Configure Wired Clients to Use PEAP-TLS

Applies To: Windows Server 2008, Windows Server 2008 R2

This procedure provides the steps that are required to configure a wired access connection profile for Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS) for authentication by using smart cards or user and computer digital certificates.

Membership in Domain Admins, or equivalent, is the minimum requirement to complete this procedure.

Tip

For more information about individual controls on any active dialog box in Wired Network (IEEE 802.3) Policies, press F1 while viewing that dialog box.

To configure a wired connection profile for PEAP-TLS

  1. If you have not already done so, open the Windows Vista Wired Network (IEEE 802.3) Policies properties page.

  2. In Windows Vista Wired Network (IEEE 802.3) Policies Properties, on the General tab, in Policy Name, type a name for your network policy, or leave the default name New Wired Network Policy.

  3. In Description, type a description for your network policy.

  4. Select Use Windows Wired Auto Config service for clients to specify that Wired AutoConfig is used to configure wired network adapter settings.

  5. Click the Security tab, click Advanced, and then configure the following:

    1. To configure advanced 802.1X settings, in IEEE 802.1X, select Enforce advanced 802.1X settings.

      When the advanced 802.1X settings are enforced, the default values for Max Eapol-Start Msgs, Held Period, Start Period, and Auth Period are sufficient for most wired access deployments.

    2. To enable Single Sign On, select Enable Single Sign On for this network.

    3. The remaining default values in Single Sign On are sufficient for typical wired access deployments.

  6. Click OK to return to the Security tab. In Select a network authentication method, select Protected EAP (PEAP), and then click Properties. The Protected EAP Properties page opens.

  7. In Protected EAP Properties, verify that Validate server certificate is selected.

  8. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your computer running Network Policy Server (NPS).

Note

This setting limits the root CAs that clients trust for server certificate validation to the selected CAs. If no trusted root CA is selected, clients accept a server certificate that chains to any root CA in their Trusted Root Certification Authorities store, including public CAs, so select only the enterprise CA that issued the NPS server certificate.

  9. Select Do not prompt user to authorize new servers or trusted certification authorities. When this setting is selected, a client that is presented with a server certificate from an untrusted server or CA fails the connection instead of prompting the user, so users cannot accidentally authorize a rogue authentication server. This provides both a better user experience and better security.

  10. In the Select Authentication Method list, select Smart Card or other certificate, and then click Configure. The Smart Card or other Certificate Properties dialog box opens.

  11. In the Smart Card or other Certificate Properties dialog box, in When connecting, for smart card deployments, select Use my smart card. Otherwise, for computer and user digital certificate deployments, select Use a certificate on this computer.

  12. Verify that Validate server certificate is selected.

  13. In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your computer running Network Policy Server (NPS). The inner EAP-TLS method validates the server certificate independently of the PEAP outer tunnel, so this setting must be configured here as well.

  14. Select Do not prompt user to authorize new servers or trusted certification authorities.

  15. Click OK. The Smart Card or other Certificate Properties dialog box closes, returning you to Protected EAP Properties.

  16. On the Protected EAP Properties dialog box, to enable PEAP fast reconnect, select Enable Fast Reconnect.

  17. If Network Access Protection (NAP) is configured on your network, select Enable Quarantine checks. Otherwise, clear this check box.

  18. Click OK to close the Protected EAP Properties dialog box, and then click OK to close Windows Vista Wired Network (IEEE 802.3) Policies Properties.
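After the policy has applied to a client, the effective wired profile can be exported and inspected to confirm that the settings above actually reached the client. The following PowerShell script is an added verification example, not part of the original procedure. It runs on a domain-joined client after gpupdate, exports the wired profile with netsh lan export profile, and checks the exported XML for the settings this procedure configures: PEAP (EAP type 25) as the outer method, EAP-TLS (EAP type 13) as the inner method, server certificate validation with no user prompt in both the PEAP and EAP-TLS ServerValidation blocks, and a pinned trusted root CA. The interface name "Local Area Connection" and the root CA thumbprint are assumptions to replace with your own values.

```powershell
# Added verification example; not part of the original TechNet procedure.
# Run on a client after the Wired Network (IEEE 802.3) policy has applied
# (gpupdate /force). Exports the effective wired profile with netsh and checks
# that the PEAP and inner EAP-TLS settings match the procedure.
# Assumptions (not from the page): the adapter is named "Local Area Connection",
# and $ExpectedRootThumbprint is the SHA-1 thumbprint of the enterprise root CA
# that issued the NPS server certificate. Replace both for your environment.
param(
    [string]$InterfaceName = "Local Area Connection",
    [string]$ExpectedRootThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder
)

# netsh lan requires the Wired AutoConfig service (dot3svc), which the policy enables.
if ((Get-Service dot3svc).Status -ne 'Running') {
    throw "Wired AutoConfig (dot3svc) is not running; the policy has not applied or the service is disabled."
}

# Export the profile to a fresh temporary folder and load the XML.
$folder = Join-Path $env:TEMP ("lanprofile-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $folder | Out-Null
netsh lan export profile folder="$folder" interface="$InterfaceName" | Out-Null
$file = Get-ChildItem -Path $folder -Filter *.xml | Select-Object -First 1
if (-not $file) { throw "No wired profile exported for interface '$InterfaceName'." }
$xml = [xml](Get-Content $file.FullName)

# The profile mixes several EAP namespaces; matching on local-name() avoids hard-coding them.
function Get-Nodes($x, $name) { $x.SelectNodes("//*[local-name()='$name']") }

$findings = @()

# Outer method must be PEAP (EAP type 25) and the inner method EAP-TLS (type 13).
$types = @(Get-Nodes $xml 'Type' | ForEach-Object { $_.InnerText.Trim() })
if ($types -notcontains '25') { $findings += "Outer method is not PEAP (EAP type 25 missing)." }
if ($types -notcontains '13') { $findings += "Inner method is not EAP-TLS (EAP type 13 missing)." }

# PEAP and the inner EAP-TLS method each carry their own ServerValidation block,
# mirroring the two dialogs in the procedure; both must pin the root and disable prompting.
$validations = @(Get-Nodes $xml 'ServerValidation')
if ($validations.Count -lt 2) {
    $findings += "Expected ServerValidation for both PEAP and EAP-TLS, found $($validations.Count)."
}
foreach ($v in $validations) {
    $noPrompt = ($v.SelectNodes("*[local-name()='DisableUserPromptForServerValidation']") |
        Select-Object -First 1).InnerText
    if ($noPrompt -ne 'true') {
        $findings += "A ServerValidation block still lets users authorize new servers or CAs."
    }
    $roots = @($v.SelectNodes("*[local-name()='TrustedRootCA']") |
        ForEach-Object { ($_.InnerText -replace '\s', '').ToUpper() })
    if ($roots.Count -eq 0) {
        $findings += "A ServerValidation block pins no root CA; clients will accept any root in their store."
    } elseif ($roots -notcontains $ExpectedRootThumbprint.ToUpper()) {
        $findings += "Pinned root CA(s) $($roots -join ', ') do not include the expected enterprise root."
    }
}

# Fast Reconnect is a convenience setting: warn, but do not treat it as a failure.
$fast = Get-Nodes $xml 'FastReconnect' | Select-Object -First 1
if ($fast -and $fast.InnerText.Trim() -ne 'true') { Write-Warning "PEAP Fast Reconnect is disabled." }

Remove-Item -Recurse -Force $folder
if ($findings.Count -eq 0) {
    "Wired PEAP-TLS profile on '$InterfaceName' matches the policy."
} else {
    $findings | ForEach-Object { Write-Error $_ }
}
```

The two ServerValidation checks are the important ones: a profile that validates the server certificate but pins no root CA, or that still prompts the user, will connect to any authenticator holding a certificate from any CA in the client's store, which defeats the purpose of the settings configured in the two dialogs above.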