EAP-TLS-based Authenticated Wireless Access Design

Applies To: Windows Server 2008, Windows Server 2008 R2

Many organizations want to supply their network users with wireless access that meets the following goals:

  • Control wireless network access and protect wireless transmissions.

  • Centrally manage wireless client security and connectivity settings.

  • Centrally manage the 802.1X authentication and authorization of wireless access clients.

  • Provide wireless access that uses smart cards or user and computer certificates for client authentication.

Authenticated wireless access design based on Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) can use either smart cards or user and computer certificates to authenticate wireless access clients. EAP-TLS provides stronger security than secure password authentication, which relies on user credentials (user name and password) to authenticate wireless access clients.

The following diagram illustrates the core components of an 802.1X authentication infrastructure that uses digital certificates for client authentication.

You can deploy Institute of Electrical and Electronics Engineers (IEEE) 802.1X authenticated wireless access using Extensible Authentication Protocol (EAP) in conjunction with computers running Network Policy Server (NPS) and 802.1X-capable wireless access points (APs) to provide wireless access with strong security. By using EAP, you can support additional authentication schemes, known as EAP types. EAP, in conjunction with strong EAP types, is a critical technology component for secure 802.1X authenticated wireless connections. These schemes include token cards, user credentials, public key authentication using smart cards, and digital certificates.

EAP-TLS is an EAP type that is used in certificate-based security environments. EAP-TLS provides mutual authentication between the wireless access client and NPS.

When you deploy a private certification authority (CA) on your network by using Active Directory Certificate Services (AD CS), you can use either EAP-TLS or Protected EAP (PEAP) with EAP-TLS (PEAP-TLS) for authentication. Both EAP-TLS and PEAP-TLS use certificates for server authentication. For user and client computer authentication, both EAP-TLS and PEAP-TLS can use either smart cards, which contain embedded digital certificates, or certificates issued to client computers that are stored on the local computer in the Trusted Root Certification Authorities certificate store.


Both PEAP-MS-CHAP v2 and PEAP-TLS provide PEAP fast reconnect. PEAP fast reconnect enables wireless clients to move between wireless access points on the same network without being reauthenticated each time they associate with a new wireless AP.

Starting infrastructure

The following sections provide brief overviews of the required technologies that must be in place before you can begin deploying wireless access on your network.

Active Directory Domain Services

Active Directory Domain Services (AD DS) is a hierarchical structure that stores information about objects on the network. AD DS provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Active Directory Certificate Services

When you deploy 802.1X authenticated wireless access that uses either smart cards or user and computer digital certificates for client authentication, you must deploy a private CA on your network.

You can deploy AD CS, which is included in Windows Server 2008, as an enterprise root certification authority (CA) that is also an issuing CA. You can configure AD CS to deploy certificates to NPS servers and domain member client computers.

To deploy server certificates by using autoenrollment, AD CS requires the Windows Server 2008 Enterprise or Windows Server 2008 Datacenter operating systems. AD DS must be installed before AD CS is installed.

Domain Name System

Domain Name System (DNS) is a name resolution protocol for TCP/IP networks, such as the Internet or an organization network. A DNS server hosts the information that enables client computers to resolve easily recognized, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is an IP standard for simplifying management of host IP configuration. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your private network.

Every computer on a TCP/IP network must have a unique IP address. The IP address (together with its related subnet mask) identifies both the host computer and the subnet to which it is attached. When you move a computer to a different subnet, the IP address must be changed. DHCP allows you to dynamically assign an IP address to a client from a DHCP server IP address database on your local network.

For TCP/IP-based networks, DHCP reduces the complexity and amount of administrative work involved in reconfiguring computers.

To increase control over DHCP lease times, you can place wired and wireless clients on separate IPv4 subnets. If you use different subnets for wired and wireless clients, you must configure separate DHCP scopes. Because wireless clients can easily roam from one wireless subnet to another, configure the DHCP scopes for wireless subnets to have a shorter lease duration than for wired subnets. The typical lease duration for a DHCP scope for wired networks is a specified number of days. Because wireless clients do not release their addresses when roaming to a new subnet, you should shorten the lease duration to several hours for DHCP scopes corresponding to wireless subnets. With a shorter lease duration for wireless subnets, the DHCP server automatically makes expired IPv4 addresses available for reuse throughout the day instead of leaving the addresses unavailable for days.
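The following netsh dhcp commands, run at an elevated prompt on the Windows Server 2008 DHCP server, create the separate wired and wireless scopes described above with a days-long lease for wired clients and an hours-long lease for wireless clients. This is an added example, not configuration from the original page; the subnet addresses, address ranges, and lease values are assumptions for illustration (lease duration is DHCP option 51, expressed in seconds).

```powershell
# Wired subnet (assumed 10.0.10.0/24): long lease, clients rarely move
netsh dhcp server add scope 10.0.10.0 255.255.255.0 "Wired clients" "Wired LAN scope"
netsh dhcp server scope 10.0.10.0 add iprange 10.0.10.50 10.0.10.250
# Option 51 = lease time in seconds; 691200 s = 8 days
netsh dhcp server scope 10.0.10.0 set optionvalue 051 DWORD 691200
netsh dhcp server scope 10.0.10.0 set state 1

# Wireless subnet (assumed 10.0.20.0/24): short lease, roaming clients do not release addresses
netsh dhcp server add scope 10.0.20.0 255.255.255.0 "Wireless clients" "802.1X wireless scope"
netsh dhcp server scope 10.0.20.0 add iprange 10.0.20.50 10.0.20.250
# 28800 s = 8 hours, so addresses left behind by roaming clients recycle within the day
netsh dhcp server scope 10.0.20.0 set optionvalue 051 DWORD 28800
netsh dhcp server scope 10.0.20.0 set state 1

# Verify the configured lease values on both scopes
netsh dhcp server scope 10.0.10.0 show optionvalue
netsh dhcp server scope 10.0.20.0 show optionvalue
```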

Network Policy Server

Network Policy Server (NPS) allows you to centrally configure and manage network policies with the following three components: Remote Authentication Dial-In User Service (RADIUS) server, RADIUS proxy, and Network Access Protection (NAP) policy server.

You must install NPS to deploy 802.1X wired or wireless access.

NPS server certificates

When you deploy 802.1X authenticated wireless access that uses smart cards or other digital certificates for client authentication, you must deploy a private CA on your network by using AD CS.

TCP/IP

TCP/IP in Windows Server 2008 is the following:

  • Networking software based on industry-standard networking protocols.

  • A routable, enterprise networking protocol that supports the connection of your Windows-based computer to both local area network (LAN) and wide area network (WAN) environments.

  • Core technologies and tools for connecting your Windows-based computer with dissimilar systems for the purpose of sharing information.

  • A foundation for gaining access to global Internet services, such as the World Wide Web and File Transfer Protocol (FTP) servers.

  • A robust, scalable, cross-platform, client/server framework.

TCP/IP in Windows Server 2008 includes basic tools that enable Windows-based computers to connect and share information with other Microsoft and non-Microsoft systems.

802.1X-capable wireless access points

Before configuring the Windows Server 2008 services for your 802.1X authenticated wireless access infrastructure, purchase and install 802.1X-capable wireless APs on your network.