VPN authentication options

Applies to

• WindowsВ 10
• WindowsВ 10 Mobile

In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).

Windows supports a number of EAP authentication methods.

Method	Details
EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)	User name and password authentication Winlogon credentials — can specify authentication with computer sign-in credentials
EAP-Transport Layer Security (EAP-TLS)	Supports the following types of certificate authentication Certificate with keys in the software Key Storage Provider (KSP) Certificate with keys in Trusted Platform Module (TPM) KSP Smart card certficates Windows Hello for Business certificate Certificate filtering Certificate filtering can be enabled to search for a particular certificate to use to authenticate with Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based Server validation — with TLS, server validation can be toggled on or off Server name — specify the server to validate Server certificate — trusted root certificate to validate the server Notification — specify if the user should get a notification asking whether to trust the server or not
Protected Extensible Authentication Protocol (PEAP)	Server validation — with PEAP, server validation can be toggled on or off Server name — specify the server to validate Server certificate — trusted root certificate to validate the server Notification — specify if the user should get a notification asking whether to trust the server or not Inner method — the outer method creates a secure tunnel inside while the inner method is used to complete the authentication EAP-MSCHAPv2 EAP-TLS Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials. Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed «cryptobinding», is used to protect the PEAP negotiation against «Man in the Middle» attacks.
Tunneled Transport Layer Security (TTLS)	Inner method Non-EAP Password Authentication Protocol (PAP) CHAP MSCHAP MSCHAPv2 EAP MSCHAPv2 TLS Server validation: in TTLS, the server must be validated. The following can be configured: Server name Trusted root certificate for server certificate Whether there should be a server validation notification

For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:

• Smart card
• Certificate
• Windows Hello for Business
• User name and password
• One-time password
• Custom credential type

Configure authentication

See EAP configuration for EAP XML configuration.

To configure Windows Hello for Business authentication, follow the steps in EAP configuration to create a smart card certificate. Learn more about Windows Hello for Business.

The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).

Параметры проверки подлинности для VPN VPN authentication options

Относится к: Applies to

• Windows 10 Windows 10
• Windows 10 Mobile Windows 10 Mobile

В дополнение к старым и менее безопасным методам проверки подлинности с паролем (которых следует избегать), встроенное решение VPN использует протокол EAP для безопасной проверки подлинности на основе сертификатов и на основе имени пользователя и пароля. In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. Вы можете настроить проверку подлинности на основе EAP, только выбрав встроенный тип VPN (IKEv2, L2TP, PPTP или автоматический). You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).

Windows поддерживает различные методы проверки подлинности EAP. Windows supports a number of EAP authentication methods.

Способ Method	Подробности Details
Протокол EAP-MSCHAP версии 2 (EAP-MSCHAPv2) EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)	Проверка подлинности на основе имени пользователя и пароля User name and password authentication Учетные данные Winlogon — можно настроить проверку подлинности с помощью учетных данных компьютера Winlogon credentials — can specify authentication with computer sign-in credentials
Протокол EAP-TLS EAP-Transport Layer Security (EAP-TLS)	Поддерживает следующие типы проверки подлинности сертификата Supports the following types of certificate authentication Сертификат с ключами в программном поставщике хранилища ключей (KSP) Certificate with keys in the software Key Storage Provider (KSP) Сертификат с ключами в KSP доверенного платформенного модуля (TPM) Certificate with keys in Trusted Platform Module (TPM) KSP Сертификаты смарт-карты Smart card certficates Сертификат Windows Hello для бизнеса Windows Hello for Business certificate Фильтрация сертификатов Certificate filtering Фильтрацию сертификатов можно включить для поиска определенного сертификата, который будет использоваться для проверки подлинности Certificate filtering can be enabled to search for a particular certificate to use to authenticate with Фильтрация может быть основана на издателе или улучшенном ключе (EKU) Filtering can be Issuer-based or Enhanced Key Usage (EKU)-based Проверка сервера — при использовании TLS проверку сервера можно включить и отключить Server validation — with TLS, server validation can be toggled on or off Имя сервера — укажите сервер для проверки Server name — specify the server to validate Сертификат сервера — доверенный корневой сертификат для проверки подлинности сервера Server certificate — trusted root certificate to validate the server Уведомление — укажите, увидит ли пользователь уведомление с вопросом о том, нужно ли доверять серверу Notification — specify if the user should get a notification asking whether to trust the server or not
Протокол PEAP Protected Extensible Authentication Protocol (PEAP)	Проверка сервера — при использовании PEAP проверку сервера можно включить и отключить Server validation — with PEAP, server validation can be toggled on or off Имя сервера — укажите сервер для проверки Server name — specify the server to validate Сертификат сервера — доверенный корневой сертификат для проверки подлинности сервера Server certificate — trusted root certificate to validate the server Уведомление — укажите, увидит ли пользователь уведомление с вопросом о том, нужно ли доверять серверу Notification — specify if the user should get a notification asking whether to trust the server or not Внутренний метод — внешний метод создает безопасный туннель внутри, а внутренний метод используется для выполнения проверки подлинности Inner method — the outer method creates a secure tunnel inside while the inner method is used to complete the authentication EAP-MSCHAPv2 EAP-MSCHAPv2 EAP-TLS EAP-TLS Быстрое переподключение: сокращает задержку между запросом на проверку подлинности клиента и ответом сервера политики сети (NPS) или другого сервера RADIUS. Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. Это снижает требования к ресурсам для клиента и сервера, а также уменьшает число запросов учетных данных у пользователей. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials. Привязка с шифрованием: получая значения из материала ключа PEAP этапа 1 (туннельный ключ) и внутреннего материала ключа метода EAP PEAP этапа 2 (внутренний ключ сеанса), можно подтвердить, что два процесса проверки подлинности заканчиваются в одинаковых двух объектах (одноранговый элемент PEAP и сервер PEAP). Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). Этот процесс называется «привязкой с шифрованием» и используется для защиты согласования PEAP от атак типа «злоумышленник в середине». This process, termed «cryptobinding», is used to protect the PEAP negotiation against «Man in the Middle» attacks.
Протокол TTLS Tunneled Transport Layer Security (TTLS)	Внутренний метод Inner method Не EAP Non-EAP Протокол PAP Password Authentication Protocol (PAP) CHAP CHAP MSCHAP MSCHAP MSCHAPv2 MSCHAPv2 EAP EAP MSChapv2 MSCHAPv2 TLS TLS Проверка сервера: в TTLS сервер должен быть проверен. Server validation: in TTLS, the server must be validated. Следующие параметры можно настроить. The following can be configured: Имя сервера Server name Доверенный корневой сертификат для сертификата сервера Trusted root certificate for server certificate Следует ли отправлять уведомление о проверке сервера Whether there should be a server validation notification

Для подключаемого модуля UWP VPN поставщик приложения управляет используемым методом проверки подлинности. For a UWP VPN plug-in, the app vendor controls the authentication method to be used. Можно использовать следующие типы учетных данных: The following credential types can be used:

• смарт-карта; Smart card
• сертификат; Certificate
• Windows Hello для бизнеса; Windows Hello for Business
• имя пользователя и пароль; User name and password
• одноразовый пароль; One-time password
• пользовательский тип учетных данных. Custom credential type

Настройка проверка подлинности Configure authentication

Конфигурацию XML для EAP см. в разделе Конфигурация EAP. See EAP configuration for EAP XML configuration.

Чтобы настроить проверку подлинности Windows Hello для бизнеса, выполните действия, описанные в разделе Конфигурация EAP для создания сертификата смарт-карты. To configure Windows Hello for Business authentication, follow the steps in EAP configuration to create a smart card certificate. Подробнее о Windows Hello для бизнеса. Learn more about Windows Hello for Business.

На следующем изображении показано поле для EAP XML в профиле VPN решения Microsoft Intune. The following image shows the field for EAP XML in a Microsoft Intune VPN profile. Поле EAP XML отображается только при выборе встроенного типа подключения (автоматический, IKEv2, L2TP, PPTP). The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).

Windows 10 eap-tls authentication

I am currently trying to enable 802.1x on the switch.

State I am in:
— Windows 10 never sends the client cert to the switch, it ignores the Request Identity packets.

— On windows 10, authentication always fails, no internet access through the ethernet, however, in wireshark that interface says it has an IP and I can see broadcasts on the network (in the adapter settings details tab, it shows ip to be 169.254.232.155, but wireshark does indeed have valid vlan IP listed — this IP does not show in the DHCP server leases and it persists over reinstalling wireshark)
— Since my network adapter then disappeared I reinstalled the windows, however, I still get broadcasts from the ethernet, but now even wireshark tells me it has no IPs for that interface.
— When my adapter was gone in windows (and thus no longer received broadcasts), I managed to connect with Ubuntu VM (but I still had to fool it by making a wpa_supplicant config file and setting the key management to wpa-tls, connecting and then manually requesting dhcp info — it did not work when I only put it into the gui manager, it would ask for password forever, but worked by itself upon reboot)

My only clue right now is that the NPS Windows Server is necessary and I will not get this to work without it.

Some notes:
-I put client cert into personal store and my CA cert into Trusted CA list (then I also put it into Trusted intermediary CAs, along with switch’s cert). I did this first only in the machine certs, but then I added them to user certs as well, for the sake of it
-Switch has CA.pem and Server.pem certs in it
-Certs were generated via the Makefile freeradius provides, since on the website they state the certs should be compatible with windows’ requirements
-I tested certs via eapol_test utility, so I know they can authenticate against radius, but first it would be cool if WIndows sent the cert over to it
-I am using Simple Cert Selection (I tried both with and without verify the server’s identity)

Which leads me to my questions:
1 — Can Windows 10 do 802.1x without NPS? Since editing group policies on NPS is like the only thing I have not done (there is no NPS)
2 — This is lower priority, but how can I make windows not receive packets on interface that is not authenticated? It is setup for 802.1x on switch and should not show anything when the client is not authenticated (at least thats what I imagined). In other words, can I reset the adapter?