Article ID: 259880
This article was previously published under Q259880
This article describes how to use Extensible Authentication Protocol (EAP) to create more secure Virtual Private Network (VPN) configurations.
EAP can be used to provide an added layer of security to VPN technologies such as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). EAP enables this functionality through Certificate Authority (CA) and SmartCard technologies, which provide mutual authentication of the client and the server.
To use EAP with a VPN, the server must be configured to accept EAP authentication as a valid authentication method and it must have a user certificate (X.509). The client must be configured to use EAP, and either have a SmartCard (with a SmartCard Certificate installed) or a user certificate.
Client Configuration
The client computer can be configured either to use a SmartCard reader and a SmartCard that has a valid certificate installed, or to use a user certificate installed on the client. To find the client user certificate, start the Certificates - Current User snap-in in Microsoft Management Console (MMC), click Personal, and then click Certificates. To load this snap-in, add the Certificates snap-in, and then click My User Account.
NOTE: Both the client and server must have a certificate from the same CA or a CA in a trusted hierarchy.
Creating a Phonebook Entry
To enable the client to use EAP, you must first create a phonebook entry. To do this, follow these steps:
Configuring the Phonebook Entry to Use EAP
After you have created the phonebook entry, configure this entry to use EAP. To do this, follow these steps:
You cannot use EAP when you select the Log on using Dialup Networking option. If it is necessary to log on by using the Log on using Dialup Networking option, you must use SmartCard technologies.
Server Configuration
The server must have a computer certificate installed. To verify the server computer certificate, start the Certificates - Local Computer snap-in, click Personal, and then click Certificates. Both the client and server must have a certificate from the same CA or from a CA in a trusted hierarchy.
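The two certificate checks above (the client's user certificate in the Current User store and the server's computer certificate in the Local Computer store, both chaining to the same CA or a trusted hierarchy) can be scripted. The following is an added example, not part of the original article; it assumes the usual EAP-TLS requirements that the server certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1), the client certificate carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2), and each has a private key and builds a valid chain. Run it on each side and compare the RootCA column.

```powershell
# Added example (not from the KB): reports which certificates in a store are
# usable for EAP-TLS and which root CA each one chains to, so the client and
# server roots can be compared. The EKU OIDs below are an assumption about
# EAP-TLS, not something the article states.
function Get-EapCertificateReport {
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$StoreLocation,
        [string]$RequiredEku
    )
    foreach ($cert in Get-ChildItem "Cert:\$StoreLocation\My") {
        # Collect the OIDs in the Enhanced Key Usage extension, if present.
        # A certificate with no EKU extension is treated here as NOT usable,
        # which is the conservative reading for an authentication certificate.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

        # Build the chain to a trusted root. Revocation is skipped so the check
        # works offline; remove that line to also require a reachable CRL.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainOk = $chain.Build($cert)
        $root = $null
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
        }

        $hasEku = $ekuOids -contains $RequiredEku
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            HasEku        = $hasEku
            ChainValid    = $chainOk
            RootCA        = $root
            UsableForEap  = $cert.HasPrivateKey -and $hasEku -and $chainOk
        }
    }
}

# Server side: the computer certificate in the Local Computer store.
Get-EapCertificateReport -StoreLocation LocalMachine -RequiredEku '1.3.6.1.5.5.7.3.1' | Format-Table -AutoSize

# Client side: the user certificate in the Current User store.
Get-EapCertificateReport -StoreLocation CurrentUser -RequiredEku '1.3.6.1.5.5.7.3.2' | Format-Table -AutoSize
```

If the RootCA values differ between the client and server reports, one side is not in a CA hierarchy the other trusts, which is the condition the NOTE above warns about.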
Configuring Routing and Remote Access to Accept EAP Authentication
To configure the Routing and Remote Access service to accept EAP authentication, follow these steps:
Enabling EAP in Remote Access Policies
To enable EAP with remote access policies, follow these steps:
NOTE: The Remote Access Policies component is included in the Routing And Remote Access snap-in by default. However, if Internet Authentication Service (IAS) (also known as RADIUS) is installed, the Remote Access Policies component is included with the IAS snap-in instead.