NPS Certificate Setup for PEAP/EAP-MSCHAPv2 Wireless Authentication on Windows Server 2008

So if you find yourself wanting to use PEAP 802.1x authentication, you will need to make sure there is a certificate bound to the PEAP authentication method on the network policy. In order to get the right type of certificate, you should follow the steps below. Note: In my case, I was unable to add a regular “Computer” enrollment so I had to follow the steps below to get it working. If you find yourself able to enroll a “Computer” certificate at step 9 below, you can ignore steps 1-8.

  1. In the Certificate Templates Console, under Template Display Name, find Computer. Right-click it, click Duplicate Template, and then click OK.
  2. In Properties of New Template, on the General tab, under Template display name, type a name for your new template. You can use something like Wireless Authentication. While you are on the General tab, you can also set a validity period. By default it will be 1 year. Do not select more than 2 years or some additional tweaking will be required (steps not listed here).
  3. Click the Security tab. Here is where you need to add permission for you to enroll. Click Authenticated Users and check the box next to Allow for Enroll. Click OK and now you’ll see the new certificate template at the bottom of the list.
  4. Close the Certificate Templates console. Click Start, Run, certsrv.msc, enter. This will open the local Certification Authority console.
  5. Right-click the Certificate Templates folder, point to New, then click Certificate Template to Issue. Scroll down the list and find the new template you created. The name I suggested was Wireless Server Auth but you might have picked something else. Highlight this template and then click OK. Now you should see that it is added to the list of Certificate Templates.
  6. While you are in this console, click on the Issued Certificates container. You should see a list here of all the certificates that this CA has issued. You can also view Pending Requests (for certificates that require approval before being issued) and Failed Requests (there was a problem issuing the cert).
  7. Go back to the local computer certificate console (Start, Run, mmc, enter, File… Add/Remove Snap-in, Certificates, Add, Computer account, Next, Local computer, Finish, OK). Right-click the container under Personal\Certificates, point to All Tasks, Request New Certificate, Next, Next. You should now see the Wireless Authentication certificate. Choose it and click Enroll. At this point you should see another certificate in the list. You can tell which one is the one you just issued by looking at the Details tab and viewing Certificate Template Information.
  8. Go back to PEAP properties in the Network Policy and choose the newly created certificate.
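Before binding the certificate in step 8, it is worth checking that the one you enrolled in step 7 is actually fit for PEAP: NPS needs the private key, supplicants reject a server certificate without the Server Authentication EKU, clients configured with "Connect to these servers" compare the subject name to the server FQDN, and the chain must build to a CA the clients trust. The script below is an added verification, not part of the original post; it assumes the template display name "Wireless Authentication" from step 2 and that the server is domain-joined so the template name resolves in the extension text.

```powershell
# Added check, not from the original post: run on the NPS server after step 7.
# Assumptions: template display name "Wireless Authentication"; domain-joined host.
$TemplateName  = 'Wireless Authentication'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                                # Server Authentication EKU
$TemplateOids  = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')  # v2 / v1 template extensions
$EkuOid        = '2.5.29.37'
$MaxDays       = 731                                                # the post's "not more than 2 years"
$Fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName

# Only look at machine certificates issued from our template
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $tmpl = $_.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value }
    $tmpl -and (($tmpl | ForEach-Object { $_.Format($true) }) -match [regex]::Escape($TemplateName))
}
if (-not $certs) {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My; redo step 7."
    return
}

foreach ($cert in $certs) {
    # Supplicants reject a PEAP server certificate that lacks Server Authentication
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    }
    # Subject DNS name should be this server's FQDN so "Connect to these servers" matches
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    # Chain must build to a trusted root (checked against this server's own trust store)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $days    = ($cert.NotAfter - $cert.NotBefore).TotalDays

    New-Object PSObject -Property @{
        Thumbprint      = $cert.Thumbprint      # the certificate to pick in PEAP properties (step 8)
        Subject         = $cert.Subject
        HasPrivateKey   = $cert.HasPrivateKey   # NPS cannot use the certificate without it
        ServerAuthEKU   = $hasServerAuth
        NameMatchesFqdn = ($dnsName -eq $Fqdn)
        ChainBuilds     = $chainOk
        ValidityOk      = ($days -le $MaxDays)
        NotAfter        = $cert.NotAfter
    } | Format-List
}
```

Every field except Subject, Thumbprint and NotAfter should read True; a False on ServerAuthEKU or HasPrivateKey means the template duplicated in step 1 was not the Computer template, and a False on ChainBuilds means clients will need the issuing CA's root distributed before they trust the PEAP server.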
