Configure PEAP and EAP methods

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To configure PEAP and EAP methods

  1. Open Internet Authentication Service and, if necessary, double-click Internet Authentication Service.

  2. In the console tree, click Remote Access Policies.

  3. In the details pane, double-click the policy that you want to configure.

  4. Click Edit Profile.

  5. On the Authentication tab, click EAP Methods.

  6. In Select EAP providers, click Add. Select the authentication methods that you want to use, and then click OK.

  7. In Select EAP providers, click the EAP type that you want to configure, and then click Edit. Depending on the EAP type selected, one of the following dialog boxes is displayed:

    • If Protected EAP (PEAP) is selected, the Protected EAP Properties dialog box opens. In Certificate Issued, select the certificate that the server uses to identify itself to client computers. To enable PEAP fast reconnect for 802.11 wireless client computers, click Enable Fast Reconnect. Secure password user authentication with EAP-MSCHAPv2 is the default in EAP Types. To configure EAP-MSCHAPv2 properties, click Edit. To configure certificate or smart card user authentication, click Add. In Authentication methods, click Smart Card or other certificate, and then click OK.

    • If Smart Card or other certificate is selected, the Smart Card or other Certificate Properties dialog box opens. In Certificate issued to, select the certificate that the server uses to authenticate to client computers.

  8. In Select EAP providers, click Move Up or Move Down to specify the negotiation order of EAP methods. The server starts negotiation with the client according to the order specified in EAP types.

Notes

  • To open Internet Authentication Service, click Start, click Control Panel, double-click Administrative Tools, and then double-click Internet Authentication Service.

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.

  • If the EAP types displayed in the Select EAP Providers dialog box are selected as (Server-Configured), then the configuration of the EAP type is common to the server and applies to all remote access policies that are configured on the server. Otherwise, the EAP type configuration is specific to the current remote access policy, in which case the EAP method must be configured for each policy to which you want it to apply.

  • PEAP is used as an authentication method for 802.11 wireless client computers, but is not supported for virtual private network (VPN) or other remote access clients. Because of this, you can only configure PEAP as the authentication method for a remote access policy when you are using IAS.

  • When using the PEAP-EAP-TLS and EAP-TLS authentication methods with certificates, TLS uses cached certificate properties instead of reading the certificate from the certificate store. If a certificate is either changed or deleted and replaced by a new certificate, TLS continues using outdated cached certificate information until the cache expires or is refreshed. If you change or replace a certificate, you can refresh the TLS cache by restarting the server computer.

  • EAP-TLS is not supported if the IAS or remote access server is not a member of the domain.

  • If you have issued a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server. To change this, you can use Certificate Templates to create a new certificate for enrollment on your IAS server. In the certificate properties, on the Subject Name tab, in Subject name format, select a value other than None.

  • For information about configuring specific authentication protocols, see Related Topics.
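
The blank Subject condition described in the notes above can be checked from a script before you select a certificate in the EAP dialog boxes. The following Windows PowerShell function is an added example, not part of the original procedure; it assumes Windows PowerShell 2.0 or later is installed on the IAS server, and the function name Test-IasServerCertificate is hypothetical. Only the blank Subject check comes from this page; the private key, validity period, and Server Authentication checks are assumptions added here.

```powershell
# Added example (not from the original page). The function name is hypothetical.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU; assumption, not stated on the page

function Test-IasServerCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $problems = @()

        # From the page: a certificate with a blank Subject is not available to IAS.
        if ([string]::IsNullOrEmpty($Certificate.Subject)) {
            $problems += 'Blank Subject'
        }
        # Assumption: the server must hold the private key to authenticate itself.
        if (-not $Certificate.HasPrivateKey) {
            $problems += 'No private key'
        }
        # Assumption: expired or not-yet-valid certificates are unusable.
        $now = Get-Date
        if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
            $problems += 'Outside validity period'
        }
        # Assumption: if an EKU extension is present it must list Server Authentication.
        # A certificate with no EKU extension is not restricted by purpose.
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        if ($eku) {
            $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -notcontains $ServerAuthOid) {
                $problems += 'EKU lacks Server Authentication'
            }
        }

        New-Object PSObject -Property @{
            Thumbprint   = $Certificate.Thumbprint
            Subject      = $Certificate.Subject
            NotAfter     = $Certificate.NotAfter
            PassesChecks = ($problems.Count -eq 0)
            Problems     = ($problems -join '; ')
        } | Select-Object Thumbprint, Subject, NotAfter, PassesChecks, Problems
    }
}

# Audit the local computer's Personal store and list each certificate with any problems found.
Get-ChildItem Cert:\LocalMachine\My | Test-IasServerCertificate | Format-Table -AutoSize
```
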

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

EAP
MS-CHAP
CHAP
PAP
Unauthenticated access
PEAP
Network access authentication and certificates