Export (0) Print
Expand All
1 out of 1 rated this helpful - Rate this topic

Configure 802.1X Wired Access Clients for PEAP-TLS Authentication

Updated: March 29, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Use this procedure to configure a Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS) profile for client authentication by using smart cards or other certificates.

Membership in Domain Admins , or equivalent, is the minimum required to complete this procedure.

To configure a profile for PEAP-TLS wired connections

  1. On the General tab, do the following:

    1. In Policy Name , type a name for the wired network policy.

    2. In Description , type a brief description of the policy.

    3. Ensure that Use Windows Wired Auto Config service for clients is selected.

    4. To permit users with computers running Windows 7 to enter and store their domain credentials (username and password), which the computer can then use to log on to the network (even though the user is not actively logged on), in Windows 7 Policy Settings , select Enable Explicit Credentials .

    5. To specify the duration for which computers running Windows 7 are prohibited from making auto connection attempts to the network, select Enable Block Period , and then in Block Period (minutes) , specify the number of minutes for which you want the block period to apply. The valid range of minutes is 1–60.

      noteNote
      For more information about the settings on any tab, press F1 while viewing that tab.

  2. On the Security tab, do the following:

    1. Select Enable use of IEEE 802.1X authentication for network access .

    2. In Select a network authentication method , select Microsoft: Protected EAP (PEAP) .

    3. In Authentication mode , select from the following, depending on your needs: User or Computer authentication , Computer authentication , User authentication , Guest authentication . By default, User or Computer authentication is selected.

    4. In Max Authentication Failures , specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. By default, the value is set to “1.”

    5. To specify that user credentials are held in cache, select Cache user information for subsequent connections to this network .

  3. To configure Single Sign On or advanced 802.1X settings, click Advanced . On the Advanced tab, do the following:

    1. To configure advanced 802.1X settings, select Enforce advanced 802.1X settings , and then modify — only as necessary — the settings for: Max Eapol-Start Msgs , Held Period , Start Period , Auth Period , Eapol-Start Message .

    2. To configure Single Sign On, select Enable Single Sign On for this network , and then modify — as necessary — the settings for:

      • Perform Immediately before User Logon

      • Perform Immediately after User Logon

      • Max delay for connectivity

      • Allow additional dialogs to be displayed during Single Sign On

      • This network uses different VLAN for authentication with machine and user credentials

  4. Click OK . The Advanced Security Settings dialog box closes, returning you to the Security tab. On the Security tab, click Properties . The Protected EAP Properties dialog box opens.

  5. In the Protected EAP Properties dialog box, do the following:

    1. Select Validate server certificate .

    2. To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in Connect to these servers , type then name of each RADIUS server, exactly as it appears in the subject field of the server’s certificate. Use semicolons to specify multiple RADIUS server names.

    3. In Trusted Root Certification Authorities , select the trusted root certification authority (CA) that issued the server certificate to your servers running Network Policy Server (NPS).

      noteNote
      This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store.

    4. For improved security and a better user experience, select Do not prompt user to authorize new servers or trusted certification authorities .

    5. In Select Authentication Method , select Smart Card or other certificate .

    6. To enable PEAP fast reconnect, select Enable Fast Reconnect .

    7. To specify that Network Access Protection (NAP) performs system health checks on clients to ensure they meet health requirements, before connections to the network are permitted, select Enforce Network Access Protection .

    8. To require cryptobinding Type-Length Value (TLV), select Disconnect if server does not present cryptobinding TLV .

    9. To configure your clients so that they do not send their identity in plaintext before the client has authenticated the RADIUS server, select Enable Identity Privacy , and then in Anonymous Identity , type a name or value, or leave the field empty.

      For example, if Enable Identity Privacy is enabled, and you use “guest” as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select Enable Identity Privacy , but do not provide an anonymous identity value, the identity response is @realm.

    10. To configure PEAP-TLS properties, click Configure , and then in Smart Card or other Certificate Properties , configure the following items according to your needs:

      • In When connecting , select either Use my smart card , or select both Use a certificate on this computer and Use simple certificate selection (Recommended) .

      • To require that access clients validate the NPS server certificate, select Validate server certificate .

      • To specify which RADIUS servers your wired access clients must use for authentication and authorization, in Connect to these servers , type then name of each RADIUS server, exactly as it appears in the subject field of the server’s certificate. Use semicolons to specify multiple RADIUUS server names.

      • In Trusted Root Certification Authorities , select the CA that issued NPS server certificates on your network.

      • To specify that clients use an alternate name for the access attempt, select Use a different user name for the connection .

      • To prevent users from being prompted to trust a server certificate if that certificate is incorrectly configured, is not already trusted, or both, select Do not prompt user to authorize new servers or trusted certification authorities . (Recommended)

      • Click OK to close the Smart card or other Certificate Properties dialog box, and then click OK again to close the Protected EAP (PEAP) Properties dialog box. This returns you to the New Wired Network Policy Properties dialog box.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.