Provide Wireless Access that uses Digital Certificate Client Authentication

Applies To: Windows Server 2008, Windows Server 2008 R2

Wireless networks that use 802.1X to prevent unauthorized access to the network must use one of several Extensible Authentication Protocol (EAP) types. There are advantages and disadvantages to each. In general, the tradeoff is between ease of deployment and strength of security. Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is a good alternative for administrators who must provide very stronger security than that provided by Protected EAP (PEAP) with Microsoft Challenge-Handshake Authentication Protocol Version 2 (MS-CHAP v2).

For more information, see EAP-TLS-based Authenticated Wireless Access Design.

To illustrate, Example Company ( wants to provide wireless access to corporate network employees at their main location. The wireless solution must provide very strong security to protect their network from unwanted wireless access. As an additional requirement, they want to integrate their wireless access security solution with a smart card solution for employee identification and building access.

The following features and components are required for wireless access with digital certificate client authentication:

  • One or more 802.1X-capable 802.11 wireless access points (APs). This scenario requires that you purchase and deploy one or more 802.1X-capable wireless APs that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.

  • Active Directory Domain Services (AD DS). AD DS contains the user accounts, computer accounts, and account properties that are required by IEEE 802.1X and EAP-TLS to authenticate user credentials and to evaluate authorization for wireless connections.

  • Group Policy Management. This design uses the Group Policy Management extension to specify settings in Wireless Network (IEEE 802.11) Policies, which in turn configures the necessary settings on wireless client computers for 802.1X authenticated wireless access.

  • One or more servers running Network Policy Server (NPS). When you configure your 802.1X wireless access points as RADIUS clients in NPS, NPS processes the connection requests sent by the APs. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection.

  • Server certificates for computers running NPS. This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication. A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service. Because digital certificate authentication requires certificates for servers and clients, this deployment design requires that you deploy a private CA on your network by using Active Directory Certificate Services (AD CS).

  • Dynamic Host Configuration Protocol (DHCP) servers. This deployment scenario requires that DHCP servers are deployed and configured to allocate TPC/IP addresses to wireless client computers that NPS has authenticated and authorized for wireless access.

  • Wireless client computers. This deployment provides 802.1X authenticated access to domain-member users who connect to the network by using wireless client computers running either Windows Vista or Windows XP with Service Pack 2 (SP2) or later versions. Computers must be members of the domain in order to successfully establish authenticated access.