802.1X Network Policy Server (NPS) Configuration with NAP

  • Question

  • Hi,

     

    I am configuring NPS for testing wired 802.1x authentication with NAP using the MSCHAPV2 authentication method. While configuring, I found there is no option for selecting the MSCHAPV2 authentication method. It only has the PEAP method with MSCHAPV2 and TLS as inner authentication methods.

     

    Is it possible to use the MSCHAPV2 and TLS authentication methods for NPS with NAP? Is only PEAP supported by NPS with NAP? Why are other methods not supported?

     

    Answers will help me a lot to understand the NPS with NAP concept.

     

    Thanks in Advance,

     

    Chand N. 

    Monday, May 5, 2008 3:01 PM

Answers

  • Hey Chand, just to be clear – NAP requires PEAP when terminating NAP + 802.1x on NPS. The reason you don’t see any other option is because we have a hard dependency there. This may change in future versions.

     

     

    {Jeff Sigman}{Senior Program Manager & NAP Hero}{Enterprise Security Group}

    {NAP Blog, FAQ, Forum, MSDN, Site and my blog}

    Monday, May 5, 2008 6:34 PM

All replies

  • In order to use NAP with 802.1x Authentication you have to use an EAP method and we support the following methods.

     

    · Protected EAP (PEAP)-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2): A combination of an encrypted TLS channel (created by PEAP) and a mutual authentication challenge-handshake protocol that can use user name and password credentials. Because of the TLS channel, PEAP-MS-CHAP v2 is not as susceptible to an offline dictionary attack. To perform the one-way TLS authentication for PEAP, the RADIUS servers must have a computer certificate installed that the supplicant computers trust. At this writing, PEAP-MS-CHAP v2 is the recommended EAP method for user name and password-based credentials.

    · EAP-TLS: A two-way mutual authentication method using TLS and digital certificates. EAP-TLS requires a public key infrastructure (PKI) to issue and renew computer or user certificates to supplicant computers and computer certificates to RADIUS servers.

    · PEAP-TLS: A combination of an encrypted TLS channel (created by PEAP) and a two-way mutual authentication method using TLS and digital certificates. Like EAP-TLS, PEAP-TLS requires a PKI to issue and renew computer or user certificates to supplicant computers and computer certificates to RADIUS servers.

     

    www.microsoft.com/nap

     

    Hope this helps,

     

    Lousi Hardy

    Monday, May 5, 2008 5:39 PM
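
The reply above notes that PEAP needs a computer certificate on the RADIUS server that the supplicants trust. As an added example (not part of the original thread and not Microsoft's own tooling), the PowerShell below, run on the NPS server, lists the certificates in the local computer store and flags which ones could serve that role. Treating "has a private key, is inside its validity period, and carries the Server Authentication EKU" as the criteria is an assumption of this example, not something stated in the thread.

```powershell
# Added example: audit the local computer certificate store on an NPS (RADIUS)
# server for certificates that could be presented in PEAP's server-side TLS
# authentication. The selection criteria below are assumptions of this example.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the "Server Authentication" EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect EKU OIDs; Where-Object drops a $null list so the array is empty
    # when the certificate has no EKU extension.
    $ekuOids = @($cert.EnhancedKeyUsageList |
                 Where-Object { $_ } |
                 ForEach-Object { $_.ObjectId })

    $hasServerAuth = $ekuOids -contains $serverAuthOid
    $inValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    # Verify() builds the chain with this machine's trust store only. Whether
    # the supplicants trust the issuing CA must be checked on the clients.
    $chainOkHere = $cert.Verify()

    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        NotAfter        = $cert.NotAfter
        HasPrivateKey   = $cert.HasPrivateKey
        ServerAuthEku   = $hasServerAuth
        InValidity      = $inValidity
        ChainValidHere  = $chainOkHere
        PeapCandidate   = $cert.HasPrivateKey -and $hasServerAuth -and
                          $inValidity -and $chainOkHere
    }
} | Sort-Object -Property PeapCandidate -Descending |
    Format-Table -AutoSize -Wrap
```

If no row shows `PeapCandidate` as `True`, the PEAP methods listed above have no usable server certificate on this machine.
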
  • Thank you very much for the clarification.

     

    Regards,

    Chand N

    Tuesday, May 6, 2008 4:40 AM