Configure Wireless Computers Running Windows Vista to Use PEAP-TLS

Applies To: Windows Server 2008, Windows Vista

This procedure provides the steps that are required to configure a Protected Extensible Authentication Protocol–Transport Layer Security (PEAP-TLS) wireless connection profile for authentication using smart cards or other certificates.

Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.

To configure a Windows Vista PEAP-TLS wireless connection profile

  1. If you have not already done so, open the Windows Vista Wireless Network (IEEE 802.11) Policies properties page.

  2. In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, select Use Windows to configure wireless network settings for clients to specify that WLAN AutoConfig is used to configure wireless network adapter settings.

  3. In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, do one of the following:

    • To add and configure a new profile, click Add, and then select Infrastructure.

    • To edit an existing profile, select the profile that you want to modify, and then click Edit.

  4. On the Connection tab, in Profile Name, if you are adding a new profile, type a name for the profile. If you are editing a profile that is already added, use the existing profile name, or modify the name as needed.

  5. In Network Name(s) (SSID), type the service set identifier (SSID) that corresponds to the SSID configured on your wireless APs, and then click Add.

    If your deployment uses multiple SSIDs and each wireless AP uses the same wireless security settings, repeat this step to add the SSID for each wireless AP to which you want this profile to apply.

    If your deployment uses multiple SSIDs and the security settings for each SSID do not match, configure a separate profile for each group of SSIDs that use the same security settings. For example, if you have one group of wireless APs configured to use WPA2-Enterprise and AES, and another group of wireless APs to use WPA-Enterprise and TKIP, configure a profile for each group of wireless APs.

  6. If NEWSSID is present, select it, and then click Remove.

  7. If you deployed wireless access points that are configured to suppress the broadcast beacon, select Connect even if the network is not broadcasting.

    Enabling this option can create a security risk because wireless clients will probe for and try to connect to any wireless network. By default, this setting is not enabled.

  8. Click the Security tab, click Advanced, and then configure the following:

    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.

      When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are sufficient for most wireless deployments.

    2. To enable Single Sign On, select Enable Single Sign On for this network.

    3. The remaining default values in Single Sign On are sufficient for typical wireless deployments.

    4. In Fast Roaming, if your wireless AP is configured for pre-authentication, select This network uses pre-authentication.

  9. Click OK to return to the Security tab. In Select the security methods for this network, in Authentication, select WPA2-Enterprise if it is supported by your wireless AP and wireless client network adapters. Otherwise, select WPA-Enterprise.

  10. In Encryption, if it is supported by your wireless AP and wireless client network adapters, select AES. Otherwise, select TKIP.

    The settings for both Authentication and Encryption must match the settings configured on your wireless AP. On the Security tab, the default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are sufficient for typical wireless deployments.

  11. In Select a network authentication method, select Protected EAP (PEAP), and then click Properties. The Protected EAP Properties page opens.

  12. In Protected EAP Properties, verify that Validate server certificate is selected.

  13. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued server certificates to your computers running Network Policy Server (NPS).

    This setting limits the root CAs that clients trust to the selected CAs. If no trusted root CAs are selected, clients will trust all root CAs listed in their trusted root certification authority store.

  14. Select Do not prompt user to authorize new servers or trusted certification authorities. Selecting this setting provides an enhanced user experience and better security.

  15. In the Select Authentication Method list, select Smart Card or other certificate.

  16. To enable PEAP Fast Reconnect, select Enable Fast Reconnect.

  17. If Network Access Protection (NAP) is configured on your network, select Enable Quarantine checks. Otherwise, clear this check box.

  18. Click Configure. In the Smart Card or other Certificate Properties dialog box, in When connecting, specify one of the following:

    • For deployments that use smart cards, select Use my smart card.

    • For other certificate deployments, select Use a certificate on this computer.

  19. Select Validate server certificate.

  20. To specify which NPS servers your client computers can use for authentication and authorization, select Connect to these servers, and then type the name of each NPS server, exactly as it appears in the Subject field of that server's certificate, separating the names with semicolons.

  21. In Trusted Root Certification Authorities, select the CA that issued certificates to your NPS servers.

  22. Click OK two times to close the Protected EAP properties and return to the Security tab.

  23. Click OK to close the Security tab, and then click OK again to close the Windows Vista Wireless Network Policy.
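
To confirm that a client actually received the server-validation settings from this procedure, the following check audits a wireless profile exported as XML (for instance with `netsh wlan export profile`). It is an added example, not part of the original procedure; the element names and the constructed sample profile are assumptions about the exported profile layout, so compare them with a profile exported from one of your own clients.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements checked below. Element names are
# assumed to match an exported profile; namespaces are ignored on purpose.
SAMPLE = """<WLANProfile><name>Corp-PEAP-TLS</name>
 <SSIDConfig><SSID><name>CorpWLAN</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
 <MSM><security><authEncryption><authentication>WPA</authentication><encryption>TKIP</encryption></authEncryption>
  <OneX><EAPConfig><Eap><Type>25</Type><EapType>
   <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames>nps1.corp.example;nps2.corp.example</ServerNames>
    <TrustedRootCA>PLACEHOLDER-ROOT-THUMBPRINT</TrustedRootCA></ServerValidation>
   <Eap><Type>13</Type><EapType><ServerValidation><ServerNames></ServerNames></ServerValidation></EapType></Eap>
  </EapType></Eap></EAPConfig></OneX></security></MSM></WLANProfile>"""

def first(node, name, deep=False):
    """First element called `name` among node's children (or all descendants)."""
    pool = () if node is None else node.iter() if deep else node
    return next((c for c in pool if c.tag.rsplit("}", 1)[-1] == name), None)

def text(node, name):
    hit = first(node, name)          # direct child only; '' when absent or empty
    return (hit.text or "").strip() if hit is not None else ""

def audit(xml_text):
    """Return findings where the profile deviates from the settings in the procedure."""
    root, out = ET.fromstring(xml_text), []
    if text(first(root, "SSIDConfig", True), "nonBroadcast") == "true":
        out.append("profile: connects to a non-broadcast SSID, so the client probes for it")
    ae = first(root, "authEncryption", True)
    pair = (text(ae, "authentication"), text(ae, "encryption"))
    if pair != ("WPA2", "AES"):
        out.append("profile: %s/%s instead of WPA2/AES" % pair)
    for eap in root.iter():          # any element holding <Type> plus <EapType>
        method = {"25": "PEAP", "13": "EAP-TLS"}.get(text(eap, "Type"))
        cfg = first(eap, "EapType")
        if method is None or cfg is None:
            continue
        sv = first(cfg, "ServerValidation")
        if not text(sv, "TrustedRootCA"):
            out.append(method + ": no trusted root CA selected")
        if not text(sv, "ServerNames"):
            out.append(method + ": no NPS server names listed")
        if method == "PEAP" and text(sv, "DisableUserPromptForServerValidation") != "true":
            out.append("PEAP: user may be prompted to authorize a new server or CA")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The sample deliberately leaves the inner smart card or certificate method without a root CA or server names, which is the state the last steps of the procedure are meant to prevent.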