I'm looking to secure our small LAN of 25 users with certificates using 802.1x authentication. We've got two network segments communicating through our firewall: Server and Client. I also need this solution to work for users who connect via VPN when working from home. Can anyone recommend a detailed guide for configuring the NPS and AD CS components? I've come across some older guides from 2016, but I'm not sure if they're still relevant. Any advice or tips on potential pitfalls would be greatly appreciated!
3 Answers
The guide should work fine for your needs since not much has changed since 802.1x was introduced. Just ensure that the Ethernet adapters on your devices are set up correctly for authentication using the appropriate certificate chain. Also, keep an eye on the event viewer for troubleshooting issues that may come up.
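As an added example (not code from the answer above or from any linked guide), the following PowerShell script does the two checks that answer recommends: on a client it confirms the Wired AutoConfig supplicant is running and that a machine certificate with the Client Authentication EKU chains to a trusted root, and on the NPS server it summarises recent reject events by reason code. It assumes the placeholder CA name `CorpRootCA` and the standard NPS audit event ID 6273 (access denied) in the Security log.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Client side: checks the 802.1x supplicant service and the EAP-TLS machine certificate.
# NPS side: summarises recent "Network Policy Server denied access" events (ID 6273).
# Assumption: 'CorpRootCA' is a placeholder; replace it with your issuing CA's subject name.

param(
    [string]$CaSubjectMatch = 'CorpRootCA',   # placeholder for your CA name
    [int]$LookbackHours = 24
)

# --- Client side: supplicant service must be running for the adapter to do 802.1x ---
$svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning 'Wired AutoConfig (dot3svc) is not running; the Ethernet adapter cannot authenticate.'
}

# Certificates usable for EAP-TLS: private key present, issued by the expected CA,
# Client Authentication EKU, and a chain that builds (incl. revocation) to a trusted root.
$eapCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.Issuer -like "*$CaSubjectMatch*" -and
    ($_.EnhancedKeyUsageList | Where-Object FriendlyName -eq 'Client Authentication')
}
foreach ($c in $eapCerts) {
    $chainOk = $c.Verify()   # false here usually means NPS will reject the client as well
    '{0} expires {1:u} chainOk={2}' -f $c.Subject, $c.NotAfter, $chainOk
}
if (-not $eapCerts) {
    Write-Warning "No EAP-TLS client certificate issued by '$CaSubjectMatch' found in LocalMachine\My."
}

# --- NPS side: group recent access-denied events by the reason code in the event text ---
$since  = (Get-Date).AddHours(-$LookbackHours)
$denied = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$denied |
    ForEach-Object { if ($_.Message -match 'Reason Code:\s+(\d+)') { $Matches[1] } else { 'unknown' } } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'ReasonCode'; e = { $_.Name } }, Count
```

The reason-code table tells you quickly whether failures are certificate problems (chain, expiry, missing EKU) or policy mismatches, which is where most new 802.1x deployments get stuck.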
For your VPN setup, make sure you understand that 802.1x is mainly for securing wired connections. It’s not really designed for VPN scenarios. If you’re looking at certificate authentication for VPN, EAP-TLS is what you want, and you can manage that through RRAS. Microsoft Always On VPN could fit your needs. About the wired setup, there’s a guide out there that’s a bit dated, but the core setup hasn’t changed much since then. Here’s a link to it: [Setting Up Wired 802.1x Authentication on Windows Server 2012](http://www.accessdenied.be/documentation/Configuring%20Wired%208021x%20Authentication%20on%20Windows%20Server%202012.pdf).
Consider using MFA for users working remotely. It's a good layer of security when they're not onsite. But remember, for your current setup, since you’ve noted that you really only need security for the office LAN, stick to that for now.
Yeah, we’ve already implemented MFA, which helps. So focusing on the wired connections makes sense.
Thanks for the info! I didn’t realize VPN and 802.1x were so different. I’ll make sure to focus on wired LAN security and leave the VPN to our other methods.