Certificates rely on a concept called signing. When a certificate is issued by a CA, it is also signed by that CA. By using cryptographic processes, CAs make it nearly impossible to spoof the signing of certificates. Signing serves the following purposes:
1. Makes it extremely difficult to spoof which CA issued a certificate. For example, if a targeted computer trusts a certain CA, it will be extremely difficult to create a certificate the targeted computer will think is from the trusted CA.
2. Ensures that the data in an issued certificate cannot be altered. For example, if a certificate is issued to a particular user or computer, it would be impossible to change the subject names listed in the issued cert to provide false identification for another user or computer without the targeted computer being able to easily detect it.


For more in-depth documentation on PKI: http://technet.microsoft.com/en-us/library/cc700804.aspx

Posture Validation
In addition to the authentication aspects of a wired or wireless 802.1x schema, posture validation is also used by the RADIUS server to decide what level of network access to grant a system. Posture validation is essentially evaluation of other attributes of the accessing system. Posture validation can be used to require that anti-virus, firewall, operating system etc. are all up to date and properly configured. Integrating 802.1x authentication with posture validation is called an EAC (Endpoint Access Control) solution. There are two common EAC solutions: Microsoft NAP and Cisco NAC.


Implementation
Workflow overview
A high level workflow of a basic 802.1x authentication process is illustrated below.


How to use an 802.1x network connection

Assuming a pre-existing 802.1x network, a client can be configured to access it via the following steps. This guide assumes that a Microsoft NPS RADIUS server is being used with the PEAP authentication protocol. This section can be used for either wired or wireless.

1. Supplicant Configuration (assuming Windows 7 or Windows Vista). The client is assumed to be joined to the domain and configured with DHCP.
2. Enable wired 802.1x supplicant
   a. Click Start, click All Programs, click Accessories, and then click Run.
   b. Next to Open, type services.msc, and then press ENTER.
   c. In the list of services, right-click Wired AutoConfig, and then click Properties.
   d. Next to Startup type, choose Automatic.
   e. Under Service status, click Start, wait for the service to start, and then click OK.
3. Wired NAP Configuration (optional). If posture validation is required by the RADIUS server, here is how it is enabled:
   a. In the list of services, right-click Network Access Protection Agent, and then click Properties.
   b. Next to Startup type, choose Automatic.
   c. Under Service status, click Start, wait for the service to start, and then click OK.
   d. Close the services window.
   e. Click Start, click All Programs, click Accessories, and then click Run.
   f. Next to Open, type mmc, and then press ENTER.
   g. On the File menu, click Add/Remove Snap-in.
   h. Click NAP Client Configuration, and then click Add.
   i. In the NAP Client Configuration dialog box, click OK to accept the default selection, Local computer (the computer on which this console is running).
   j. Click Local Group Policy Object Editor, and then click Add.
   k. Click Finish to accept the default, Group Policy Object of Local Computer.
   l. In the Add or Remove Snap-ins dialog box, click OK.
   m. In the left pane, double-click NAP Client Configuration (Local Computer), and then click Enforcement Clients.
   n. In the middle pane, right-click EAP Quarantine Enforcement Client, and then click Enable.
   o. In the left pane, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then click Security Center.
   p. In the middle pane, double-click Turn on Security Center (Domain PCs only).
   q. Select Enabled, and then click OK.
   r. Close the Console1 window.
   s. Click No when prompted to save console settings.
4. Configure Wired Network Connection
   a. Click Start, right-click Network, and then click Properties.
   b. Click Manage network connections.
   c. Right-click the connection that needs to be configured for 802.1x, and then click Properties.
   d. Click the Authentication tab, and verify that Enable IEEE 802.1X authentication is selected.
   e. Click Settings. In the Protected EAP Properties dialog box, verify that the following check boxes are selected:
      i. Validate server certificate
      ii. Enable Fast Reconnect
      iii. Enable Quarantine checks
      iv. The root of the CA that issued the certificate that the RADIUS server uses to identify itself to clients that are attempting to authenticate must be checked.
      v. Authentication method = EAP-MSCHAP v2
   f. Click Configure, verify that Automatically use my Windows logon name and password (and domain if any) is selected, and then click OK. (PEAP can use certificates or Active Directory; this setting makes it use Active Directory.)
   g. Click OK, and then click OK again.
5. Configure Wireless Network Connection
   a. Click Start, right-click Network, click Properties, and then click Manage wireless networks.
   b. Click Add > Manually create.
   c. Add settings appropriate to the wireless network and choose Next. Click the Change Network Settings button and choose the Security tab.
   d. Click Settings. In the Protected EAP Properties dialog box, verify that the following check boxes are selected:
      i. Validate server certificate
      ii. Enable Fast Reconnect
      iii. Enable Quarantine checks
      iv. The root of the CA that issued the certificate that the RADIUS server uses to identify itself to clients that are attempting to authenticate must be checked.
      v. Authentication method = EAP-MSCHAP v2
   e. Click Configure, verify that Automatically use my Windows logon name and password (and domain if any) is selected, and then click OK. (PEAP can use certificates or Active Directory; this setting makes it use Active Directory.)
   f. Click OK, and then click OK again.
6. Connect to the network
   a. Connect the wired NIC to an 802.1x enabled port or associate the wireless adaptor to an 802.1x configured wireless network.
7. Observe RADIUS logs
   a. Access the NPS server.
   b. Right click Computer > Manage > Diagnostics > Event Viewer > Custom Views > Server Roles > Network Policy Server.
   c. Refresh the event list.
   d. Browse the list for events pertaining to the test client. (Hopefully a message with the title "Network Policy Server granted full access to" is listed.)
8. Verify client connection
   a. Open Manage Network Connections. Something like Local Area Connection will be listed for the local wired interface. When the connection is activated, the middle line of text beside the icon will say "attempting to authenticate".
   b. When successful it will say "enabled" and then "detecting". Once you see "enabled", the 802.1x authentication has taken place successfully.
   c. If posture validation is being used: if Windows* Firewall is enabled you should have access to the entire network. Find out by pinging the domain controller. If Windows Firewall is not enabled, the NIC will still say "enabled"; however, the client will be unable to ping the domain controller, or anything else that is not in the quarantine VLAN.


Intel AMT and 802.1x

Since Intel AMT must be able to access a customer's network independently of the OS, Intel AMT must be able to authenticate to 802.1x equipped wired and wireless networks. Intel AMT is equipped with 802.1x supplicants for both wired and wireless networks. These supplicants are configured during Intel AMT provisioning. The required settings used with Intel AMT will be analogous to those used in the OS. Assuming a pre-existing 802.1x network, a client can be configured to access it via the following steps. This guide assumes that a Microsoft NPS RADIUS server is being used with the PEAP authentication protocol. This section can be used for either wired or wireless.

1. Provision the client.
   a. On the provisioning server of choice, configure the desired interface (wired, wireless or both) with the following settings:
      i. Authentication type = PEAP
      ii. Trusted Root for 802.1x authentication = the root CA for the CA that issued the certificate that the RADIUS server uses to identify itself to clients that are attempting to authenticate.
      iii. Certificate Template = whatever certificate template is used for 802.1x authentication.
   b. Provision the client.
   c. With the client in the OS, access Network and Sharing > Change Adaptor settings.
   d. Trigger Intel AMT authentication.
      i. Right click the desired connection and choose Disable. (For wireless it is not sufficient to simply disconnect.) Disabling the adaptor stops the network driver, which signals Intel AMT to take over the connection. When Intel AMT detects an 802.1x equipped network, it will attempt to authenticate using the configuration parameters set during provisioning.
   e. Observe RADIUS logs.
      i. Access the NPS server.
      ii. Right click Computer > Manage > Diagnostics > Event Viewer > Custom Views > Server Roles > Network Policy Server.
      iii. Refresh the event list.
      iv. Browse the list for events pertaining to the test client. (Hopefully a message with the title "Network Policy Server granted full access to" is listed.)
   f. Verify client connection.
      i. Ping the interface on the client that is being tested. Intel AMT will likely have the IP address the OS acquired. (It is difficult to verify a successful address acquisition for Intel AMT without looking at the DHCP server, so address acquisition must be observed by accessing Intel AMT features like a ping response or webui access.)

Intel AMT 802.1x ISV support

LANDesk*: No wired or wireless 802.1x support. No EAC support.
Symantec Altiris*:
   Version 6.x: Integrates SCS 3.x. Wired and wireless 802.1x are supported. Only the NAC EAC type is supported.
   Version 7.x: Integrates SCS 5.x. Wired and wireless 802.1x are supported. NAC and NAP EAC types are supported.
Microsoft System Center Configuration Manager* (ConfigMgr):
   SP1: No wired or wireless 802.1x support. No EAC support.
   SP2: Wired and wireless 802.1x are supported. Only NAC EAC types are supported due to a bug. (See debug section.)


Debug
Tracing
When debugging 802.1x authentication failures, it is often necessary to perform network traces when available logs are not populated and communication between components needs to be verified.

Tracing from network access device

This is the most difficult tracing and in most cases requires high security access to the network access device. 802.1x equipped network access devices have debug modes that allow technicians to view details of access attempts. These devices also have general event logs. Both of these tools can be used to verify that access attempts by the client are indeed being processed by the device.

Tracing from the RADIUS server

A common problem when troubleshooting 802.1x access is that no logs for a failing access attempt appear on the RADIUS server. This can be caused by a number of things:
1. Access attempts are not arriving at the network access device.
2. Access attempts are being dropped by the network access device.
3. The network access device cannot contact the RADIUS server.
4. The RADIUS server is dropping\not logging authentication attempts.
By initiating a network trace on the RADIUS server (using Ethereal\Wireshark etc.), network packets can be observed. Presence of a conversation between the network access device and the RADIUS server eliminates the possibility of #1, #2 and #3 above. Another common problem is that the user\computer that is attempting authentication is not found in Active Directory by the RADIUS server. A network trace can also be used to observe a conversation between a domain controller and the RADIUS server, to prove that the RADIUS server really cannot find the user\computer as opposed to not being able to contact the domain controller.
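Decoding the captured RADIUS datagrams makes the trace above far easier to read. The Python below is an added example (not from the paper or any Intel tool): it parses an Access-Request, reassembles the EAP-Message attribute to show which EAP method and identity the client offered (which also helps with the "Wrong protocol type" problem later in this paper), and recomputes the Message-Authenticator with the NAS shared secret, because a secret mismatch is one way cause #4 appears: the server silently discards the request and logs nothing. The packet, secret, NAS address and host name are constructed for the demo; only the standard library is used.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS attribute types (RFC 2865, RFC 3579) seen in 802.1x Access-Requests.
USER_NAME, NAS_IP, NAS_PORT_TYPE, EAP_MESSAGE, MSG_AUTH = 1, 4, 61, 79, 80
ACCESS_REQUEST = 1
# EAP codes and the IANA method numbers for the protocols this paper discusses.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS type-length-value attributes."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def build_access_request(identifier, secret, attrs, authenticator=None):
    """Build an Access-Request with a valid Message-Authenticator (RFC 3579 section 3.2):
    HMAC-MD5 keyed with the shared secret over the packet with the attribute value zeroed."""
    authenticator = authenticator or os.urandom(16)          # 16-byte Request Authenticator
    body = encode_attrs(attrs)
    mac_offset = 20 + len(body) + 2                           # where the HMAC value will sit
    body += struct.pack("!BB", MSG_AUTH, 18) + b"\x00" * 16
    packet = bytearray(struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)))
    packet += authenticator + body
    packet[mac_offset:mac_offset + 16] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_radius(packet):
    """Split a RADIUS datagram into header fields and a list of (type, value) attributes."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length %d does not fit a %d-byte datagram" % (length, len(packet)))
    attrs, pos = [], 20
    while pos < length:                                       # bytes past Length are padding
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(packet, secret):
    """Recompute Message-Authenticator. False means the NAS and the server do not share the
    same secret (or the packet was altered in transit); the server then silently discards it."""
    packet = packet[:struct.unpack("!H", packet[2:4])[0]]
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MSG_AUTH and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False     # attribute absent; it is mandatory whenever EAP-Message is carried


def decode_eap(attrs):
    """Reassemble the EAP-Message fragments (in order) and decode the EAP header."""
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
    if len(eap) < 4:
        return None
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2) and length >= 5 and len(eap) >= 5:      # Request/Response carry a Type
        etype = eap[4]
        info["type"] = EAP_TYPES.get(etype, "EAP type %d" % etype)
        if etype == 1:                                        # Response/Identity carries the name
            info["identity"] = eap[5:length].decode("utf-8", "replace")
    return info


def summarize(packet, secret):
    """The facts a troubleshooter wants from one captured Access-Request."""
    p = parse_radius(packet)
    user = next((v.decode("utf-8", "replace") for t, v in p["attrs"] if t == USER_NAME), None)
    nas = next((socket.inet_ntoa(v) for t, v in p["attrs"] if t == NAS_IP and len(v) == 4), None)
    return {"code": p["code"], "id": p["id"], "user_name": user, "nas_ip": nas,
            "eap": decode_eap(p["attrs"]),
            "secret_ok": verify_message_authenticator(packet, secret)}


# Constructed sample: a switch at 192.168.0.10 forwarding a client's EAP Response/Identity
# to the RADIUS server. Secret, address and host name are made up for this demo.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_IDENTITY = b"host/amt-client.example.com"
SAMPLE_EAP = struct.pack("!BBHB", 2, 1, 5 + len(SAMPLE_IDENTITY), 1) + SAMPLE_IDENTITY
SAMPLE_REQUEST = build_access_request(7, SAMPLE_SECRET, [
    (USER_NAME, SAMPLE_IDENTITY),
    (NAS_IP, socket.inet_aton("192.168.0.10")),
    (NAS_PORT_TYPE, struct.pack("!I", 15)),                   # 15 = Ethernet
    (EAP_MESSAGE, SAMPLE_EAP),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_REQUEST, SAMPLE_SECRET))
    print("with a mistyped secret:", summarize(SAMPLE_REQUEST, b"typo-in-secret")["secret_ok"])
```

To use it on a real trace, export the UDP payload of an Access-Request from Wireshark and pass those bytes to summarize together with the secret configured on the NAS.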



How to use Ethereal\Wireshark

Here's an example:
1. Install Wireshark and open the program.
2. Click Capture > Interfaces.
3. Click the Options button for the active network adaptor.
4. Check Update list of packets in real time. Uncheck Automatic scrolling.
5. Click Start.
6. In the filter field, input the string ip.dst==X.X.X.X or ip.dst==Y.Y.Y.Y, where X.X.X.X is the IP address of the machine or device the RADIUS server needs to be observed communicating with and Y.Y.Y.Y is the IP address of the RADIUS server. Once entered, press ENTER to begin filtering. This will hide much of the non-relevant traffic. A simple trace looks like this:

In this example, a simple ICMP ping exchange is observed between the RADIUS server at 192.168.0.95 and a domain controller at 192.168.0.2.



Tracing from the client

If no conversation is observed between the RADIUS server and the network access device, it can be simpler to put a trace between the client and the network port to verify a two-way conversation than to access logs and debug modes on the network access device. This can only be done on a wired connection. To obtain similar data on a wireless connection, the WAP must be accessed directly. Tracing a wired authentication attempt occurs as illustrated:



Common Problems
Logging
RADIUS Server Logs
ACS and NPS both have an aspect of logging that can make debug more difficult: when an authentication request is malformed enough, it will not be logged in detail in the standard log. Instead it will be logged only as a line item in a separate log file. The log files are located here:
NPS: C:\windows\system32\logfiles
ACS: C:\windows\ACS\CSAuth\auth.log
With ACS for example, if an EAP-TLS authentication request arrives utilizing a certificate that does not chain back to a trusted root CA, that authentication request will not be placed in the main logs and will only be logged in auth.log.

Network Access Device Logs
If no logs appear on the RADIUS server for a particular access request and no meaningful data is present

Wrong protocol type

RADIUS servers can be configured to accept or reject any authentication protocol. If the client attempts to connect with an unsupported protocol, the authentication attempt will typically be logged in the main log. Common error messages say "EAP type not configured" or "protocol not supported". These error messages are fairly self explanatory: all that is required is to adjust the RADIUS server or client supplicant so that the client uses a supported protocol. With ACS, these errors often result from settings being lost (see below) or the protocol type not being enabled in all of the necessary places.

User not found

This happens when Active Directory integration is used and the RADIUS server is attempting to verify the client's identity via Active Directory. For ACS, this can happen if Active Directory integration hasn't been properly configured. For AMT authentication requests, this can happen if the AMT Active Directory object wasn't created properly. This can also result from an incorrect authentication protocol or EAC type being used; in this case the domain suffix of the machine or user is misinterpreted by the RADIUS server.

Quarantined
A client can sometimes pass authentication, but the RADIUS server will quarantine it, resulting in limited or no connectivity. This is usually the result of a posture validation failure. A posture validation failure can have the following causes:
1. Posture data is transmitted, but the system has legitimately violated posture requirements.
2. Posture data is not transmitted at all because the supplicant has not been configured to send posture data. With NPS this causes the log to state that the system is non-NAP capable.
3. Use of EAP-TLS with NPS. Problems have been seen where this configuration causes the log to state that the system is non-NAP capable. It seems the Windows native supplicant might have a problem transmitting posture data when EAP-TLS is used.
4. MS ConfigMgr currently has an error that causes the EAC type set in AMT to be set to that of NAC. If a NAP solution is used, the NPS server will quarantine the system and say that it is non-NAP capable due to the mis-configuration.

CA not configured
ACS has a known issue where all of the CAs in a client certificate's chain must be added to ACS as trusted root CAs. Cisco acknowledged this should not be a requirement. If a client presents the RADIUS server a certificate that is not issued by, or does not chain to, a CA in the trusted root list, authentication will fail and the authentication attempt will not be logged in the main logs.

Settings being lost in ACS

Adjusting certain settings (global authentication settings in particular) within ACS can cause configuration settings to be lost.

Intel AMT Active Directory object does not exist

During Intel AMT provisioning, the provisioning server or application will create an Active Directory object pertaining to the Intel AMT controller. If this object is not created, Active Directory based authentication will fail. RADIUS log files will indicate something relating to user not found. This is typically caused by the provisioning server using a user with insufficient privileges to create the AD object.

Active Directory object allows remote access

RADIUS servers can be configured to grant access only to authenticated users or computers that are members of a specific security group within Active Directory. RADIUS log files normally indicate when network access was rejected because the account is not in a required group. This is often caused by the provisioning server not being configured to add a newly created Intel AMT AD object to the required group, or by the provisioning server's credentials lacking the permissions to do so.

RADIUS server certificate and certificate signing chain should not contain any certificates with key size >2048 bits

Check this on the RADIUS server by locating the RADIUS server certificate and inspecting it and each certificate in its signing chain. Newer Intel AMT firmware may support 4096-bit keys, but any key larger than 2048 bits remains an area to focus on. If there are certificates with keys that are too large, this does not mean the PKI must be rebuilt: cross-certification can be used to make things work and avoid a costly rebuild of an existing PKI.
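
The check described above can be scripted rather than done certificate by certificate in a viewer. The following is an added example, not code from the Intel document: it walks the DER structure of each certificate in a chain with the Python standard library only, reads the RSA modulus out of the subjectPublicKeyInfo, and flags anything larger than 2048 bits. The chain it runs against is constructed in the block (minimal synthetic certificate shells, not real signed certificates); PEM or DER exported from a real RADIUS server parses the same way. Non-RSA keys are reported as "not checked" rather than judged.

```python
"""Audit the RSA key sizes in a RADIUS server certificate chain.

Added example, not from the Intel document. Standard library only: a small DER
walker reads the subjectPublicKeyInfo of each certificate and reports the RSA
modulus size, so any key above MAX_KEY_BITS in the chain is flagged. The chain
built at the bottom is constructed (synthetic certificate shells, not real,
signed certificates); PEM or DER exported from a real server parses the same way.
"""
import base64
import re

MAX_KEY_BITS = 2048
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Split the body of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def rsa_key_bits(der_cert):
    """Return the RSA modulus size in bits, or None if the key is not RSA."""
    _, cert, _ = _read_tlv(der_cert, 0)               # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])         # tbsCertificate fields
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    algorithm, public_key = _children(fields[5][1])
    if _children(algorithm[1])[0][1] != RSA_OID:
        return None
    # BIT STRING body starts with an "unused bits" octet; the rest is RSAPublicKey
    _, rsa_public_key, _ = _read_tlv(public_key[1][1:], 0)
    modulus = _children(rsa_public_key)[0][1]         # RSAPublicKey ::= SEQUENCE { modulus, exponent }
    return int.from_bytes(modulus, "big").bit_length()


def pem_to_der(pem_text):
    """Strip the PEM armour lines and base64-decode."""
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem_text).split()))


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


def audit_chain(der_certs, max_bits=MAX_KEY_BITS):
    """Return [(index, key_bits, within_limit)] leaf first; non-RSA keys get (None, None)."""
    report = []
    for i, der in enumerate(der_certs):
        bits = rsa_key_bits(der)
        report.append((i, bits, None if bits is None else bits <= max_bits))
    return report


def oversized(report):
    """Indices of certificates whose key exceeds the limit."""
    return [i for i, _, ok in report if ok is False]


# --- constructed test chain (tiny DER encoder, used only to build synthetic shells) ---
def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def synthetic_cert(key_bits):
    """Minimal certificate shell carrying an RSA key of key_bits (constructed, unsigned)."""
    modulus = (1 << (key_bits - 1)) | 1              # any odd number with the wanted bit length
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    algorithm = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))
    empty = _tlv(0x30, b"")                           # stand-ins for sigAlg/issuer/validity/subject
    tbs = _tlv(0x30, _tlv(0xA0, _der_int(2)) + _der_int(1) + empty * 4 + spki)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # leaf, intermediate, root: the intermediate is the one that would trip Intel AMT
    chain = [synthetic_cert(2048), synthetic_cert(4096), synthetic_cert(2048)]
    report = audit_chain(chain)
    for index, bits, ok in report:
        print("cert %d: %s bits -> %s" % (index, bits, "OK" if ok else "TOO LARGE"))
    print("oversized certificates:", oversized(report))
```

Feed `audit_chain()` the DER of each certificate exported from the RADIUS server's certificate store (or `pem_to_der()` on a PEM export), leaf first; the indices reported by `oversized()` are the certificates that would need to be replaced or bridged by cross-certification.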

RADIUS server is providing the full and correct certificate chain

Some RADIUS servers need specific configuration to pass the full certificate chain, and in environments with cross-certificates there is a possibility of sending the wrong chain. Either eliminate any confusing cross-certificates, verify the RADIUS configuration carefully, or take a network trace and confirm the correct certificates are being passed to Intel AMT.

Intel AMT is using the correct EAP-RADIUS protocol

The protocol is configured during Intel AMT provisioning. The network administrator can provide information on the protocol being used.

Intel AMT must be provisioned with the root CA certificate of the RADIUS server certificate signing chain

This is not normally a problem in environments with a single stable root CA, or where the provisioning software verifies that a root certificate is being used during provisioning. However, if the environment contains more than one root CA, or the environment is under development and the root CA certificate may have been re-issued, this should be checked.

Intel AMT checking RADIUS server certificate subject CN information correctly

Intel AMT supports the following methods of validating the RADIUS server certificate subject CN information:

(i) ignore the subject CN field;
(ii) compare the entire subject CN field with a user-supplied string;
(iii) compare the domain part of the subject CN field with a user-supplied string.

Check the RADIUS server certificate and the Intel AMT settings to ensure Intel AMT will correctly process the subject CN field. Intel AMT settings are configured during Intel AMT provisioning. Note: Intel AMT always checks that the RADIUS server certificate was issued by a trusted CA.

Intel AMT is providing correct client credentials to RADIUS server

Client credentials are normally configured during Intel AMT provisioning. Intel AMT presents credentials in the format NetBIOS\Username rather than Username@Domain, which can cause problems with disjoint namespaces (i.e. the NetBIOS name is not equal to the DNS domain name). Different RADIUS server vendors expect to receive client credentials in different formats. RADIUS log files normally indicate the client credentials that were used; however, they are presented as they were parsed by the RADIUS server, so if they were provisioned in the wrong format they may be displayed incorrectly. Provisioning software provides options for authentication protocol and EAC type to change the format of client credentials contained in client certificates. Reconfiguring the certificate template used for Intel AMT certificates can also change the subject name formats.

Verify the PKI

Microsoft software often requires access to certificate revocation information. If the CRL Distribution Point (CDP) is inaccessible or the CRL is out of date, this can lead to authentication failures where clients present a certificate to authenticate themselves.

General Information

1. When using Intel SCS or Microsoft ConfigMgr SP2 as the provisioning software, Active Directory objects representing Intel AMT have the SAM account name format hostname$iME. It can be helpful when examining RADIUS log files to locate this name to determine if authentication succeeded or failed with credentials of this type.
2. Be careful when re-provisioning an Intel AMT client where the 802.1X network port is being held open by Intel AMT. If this happens, it can lead to port closure before provisioning completes and loss of network connectivity.
3. The Intel AMT event log contains details of 802.1X authentication failures if Intel AMT does not trust the RADIUS server. This information can be used to identify whether authentication failures are caused by Intel AMT rejecting the RADIUS server or by RADIUS rejecting Intel AMT. Knowing this helps focus further debug efforts. The Intel AMT event log is available from the Intel AMT WebUI.
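
Several of the items above come down to reading the RADIUS log for a particular phrase ("user not found", rejection for a missing group, "non-NAP capable") and for the hostname$iME account name that marks an Intel AMT authentication. The following is an added example, not code from the Intel document, that does that triage over a batch of log entries. The entries and their `key=value;key=value` layout are constructed for the example so it runs offline; real NPS or ACS logs have their own formats, so `parse_entry()` is the part to adapt, while the classification rules are the ones this section gives.

```python
"""Triage RADIUS authentication log entries against the causes in this section.

Added example, not from the Intel document. SAMPLE_LOG is constructed in a
simplified "key=value;key=value" form; real NPS/ACS log formats differ, so
parse_entry() is the adapter. The rules map the phrases this section names
("user not found", missing group, "non-NAP capable") to their likely cause and
separate Intel AMT accounts (hostname$iME) from OS/user authentications.
"""
import re

# Constructed sample entries (not captured from a real server).
SAMPLE_LOG = """\
ts=2010-03-04T09:15:02;account=CORP\\PC0042$iME;result=accept;reason=
ts=2010-03-04T09:15:09;account=CORP\\PC0077$iME;result=reject;reason=user not found
ts=2010-03-04T09:15:21;account=CORP\\PC0081$iME;result=reject;reason=not a member of required group AMT-8021X
ts=2010-03-04T09:16:03;account=CORP\\jdoe;result=quarantine;reason=non-NAP capable
ts=2010-03-04T09:16:40;account=CORP\\PC0042$iME;result=quarantine;reason=non-NAP capable
"""

CAUSES = [
    # (pattern on the reason text, likely cause per this section of the document)
    (re.compile(r"user not found", re.I),
     "Intel AMT AD object missing: provisioning account may lack rights to create it"),
    (re.compile(r"not a member|required group", re.I),
     "AD object not in the security group the RADIUS policy requires"),
    (re.compile(r"non-?NAP capable", re.I),
     "posture not received: supplicant/EAC type not configured for NAP, or EAP-TLS used with NPS"),
]


def parse_entry(line):
    """Split one constructed 'k=v;k=v' line into a dict (empty dict for a blank line)."""
    return dict(part.split("=", 1) for part in line.strip().split(";") if part)


def is_intel_amt_account(account):
    """Intel SCS / ConfigMgr SP2 provision Intel AMT as hostname$iME (General Information, item 1)."""
    return account.split("\\")[-1].endswith("$iME")


def classify(entry):
    """Return (identity, verdict): who authenticated and what the log phrase points to."""
    identity = "Intel AMT" if is_intel_amt_account(entry["account"]) else "OS/user"
    if entry["result"] == "accept":
        return identity, "ok"
    reason = entry.get("reason", "")
    for pattern, cause in CAUSES:
        if pattern.search(reason):
            return identity, cause
    return identity, "unclassified: " + (reason or entry["result"])


def triage(log_text):
    """Classify every entry; returns a list of (account, identity, verdict)."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [(e["account"],) + classify(e) for e in entries if e]


if __name__ == "__main__":
    for account, identity, verdict in triage(SAMPLE_LOG):
        print("%-20s %-10s %s" % (account, identity, verdict))
```

Run against a real export, the value is in the identity column: a run of `$iME` rejections with one verdict points at provisioning (object creation rights or group membership), while the same "non-NAP capable" verdict on both Intel AMT and OS accounts points at the NPS side rather than the Intel AMT profile.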

Appendix

Microsoft NAP Configuration

This document outlines the steps required to configure Microsoft NAP with 802.1X enforcement. Upon completion of these steps a client running the NAP agent will be required to have Windows Firewall turned on. If it is, the client will gain full network access. If it is not, the client will be placed in an access-limited VLAN until the setting is corrected. This document was written and baselined on the Brand Promise Validation (BPV) network infrastructure. Although the steps should be generic enough for any infrastructure, your mileage may vary.

Configuring NAP has some baseline requirements of the network infrastructure. From there it involves the main steps listed below.

Baseline requirements:

1. An 802.1x capable switch. Recommend Cisco 2960, 3560, 3750, 4900, or 6500 series switches, or any other vendor's switch supporting 802.1x network access control.
2. Domain controller running Windows Server 2003 or higher with a domain functional level of Windows Server 2003. To set the domain level:
   a. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.
   b. In the left pane of the Active Directory Domains and Trusts dialog box, right-click your domain and then click Raise Domain Functional Level.
   c. From the drop-down list box, choose Windows Server 2003, and then click Raise.
   d. In the dialog box that warns this change cannot be reversed, click OK.
   e. In the dialog box that confirms the functional level was raised successfully, click OK.
3. Enterprise CA running Windows Server 2003 or higher, joined to the domain.
4. System to run Longhorn Server.
5. Client PC with Windows Vista, joined to the domain.

Main Steps:

1. Configure the 802.1x capable switch
2. Add a DHCP scope
3. Install and Configure the Longhorn Server
4. Configure the client

Configure the 802.1x capable switch

Because different switches use different command sets depending on the model and software running on the switch, it is not possible to provide an exact step-by-step guide on how to configure 802.1x on every possible switch. Please refer to the documentation provided by your switch vendor for instructions on configuring 802.1x. The following list shows the required configuration details for any 802.1x capable switch. Once the values below have been configured, it is recommended that they be written down, as following sections will require many of these details to configure the NAP server.

Friendly name / hostname: Assign your switch a hostname. In the BPV network the admin assigns this setting.

IP address: Assign your switch a management IP address (usually on vlan1). BPV uses <bench subnet>.254.

RADIUS server address: Assign the IP address of the RADIUS server, in this case the address of the NAP server.

Shared RADIUS key: Assign a shared RADIUS key; this key must be the same on both the switch and the NAP server.

Compliant VLAN: Create a VLAN that has full access to the rest of the network. This is the VLAN that a client is assigned to when it passes the NAP check. Write down the name of the VLAN. Also write down the network information (subnet and default route). BPV uses the following values:
   VLAN Name: <bench#>-NAP-COMPLIANT
   Subnet: <bench subnet>.2 /24
   Default Route: <bench subnet>.2.254

Non-compliant VLAN: Create a non-routed Layer 2 VLAN that has no access to the rest of the network. This is the VLAN that a client is assigned to when it fails the NAP check. Write down the name of the VLAN. BPV uses the following values:
   VLAN Name: <bench#>-NAP-NONCOMPLIANT

DHCP Forwarder/Helper: Configure the NAP Compliant VLAN with a DHCP forwarder/helper if DHCP is desired. BPV uses DHCP.

Non-802.1x authenticated VLAN(s)/port(s) for everything else: Configure the switch to permit all servers and non-NAP clients to access the entire network. This may be accomplished by connecting such PCs directly to non-802.1x authenticated ports on this switch or by an uplink port to the rest of the network. BPV uses the uplink method. Note: the uplink port must not have 802.1x enabled.

(Optional) Configure Longhorn so it's easier to manage (not required for NAP, but must be done in BPV)

1. Log in as a domain administrator.
2. Configure the desktop to your liking.
3. Turn off Shutdown Event Tracking:
   a. Click Start -> Run.
   b. In the Run box type "gpedit.msc" and click OK, then Continue.
   c. Click the + sign before Administrative Templates (the one in Computer Configuration under Local Computer Policy).
   d. Click System.
   e. Double-click Display Shutdown Event Tracker, select the Disable radio button in the property page and press OK.
4. Turn off User Account Control (UAC):
   a. Click Start -> Settings -> Control Panel.
   b. Double-click User Accounts.
   c. Click Turn User Account Control on or off, and Continue.
   d. Uncheck Use User Account Control and click OK.
   e. Choose Restart Now. Upon reboot, log in as a Domain Admin (same one as before).
5. Turn off IE Enhanced Security:
   a. Click Start -> Programs -> Administrative Tools -> Server Manager.
   b. Click Configure IE ESC.
   c. A dialog titled Internet Explorer Enhanced Security Configuration appears. Set Administrators and Users to Off and click OK.
6. Turn off Windows Firewall:
   a. Click Start -> Programs -> Administrative Tools -> Server Manager.
   b. In the left pane expand Configuration and click Windows Firewall with Advanced Security.
   c. In the right pane click Windows Firewall Properties.
   d. The Windows Firewall with Advanced Security Settings box will appear. Set the Firewall state to Off in the following tabs: Domain Profile, Private Profile, Public Profile.

Install the NPS Role

1. As a domain administrator, click Start -> Programs -> Administrative Tools -> Server Manager.
2. Click Roles.
3. Click Add Roles.
4. Click Server Roles.
5. Check Network Policy and Access Services.

6. Click Next twice.
7. Check Network Policy Server and click Next.
8. Click Install.

Obtain a computer certificate

1. As a domain administrator, click Start -> Run.
2. Type mmc and click OK.
3. Click File -> Add/Remove Snap-in.
4. Choose Certificates and click Add.
5. A Certificates Snap-in dialog appears. Choose Computer account, click Next and then Finish.
6. Click OK.
7. In the left pane expand Certificates.
8. Right-click Personal and choose All Tasks -> Request New Certificate.
9. Click Next.
10. Check Computer and click Enroll.
11. Click Finish.
12. Close Console1 and don't save changes.

Configure the Network Policy Server

1. As a domain administrator, click Start -> Programs -> Administrative Tools -> Network Policy Server.
2. Click Configure NAP.
3. A Configure NAP window will appear. Choose the following and click Next:
   a. Network connection method: IEEE 802.1X (Wired)
   b. Policy Name: NAP 802.1X (Wired)
4. Choose Add. On the New RADIUS Client window enter the following and click OK:
   a. Friendly Name: <the friendly name of your 802.1x switch> (iLAB-NAC1 for switches configured for iLAB in the DOPD lab.)
   b. Address: <the IP address of your 802.1x switch> (iLAB-NAC1.vprodemo.com; MUST USE THE IP ADDRESS, USING THE NAME MESSES UP)
   c. Shared Secret:
      i. Manual
      ii. <secret for your 802.1x switch> (!QAZxsw2 for now. Will be updated to P@ssw0rd for DOPD switches soon)
5. Click Next. Click Next again on the Configure User Groups and Machine Groups form.
6. On the Configure an Authentication Method form choose Secure Password (PEAP...) and click Next.

7. On the Configure Virtual LANs (VLANs) form click Configure for the Organization network VLAN and configure the following, then click OK:
   a. RADIUS Standard Attributes:
      i. Tunnel-Medium-Type: 802 (includes all 802 media...)
      ii. Tunnel-Pvt-Group-ID: <name of the good VLAN> (interop-nac; bad = NAC Quarantine)
      iii. Tunnel-Type: Virtual LANs (VLAN)
      iv. (leave others as not configured)
   b. Vendor Specific Attributes:
      i. (Microsoft) Tunnel-Tag: 1
8. On the Configure Virtual LANs (VLANs) form click Configure for the Restricted network VLAN and configure the following, then click OK:
   a. RADIUS Standard Attributes:
      i. Tunnel-Medium-Type: 802 (includes all 802 media...)
      ii. Tunnel-Pvt-Group-ID: <name of the bad VLAN>
      iii. Tunnel-Type: Virtual LANs (VLAN)
      iv. Termination-Action: RADIUS-Request
      v. (leave others as not configured)
   b. Vendor Specific Attributes:
      i. (Microsoft) Tunnel-Tag: 1
9. Click Next, and Next again on the Define NAP Health Policy form.
10. Click Finish.
11. In the left pane expand Policies and choose Connection Request Policies.
12. Disable all policies except NAP 802.1X (Wired).
13. Right-click NAP 802.1X (Wired) and go to Properties.
14. On the Conditions tab remove all conditions. Then add a Day and time restrictions condition that allows 24x7 access.
15. Click OK.
16. In the left pane choose Network Policies.
   a. Disable all policies except the following:
      i. NAP 802.1X (Wired) Compliant
      ii. NAP 802.1X (Wired) Noncompliant
      iii. NAP 802.1X (Wired) Non NAP-Capable
   b. Rename:
      i. NAP 802.1X (Wired) Compliant > NAP 802.1X (Wired) Intel AMT Compliant
      ii. NAP 802.1X (Wired) NonCompliant > NAP 802.1X (Wired) Intel AMT NonCompliant
   c. Clone:
      i. NAP 802.1X (Wired) Intel AMT Compliant > NAP 802.1X (Wired) OS Compliant
      ii. NAP 802.1X (Wired) Intel AMT NonCompliant > NAP 802.1X (Wired) OS Noncompliant
   d. Order the policies as such:
      NAP 802.1X (Wired) Intel AMT Compliant
      NAP 802.1X (Wired) Intel AMT NonCompliant
      NAP 802.1X (Wired) OS Compliant
      NAP 802.1X (Wired) OS Noncompliant
17. Install Intel SHV via the setup file.
   a. In the MMC window, go to Network Access Protection > System Health Validators. Verify Intel AMT SHV is present.
   b. Right-click Windows Security Health Validator and choose Properties. Click Configure. Uncheck all boxes except Firewall in both tabs. Click OK twice.
18. In Policies > Health Policies, create the following policies:
      NAP 802.1X (Wired) Intel AMT Compliant
      NAP 802.1X (Wired) Intel AMT NonCompliant
      NAP 802.1X (Wired) OS Compliant
      NAP 802.1X (Wired) OS Noncompliant
19. For all the above policies, right-click > Properties and:
   a. For compliant policies, set the Client SHV checks option to Client passes all...
   b. For non-compliant policies, set the Client SHV checks option to Client fails all...
   c. For Intel AMT policies set SHVs used to Intel AMT SHV.
   d. For OS policies set SHVs used to Windows Security.
20. Under Policies > Network Policies, for each NAP 802.1x entry, right-click, choose Properties and select the Conditions tab.
   a. For OS policies add the corresponding system health policy.
   b. For Intel AMT policies add the corresponding system health policy. Also choose Add and add an Operating System policy. Within the following menu, choose Add again, check the Operating system version box and set it to be equal to zero.
   c. Right-click all policies and choose Enable.

Logs for the NPS server can be viewed in the Longhorn Management console:

1. Right-click Computer and click Manage.

23

Knowledge Transfer: 802.1x and Radius Servers

2. Expand Diagnostics -> Event Viewer -> Custom Views -> Server Roles -> Network Policy and Access Services.

For every 802.1x authentication request there will be two information entries. These give you information on the client, the RADIUS client (aka the switch), the success or failure of authentication, and the policy used to measure success. Here's what to look for:

If the client has Windows Firewall enabled:
   Network Policy Name: NAP 802.1X (Wired) Compliant
   Result: Full Access

If the client does not have Windows Firewall enabled:
   Network Policy Name: NAP 802.1X (Wired) Noncompliant
   Result: Full Access

Note that in both cases full access is granted. This means that full access to the appropriate VLAN was granted. In the case of no Windows Firewall, full access is granted to the bad VLAN, and thus the client cannot access the rest of the network.

If the log shows other policies being used, double check the settings for all policies in NPS. It is likely that one is enabled or disabled that should not be, or that a condition is not properly set.

If the log shows limited access, double check NAP enforcement in the Network Policies. They should be set to Allow full network access.

If the log looks correct but the client is not connecting to the network, try a static IP address to eliminate DHCP issues. Also, verify with the switch that the client is being placed in the proper VLAN. If it is not, double check the Network Policies' RADIUS attributes. Ensure the proper Tunnel-Pvt-Group-ID value (the name of the VLAN) is set. It is possible that some switches require the VLAN ID rather than the name. The recommended Cisco 2940 requires the name, not the ID.

If the NPS logs are OK, the client is using a static IP address, and it is being assigned to the proper VLAN, then there is likely an issue with VLAN/routing configuration somewhere on the network. Good luck. 802.1x can always be turned off temporarily to verify all VLAN/routing.

Intel AMT Provisioning requirements:

1. The 802.1x profile used for wired 802.1x authentication must be configured with EAP-PEAP (MS-CHAP v2).
2. The Intel AMT profile used to provision the ME must have NAP enabled.

NAP auth requests work as such: A WAP or switch with an entry under RADIUS Clients and Servers receives an access request from a NAP client. This request is then forwarded to the NPS. The NPS compares the request to the configured Connection Request Policies. The list of policies is evaluated in order. Each policy has a set of conditions and a set of constraints. If a connection request matches the conditions of a given policy, it is trapped by that policy. If the connection request does not meet the constraints of a policy that traps it, that connection request is dropped and processing ceases. If a connection request is trapped by a Connection Request Policy and meets the constraints of that policy, processing continues to evaluate the access request based on Network Policies. Network Policies are evaluated in order and use the same condition and constraint schema that Connection Request Policies do. System health validators are custom plug-ins that evaluate system health in arbitrary ways. Their output can be used by Health Policies. Health Policies are used as conditions in Connection Request Policies and Network Policies.

NPS NOTES:

NAP posture transmission apparently is only available over PEAP.

If the RADIUS server has two IP addresses and authentication data is received on one address and responses are sent out on another, it messes up the authentication process with the switch.

If there are machine certificates present, it can cause the client not to respond to the authentication response from the switch. This is due to a suppressed pop-up balloon that prompts the user to select the appropriate certificate and username.

Saw Win7 in-band access attempts not being put in the regular log. Restarted the Wired AutoConfig and NAP services. Disabled/re-enabled the adapter. The adapter disappeared and had to be re-enabled via the hardware manager. After that auths worked fine. Changed the iLAB-NAC1 RADIUS client to be NAP-capable.

Upon domain rejoin of the NPS server:

1. Re-execute the register in AD step: right-click NPS (Local) > Register in Active Directory.

2. Upon domain rejoin of the NPS server, re-add ias-nap to the RAS and IAS Servers groups of both the parent and child domains.
3. Must go to AD and add dial-in for users that are doing NAP access and choose Allow access.

The NPS server certificate must be requested via MMC. The web UI certificate request will not work for some reason.
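
Steps 7 and 8 of the NPS configuration set Tunnel-Type, Tunnel-Medium-Type, Tunnel-Pvt-Group-ID and (Microsoft) Tunnel-Tag, and the log-reading notes above say to confirm on the switch which VLAN the client actually landed in, by name or by ID. The following is an added example, not code from the Intel document, showing what those settings become on the wire and how to read them back from a trace. The attribute numbers and values are the standard ones from RFC 2865 and RFC 2868 (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81, Termination-Action 29; VLAN = 13, IEEE-802 = 6, RADIUS-Request = 1), not something the document states; the VLAN names used in the sample are the ones the document mentions.

```python
"""Encode and decode the RADIUS attributes NPS returns for VLAN assignment.

Added example, not from the Intel document. Attribute numbers and values are the
standard ones from RFC 2865/2868; NPS exposes them under the names used in the
configuration steps (Tunnel-Type "Virtual LANs (VLAN)", Tunnel-Medium-Type "802",
Tunnel-Pvt-Group-ID, Termination-Action "RADIUS-Request", Tunnel-Tag).
decode_attributes() reads the same layout back from a captured Access-Accept.
"""
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, TERMINATION_ACTION = 64, 65, 81, 29
TUNNEL_TYPE_VLAN = 13               # NPS: Tunnel-Type "Virtual LANs (VLAN)"
TUNNEL_MEDIUM_IEEE_802 = 6          # NPS: Tunnel-Medium-Type "802 (includes all 802 media...)"
TERMINATION_RADIUS_REQUEST = 1      # NPS: Termination-Action "RADIUS-Request"

ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Private-Group-ID", 29: "Termination-Action"}
VALUE_NAMES = {64: {13: "VLAN"}, 65: {6: "IEEE-802"}, 29: {0: "Default", 1: "RADIUS-Request"}}


def _avp(attr_type, value):
    """One RADIUS attribute: Type, Length (of the whole AVP), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return bytes([attr_type, len(value) + 2]) + value


def _tagged_int(attr_type, tag, value):
    """RFC 2868 tagged integer: one tag octet followed by a 3-octet value."""
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_assignment(vlan, tag=1, reauthenticate=False):
    """Attributes that put the authenticated port in `vlan` (name or numeric ID).

    `tag` is the (Microsoft) Tunnel-Tag from the NPS dialog and must be the same on
    all three tunnel attributes; `reauthenticate` adds Termination-Action RADIUS-Request.
    """
    if not 1 <= tag <= 0x1F:
        raise ValueError("tunnel tag must be 1..31")
    attrs = _tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
    attrs += _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
    attrs += _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan).encode("ascii"))
    if reauthenticate:
        attrs += _avp(TERMINATION_ACTION, TERMINATION_RADIUS_REQUEST.to_bytes(4, "big"))
    return attrs


def decode_attributes(data):
    """Walk an attribute blob and return readable (name, tag, value) tuples."""
    out, pos = [], 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value, pos = data[pos + 2:pos + length], pos + length
        name = ATTR_NAMES.get(attr_type, "Attribute-%d" % attr_type)
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            num = int.from_bytes(value[1:], "big")
            out.append((name, value[0], VALUE_NAMES[attr_type].get(num, num)))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is part of the string, not a tag
            if value and value[0] <= 0x1F:
                out.append((name, value[0], value[1:].decode("ascii", "replace")))
            else:
                out.append((name, None, value.decode("ascii", "replace")))
        elif attr_type == TERMINATION_ACTION:
            num = int.from_bytes(value, "big")
            out.append((name, None, VALUE_NAMES[attr_type].get(num, num)))
        else:
            out.append((name, None, value.hex()))
    return out


if __name__ == "__main__":
    # Compliant result: the good VLAN by name. Non-compliant: the restricted VLAN,
    # with Termination-Action so the switch re-authenticates when the session times out.
    for label, blob in (("compliant", vlan_assignment("interop-nac")),
                        ("non-compliant", vlan_assignment("NAC Quarantine", reauthenticate=True))):
        print(label, blob.hex())
        for item in decode_attributes(blob):
            print("   ", item)
```

When a trace shows the expected name in Tunnel-Private-Group-ID but the switch still puts the port elsewhere, the remaining suspects are the ones the notes above list: a switch that wants the numeric VLAN ID instead of the name (`vlan_assignment(200)` encodes the ID as the string "200"), or a tag that differs between the three tunnel attributes.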
