All certificates that are used for network access authentication with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), and PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) must meet the requirements for X.509 certificates and work for connections that use Secure Sockets Layer/Transport Layer Security (SSL/TLS). Both client and server certificates have additional requirements.
Minimum server certificate requirements
With PEAP-MS-CHAP v2, PEAP-TLS, or EAP-TLS as the authentication method, the NPS server must use a server certificate that meets the minimum server certificate requirements.
Client computers can be configured to validate server certificates by using the Validate server certificate option on the client computer or in Group Policy.
The client computer accepts the authentication attempt of the server when the server certificate meets the following requirements:
- The Subject name contains a value. If you issue a certificate to your server running Network Policy Server (NPS) that has a blank Subject name, the certificate is not available to authenticate your NPS server. To configure the certificate template with a Subject name:
  - Open Certificate Templates.
  - In the details pane, right-click the certificate template that you want to change, and then click Properties.
  - Click the Subject Name tab, and then click Build from this Active Directory information.
  - In Subject name format, select a value other than None.
- The computer certificate on the server chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy.
- The computer certificate for the NPS server or VPN server is configured with the Server Authentication purpose in Extended Key Usage (EKU) extensions. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.)
- The server certificate is configured with a required algorithm value of RSA. To configure the required cryptography setting:
  - Open Certificate Templates.
  - In the details pane, right-click the certificate template that you want to change, and then click Properties.
  - Click the Cryptography tab. In Algorithm name, click RSA. Ensure that Minimum key size is set to 2048.
- The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server. To configure the certificate template with the Domain Name System (DNS) name of the enrolling server:
  - Open Certificate Templates.
  - In the details pane, right-click the certificate template that you want to change, and then click Properties.
  - Click the Subject Name tab, and then click Build from this Active Directory information.
  - In Include this information in alternate subject name, select DNS name.
When using PEAP and EAP-TLS, NPS servers display a list of all installed certificates in the computer certificate store, with the following exceptions:
- Certificates that do not contain the Server Authentication purpose in EKU extensions are not displayed.
- Certificates that do not contain a Subject name are not displayed.
- Registry-based and smart card-logon certificates are not displayed.
Minimum client certificate requirements
With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
- The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory Domain Services (AD DS).
- The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and passes both the checks that CryptoAPI performs as specified in the remote access policy or network policy and the certificate object identifier checks that are specified in IAS remote access policy or NPS network policy.
- The 802.1X client does not use registry-based certificates that are either smart card-logon certificates or password-protected certificates.
- For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN). To configure the UPN in a certificate template:
  - Open Certificate Templates.
  - In the details pane, right-click the certificate template that you want to change, and then click Properties.
  - Click the Subject Name tab, and then click Build from this Active Directory information.
  - In Include this information in alternate subject name, select User principal name (UPN).
- For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the fully qualified domain name (FQDN) of the client, which is also called the DNS name. To configure this name in the certificate template:
  - Open Certificate Templates.
  - In the details pane, right-click the certificate template that you want to change, and then click Properties.
  - Click the Subject Name tab, and then click Build from this Active Directory information.
  - In Include this information in alternate subject name, select DNS name.
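The following PowerShell audit script is an added example, not part of the original documentation or of NPS itself: it checks every certificate in a store against the minimum server certificate requirements and the minimum client certificate requirements listed above (non-blank Subject, required EKU purpose, RSA key of at least 2048 bits, expected DNS name or UPN in the SAN, and a chain that validates). It assumes Windows PowerShell 5.1 or later on an English-locale system, and the FQDN `nps01.corp.example.com` and UPN `alice@corp.example.com` are placeholders to replace.

```powershell
# Added example, not from the original page: audit a certificate store against the
# minimum server/client certificate requirements listed above. Assumes Windows
# PowerShell 5.1 or later; the FQDN and UPN used below are placeholders to replace.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (OID from the page)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (OID from the page)
function Test-EapCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$RequiredEkuOid,
        # SAN entry as CryptoAPI formats it on an English-locale system, e.g.
        # 'DNS Name=host.fqdn' or 'Principal Name=user@domain'
        [Parameter(Mandatory)][string]$ExpectedSanEntry,
        [switch]$SanOptional,          # server certs: SAN is only checked "if used"
        [int]$MinRsaKeySize = 2048
    )
    # Subject name must contain a value; NPS and clients hide blank-Subject certificates
    $hasSubject = -not [string]::IsNullOrWhiteSpace($Cert.Subject)
    # The required purpose (Server or Client Authentication) must appear in EKU
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEkuOid })
    # RSA key of at least the template's minimum key size
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $rsaOk = ($null -ne $rsa) -and ($rsa.KeySize -ge $MinRsaKeySize)
    # SAN (OID 2.5.29.17) must carry the expected DNS name or UPN
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanOk = $sanExt.Format($false) -match ([regex]::Escape($ExpectedSanEntry) + '(,|$)')
    } else { $sanOk = [bool]$SanOptional }
    # Chain must build to a trusted root CA and pass CryptoAPI validation
    $chainOk = $Cert.Verify()
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint; Subject = $Cert.Subject; HasSubject = $hasSubject
        RequiredEku = $hasEku; RsaKeyOk = $rsaOk; SanOk = $sanOk; ChainOk = $chainOk
        MeetsMinimum = $hasSubject -and $hasEku -and $rsaOk -and $sanOk -and $chainOk
    }
}
# NPS server: machine store, Server Authentication EKU, server DNS name in SAN
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapCertificate $_ $ServerAuthOid 'DNS Name=nps01.corp.example.com' -SanOptional } |
    Format-Table Thumbprint, HasSubject, RequiredEku, RsaKeyOk, SanOk, ChainOk, MeetsMinimum -AutoSize
# 802.1X user certificate: current user's store, Client Authentication EKU, UPN in SAN
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapCertificate $_ $ClientAuthOid 'Principal Name=alice@corp.example.com' } |
    Format-Table Thumbprint, HasSubject, RequiredEku, RsaKeyOk, SanOk, ChainOk, MeetsMinimum -AutoSize
```

A certificate with MeetsMinimum reported as False is one that NPS or the 802.1X client will not list or will reject for the reason shown in the failing column; the SAN text comparison relies on the English display strings that CryptoAPI produces, so adjust the expected entry on other locales.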
With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:
- Wireless clients do not display registry-based and smart card-logon certificates.
- Wireless clients and VPN clients do not display password-protected certificates.
- Certificates that do not contain the Client Authentication purpose in EKU extensions are not displayed.