Windows 2012 R2 NPS with PEAP-MSCHAPv2 Authentication for WIFI Users

To better understand Windows 2012 R2 NPS, following my previous post “RADIUS Authentication between NPS & OpenVPN”, I borrowed an HP MSM410 from my friend to set up a lab for PEAP-MSCHAPv2 authentication for WIFI clients.

Before continuing with my lab, I did some reading on the differences between PEAP, EAP-TLS and EAP-MSCHAPv2:

  1. PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as a server running Network Policy Server (NPS) or other Remote Authentication Dial-In User Service (RADIUS) server.
  2. PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MS-CHAP v2), that can operate through the TLS encrypted channel provided by PEAP.
  3. PEAP supports fast reconnect, which reduces the delay between an authentication request by a client and the response by the NPS or other RADIUS server. PEAP fast reconnect also allows wireless clients to move between access points that are configured as RADIUS clients to the same RADIUS server without repeated requests for authentication. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
  4. After the TLS channel is created between the NPS server and the PEAP client, the client passes the credentials (user name and password or a user or computer certificate) to the NPS server through the encrypted channel.

    The access point only forwards messages between wireless client and RADIUS server; the access point (or a person monitoring it) cannot decrypt these messages because it is not the TLS endpoint.

    The NPS server authenticates the user and client computer with the authentication type that is selected for use with PEAP. The authentication type can be either EAP-TLS (smart card or other certificate) or EAP-MS-CHAP v2 (secure password).

EAP-MSCHAPv2 requires a Microsoft Certificate Authority (CA) server to present a certificate to the wireless users so that they can verify that they are talking to the correct RADIUS server. In this lab we will install the Microsoft CA on the same host as NPS.

My lab setup is as follows:

  1. Windows 2012 R2 Server – AD, NPS, IIS and Microsoft CA Server (Certification Authority & Certification Authority Web Enrollment are required)
  2. 1 x HP MSM410 Wireless Access Point (AP)
  3. 1 x Surface Pro 4 running on Windows 10 (Workgroup)

Please refer to the following PowerShell to install IIS, Microsoft CA & NPS Roles
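
One way to install these roles, as an added example rather than the author's own script. It assumes an elevated PowerShell session on the lab server, which is already a domain controller, and an Enterprise Root CA (an assumption, chosen because the template-based certificate request in the next steps needs one):

```powershell
# Added example: install the roles used in this lab on Windows Server 2012 R2.
# Assumption: the server is already an AD domain controller, as in the lab.
$roles = 'Web-Server', 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment', 'NPAS'

$result = Install-WindowsFeature -Name $roles -IncludeManagementTools
if (-not $result.Success) { throw 'Role installation failed' }

# Assumption: Enterprise Root CA, so that certificate templates such as
# "Domain Controller" and "Computer" can be requested from the MMC snap-in.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force
Install-AdcsWebEnrollment -Force

# Confirm every role reports as installed before moving on.
Get-WindowsFeature -Name $roles | Format-Table Name, InstallState -AutoSize
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Restart required' }
```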

We need to install a server certificate for NPS before configuring the NPS policy:

  1. Enter mmc on PowerShell / Command Prompt 
  2. Click File > Add / Remove Snap-in > Certificate > Add > Computer Account 
  3. Expand Local Computer > Personal > Certificates 
  4. Right Click > All Tasks > Request New Certificate 


  5. Select Next to continue
  6. Select Domain Controller, as we installed Microsoft CA together with the AD Domain Controller and NPS Server. If your NPS server is installed on a member server, select Computer instead
  7. Click Finish to complete the certificate import process
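
A check that the enrolled certificate is usable by NPS for PEAP, as an added example that is not part of the original post. It lists every certificate in the local computer's Personal store with the properties that matter here: Server Authentication EKU, private key, expiry and chain validity.

```powershell
# Added example: run on the NPS server after the certificate request completes.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        DnsNames      = ($_.DnsNameList.Unicode -join ', ')
        NotAfter      = $_.NotAfter
        Expired       = ($_.NotAfter -lt (Get-Date))
        HasPrivateKey = $_.HasPrivateKey
        # PEAP needs a certificate whose EKU includes Server Authentication.
        ServerAuthEku = ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        # Verify() builds the chain to a trusted root using the default policy.
        ChainValid    = $_.Verify()
    }
} | Format-List
```

The certificate to select later in the PEAP properties is the one where `HasPrivateKey`, `ServerAuthEku` and `ChainValid` are all true and `Expired` is false.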


Creating Policy for NPS 

Two types of policies are used with NPS: “Connection Request Policies” and “Network Policies”. When a request is received, it is first matched against the Connection Request Policies; if the resulting match says “local authentication”, the request is also matched against the “Network Policies”. The order of policies is important: once a policy's conditions are met, processing of further policies stops.

  1. Create a new “NAP 802.1X (Wireless)” Connection Request Policy and disable the default “Use Windows Authentication for all users” policy
    • EAP Type : Added Microsoft: Protected EAP (PEAP) & Microsoft: Smart Card or other certificate (the latter is only required for my next post, which uses certificate-based authentication)

    Highlight PEAP and click “Edit” to verify that the certificate which we requested and imported successfully is selected, and ensure that “Enable Fast Reconnect” is enabled

  2. Create a new “NAP 802.1X (Wireless) Compliant” Network Policy with PEAP & Smart Card or other Certificate


The following can be configured in Conditions:

  1. Windows Groups – Only allow users who belong to a certain AD group to log in
  2. NAS Port Type – Wireless – IEEE 802.11, to specify that this policy is only applied to WIFI users
  3. Remove the Health Policy (if any) for this lab

Configuration of HP MSM 410 for MSCHAPv2 Authentication 


Create a new RADIUS profile, enter the IP address of the NAP Server in Primary Server, and select MSCHAPv2

#Login to WIFI using Windows 10 machine (Workgroup)

Enter the AD username and password of a user who is in the group included in Network Policy > Conditions > Windows Group, and click OK

You should be able to connect to the WIFI successfully

** Ignore the “connect using a certificate” option for this lab; I will update again once I have tested it


#Login to WIFI using iPhone 

Enter the AD username and password and click “Trust” to accept the certificate (first time only); you should now be able to connect to the WIFI successfully.



#Login using MacBook Air 


Set Mode to “Automatic” and click “Join” with a valid AD username and password


The MacBook Air logs in successfully using PEAP-MSCHAPv2

No root certificate needs to be imported to Windows 10, the iPhone or the MacBook Air prior to WIFI authentication with EAP-MSCHAPv2; users can log in to the WIFI network once they enter their AD username and password

I will test EAP-TLS (smart card or other certificate) soon and update in my next post.
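
Whether a Windows client actually verifies that it is talking to the correct RADIUS server is recorded in its saved WLAN profile. The following added example (not from the original post) inspects the PEAP section of a profile such as one exported with `netsh wlan export profile`; the XML is a constructed, abridged sample and `Test-PeapServerValidation` is a hypothetical helper name.

```powershell
# Constructed, abridged PEAP section of a Windows WLAN profile (element names
# follow the MsPeapConnectionPropertiesV1 schema; values are sample data).
$sampleProfile = @'
<EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
  <FastReconnect>true</FastReconnect>
</EapType>
'@

function Test-PeapServerValidation {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $doc = [xml]$ProfileXml
    # local-name() keeps the queries independent of namespace prefixes.
    $sv = $doc.SelectSingleNode("//*[local-name()='ServerValidation']")
    if (-not $sv) {
        return [pscustomobject]@{ Pinned = $false; Findings = @('No ServerValidation element found') }
    }
    $names   = $sv.SelectSingleNode("*[local-name()='ServerNames']")
    $roots   = @($sv.SelectNodes("*[local-name()='TrustedRootCA']"))
    $prompt  = $sv.SelectSingleNode("*[local-name()='DisableUserPromptForServerValidation']")
    $perform = $doc.SelectSingleNode("//*[local-name()='PerformServerValidation']")

    $findings = @()
    if ($perform -and $perform.InnerText -eq 'false') { $findings += 'Server certificate validation is switched off' }
    if (-not $names -or [string]::IsNullOrWhiteSpace($names.InnerText)) { $findings += 'ServerNames is empty: no RADIUS server name is pinned' }
    if ($roots.Count -eq 0) { $findings += 'No TrustedRootCA is pinned' }
    if (-not $prompt -or $prompt.InnerText -ne 'true') { $findings += 'User can be prompted to trust an unknown server certificate' }

    [pscustomobject]@{ Pinned = ($findings.Count -eq 0); Findings = $findings }
}

Test-PeapServerValidation -ProfileXml $sampleProfile | Format-List
```

For the sample profile the function reports `Pinned = False` with three findings, which matches a client that accepts the server certificate at a trust prompt rather than from a pre-installed root.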