Use this procedure to configure an Extensible Authentication Protocol–Transport Layer Security (EAP-TLS) profile for authentication that uses smart cards or other certificates.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
|To configure an EAP-TLS profile for wired connections
On the General tab, do the following:
- In Policy Name, type a name for the wired network
- In Description, type a brief description of the
- Ensure that Use Windows Wired Auto Config service for
clients is selected.
- To permit users with computers running Windows 7 to enter
and store their domain credentials (username and password), which
the computer can then use to log on to the network (even though the
user is not actively logged on), in Windows 7 Policy
Settings, select Enable Explicit Credentials.
- To specify the duration for which computers running
Windows 7 are prohibited from making auto connection attempts
to the network, select Enable Block Period, and then in
Block Period (minutes), specify the number of minutes for
which you want the block period to apply. The valid range of
minutes is 1-60.
For more information about the settings on any tab, press F1 while viewing that tab.
- In Policy Name, type a name for the wired network policy.
On the Security tab, do the following:
- Select Enable use of IEEE 802.1X authentication for network
- In Select a network authentication method, select
Smart Card or other certificate.
- In Authentication mode, select from the following,
depending on your needs: User or Computer authentication,
Computer authentication, User authentication,
Guest authentication. By default, User or Computer
authentication is selected.
- In Max Authentication Failures, specify the maximum
number of failed attempts allowed before the user is notified that
authentication has failed. By default, the value is set to “1.”
- To specify that user credentials are held in cache, select
Cache user information for subsequent connections to this
- Select Enable use of IEEE 802.1X authentication for network access.
To configure Single Sign On or advanced 802.1X settings, click Advanced. On the Advanced tab, do the following:
- To configure advanced 802.1X settings, select Enforce
advanced 802.1X settings, and then modify — only as necessary —
the settings for: Max Eapol-Start Msgs, Held Period,
Start Period, Auth Period, Eapol-Start
- To configure Single Sign On, select Enable Single Sign On
for this network, and then modify — as necessary — the settings
- Perform Immediately before User
- Perform Immediately after User
- Max delay for connectivity
- Allow additional dialogs to be displayed
during Single Sign On
- This network uses different VLAN for
authentication with machine and user credentials
- Perform Immediately before User Logon
- To configure advanced 802.1X settings, select Enforce advanced 802.1X settings, and then modify — only as necessary — the settings for: Max Eapol-Start Msgs, Held Period, Start Period, Auth Period, Eapol-Start Message.
Click OK. The Advanced Security Settings dialog box closes, returning you to the Security tab. On the Security tab, click Properties. The Smart Card or other Certificate Properties dialog box opens.
On the Smart Card or other Certificate Properties dialog box, do the following:
- In When connecting, select either Use my smart
card, or select both Use a certificate on this computer
and Use simple certificate selection (Recommended).
- Select Validate server certificate.
- To specify which Remote Authentication Dial-In User Service
(RADIUS) servers your wired access clients must use for
authentication and authorization, in Connect to these
servers, type then name of each RADIUS server, exactly as it
appears in the subject field of the server’s certificate. Use
semicolons to specify multiple RADIUS server names.
- In Trusted Root Certification Authorities, select the
trusted root certification authority (CA) that issued the server
certificate to your server running Network Policy Server (NPS).
This setting limits the trusted root CAs that clients trust to the selected values. If no trusted root CAs are selected, then clients will trust all trusted root CAs in their trusted root certification authority store.
- To specify that clients use an alternate name for the access
attempt, select Use a different user name for the
- For improved security and a better user experience, select
Do not prompt user to authorize new servers or trusted
- Click OK to save the Smart Card or other Certificate
Properties settings. Click OK again to return to the
New Wired Network Policy Properties dialog box.
- In When connecting, select either Use my smart card, or select both Use a certificate on this computer and Use simple certificate selection (Recommended).