Get PEAP with MSCHAP v2 working with NPS on Windows Server

This post summarizes how PEAP with MSCHAP v2 works and links to topics that can help you deploy and troubleshoot PEAP authentication on a network. PEAP with certificate-based authentication (PEAP with EAP-TLS) is not discussed.

Background:
PEAP with MSCHAP v2 is a certificate-based authentication method used to gain access to local and remote networks. With PEAP-MS-CHAPv2, the network access server provides proof of identity with a certificate, while the end user provides password-based credentials as proof of identity during the authentication process.

This authentication method is commonly used for VPN connections and for networks using 802.1X enabled switches and access points. PEAP is an acronym for Protected Extensible Authentication Protocol. MSCHAP is an abbreviation for Microsoft Challenge Handshake Authentication Protocol.

How PEAP works:

There are five basic components required for the PEAP authentication method to work securely and correctly:

  1. A client device: This can be a computer or mobile device.
  2. A network access point:
    • For VPN connections, this is a VPN server.
    • For 802.1X based connections, this is a wireless access point or wired switch.
  3. A RADIUS server: Microsoft's RADIUS server is called Network Policy Server (NPS).
  4. A server certificate: A certificate must be installed on NPS that can be validated by the client device. You can use a Microsoft certification authority (CA) to issue this certificate, or you can purchase a certificate from a public CA such as VeriSign or Thawte.
  5. A user database: The database must support MSCHAP v2. This is typically Active Directory.

For PEAP to work correctly, the following must be configured:

  1. The network connection on the client computer must be configured to perform PEAP authentication.
  2. The network access point must be configured to forward (pass through) authentication requests to the RADIUS server. This typically also requires that a shared secret is configured on the network access point that matches a corresponding shared secret on the RADIUS server.
  3. A certificate with the server authentication purpose and correct subject alternative name must be installed on NPS. Note: This procedure must be completed prior to configuring PEAP on NPS (step 4 below).
  4. NPS must be configured to perform PEAP authentication. The preferred method to configure NPS is the scenario wizard in the NPS console. To use the wizard, click NPS in the console tree and then, under Standard Configuration in the right-hand pane, select the item from the drop-down list that matches the type of network connection used by the client device (for example, VPN or wireless). When the configuration scenario is selected, click the corresponding Configure text that is displayed under the drop-down list to launch the wizard.

Note: Server certificate validation can be disabled on client devices. However, in order for PEAP authentication to be secure, the client device must be configured to validate the server's certificate. This validation occurs when the client verifies that the certificate (which was installed in step 3 above) meets either of two requirements:

  1. The certificate is found in the Enterprise NTAuth store.
  2. The certificate is found in the client's Trusted Root Certification Authorities container, and it is marked as trusted.

If the certificate is found in the Trusted Root Certification Authorities container (but not NTAuth) and it is not marked as trusted, the client device receives a warning. The warning message is intended to provide the client an opportunity to mark the CA as trusted. The client should only receive this message once, provided the certificate is marked as trusted.

If the certificate is not found in the Trusted Root Certification Authorities container or the Enterprise NTAuth store, a PEAP error is generated and authentication fails.
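
An added example, not part of the original post: a Python check for the client-side requirement in the note above, run against a Windows network profile exported to XML. The element names come from the Windows PEAP profile schema rather than from this page, the sample profile and server name are constructed, and the checks beyond "validation disabled" are this example's own hardening assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces of the Windows PEAP profile schema (assumption: not taken from the page).
PEAP_V1 = "{http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1}"
PEAP_V2 = "{http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2}"

# Constructed sample: only the PEAP part of an exported profile, with placeholders.
SAMPLE = """<Config><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>{prompt_off}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames>
    <TrustedRootCA>{root}</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{validate}</PerformServerValidation></PeapExtensions>
</EapType></Config>"""

def _text(node, tag):
    """Stripped text of the first descendant `tag`, or '' if absent or empty."""
    el = node.find(f".//{tag}") if node is not None else None
    return (el.text or "").strip() if el is not None else ""

def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    peap = root.find(f".//{PEAP_V1}EapType")
    if peap is None:
        return ["no PEAP configuration found in profile"]
    sv = peap.find(f"{PEAP_V1}ServerValidation")
    findings = []
    # The client-side switch the note warns about: certificate validation off.
    if _text(peap, f"{PEAP_V2}PerformServerValidation").lower() == "false":
        findings.append("server certificate validation is disabled")
    if not _text(sv, f"{PEAP_V1}TrustedRootCA"):
        findings.append("no trusted root CA selected for the NPS certificate")
    if not _text(sv, f"{PEAP_V1}ServerNames"):
        findings.append("no expected NPS server name configured")
    # When prompting is allowed, the user decides whether to trust an unknown CA.
    if _text(sv, f"{PEAP_V1}DisableUserPromptForServerValidation").lower() != "true":
        findings.append("user may be prompted to trust an unknown server or CA")
    return findings

if __name__ == "__main__":
    weak = SAMPLE.format(prompt_off="false", names="", root="", validate="false")
    for finding in audit_peap_profile(weak):
        print("FINDING:", finding)
```
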

References:

NPS reason codes

Server certificate requirements (14065/28365 in Windows Server 2003 retired content)

PEAP Overview

Certificate Requirements for PEAP and EAP