Export (0) Print
Expand All
1 out of 1 rated this helpful - Rate this topic

Network Authentication Methods Properties

Applies To: Windows 7, Windows Server 2008 R2

This topic presents information about Extensible Authentication Protocol (EAP) settings. You can access the EAP properties for 802.1X authenticated wired and wireless access in the following ways:

  • By configuring the Wired Network (IEEE 802.3) Policies and Wireless Network (IEEE 802.11) Policies extensions in Group Policy Management.

  • By manually configuring wired or wireless connections on client computers.

You can access the EAP properties for virtual private network (VPN) connections in the following ways:

  • By using Connection Manager Administration Kit (CMAK) to configure VPN connections.

  • By manually configuring a VPN connection on client computers.

By default, you can configure EAP settings for two network authentication methods: Microsoft: Smart Card or other certificate (EAP-TLS) or Microsoft: Protected EAP (PEAP).

Authentication methods

This topic contains configuration information specific to the following authentication methods:

Smart Card or other Certificate Properties - configuration items for EAP-TLS

 

Item Details

Use my smart card

Specifies that clients making authentication requests must present a smart card certificate for network authentication.

Defaults:

  • Wired and wireless = not enabled

  • VPN = enabled

Use a certificate on this computer

Specifies that authenticating clients must use a certificate located in the either the Current User or Local Computer certificate stores.

Defaults:

  • Wired and wireless = enabled

  • VPN = not enabled

Use simple certificate selection (Recommended)

To limit the list of available certificates when prompting the user to select a certificate, this setting specifies whether Windows filters out certificates that are unlikely to meet authentication requirements.

Defaults:

  • Wired and wireless = enabled

  • VPN = not enabled

Validate server certificate

Verifies that the server certificates presented to the client computers have the correct signature, have not expired, and were issued by a trusted root certification authority (CA).

ImportantImportant
Do not disable this check box or else client computers cannot verify the identity of your servers during the authentication process. If server authentication does not occur, users are exposed to severe security risks, including the possibility that users might unknowingly connect to a rogue network.

Default = enabled

Connect to these servers

Allows you to specify the name for Remote Authentication Dial-In User Service (RADIUS) servers that provide network authentication and authorization.

noteNote
You must type the name exactly as it appears in the Subject field of each RADIUS server certificate, or use regular expressions to specify the server name. The complete syntax of regular expression can be used to specify the server name, but to differentiate a regular expression with the literal string you must use at least one '*' in the string specified. For example, you can specify nps*.example.com to specify the RADIUS server nps1.example.com or nps2.example.com.

Defaults:

  • Wired and wireless = not enabled

  • VPN = enabled

noteNote
Even if no RADIUS servers are specified, the client will still verify that the RADIUS server certificate was issued by a trusted root CA.

Trusted Root Certification Authorities

The list in Trusted Root Certification Authorities is built from the trusted root CAs installed in the computer and user certificate stores. You can specify which trusted root CA certificates that supplicants use to determine whether they trust your servers, such as your server running Network Policy Server (NPS) or your provisioning server. If no trusted root CAs are selected, then the 802.1X client verifies that the computer certificate of the RADIUS server was issued by an installed trusted root CA. If one or multiple trusted root CAs are selected, then the 802.1X client verifies that the computer certificate of the RADIUS server was issued by a selected trusted root CA.

If you have a public key infrastructure (PKI) on your network, and you use a RADIUS server certificate, that certificate is automatically added to the list of trusted root CAs. The root CA is installed on a client computer when the computer is joined to a domain against which the RADIUS certificate is verified.

You can also purchase a server certificate from a third-party vendor. Some third-party trusted root CAs provide software with your purchased certificate that automatically installs the purchased certificate into the Trusted Root Certification Authorities store; in this case the trusted root CA automatically appears in the list of trusted root CAs.

noteNote
The trusted root CA certificates that you designate must already be installed on client computers. Do not specify a trusted root CA certificate that client computers do not already have in the Trusted Root Certification Authoritiesstores for Current User and Local Computer.

If you designate a certificate that is not installed on client computers, authentication will fail.

Default = not enabled, no trusted root CAs selected.

noteNote
Even if no trusted root CAs are selected, the client will still verify that the RADIUS server certificate was issued by a trusted root CA.

View Certificate

Enables you to view the properties of the certificate selected in the Trusted Root Certification Authorities list.

Use a different user name for the connection

Specifies whether to use a user name for authentication that is different from the user name in the certificate. If enabled, the user is prompted to select a user certificate, even if only one user certificate is installed. The certificate is used until the user terminates the session.

Default = not enabled

Do not prompt user to authorize new servers or trusted certification authorities

Prevents the user from being prompted to trust a server certificate if that certificate is incorrectly configured, is not already trusted, or both. It is recommended that you select this check box in order to simplify the user experience and to prevent users from inadvertently choosing to trust a server deployed by an attacker.

Default = not enabled

Protected EAP Properties - configuration items

ImportantImportant
When you deploy both PEAP and EAP unprotected by PEAP, do not use the same EAP authentication type with and without PEAP. For example, if you deploy PEAP with EAP-TLS (PEAP-EAP-TLS), do not also deploy EAP-TLS without PEAP. Deploying authentication methods with the same type — one with and the other without the protection of PEAP — creates a security vulnerability.

 

Item Details

Validate server certificate

Verifies that the server certificates presented to the client computers have the correct signature, have not expired, and were issued by a trusted root CA.

ImportantImportant
Do not disable this check box or else client computers cannot verify the identity of your servers during the authentication process. If server authentication does not occur, users are exposed to severe security risks, including the possibility that users might unknowingly connect to a rogue network.

Default = enabled

Connect to these servers

Allows you to specify the name for RADIUS servers that provide network authentication and authorization.

noteNote
You must type the name exactly as it appears in the Subject field of each RADIUS server certificate, or use regular expressions to specify the server name. The complete syntax of regular expression can be used to specify the server name but to differentiate a regular expression with the literal string you must use at least one '*' in the string specified. For example, you can specify nps*.example.com to specify the RADIUS server nps1.example.com or nps2.example.com.

Defaults:

  • Wired and wireless = not enabled

  • VPN = enabled

noteNote
Even if no RADIUS servers are specified, the client will still verify that the RADIUS server certificate was issued by a trusted root CA.

Trusted Root Certification Authorities

The list in Trusted Root Certification Authorities is built from the trusted root CAs installed in the computer and user certificate stores. You can specify which trusted root CA certificates that supplicants use to determine whether they trust your servers, such as your NPS server or your provisioning server. If no trusted root CAs are selected, then the 802.1X client verifies that the computer certificate of the RADIUS server was issued by an installed trusted root CA. If one or multiple trusted root CAs are selected, then the 802.1X client verifies that the computer certificate of the RADIUS server was issued by a selected trusted root CA.

If you have a public key infrastructure (PKI) on your network, and you use a RADIUS server certificate, that certificate is automatically added to the list of trusted root CAs. The root CA is installed on a client computer when the computer is joined to a domain against which the RADIUS certificate is verified.

You can also purchase a server certificate from a third-party vendor. Some third-party trusted root CAs provide software with your purchased certificate that automatically installs the purchased certificate into the Trusted Root Certification Authorities store; in this case the trusted root CA automatically appears in the list of trusted root CAs.

noteNote
The trusted root CA certificates that you designate must already be installed on client computers. Do not specify a trusted root CA certificate that client computers do not already have in the Trusted Root Certification Authorities stores for Current User and Local Computer.

If you designate a certificate that is not installed on client computers, authentication will fail.

Default = not enabled, no trusted root CAs selected.

noteNote
Even if no trusted root CAs are selected, the client will still verify that the RADIUS server certificate was issued by a trusted root CA.

Do not prompt user to authorize new servers or trusted certification authorities.

Prevents the user from being prompted to trust a server certificate if that certificate is incorrectly configured, is not already trusted, or both. It is recommended that you select this check box in order to simplify the user experience and to prevent users from inadvertently choosing to trust a server deployed by an attacker.

Default = not enabled

Select Authentication Method

Allows you to select the EAP type to use with PEAP for network authentication.

noteNote
By default two EAP types are available, Secured password (EAP-MSCHAPv2) and Smart card or other certificate (EAP-TLS). However, EAP is a flexible protocol that allows inclusion of additional EAP methods, and is not restricted to these two types.

For information about Secured password (EAP-MSCHAPv2) or Smart card or other certificate (EAP-TLS) configuration settings, see:

Default = Secured password (EAP-MSCHAP v2)

Configure

Provides access to property settings for the specified EAP type.

Enable Fast Reconnect

Allows users to roam with their wireless computers between access points without being reauthenticated each time they encounter a new access point.

Fast reconnect works only when access points are configured as Remote Authentication Dial-In User Service (RADIUS) clients to the same computer running Network Policy Server (NPS); if a client computer associates with an access point that is configured as a RADIUS client to a different NPS server, the authentication process occurs in full, including client authentication of the NPS server.

Default = enabled

Enforce Network Access Protection

Specifies that before connections to a network are permitted, system health checks are performed on EAP supplicants to determine if they meet system health requirements.

Default = not enabled

Disconnect if server does not present cryptobinding TLV

Specifies that connecting clients must end the network authentication process if the RADIUS server does not present cryptobinding Type-Length-Value (TLV).

noteNote
Cryptobinding TLV increases the security of the TLS tunnel in PEAP by combining the inner method and the outer method authentications together so that attackers cannot perform man-in-the-middle attacks by redirecting an MS-CHAP v2 authentication by using the PEAP channel.

Default = not enabled

Enable Identity Privacy

Specifies that clients are configured so that they cannot send their identity before the client has authenticated the RADIUS server, and, optionally, provides a place to type an anonymous identity value. For example, if you select Enable Identity Privacy and type “guest” as the anonymous identity value, the identity response for a user with identity alice@example is guest@example. If you select Enable Identity Privacy but do not provide an anonymous identity value, the identity response for the user alice@example is @example.

This setting applies only to computers running Windows 7 and later versions of Windows.

Default = not enabled

Secure password (EAP-MSCHAP v2) Properties - configuration items

Secure password EAP-MS-CHAP v2 is an EAP type that is used with PEAP-MS-CHAP v2, for password-based network authentication.

 

Item Details

Automatically use my Windows logon name and password (and domain if any)

Specifies that the current user-based Windows logon name and password are used as network authentication credentials.

Defaults:

  • Wired and wireless = enabled

  • VPN = not enabled

See Also

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

Show:
© 2014 Microsoft. All rights reserved.