Configure Wired Authentication for NAP in Group Policy

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Windows Server® 2008, Windows Vista®, Windows Server 2008 R2, and Windows 7 include enhancements like an extended Active Directory schema to support 802.1X authenticating switches for 802.3 wired Ethernet connections. For more information, see Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements at

Membership in the local Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

Configure wired authentication settings in Group Policy

Use the following procedure to deploy wired authentication settings to NAP client computers for use with NAP and 802.1X enforcement.

To configure wired authentication settings in Group Policy

  1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and then press ENTER.

  2. In the Group Policy Management console tree, open Group Policy Objects, right-click the name of the GPO you want to edit, and then click Edit. The Group Policy Management Editor opens.

  3. In the Group Policy Management Editor tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Wired Network (IEEE 802.3) Policies.

  4. Right-click Wired Network (IEEE 802.3) Policies, and then click Create A New Windows Vista Policy.

  5. In New Vista Wired Network Policy Properties, on the General tab, under Policy Name, type a name for the policy (for example, NAP 802.1X Policy).

  6. Click the Security tab, under Select a network authentication method, verify that Microsoft: Protected EAP (PEAP) is selected, and then click Properties.

  7. In Protected EAP Properties, clear the Enable Fast Reconnect check box, and select the check box next to Enable Quarantine checks. See the following example.

  8. If you want to use EAP-TLS as an inner authentication method, under Select Authentication Method, choose Smart Card or other certificate from the drop-down list.


It might be difficult to see the available authentication methods. The two choices available from the drop-down list are Secured password (EAP-MSCHAP v2 and Smart Card or other certificate.

  1. If you want to customize EAP-MSCHAP v2 or EAP-TLS properties, click Configure. For example, you can prompt the user for credentials by clearing the Automatically use my Windows logon name and password (and domain if any) check box in EAP MSCHAP v2 Properties.

  2. Click OK twice, and then close the Group Policy Management Editor.

See Also


Configure NAP Client Security Groups