Configuring Authentication with Certificates or Smart Cards

Enabling EAP authentication might or might not be enough to allow your users to authenticate with a smart card or public key certificate. If you are using an enterprise CA and your Routing And Remote Access servers are members of the same domain, they will be automatically configured to allow EAP authentication for certificates signed by the enterprise CA. To verify that certificate or smart card authentication is enabled for a remote access policy, follow this procedure:


1. Open the Routing And Remote Access console.
2. In the left pane, expand the server node, and then click Remote Access Policies.
3. In the right pane, right-click the RAP that applies to the users who will authenticate with certificates, and then click Properties. If the RAP does not yet exist, create one.
4. Click Edit Profile, and then click the Authentication tab.
5. Click the EAP Methods button. The Select EAP Providers list appears.
6. If Smart Card Or Other Certificate is not listed in the EAP Types list, click Add. Click Smart Card Or Other Certificate, and then click OK.
7. Click Smart Card Or Other Certificate, and then click Edit.
8. Click the Certificate Issued To list, and then click the certificate you will use to identify the Routing And Remote Access server. Click OK four times.

If your certificates are not issued by an enterprise CA, or if your computer has more than one certificate, you should add a remote access policy specifically for authenticating users with a smart card or other certificate. To do so, follow this procedure:

1. Open the Routing And Remote Access console.
2. In the left pane, expand the server node. Right-click Remote Access Policies, and then click New Remote Access Policy. The New Remote Access Policy Wizard appears.
3. Click Next.
4. On the Policy Configuration Method page, in the Policy Name box, type a name for the policy. Click Next.
5. On the Access Method page, click either VPN or Dial-Up. Click Next.
6. On the User Or Group Access page, select your preferred authorization method. Click Next.
7. On the Authentication Methods page, select Extensible Authentication Protocol (EAP). Click the Type list, and then click Smart Card Or Other Certificate.
8. Click the Configure button. Click the Certificate Issued To list, and then click the certificate you will use to identify the Routing And Remote Access server. Click OK.
9. Clear Microsoft Encrypted Authentication Version 2 (MS-CHAPv2). Click Next.
10. On the Policy Encryption Level page, select the encryption levels you want to allow. Click Next, and then click Finish.
11. In the left pane, click Remote Access Policies. In the right pane, right-click the new policy, and then click Properties.
12. Click Grant Remote Access Permission, and then click OK.
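
When the computer has more than one certificate, it helps to know which entries in the Certificate Issued To list are usable before you pick one. The following PowerShell script is an added example, not part of the original procedure. It assumes PowerShell is installed on the server and that the server certificate is in the local computer's Personal store. Requiring an explicit Server Authentication EKU is the script's own check.

```powershell
# Added example (not from the original page): report which certificates in the
# local computer's Personal store look usable as the RRAS server certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $problems = @()

    # Gather the EKU OIDs, if the certificate carries an EKU extension.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is $ekuType) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # The server must hold the private key to prove its identity to clients.
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # Reject certificates outside their validity period.
    if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
    if ($now -gt $cert.NotAfter)  { $problems += 'expired' }

    # Assumption of this script: require an explicit Server Authentication EKU.
    if ($ekuOids -notcontains $serverAuthOid) {
        $problems += 'no Server Authentication EKU'
    }

    # Emit one record per certificate; the thumbprint identifies it unambiguously
    # when several certificates share the same subject name.
    $cert | Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'Usable';   Expression = { $problems.Count -eq 0 } },
        @{ Name = 'Problems'; Expression = { $problems -join '; ' } }
} | Format-List
```

Match the Subject and NotAfter values of a certificate reported as usable against the entry you select in the Certificate Issued To list.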
