Use this procedure to configure a Protected Extensible Authentication Protocol–Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) profile for client authentication by using secured passwords.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
To configure a profile for PEAP-MS-CHAP v2 wired connections

- On the General tab, do the following:
  - In Policy Name, type a name for the wired network policy.
  - In Description, type a brief description of the policy.
  - Ensure that Use Windows Wired Auto Config service for clients is selected.
  - To permit users with computers running Windows 7 to enter and store their domain credentials (username and password), which the computer can then use to log on to the network (even though the user is not actively logged on), in Windows 7 Policy Settings, select Enable Explicit Credentials.
  - To specify the duration for which computers running Windows 7 are prohibited from making auto connection attempts to the network, select Enable Block Period, and then in Block Period (minutes), specify the number of minutes for which you want the block period to apply. The valid range of minutes is 1–60.

  Note: For more information about the settings on any tab, press F1 while viewing that tab.
- On the Security tab, do the following:
  - Select Enable use of IEEE 802.1X authentication for network access.
  - In Select a network authentication method, select Microsoft: Protected EAP (PEAP).
  - In Authentication mode, select from the following, depending on your needs: User or Computer authentication (recommended), Computer authentication, User authentication, Guest authentication. By default, User or Computer authentication is selected.
  - In Max Authentication Failures, specify the maximum number of failed attempts allowed before the user is notified that authentication has failed. By default, the value is set to "1."
  - To specify that user credentials are held in cache, select Cache user information for subsequent connections to this network.
- To configure Single Sign On or advanced 802.1X settings, click Advanced. On the Advanced tab, do the following:
  - To configure advanced 802.1X settings, select Enforce advanced 802.1X settings, and then modify, only as necessary, the settings for: Max Eapol-Start Msgs, Held Period, Start Period, Auth Period, Eapol-Start Message.
  - To configure Single Sign On, select Enable Single Sign On for this network, and then modify, as necessary, the settings for:
    - Perform Immediately before User Logon
    - Perform Immediately after User Logon
    - Max delay for connectivity
    - Allow additional dialogs to be displayed during Single Sign On
    - This network uses different VLAN for authentication with machine and user credentials
- Click OK. The Advanced Security Settings dialog box closes, returning you to the Security tab. On the Security tab, click Properties. The Protected EAP Properties dialog box opens.
- In the Protected EAP Properties dialog box, do the following:
  - Select Validate server certificate.
  - To specify which Remote Authentication Dial-In User Service (RADIUS) servers your wired access clients must use for authentication and authorization, in Connect to these servers, type the name of each RADIUS server, exactly as it appears in the subject field of the server certificate. Use semicolons to specify multiple RADIUS server names.
  - In Trusted Root Certification Authorities, select the trusted root certification authority (CA) that issued the server certificate to your server running Network Policy Server (NPS).

    Note: This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients trust all trusted root CAs in their trusted root certification authority store.

  - For improved security and a better user experience, select Do not prompt user to authorize new servers or trusted certification authorities.
  - In Select Authentication Method, select Secured Password (EAP-MSCHAP v2).
  - To specify that PEAP Fast Reconnect is enabled, select Enable Fast Reconnect.
  - To specify that Network Access Protection (NAP) performs system health checks on clients to ensure they meet health requirements before connections to the network are permitted, select Enforce Network Access Protection.
  - To require cryptobinding Type-Length-Value (TLV), select Disconnect if server does not present cryptobinding TLV.
  - To configure your clients so that they do not send their identity in plaintext before the client has authenticated the RADIUS server, select Enable Identity Privacy, and in Anonymous Identity, type a name or value, or leave the field empty.

    For example, if Enable Identity Privacy is enabled and you use "guest" as the anonymous identity value, the identity response for a user with identity alice@realm is guest@realm. If you select Enable Identity Privacy but do not provide an anonymous identity value, the identity response is @realm.

  - Click OK to save the Protected EAP Properties settings, and then click OK again to save the policy.
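As an added example (not part of the original procedure), the following Python script audits the PEAP section of an exported wired profile (for example from `netsh lan export profile`) for the server-validation settings this procedure selects: server certificate validation, pinned RADIUS server names, a selected trusted root CA, no user prompts for new servers, and required cryptobinding TLV. The element names follow the MsPeapConnectionProperties schema namespaces found in exported profiles; the sample XML, server names and CA thumbprint are constructed.

```python
# Added example, not from the page: audit PEAP server-validation settings in
# the EapHostConfig XML of an exported wired profile. Constructed sample data.
import xml.etree.ElementTree as ET

V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"
NS = {"v1": V1, "v2": V2}

# Constructed PEAP fragment with the hardened settings from the procedure.
# The thumbprint is a placeholder, not a real CA.
SAMPLE_PEAP = f"""<EapType xmlns="{V1}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
    <ServerNames>nps1.corp.example;nps2.corp.example</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <FastReconnect>true</FastReconnect>
  <EnableQuarantineChecks>false</EnableQuarantineChecks>
  <RequireCryptoBinding>true</RequireCryptoBinding>
  <PeapExtensions>
    <PerformServerValidation xmlns="{V2}">true</PerformServerValidation>
    <AcceptServerName xmlns="{V2}">false</AcceptServerName>
  </PeapExtensions>
</EapType>"""


def _text(root, path):
    """Stripped text of the first element at a namespaced path, or ''."""
    node = root.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def audit_peap(xml_text):
    """Return a list of findings; an empty list means the profile matches the
    server-validation settings this procedure selects."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "v1:PeapExtensions/v2:PerformServerValidation") != "true":
        findings.append("Validate server certificate is off")
    if not _text(root, "v1:ServerValidation/v1:ServerNames"):
        findings.append("Connect to these servers is empty (any server name accepted)")
    if not _text(root, "v1:ServerValidation/v1:TrustedRootCA"):
        findings.append("no trusted root CA selected (all roots in the store are trusted)")
    if _text(root, "v1:ServerValidation/v1:DisableUserPromptForServerValidation") != "true":
        findings.append("users may be prompted to authorize new servers or CAs")
    if _text(root, "v1:RequireCryptoBinding") != "true":
        findings.append("cryptobinding TLV is not required")
    return findings


if __name__ == "__main__":
    print(audit_peap(SAMPLE_PEAP) or "no findings")
```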