Enable Authentication Protocols

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

For a VPN site-to-site connection, you must implement user-level authentication, which is provided by EAP-TLS or MS-CHAP v2 by default. For greater security, you can add computer-level authentication. With demand-dial routing, computer-level authentication is provided in the following cases:

  • When IPSec is used for an L2TP/IPSec demand-dial connection, computer-level authentication is performed through the exchange of computer certificates — also known as machine certificates — during the establishment of the IPSec security association.

  • When EAP-TLS is used for user-level authentication, the answering router authenticates itself to the calling router by sending its computer certificate.

Enable Authentication Protocols

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

  1. Open the Routing and Remote Access MMC snap-in.

  2. In the console tree, right-click the name of the server for which you want to enable authentication protocols, and then click Properties.

  3. On the Security tab, click Authentication Methods.

  4. In the Authentication Methods dialog box, select the check boxes that correspond to the authentication protocols that the answering router will use to authenticate remote clients over the site-to-site connection, and then click OK.