EAP

Applies To: Windows 7, Windows Server 2008 R2

Extensible Authentication Protocol (EAP) allows the authentication mechanism to be negotiated by the remote access client and the authenticator (either the RRAS or RADIUS server). By default, RRAS supports EAP-Transport Level Security (EAP-TLS). You can enable other EAP modules on the RRAS server to provide other EAP types.

EAP allows for an open-ended conversation between the remote access client and the authenticator. The conversation consists of authenticator requests for authentication information and the responses from the remote access client. For example, when EAP is used with security token cards, the authenticator can separately query the remote access client for a name, PIN, and card token value. As each query is asked and answered, the remote access client passes through another level of authentication. When all questions have been answered satisfactorily, the remote access client is authenticated.

Both the remote access client and the authenticator must support the same EAP type for successful authentication to occur.

EAP-TLS

EAP-TLS is an EAP type used in certificate-based security environments. If you are using smart cards for remote access authentication, you must use EAP-TLS. The EAP-TLS exchange of messages provides mutual authentication, negotiation of an encryption method, and encrypted key determination between the remote access client and the authenticator. EAP-TLS provides the strongest authentication and key determination method.

EAP-TLS is supported only on RRAS servers that are joined to a domain. An RRAS server running as a stand-alone server or a member of a workgroup does not support EAP-TLS.

EAP-RADIUS

EAP-RADIUS is not an EAP type, but the passing of EAP messages of any EAP type by the RRAS server to a RADIUS server for authentication. For example, for an RRAS server that is configured for RADIUS authentication, the EAP messages sent between the remote access client and remote access server are encapsulated and formatted as RADIUS messages between the remote access server and the RADIUS server.

EAP-RADIUS is used in environments where RADIUS is the authentication provider. An advantage of using EAP-RADIUS is that modules to support additional EAP types do not need to be installed at each remote access server, only at the RADIUS server. In the case of a server running Network Policy Server (NPS), you only need to install the EAP types on the NPS server.

In a typical use of EAP-RADIUS, an RRAS server is configured to use EAP and to use a server running NPS for authentication. When a connection is made, the remote access client negotiates the use of EAP with the RRAS server. When the client sends an EAP message to the RRAS server, the RRAS server encapsulates the EAP message as a RADIUS message and sends it to the server running NPS. The server running NPS processes the EAP message and sends a RADIUS-encapsulated EAP message back to the RRAS server. The RRAS server then forwards the EAP message to the remote access client. In this configuration, the RRAS server is only a pass-through device. All processing of EAP messages occurs at the remote access client and the server running NPS.

RRAS can be configured to authenticate locally or against a RADIUS server. If RRAS is configured to authenticate locally, all EAP methods are authenticated locally. If RRAS is configured to authenticate against a RADIUS server, all EAP messages are forwarded to the RADIUS server by using EAP-RADIUS.
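The EAP-RADIUS pass-through described above, as an added example in Python (not code from the original page or from RRAS/NPS): the client's EAP-Response/Identity is wrapped in a RADIUS Access-Request using the EAP-Message and Message-Authenticator attributes defined in RFC 3579, and the receiving side verifies the Message-Authenticator before reassembling the EAP packet. The shared secret, identifiers and Request Authenticator are constructed values; a real server generates a random Request Authenticator per request.

```python
import hashlib
import hmac
import struct

RADIUS_ACCESS_REQUEST = 1        # RADIUS Code for Access-Request (RFC 2865)
ATTR_EAP_MESSAGE = 79            # EAP-Message attribute (RFC 3579)
ATTR_MESSAGE_AUTHENTICATOR = 80  # Message-Authenticator attribute (RFC 3579)
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

def eap_identity_response(identifier, identity):
    """EAP-Response/Identity as the remote access client sends it: Code, Id, Length, Type, data."""
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(identity), EAP_TYPE_IDENTITY) + identity

def _attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value

def encapsulate_eap(eap, secret, identifier, request_authenticator):
    """RRAS pass-through: wrap the client's EAP packet in a RADIUS Access-Request.
    EAP-Message carries at most 253 bytes per attribute; Message-Authenticator is
    HMAC-MD5(secret, packet) computed with its own value zeroed (RFC 3579)."""
    attrs = b"".join(_attr(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet += request_authenticator + attrs  # request_authenticator is a constructed 16-byte value here
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_radius(packet, secret):
    """NPS side: check framing and Message-Authenticator, then reassemble the EAP packet.
    Returns (code, identifier, eap_bytes); raises ValueError on any defect."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad packet length")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    pos, eap, mac, mac_offset = 20, b"", None, None
    while pos < length:
        atype, alen = packet[pos], (packet[pos + 1] if pos + 2 <= length else 0)
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_EAP_MESSAGE:
            eap += value
        elif atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            mac, mac_offset = value, pos + 2
        pos += alen
    if eap and mac is None:  # RFC 3579: EAP-Message requires Message-Authenticator
        raise ValueError("EAP-Message without Message-Authenticator")
    if mac is not None:
        zeroed = packet[:mac_offset] + bytes(16) + packet[mac_offset + 16:]
        if not hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), mac):
            raise ValueError("Message-Authenticator mismatch")
    return code, identifier, eap
```

A packet whose EAP-Message was altered in transit, one sent with the wrong shared secret, and one carrying EAP-Message without Message-Authenticator are all rejected before any EAP processing happens, which is the integrity check a RADIUS server must apply to pass-through traffic.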

Enabling EAP

To enable EAP-based authentication, you must do the following:

  1. Enable EAP as an authentication protocol on the remote access server.

  2. Enable EAP and, if required, configure the EAP type on the appropriate network policy.

  3. Enable and configure EAP on the remote access client.

Additional considerations

  • Make sure your network access server (NAS) supports EAP before you enable it on a network policy on a server running NPS. For more information, see your NAS documentation.

Additional references