Provide Wireless Access that uses Secure Password Client Authentication

Applies To: Windows Server 2008, Windows Server 2008 R2

Wireless networks that use 802.1X to prevent unauthorized access to the network must use one of several Extensible Authentication Protocol (EAP) types. There are advantages and disadvantages to each. For administrators who must provide strong security, but can forgo a very strong EAP type security in exchange for lower deployment overhead, use Protected EAP (PEAP) with Microsoft Challenge-Handshake Authentication Protocol Version 2 (MS-CHAP v2).

For more information, see PEAP-MS-CHAP v2-based Authenticated Wireless Access Design.

To illustrate, Example Company ( wants to provide wireless access to corporate network employees at one of their remote site buildings. The wireless solution must provide strong security to protect their network from unwanted wireless access. To reduce deployment costs, they want the wireless deployment to rely on their existing domain infrastructure as much as possible. As an additional requirement, they do not want the additional time and cost of deploying a private certification authority (CA) on their network.

The following features and components are required for wireless access with domain user secure password authentication:

  • One or more 802.1X-capable 802.11 wireless access points (APs). This scenario requires that you purchase and deploy one or more 802.1X-capable wireless APs that are compatible with the Remote Authentication Dial-In User Service (RADIUS) protocol.

  • Active Directory Domain Services (AD DS). AD DS contains the user accounts, computer accounts, and account properties that are required by IEEE 802.1X and PEAP-MS-CHAP v2 to authenticate user credentials and to evaluate authorization for wireless connections.

  • Group Policy Management. This design uses the Group Policy Management extension to specify settings in Wireless Network (IEEE 802.11) Policies, which in turn configures the security and connectivity settings on wireless client computers that are required for 802.1X authenticated wireless access.

  • One or more servers running Network Policy Server (NPS). When you configure your 802.1X wireless access points as RADIUS clients in NPS, NPS processes the connection requests sent by the APs. During connection request processing, NPS performs authentication and authorization. Authentication determines whether the client has presented valid credentials. If NPS successfully authenticates the requesting client, then NPS determines whether the client is authorized to make the requested connection, and either allows or denies the connection.

  • Server certificates for computers running NPS. This deployment scenario requires server certificates for each NPS server that performs 802.1X authentication. A server certificate is a digital document that is commonly used for authentication and to secure information on open networks. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing CA, and they can be issued for a user, a computer, or a service. Because secure password authentication requires certificates only for servers, and not for clients, this PEAP-MS-CHAP v2 designs specifies two NPS server certificate options:

    • Deploying a private CA on your network by using Active Directory Certificate Services (AD CS).

    • Purchasing certificates from a public CA, such as VeriSign, that is already trusted by Windows-based clients. This option is typically recommended for smaller networks.

  • Wireless client computers. This deployment provides 802.1X authenticated access to domain-member users who connect to the network by using wireless client computers running either Windows Vista or Windows XP with Service Pack 2 (SP2) or later versions. Computers must be members of the domain in order to successfully establish authenticated access.