
RADIUS: Creating a Policy in NPS to support EAP-TLS authentication

When using WPA2-Enterprise with 802.1X authentication, EAP-TLS can be specified as the authentication method. With EAP-TLS, both the wireless client and the RADIUS server use certificates to verify their identities to each other, performing mutual authentication. Below are the steps for configuring policy in Windows Network Policy Server (NPS) to support EAP-TLS.

Creating a Connection Request Policy to support IEEE 802.11 wireless connections.

 

  1. Open the Network Policy Server console.
  2. Navigate to NPS(Local)>Policies>Connection Request Policies.
  3. Right click Connection Request Policies and select New.
  4. On Specify Connection Policy Name and Connection Type enter a Policy name: and click Next.
  5. On Specify Conditions click Add.
  6. Select NAS Port Type as a condition.
  7. For NAS Port Type check Wireless - IEEE 802.11 and Wireless - Other, then click OK.
  8. Click Next.
  9. On Specify Connection Request Forwarding leave the defaults and click Next.
  10. On Specify Authentication Methods leave the defaults and click Next.
  11. On Configure Settings click Next.
  12. Review the settings on Completing Connection Request Policy Wizard and click Finish.
  13. Right click the Connection Policy created and select Move up so its processing order is before any other policies. 


Creating a Network Policy to support EAP-TLS as the authentication method for IEEE 802.11 wireless connections.

 

  1. Right click Network Policies and select New.
  2. On Specify Network Policy Name and Connection Type enter a Policy name: and click Next.
  3. On Specify Conditions click Add.
  4. Select NAS Port Type as a condition.
  5. For NAS Port Type check Wireless - IEEE 802.11 and Wireless - Other, then click OK.
  6. Click Next.
  7. On Specify Access Permissions make sure Access granted is selected and click Next.
  8. On Configure Authentication Methods click Add and choose Microsoft: Smart Card or other certificate for Add EAP and click OK.
  9. Uncheck any boxes under Less secure authentication methods.
  10. Select Microsoft: Smart Card or other certificate for EAP types and click Edit.
  11. Verify that the Certificate issued to: drop-down shows the correct certificate and that its issuer is the Active Directory CA server. Then click OK.
  12. Click Next.
  13. On Configure Constraints click Next.
  14. On Configure Settings choose NAP Enforcement.
  15. Under Auto-Remediation, uncheck the box Auto-remediation of client computers and click Next.
  16. Review the settings on Completing New Network Policy and click Finish.
  17. Right click the Network Policy created and select Move up so its processing order is before any other policies. 
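
The certificate check in step 11 and the resulting policies can also be reviewed from an elevated PowerShell session on the NPS server. The script below is an added example, not part of the original article. It assumes the NPS certificate lives in the local machine Personal store and carries the Server Authentication EKU, and the 30-day expiry threshold is an arbitrary choice.

```powershell
# Added example: list certificates NPS could present for EAP-TLS and
# show who issued them, then print the configured NPS policies.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$warnDays      = 30                    # assumed expiry warning threshold

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # NPS needs the private key and a certificate valid for server authentication.
    # Certificates with no EKU extension at all are skipped by this filter.
    if (-not $cert.HasPrivateKey) { continue }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) { continue }

    # Build the chain so the root of the issuing hierarchy and any
    # trust or revocation errors are visible next to the certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $valid = $chain.Build($cert)
    $root  = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer        # should be the Active Directory CA
        RootCA      = $root
        NotAfter    = $cert.NotAfter
        ExpiresSoon = ($cert.NotAfter -lt (Get-Date).AddDays($warnDays))
        ChainValid  = $valid
        ChainErrors = ($chain.ChainStatus.Status -join ', ')
        Thumbprint  = $cert.Thumbprint
    }
}
$report | Sort-Object NotAfter | Format-List

# Print the connection request policies and network policies for review
# against the settings chosen in the steps above.
netsh nps show crp
netsh nps show np
```

A certificate that reports `ChainValid = False` or an unexpected `RootCA` should be resolved before it is selected in the EAP properties, since clients that validate the server certificate will reject it.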


Last modified
21:28, 2 Feb 2015


Article ID

ID: 1626
