Wireless 802.1x Authentication
AuthLite supports 802.1x authentication through its NPS RADIUS plug-in.
Prerequisites
We do not provide extra client-end software to add 802.1x support to legacy workstations. It is assumed that your client machines are capable of performing 802.1x wireless authentication natively, as Windows 7 is. Alternatively, you could use a third-party solution such as NetMotion Mobility XE.
It is assumed your Access Point is capable of supporting authentication with RADIUS with PEAP/MS-CHAPv2 [1]. We use DD-WRT in our validation testing.
Microsoft NPS as a RADIUS server. It should be installed on a Domain Controller.
A Windows 7 client machine whose Trusted Root certificate store trusts the certificate your NPS server presents, so that the client can validate the server during PEAP.
Users you wish to authenticate are Active Directory users. AuthLite will use AD for the password portion of the authentication.
Configuration
Start without AuthLite. Get 802.1x wireless authentication working between your client workstations, the access point, and the NPS server. You should be able to type your username and password into the wireless authentication prompt on your workstation, and be authenticated and connected to the wireless network. Before you can add AuthLite, you need the basic setup to be working.
Additional Windows 7 client settings to work with AuthLite:
In the Security tab of the network, deselect "Remember my credentials": an OTP is valid only once, so a cached credential would be rejected the next time the client replayed it.
In PEAP settings, select EAP-MSCHAPv2 as the authentication method and configure it NOT to use the Windows logon credentials automatically, so the user is prompted and can enter an OTP.
In Security->Advanced, select "User authentication" (not computer authentication) as the authentication mode.
AuthLite configuration settings:
Make sure the users you want to protect are members of one of your AuthLite User Groups.
Enable the IAS/NPS plug-in
Restart the AuthLite and NPS services
Testing
After users are in an AuthLite User Group and the NPS plugin is active, those users will no longer be allowed to authenticate with just username and password. Instead of entering a username:
For YubiKey users, put the cursor in the username field of the wireless authentication pop-up and touch the YubiKey so it types its OTP there; nothing else goes in that field.
For OATH token users, type your username, then a dash ("-"), then the OTP from your OATH token app, all in the username field.
Then enter the password as normal, and you should get authenticated to the network.
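The two username-field formats above, worked through as an added example (this is illustration code, not AuthLite's plug-in): a small Python parser that splits what the user typed into account and OTP for each case, resolves a YubiKey to its owner by public ID, and rejects a replayed OTP, which is the reason "Remember my credentials" must be off. The ModHex length rule, the 6/8-digit OATH rule, the owner table, the password table and the replay cache are assumptions of this illustration, not documented AuthLite behaviour.

```python
import re
from typing import NamedTuple, Optional

# Assumption for this illustration: a YubiKey types its OTP in the 16-letter
# ModHex alphabet; a default key emits 12 chars of public ID + 32 chars of OTP
# (44 total). Accepting 32-48 chars tolerates other public-ID lengths.
MODHEX_OTP_RE = re.compile(r"[cbdefghijklnrtuv]{32,48}")
# Assumption: OATH codes from an authenticator app are 6 or 8 decimal digits.
OATH_OTP_RE = re.compile(r"[0-9]{6}|[0-9]{8}")

# Constructed sample data: YubiKey public ID (first 12 ModHex chars) -> AD
# account. A real deployment resolves this from the directory, not a dict.
YUBIKEY_OWNERS = {"ccccccbcgujh": "jsmith"}
# Constructed stand-in for the AD password check that AuthLite delegates to AD.
AD_PASSWORDS = {"jsmith": "Winter2012!", "CORP\\jane-doe": "correct horse"}


class Parsed(NamedTuple):
    account: str   # AD account the password will be checked against
    otp: str       # one-time password to validate
    kind: str      # "yubikey" or "oath"


def parse_username_field(value: str) -> Optional[Parsed]:
    """Split what the user typed into the wireless prompt's username field.

    YubiKey: the whole field is the OTP; the account comes from the public ID.
    OATH:    '<username>-<otp>'; split on the LAST dash so usernames that
             contain dashes (or a DOMAIN\\ prefix) survive intact.
    Returns None for a bare username or any other shape: a user in an AuthLite
    User Group may no longer authenticate with username and password alone.
    """
    value = value.strip()
    if MODHEX_OTP_RE.fullmatch(value):
        public_id = value[:-32]          # everything before the 32-char OTP body
        owner = YUBIKEY_OWNERS.get(public_id)
        return Parsed(owner, value, "yubikey") if owner else None
    account, sep, otp = value.rpartition("-")
    if sep and account and OATH_OTP_RE.fullmatch(otp):
        return Parsed(account, otp, "oath")
    return None


class ReplayCache:
    """Remember OTPs that have already been accepted.

    Simplified stand-in for real replay protection (YubiKey session counters,
    OATH time/counter windows): it shows why a client that caches and re-sends
    the last credential ("Remember my credentials") fails on reconnect.
    """

    def __init__(self) -> None:
        self._seen = set()   # (account, otp) pairs already accepted

    def first_use(self, parsed: Parsed) -> bool:
        key = (parsed.account, parsed.otp)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def authenticate(username_field: str, password: str, cache: ReplayCache) -> str:
    """Return 'accept' or a reason for rejection, checking in order:
    OTP present and well-formed, OTP not already used, then the AD password."""
    parsed = parse_username_field(username_field)
    if parsed is None:
        return "reject: no OTP in username field"
    if not cache.first_use(parsed):
        return "reject: OTP already used"
    if AD_PASSWORDS.get(parsed.account) != password:
        return "reject: bad AD password"
    return "accept"


if __name__ == "__main__":
    cache = ReplayCache()
    yubi = "ccccccbcgujh" + "c" * 32     # constructed 44-char ModHex OTP
    print(authenticate(yubi, "Winter2012!", cache))                        # accept
    print(authenticate(yubi, "Winter2012!", cache))                        # replayed
    print(authenticate("CORP\\jane-doe-87654321", "correct horse", cache))  # accept
    print(authenticate("jsmith", "Winter2012!", cache))                    # no OTP
```

Splitting on the last dash matters: a username such as CORP\jane-doe would otherwise be cut at its first dash and the password check would run against the wrong account.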
[1] The 2012 attacks on MS-CHAPv2 do not weaken PEAP/MS-CHAPv2 802.1x wireless authentication as long as the client validates the NPS server's certificate (see Prerequisites): the MS-CHAPv2 exchange runs only inside the PEAP TLS tunnel, so a rogue access point that cannot present a trusted certificate never sees the challenge/response it would need to crack. A client configured to skip server validation loses that protection.