7.5 Configuring 802.1X Authentication

The Novell Client 4.91 SP5 for Windows XP/2003 includes an Extensible Authentication Protocol (EAP) plug-in to the Microsoft Windows XP supplicant, which lets users authenticate through RADIUS to wireless access points and wired switches for added network security. Using FreeRADIUS as the RADIUS server, users can authenticate to their local machines, to eDirectory, and to 802.1X with the same set of credentials for a single sign-on experience.

When 802.1X authentication is enabled, the username and password entered in the Novell Login dialog box are first passed to the EAP plug-in module. A PEAP/MSCHAPv2 exchange between the Windows supplicant, the wireless access point or wired switch, and the RADIUS server opens the port only if the credentials are correct. After the 802.1X authentication has succeeded, the eDirectory and local logins take place just as they have in previous versions of the Novell Client. If the 802.1X authentication fails, the port stays unauthorized and the user cannot reach the network at all.

The 802.1X authentication feature supports both wired and wireless connections. Only password-based authentication is supported: the Novell Client 4.91 SP5 for Windows XP/2003 supports only PEAP with MSCHAPv2 as the inner method. Biometric (non-password-based) authentication types are not supported in this release. If you want certificate-based authentication (for example, EAP-TLS), the Microsoft EAP plug-ins are sufficient and no Novell-specific EAP support is required.
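The following FreeRADIUS fragments show the server side of the PEAP/MSCHAPv2 exchange described above. This is an added example, not configuration shipped with the Novell Client or taken from this documentation; it assumes the FreeRADIUS 2.x file layout (clients.conf, eap.conf, modules/mschap, users), and the client name, IP address, shared secret, certificate file names and test account are placeholders you must replace.

```conf
# clients.conf: one entry per authenticator (access point or switch) that
# is allowed to send RADIUS requests. The shared secret protects the
# RADIUS traffic between authenticator and server; it is not a user password.
client wired-switch-1 {
    ipaddr = 10.0.0.2                      # placeholder address
    secret = ReplaceWithLongRandomSecret   # placeholder secret
    nastype = other
}

# eap.conf: PEAP outer TLS tunnel with MSCHAPv2 as the inner method,
# the only combination the Novell Client 4.91 SP5 plug-in speaks.
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # Server certificate presented to the supplicant inside PEAP.
        # The CA in CA_file is what the Windows "Validate server
        # certificate" setting must trust; leaving that setting off
        # lets a rogue AP impersonate this server.
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # The inner (tunnelled) identity is authenticated by this virtual
        # server, which is where the user store is queried.
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}

# modules/mschap: if the client sends DOMAIN\user (the "Append Domain name
# to User name" option), strip the domain before looking the user up.
mschap {
    with_ntdomain_hack = yes
}

# users: a test entry only. MSCHAPv2 needs the NT hash, so the module
# must have a cleartext password (or an NT-Password) to work from.
# Production accounts belong in the directory backend, not in this file.
testuser    Cleartext-Password := "testpassword"
```

Run the server in the foreground with `radiusd -X` while testing; it prints every Access-Request and the reason for each Access-Reject, which answers the "is the RADIUS server being queried at all" question directly. The `eapol_test` tool from the wpa_supplicant distribution (`eapol_test -c <supplicant.conf> -s <shared-secret>`) can drive a full PEAP/MSCHAPv2 exchange against the server without a Windows workstation, which isolates server-side problems from the Windows supplicant and the Novell plug-in.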

The ability to browse for trees and servers in the Novell Login dialog box is not supported, because until 802.1X authentication completes the port blocks all network access.

HINT: We recommend testing this functionality with user accounts that don't expire. Grace login messages might not be displayed to users, so users could unknowingly exhaust their grace logins.

This configuration is intended for use only with the native 802.1X supplicant provided with Windows. We recommend that you install only the driver for your wireless adapter (that is, that you do not install other supplicants or utilities that come with wireless adapters), because such utilities often disable the Wireless Zero Configuration service in Windows. Also make sure that the Use Windows to configure my wireless network settings option stays enabled (right-click the wireless connection, click Properties, then click the Wireless Networks tab).

7.5.1 Prerequisites

  • Install a clean version of Windows XP Service Pack 2 (SP2).

  • Install the Windows WPA2 wireless patch, available from Update for Windows XP (KB893357).

    This update to Windows XP provides support for Wi-Fi Protected Access 2 (WPA2), which is the latest standards-based wireless security solution derived from the IEEE 802.11i standard.

  • Install the wlan api patch, available from Wireless LAN API (KB918997).

    Installing this set of application programming interfaces (APIs) lets you create applications that can manage wireless LAN profiles and connectivity on Microsoft Windows XP SP2 using the native wireless functionality in Windows, called Wireless Zero Configuration (WZC) service.

  • Make sure the Authenticate as computer when computer information is available option on the Authentication tab of your Local Area Connection Properties dialog box is selected.

7.5.2 Enabling 802.1X Authentication

  1. Right-click the Red N in the system tray, then click Novell Client Properties.

  2. In the Novell Client Configuration dialog box, click the Location Profiles tab.

  3. Select Default in the Location Profiles box, then click Properties.

  4. Select Default in the Service Instance drop-down list, then click Properties.

  5. Click the 802.1X tab, then select Enable Tab.

    Novell Login dialog box, 802.1X tab
  6. Select Login using 802.1X.

    You can also select any of the following options:

    802.1X Authenticate on subsequent logins: Causes 802.1X authentication to take place when a user logs in from the Red N, even if he or she is already logged in to the Windows workstation. If the user is not logged in, 802.1X authentication takes place even if this option is not selected.

    Append Domain name to User name: Prefixes the user's Windows domain to the username when the username is submitted to 802.1X. The format is DomainName/username. Use this option if the RADIUS server expects the domain name to precede the username. This option is normally used when IAS/AD is the RADIUS backend.

    NOTE: Contextless login runs after you click OK.

  7. Click OK three times.

  8. Reboot the workstation for the changes to take effect.

    After it is enabled, an 802.1X tab appears in the Novell Login dialog box when you click the Advanced button. Use the options on the tab (see Step 6) to control 802.1X authentication at login time.

    Novell Login dialog box, 802.1X tab

    IMPORTANT: For 802.1X to work correctly during the initial login, make sure that the Authenticate as computer when computer information is available option is selected on the Authentication tab of your Local Area Connection Properties dialog box.

7.5.3 Troubleshooting Tips

  • If 802.1X authentication succeeds after the desktop is up and you log in from the Red N, but fails on the initial boot login, check whether the Authenticate as computer when computer information is available check box on the Authentication tab of your Local Area Connection Properties dialog box is selected. This option must be selected for the initial login to succeed.

  • If the authentication times out, check whether the RADIUS server is being queried for the authentication at all (for example, by watching the server's debug output). Also check whether the Validate server certificate check box on the Protected EAP Properties dialog box (reached from the Authentication tab of Local Area Connection Properties) is selected; a PEAP handshake fails silently if the supplicant does not trust the CA that issued the RADIUS server's certificate. Clearing the box is useful only to confirm that the certificate is the problem: with validation off, the supplicant will also complete PEAP with a rogue access point and hand it the MSCHAPv2 challenge/response, which can be attacked offline to recover the password. After troubleshooting, import the issuing CA into the workstation's Trusted Root Certification Authorities store and select Validate server certificate again.

  • If you think debug or trace logs will help, start Regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing, and enable file tracing for Noveap (set its EnableFileTracing value to 1). This causes Windows to create a Noveap.log file in the Windows\tracing directory. The log can contain usernames, so delete it when you are finished.

  • Utilities bundled with many NICs can cause odd behavior. Make sure the user has installed only the driver for the NIC and none of the other utilities.

  • If you still cannot get 802.1X to work, remove the Novell Client and get the Microsoft authentication working first. Pre-desktop authentication is not likely to work in this case, but after the desktop is up, Microsoft uses the Windows username and password for 802.1X authentication.

    For this to work, the username and password for Windows must match the username and password in eDirectory. There are many resources on the Web that can help you troubleshoot wireless access on Windows XP, including the following:

    After you have wireless authentication working without the Novell Client, install the Client and enable the Client's 802.1X authentication.

7.5.4 For More Information

For more information on 802.1X, see the following: