This article describes how to use Extensible Authentication Protocol (EAP) to create more secure Virtual Private Network (VPN) configurations.
EAP can be used to provide an added layer of security to VPN technologies such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). EAP enables this functionality through Certificate Authority (CA) and SmartCard technologies, which provide mutual authentication of the client and the server.
To use EAP with a VPN, the server must be configured to accept EAP authentication as a valid authentication method and it must have a user certificate (X.509). The client must be configured to use EAP, and either have a SmartCard (with a SmartCard Certificate installed) or a user certificate.
The client computer can either be configured to use a SmartCard reader and a SmartCard that has a valid certificate installed, or you can install a user certificate on the client. To find the client user certificate, start the Certificates - Current User snap-in in Microsoft Management Console (MMC), click Personal, and then click Certificates. To load this snap-in, add the Certificates snap-in, and then click My User Account. Both the client and server must have a certificate from the same CA or from a CA in a trusted hierarchy.
Creating a Phonebook Entry
To enable the client to use EAP, you must first create a phonebook entry. To do this, follow these steps:
- Click Start, point to Settings, and then click Network and Dialup Connections.
- Click Make New Connection.
- Click Connect to a private network through the Internet and click Next.
- Click either Automatically dial this initial connection, or Do not dial the initial connection, and then click Next.
- Type the host name or IP address of the VPN server and click Next.
- Click either For all users, or Only for myself, and then click Next.
- In the Internet Connection Sharing dialog box, click Next.
- Name the connection and click Finish.
Configuring the Phonebook Entry to Use EAP
After you have created the phonebook entry, configure this entry to use EAP. To do this, follow these steps:
- Right-click the new phonebook entry, click Properties, and then click the Security tab.
- Click Advanced (custom settings), and then click the Settings button.
- Click Smart Card or other Certificate (encryption enabled).
- Click Properties, and then click either Use my smart card or Use a certificate on this computer.
- Ensure that the Validate Server certificate option is enabled.
- If necessary, click to select the Connect only if server name ends with: check box.
- In the Trusted root certificate authority box, click the CA that issued the certificate for use with a SmartCard or the user certificate that is installed.
- If necessary, click to select the Use a different user name for the connection check box.
The user must be logged on to the computer to use EAP with a user certificate.
You cannot use EAP when you select the Log on using Dialup Networking option. If it is necessary to log on by using the Log on using Dialup Networking option, you must use SmartCard technologies.
The server must have a computer certificate installed. To verify the server computer certificate, start the Certificates - Local Computer snap-in, click Personal, and then click Certificates. Both the client and server must have a certificate from the same CA or from a CA in a trusted hierarchy.
Configuring Routing and Remote Access to accept EAP authentication
To configure the Routing and Remote Access service to accept EAP authentication, follow these steps:
- Start the Routing and Remote Access snap-in.
- Right-click the server name, click Properties, and then click the Security tab.
- Click Authentication Methods.
- Click to select the Extensible authentication protocol (EAP) check box, and then click OK.
- Click OK.
Enabling EAP in Remote Access Policies
To enable EAP with remote access policies, follow these steps:
NOTE: The Remote Access Policies component is included in the Routing and Remote Access snap-in by default. However, if Internet Authentication Service (IAS) (also known as RADIUS) is installed, the Remote Access Policies component is included with the IAS snap-in instead.
- Click Remote Access Policies.
- In the right pane, double-click Allow access if dial-in permission is enabled.
- Click Edit Profile, and then click the Authentication tab.
- Click to select the Extensible Authentication Protocol check box.
- Click Smart Card or other Certificate, and then click Configure.
- The Smart Card or other Certificate Properties option should now be displayed. This option enables users to enter the certificate that is used for EAP in the Certificate issued to box.