Create NPS Policies for 802.1X Wired by Using a Wizard

Applies To: Windows Server 2008, Windows Vista

You can use this procedure to create the connection request policies and network policies required to deploy 802.1X-authenticating Ethernet switches as Remote Authentication Dial-In User Service (RADIUS) clients to the RADIUS server running Network Policy Server (NPS).


Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

After you run the wizard, the following policies are created:

  • One connection request policy

  • One network policy


You can run the New IEEE 802.1X Secure Wired and Wireless Connections wizard every time you need to create new policies for 802.1X authenticated access.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

Create policies for 802.1X authenticated wired access by using a wizard

  1. Open the NPS Microsoft Management Console (MMC) snap-in. If it is not already selected, click NPS (Local). If you are running the NPS MMC snap-in and want to create policies on a remote NPS server, select the server.

  2. In Getting Started and Standard Configuration, use the combination box to select RADIUS server for 802.1X Wireless or Wired Connections. The text and links below the text change to reflect your selection.

  3. Click Configure 802.1X. The Configure 802.1X wizard opens.

  4. On the Select 802.1X Connections Type wizard page, in Type of 802.1X connections, select Secure Wired Connections, and in Name, type a name for your policy. Click Next.

  5. On the Specify 802.1X Switches wizard page, in RADIUS clients, all 802.1X switches and wireless access points that you have added as RADIUS clients in the NPS snap-in are shown. Do any of the following:


Removing a RADIUS client from within the Configure 802.1X wizard deletes the client from the NPS server configuration. All additions, modifications, and deletions that you make within the Configure 802.1X wizard to RADIUS clients are reflected in the NPS snap-in, in the RADIUS Clients node under NPS / RADIUS Clients and Servers. For example, if you use the wizard to remove an 802.1X switch, the switch is also removed from the NPS snap-in.

  - To add additional network access servers (NASs), such as 802.1X-capable switches, in **RADIUS clients**, click **Add**, and then in **New RADIUS client**, enter the information for: **Friendly name**, **Address (IP or DNS)**, and **Shared Secret**.

  - To modify the settings for any switch, in RADIUS clients, select the AP for which you want to modify the settings, and then click **Edit**. Modify the settings as required.

  - To remove a switch from the list, in RADIUS clients, select the switch, and then click **Remove**.
  1. Click Next. In Configure an Authentication Method, in Type (based on method of access and network configuration), select Microsoft: Protected EAP (PEAP), and then click Configure.


If you receive an error message indicating that a certificate cannot be found for use with the authentication method, and you have configured Active Directory Certificate Services to automatically issue certificates to RAS and IAS servers on your network, first ensure that you have followed the steps to Register NPS in Active Directory Domain Services, then use the following steps to update Group Policy: Click Start, click Run, in Open, type gpupdate, and then press ENTER. When the command returns results indicating that both user and computer Group Policy have updated successfully, select Microsoft: Protected EAP (PEAP) again, and then click Configure.


If after refreshing Group Policy you continue to receive the error message indicating that a certificate cannot be found for use with the authentication method, the certificate is not being displayed because it does not meet the minimum server certificate requirements as documented in the Foundation Network Companion Guide: Deploying Server Certificates. If this happens, you must discontinue NPS configuration, revoke the certificate issued to your NPS server, and then follow the instructions in the Foundation Network Companion Guide: Deploying Server Certificates to configure a new certificate.

  1. On the Edit Protected EAP Properties wizard page, in Certificate issued, ensure that the correct NPS server certificate is selected, and then do the following:


Verify that the value in Issuer is correct for the certificate selected in Certificate issued. For example, the expected issuer for a certificate issued by a CA running Windows Server 2008 Active Directory Certificate Services (AD CS) named CA-01, in the domain, is example-CA-01-CA.

  - To allow users with mobile computers to move to a location that uses a different switch without requiring them to reauthenticate each time they connect to the network, select **Enable Fast Reconnect**.

  - To specify that connecting clients will end the network authentication process if the RADIUS server does not present cryptobinding Type-Length-Value (TLV), select **Disconnect Clients without Cryptobinding**.


Cryptobinding TLV increases the security of the TLS tunnel by combining the inner method and the outer method authentications together so that attackers cannot perform man-in-the-middle attacks by redirecting an MS-CHAP v2 authentication through the PEAP channel.

  - To modify the policy settings for the EAP type, in **EAP Types**, click **Edit**, in **EAP MSCHAPv2 Properties**, modify the settings as needed, and then click **OK**.
  1. Click OK. The Edit Protected EAP Properties dialog box closes, returning you to the Configure 802.1X wizard. Click Next.

  2. In Specify User Groups, click Add, and then type the name of the wired users security group that you configured for your network clients in the Active Directory Users and Computers snap-in. For example, if you named your wired users security group Wired Users, type Wired Users. Click Next.

  3. Click Configure to configure RADIUS standard attributes and vendor-specific attributes for virtual LAN (VLAN), and then modify the attributes as needed, and as specified by the documentation provided by your Ethernet switch hardware manufacturer. Click Next.

  4. Review the configuration summary details, and then click Finish.