Deploying Certificate-Based Authentication for Demand-Dial Routing

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

The use of certificates for authentication of calling routers is the strongest form of authentication in the Windows Server family. For certificate-based authentication of demand-dial connections, you must use the Extensible Authentication Protocol (EAP) with the Smart card or other certificate (TLS) EAP type, also known as EAP-Transport Layer Security (EAP-TLS). EAP-TLS requires the use of user certificates for the calling router and machine certificates (also known as computer certificates) for the answering router.

The deployment of certificate-based authentication for demand-dial routing typically occurs in the following situations: