Network Authentication Methods Properties

Applies To: Windows 7, Windows Server 2008 R2

This topic presents information about Extensible Authentication Protocol (EAP) settings. You can access the EAP properties for 802.1X authenticated wired and wireless access in the following ways:

  • By configuring the Wired Network (IEEE 802.3) Policies and Wireless Network (IEEE 802.11) Policies extensions in Group Policy Management.

  • By manually configuring wired or wireless connections on client computers.

You can access the EAP properties for virtual private network (VPN) connections in the following ways:

  • By using Connection Manager Administration Kit (CMAK) to configure VPN connections.

  • By manually configuring a VPN connection on client computers.

By default, you can configure EAP settings for two network authentication methods: Microsoft: Smart Card or other certificate (EAP-TLS) or Microsoft: Protected EAP (PEAP).

Authentication methods

This topic contains configuration information specific to the following authentication methods:

  • EAP-Transport Layer Security (TLS): Smart Card or Other Certificate Properties - Configuration Items for EAP-TLS

  • Protected EAP (PEAP): Protected EAP (PEAP) Properties - Configuration Items

    Additionally, this section contains setting information for two EAP types within PEAP:

    • EAP-TLS: Smart Card or Other Certificate Properties - Configuration Items for EAP-TLS

    • EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2): Secure password (EAP-MSCHAP v2) Properties - Configuration Items

Smart Card or other Certificate Properties - configuration items for EAP-TLS

Item Details

Use my smart card

Specifies that clients making authentication requests must present a smart card certificate for network authentication.

Defaults:

  • Wired and wireless = not enabled

  • VPN = enabled

Use a certificate on this computer

Specifies that authenticating clients must use a certificate located in either the Current User or the Local Computer certificate store.

Defaults:

  • Wired and wireless = enabled

  • VPN = not enabled

Use simple certificate selection (Recommended)

To limit the list of available certificates when prompting the user to select a certificate, this setting specifies whether Windows filters out certificates that are unlikely to meet authentication requirements.

Defaults:

  • Wired and wireless = enabled

  • VPN = not enabled

Validate server certificate

Verifies that the server certificates presented to the client computers have the correct signature, have not expired, and were issued by a trusted root certification authority (CA).

Important

Do not clear this check box; if you do, client computers cannot verify the identity of your servers during the authentication process. If server authentication does not occur, users are exposed to severe security risks, including the possibility that users might unknowingly connect to a rogue network.

Default = enabled

Connect to these servers

Allows you to specify the name for Remote Authentication Dial-In User Service (RADIUS) servers that provide network authentication and authorization.

Note

You must type the name exactly as it appears in the Subject field of each RADIUS server certificate, or use regular expressions to specify the server name. The complete regular expression syntax can be used to specify the server name, but to distinguish a regular expression from a literal string you must use at least one '*' in the string you specify. For example, you can specify nps*.example.com to match the RADIUS server nps1.example.com or nps2.example.com.

Defaults:

  • Wired and wireless = not enabled

  • VPN = enabled

Note

Even if no RADIUS servers are specified, the client will still verify that the RADIUS server certificate was issued by a trusted root CA.

Trusted Root Certification Authorities

The list in Trusted Root Certification Authorities is built from the trusted root CAs installed in the computer and user certificate stores. You can specify which trusted root CA certificates supplicants use to determine whether they trust your servers, such as your server running Network Policy Server (NPS) or your provisioning server. If no trusted root CAs are selected, the 802.1X client verifies that the computer certificate of the RADIUS server was issued by any installed trusted root CA. If one or more trusted root CAs are selected, the 802.1X client verifies that the computer certificate of the RADIUS server was issued by one of the selected trusted root CAs.

If you have a public key infrastructure (PKI) on your network and you use a RADIUS server certificate, the root CA that issued it is automatically added to the list of trusted root CAs. That root CA certificate, against which the RADIUS server certificate is verified, is installed on a client computer when the computer is joined to the domain.

You can also purchase a server certificate from a third-party vendor. Some third-party trusted root CAs provide software with your purchased certificate that automatically installs the purchased certificate into the Trusted Root Certification Authorities store; in this case the trusted root CA automatically appears in the list of trusted root CAs.

Note

The trusted root CA certificates that you designate must already be installed on client computers. Do not specify a trusted root CA certificate that client computers do not already have in the Trusted Root Certification Authorities stores for Current User and Local Computer.

If you designate a certificate that is not installed on client computers, authentication will fail.

Default = not enabled, no trusted root CAs selected.

Note

Even if no trusted root CAs are selected, the client will still verify that the RADIUS server certificate was issued by a trusted root CA.

View Certificate

Enables you to view the properties of the certificate selected in the Trusted Root Certification Authorities list.

Use a different user name for the connection

Specifies whether to use a user name for authentication that is different from the user name in the certificate. If enabled, the user is prompted to select a user certificate, even if only one user certificate is installed. The certificate is used until the user terminates the session.

Default = not enabled

Do not prompt user to authorize new servers or trusted certification authorities

Prevents the user from being prompted to trust a server certificate if that certificate is incorrectly configured, is not already trusted, or both. It is recommended that you select this check box in order to simplify the user experience and to prevent users from inadvertently choosing to trust a server deployed by an attacker.

Default = not enabled

Protected EAP Properties - configuration items

Important

When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP with EAP-TLS (PEAP-EAP-TLS), do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type — one with and the other without the protection of PEAP — creates a security vulnerability.

Item Details

Validate server certificate

Verifies that the server certificates presented to the client computers have the correct signature, have not expired, and were issued by a trusted root CA.

Important

Do not clear this check box; if you do, client computers cannot verify the identity of your servers during the authentication process. If server authentication does not occur, users are exposed to severe security risks, including the possibility that users might unknowingly connect to a rogue network.

Default = enabled

Connect to these servers

Allows you to specify the name for RADIUS servers that provide network authentication and authorization.

Note

You must type the name exactly as it appears in the Subject field of each RADIUS server certificate, or use regular expressions to specify the server name. The complete regular expression syntax can be used to specify the server name, but to distinguish a regular expression from a literal string you must use at least one '*' in the string you specify. For example, you can specify nps*.example.com to match the RADIUS server nps1.example.com or nps2.example.com.

Defaults:

  • Wired and wireless = not enabled

  • VPN = enabled

Note

Even if no RADIUS servers are specified, the client will still verify that the RADIUS server certificate was issued by a trusted root CA.

Trusted Root Certification Authorities

The list in Trusted Root Certification Authorities is built from the trusted root CAs installed in the computer and user certificate stores. You can specify which trusted root CA certificates supplicants use to determine whether they trust your servers, such as your NPS server or your provisioning server. If no trusted root CAs are selected, the 802.1X client verifies that the computer certificate of the RADIUS server was issued by any installed trusted root CA. If one or more trusted root CAs are selected, the 802.1X client verifies that the computer certificate of the RADIUS server was issued by one of the selected trusted root CAs.

If you have a public key infrastructure (PKI) on your network and you use a RADIUS server certificate, the root CA that issued it is automatically added to the list of trusted root CAs. That root CA certificate, against which the RADIUS server certificate is verified, is installed on a client computer when the computer is joined to the domain.

You can also purchase a server certificate from a third-party vendor. Some third-party trusted root CAs provide software with your purchased certificate that automatically installs the purchased certificate into the Trusted Root Certification Authorities store; in this case the trusted root CA automatically appears in the list of trusted root CAs.

Note

The trusted root CA certificates that you designate must already be installed on client computers. Do not specify a trusted root CA certificate that client computers do not already have in the Trusted Root Certification Authorities stores for Current User and Local Computer.

If you designate a certificate that is not installed on client computers, authentication will fail.

Default = not enabled, no trusted root CAs selected.

Note

Even if no trusted root CAs are selected, the client will still verify that the RADIUS server certificate was issued by a trusted root CA.

Do not prompt user to authorize new servers or trusted certification authorities

Prevents the user from being prompted to trust a server certificate if that certificate is incorrectly configured, is not already trusted, or both. It is recommended that you select this check box in order to simplify the user experience and to prevent users from inadvertently choosing to trust a server deployed by an attacker.

Default = not enabled
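The server-validation settings above (Connect to these servers, Trusted Root Certification Authorities, and Do not prompt user to authorize new servers) behave the same way for EAP-TLS and PEAP. The following added example (not Windows code) models the documented decision logic so the interaction of the three settings can be seen on sample input; the wildcard handling of '*', the certificate fields and the CA names are assumptions or constructed data.

```python
"""Model of the documented 802.1X supplicant checks on a RADIUS server
certificate (added example, not Windows code): the always-on trusted root
check, optional root selection, the "Connect to these servers" name match
and the "Do not prompt user" check box. Fields and CA names are constructed."""
import re

ACCEPT, REJECT, PROMPT = "accept", "reject", "prompt user"


def server_name_matches(configured: str, subject_cn: str) -> bool:
    """Compare a configured server name with the certificate Subject CN.

    Assumption: a name without '*' must match literally; a name with at
    least one '*' is a pattern where '*' stands for any run of characters,
    so 'nps*.example.com' covers nps1.example.com and nps2.example.com.
    """
    if "*" not in configured:
        return configured.casefold() == subject_cn.casefold()
    parts = (re.escape(p) for p in configured.split("*"))
    return re.fullmatch(".*".join(parts), subject_cn, re.IGNORECASE) is not None


def evaluate_server_cert(cert, configured_servers, selected_roots,
                         installed_roots, no_prompt=True):
    """Return (outcome, reason) for one server certificate.
    cert has 'subject_cn' and 'issuer' (the root CA name). With
    no_prompt=False a failing certificate is offered to the user instead
    of being rejected, which is the exposure the setting closes.
    """
    reason = None
    if cert["issuer"] not in installed_roots:
        reason = "issuer is not an installed trusted root CA"
    elif selected_roots and cert["issuer"] not in selected_roots:
        reason = "issuer is not one of the selected trusted root CAs"
    elif configured_servers and not any(
            server_name_matches(n, cert["subject_cn"]) for n in configured_servers):
        reason = "Subject does not match any configured server name"
    if reason is None:
        return ACCEPT, "all checks passed"
    return (REJECT if no_prompt else PROMPT), reason


if __name__ == "__main__":
    installed = {"Contoso Root CA", "Public Root CA"}  # constructed client store
    good = {"subject_cn": "nps2.example.com", "issuer": "Contoso Root CA"}
    rogue = {"subject_cn": "nps2.example.com", "issuer": "Public Root CA"}
    print(evaluate_server_cert(good, ["nps*.example.com"], {"Contoso Root CA"}, installed))
    print(evaluate_server_cert(rogue, ["nps*.example.com"], set(), installed))
    print(evaluate_server_cert(rogue, [], {"Contoso Root CA"}, installed, no_prompt=False))
```

The second call shows why selecting specific root CAs matters: with none selected, a certificate for the right name from any installed public root is accepted, and with prompting left enabled the user is asked to trust it instead of the connection being refused.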

Select Authentication Method

Allows you to select the EAP type to use with PEAP for network authentication.

Note

By default two EAP types are available, Secured password (EAP-MSCHAPv2) and Smart card or other certificate (EAP-TLS). However, EAP is a flexible protocol that allows inclusion of additional EAP methods, and is not restricted to these two types.

For information about Secured password (EAP-MSCHAPv2) or Smart card or other certificate (EAP-TLS) configuration settings, see:

  • Secure password (EAP-MSCHAP v2) Properties - configuration items

  • Smart Card or other Certificate Properties - configuration items for EAP-TLS

Default = Secured password (EAP-MSCHAP v2)

Configure

Provides access to property settings for the specified EAP type.

Enable Fast Reconnect

Allows users to roam with their wireless computers between access points without being reauthenticated each time they encounter a new access point.

Fast reconnect works only when access points are configured as Remote Authentication Dial-In User Service (RADIUS) clients to the same computer running Network Policy Server (NPS); if a client computer associates with an access point that is configured as a RADIUS client to a different NPS server, the authentication process occurs in full, including client authentication of the NPS server.

Default = enabled

Enforce Network Access Protection

Specifies that before connections to a network are permitted, system health checks are performed on EAP supplicants to determine if they meet system health requirements.

Default = not enabled

Disconnect if server does not present cryptobinding TLV

Specifies that connecting clients must end the network authentication process if the RADIUS server does not present a cryptobinding Type-Length-Value (TLV).

Note

Cryptobinding TLV increases the security of the TLS tunnel in PEAP by combining the inner method and the outer method authentications together so that attackers cannot perform man-in-the-middle attacks by redirecting an MS-CHAP v2 authentication by using the PEAP channel.

Default = not enabled

Enable Identity Privacy

Specifies that clients are configured so that they cannot send their identity before the client has authenticated the RADIUS server, and, optionally, provides a place to type an anonymous identity value. For example, if you select Enable Identity Privacy and type “guest” as the anonymous identity value, the identity response for a user with identity alice@example is guest@example. If you select Enable Identity Privacy but do not provide an anonymous identity value, the identity response for the user alice@example is @example.

This setting applies only to computers running Windows 7 and later versions of Windows.

Default = not enabled

Secure password (EAP-MSCHAP v2) Properties - configuration items

Secure password EAP-MS-CHAP v2 is an EAP type that is used with PEAP-MS-CHAP v2, for password-based network authentication.

Item Details

Automatically use my Windows logon name and password (and domain if any)

Specifies that the current user-based Windows logon name and password are used as network authentication credentials.

Defaults:

  • Wired and wireless = enabled

  • VPN = not enabled

See Also

Concepts

New Wired Network Policy Properties - Security
New Profile Properties - Security
New Preferred Setting Properties - IEEE 802.1X