Configure Extensible Authentication Protocol (EAP) for connections
Applies To: Windows Server 2008 R2, Windows Server 7
You can use this procedure to configure EAP settings in 802.1X wired and wireless, VPN, dial-up, and Broadband connection properties.
Use the following sections to configure EAP:
To configure Microsoft: Protected EAP (PEAP)
To configure Microsoft: Secured password (EAP-MSCHAP v2)
To configure Microsoft: Smart card or other certificate
Any user account can be used to complete this procedure.
To configure Microsoft: Protected EAP (PEAP)
Open the Network Connections folder and view available connections.
Right-click the network connection that you want to configure, and then click Properties. The connection Properties dialog box opens.
In the connection Properties dialog box, click the Security tab. In Authentication and Use Extensible Authentication Protocol (EAP), click the arrow to expand the list, and then click Microsoft: Protected EAP (PEAP).
Click Properties. The Protected EAP Properties dialog box opens.
In When connecting, ensure that Validate server certificate is selected.
Note
This setting ensures that the client computer verifies the identity of the remote access server to which you connect. To verify the remote access server identity, the client computer downloads and checks the remote access server certificate, allowing the connection only when the certificate is issued by a certification authority (CA) that the client computer trusts. Trust is established if the CA certificate exists in the Trusted Root Certification Authorities store on the local computer.
In When connecting, ensure that Connect to these servers is selected. Type the fully qualified domain name (FQDN) or the IP address of the VPN server(s) to which you want to connect.
In Trusted Root Certification Authorities, select the checkbox of the CA that issued the remote access server certificate and that you trust. For example, if you are connecting to a remote access server in the Contoso domain, select the CA certificate that is named Contoso Corporate Root Authority, Contoso Corporate Root CA, or something similar.
Ensure that Do not prompt user to authorize new servers or trusted certification authorities is not selected unless you have specific reasons to enable this setting.
In Select Authentication Method, click the arrow to expand the list, and then click either Secured Password (MS-CHAP v2) or Smart Card or other certificate.
Note
If you select Secured Password (MS-CHAP v2), you are configuring the authentication method named PEAP-MS-CHAP v2. With this authentication method, the client computer verifies the identity of the remote access server by downloading and processing the remote access server certificate. In addition, so that the remote access server can verify your identity, you are required to type a user name and password, which the remote access server then verifies against the organization user accounts database. If you select Smart Card or other certificate, you are configuring the authentication method PEAP with Transport Layer Security (PEAP-TLS). With this authentication method, the client computer verifies the identity of the remote access server by downloading and processing the remote access server certificate. In addition, so that the remote access server can verify your identity, the remote access server downloads and processes a certificate that is stored on your smart card or in the certificate store on the local computer.
Click Configure.
If you selected Secured Password (MS-CHAP v2) in Select Authentication Method, the EAP-MSCHAPv2 Properties dialog box opens. In When connecting, click Automatically use my Windows logon name and password (and domain, if any) if you do not want to be prompted to type your user name and password and if your correct user name and password for this connection are already stored by Windows on your computer. If your computer is a domain joined computer, Windows probably has your user name and password stored; if it is not, it probably does not. Click OK.
If you selected Smart Card or other certificate in Select Authentication Method, the Smart Card or other Certificate Properties dialog box opens.
In When connecting, click Use my smart card if you have a smart card; otherwise, click Use a certificate on this computer. If you choose Use a certificate on this computer, it’s recommended that you also click Use simple certificate selection, which allows Windows to choose the computer or user certificate that is best suited for the connection.
Ensure that Validate server certificate is selected.
Also ensure that Connect to these servers is selected. Type the fully qualified domain name (FQDN) or the IP address of the VPN server(s) to which you want to connect.
In Trusted Root Certification Authorities, select the checkbox of the CA that issued the VPN server certificate and that you trust.
Ensure that Do not prompt user to authorize new servers or trusted certification authorities is not selected unless you have specific reasons to enable this setting.
Click Use a different user name for the connection if you want to specify a different user name when connecting to the VPN server, and then click OK.
In Select Authentication Method, ensure that Enable Fast Reconnect is not selected. This setting is primarily used for wireless connections and allows roaming laptops to be reauthenticated quickly when they move between multiple wireless access points that are configured as Remote Authentication Dial In User Service (RADIUS) clients to the same RADIUS server. Because this is a VPN connection, this setting is not needed.
Click Enforce Network Access Protection (NAP) if your organization uses NAP.
Click Disconnect if server does not present cryptobinding TLV if your organization supports this level of security for remote access connections.
Click Enable Identity Privacy if your organization supports this level of security for remote access connections, and then type the Identity Privacy key in the text box.
Click OK.
To configure Microsoft: Secured password (EAP-MSCHAP v2)
Open the Network Connections folder and view available connections.
Right-click the network connection that you want to configure, and then click Properties. The connection Properties dialog box opens.
In the connection Properties dialog box, click the Security tab. In Authentication and Use Extensible Authentication Protocol (EAP), click the arrow to expand the list, and then click Microsoft: Secured password (EAP-MSCHAP v2).
Note
When you select Microsoft: Secured Password (MS-CHAP v2), you are configuring the authentication method EAP-MS-CHAP v2. With this authentication method, the client computer verifies the identity of the remote access server by downloading and processing the remote access server certificate. In addition, so that the remote access server can verify your identity, you are required to type a user name and password, which the remote access server then verifies against the organization user accounts database. EAP-MS-CHAP v2 is less secure than PEAP-MS-CHAP v2.
- Click Properties. The EAP-MSCHAPv2 Properties dialog box opens. In When connecting, click Automatically use my Windows logon name and password (and domain, if any) if you do not want to be prompted to type your user name and password and if your correct user name and password for this connection are already stored by Windows on your computer. If your computer is a domain joined computer, Windows probably has your user name and password stored; if it is not, it probably does not. Click OK.
To configure Microsoft: Smart card or other certificate
Open the Network Connections folder and view available connections.
Right-click the network connection that you want to configure, and then click Properties. The connection Properties dialog box opens.
In the connection Properties dialog box, click the Security tab. In Authentication and Use Extensible Authentication Protocol (EAP), click the arrow to expand the list, and then click Microsoft: Smart card or other certificate. The Smart Card or other Certificate Properties dialog box opens.
Note
When you select Microsoft: Smart Card or other certificate, you are configuring the authentication method EAP-TLS. With this authentication method, the client computer verifies the identity of the remote access server by downloading and processing the remote access server certificate. In addition, so that the remote access server can verify your identity, the remote access server downloads and processes a certificate that is stored on your smart card or in the certificate store on the local computer. EAP-TLS is less secure than PEAP-TLS.
In the Smart Card or other Certificate Properties dialog box, configure the following items.
In When connecting, click Use my smart card if you have a smart card; otherwise, click Use a certificate on this computer. If you choose Use a certificate on this computer, it’s recommended that you also click Use simple certificate selection, which allows Windows to choose the computer or user certificate that is best suited for the connection.
Ensure that Validate server certificate is selected.
Also ensure that Connect to these servers is selected. Type the fully qualified domain name (FQDN) or the IP address of the remote access server(s) to which you want to connect.
In Trusted Root Certification Authorities, select the checkbox of the CA that issued the remote access server certificate and that you trust.
Ensure that Do not prompt user to authorize new servers or trusted certification authorities is not selected unless you have specific reasons to enable this setting.
Click Use a different user name for the connection if you want to specify a different user name when connecting to the remote access server, and then click OK.