Configure Wireless Computers Running Windows Vista to Use EAP-TLS

Applies To: Windows Server 2008, Windows Vista

This procedure provides the steps that are required to configure an Extensible Authentication Protocol–Transport Level Security (EAP-TLS) wireless profile for authentication by using secure passwords.

Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.

To configure an EAP-TLS wireless profile

  1. In Windows Vista Wireless Network (IEEE 802.11) Policies Properties, on the General tab, click Add, and then select Infrastructure.


For more information about the settings on any tab, press F1 while you are viewing that tab.

  1. On the Connection tab, do the following:

    1. In Profile Name, type a name for the EAP-based profile.

    2. In Network Name(s) (SSID), type the service set identifier (SSID) that corresponds to the SSID configured on your wireless APs, and then click Add.

    3. If present, select NEWSSID, and then click Remove.

    4. If your wireless access point is configured to suppress its broadcast beacon, select Connect even if the network is not broadcasting.


Enabling this option can create a security risk because wireless clients will probe for and try to connect to any wireless network. By default, this setting is not enabled.

  1. Select the Security tab, click Advanced, and then configure the following:

    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.


When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held period, Start Period, and Auth Period are sufficient for most wireless deployments.

2.  In **Single Sign On**, select **Enable Single Sign On for this network**.  


The remaining default values in Single Sign On are sufficient for most wireless deployments.

3.  In **Fast Roaming**, if your wireless AP is configured for pre-authentication, select **This network uses pre-authentication**.  
  1. Click OK to return to the Security tab, and then configure the following:

    1. In Select the security methods for this network, for Authentication, if it is supported by your wireless AP and wireless client network adapters, select WPA2-Enterprise. Otherwise, select WPA-Enterprise.

    2. In Encryption, if it is supported by your wireless AP and wireless client network adapters, select AES (preferred). Otherwise, select TKIP.


The settings for both Authentication and Encryption must match the settings configured on your wireless AP. On the Security tab, the default settings for Authentication Mode, Max Authentication Failures, and Cache user information for subsequent connections to this network are sufficient for most wireless deployments.

  1. In Select a network authentication method, select Smart Card or other certificate (EAP-TLS). On the Security tab, click Properties, and then configure the following:

    1. In When connecting, verify that Use a certificate on this computer and Use simple certificate selection are selected.

    2. Verify that Validate server certificate is selected.

      In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your computers running Network Policy Server (NPS).


This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, clients will trust all trusted root CAs listed in their trusted root certification authority store.

  1. Click OK to close Smart Card or other Certificate Properties, and then click OK again to close the EAP Profile.