Integrating EAP-TLS Authentication With Microsoft NPS

The ability of a RADIUS Server to authenticate and authorize network users depends heavily on the effectiveness of its security system and authentication method. Using passwords invites a host of user experience shortcomings and security vulnerabilities that put your secure data at risk.

By combining SecureW2’s EAP-TLS certificate solutions with Microsoft NPS, your 802.1x network is protected from all manner of data theft attacks. SecureW2’s onboarding software auto-configures a user’s device in minutes through a few simple sets. Once configured, the certificate is tied to the user’s identity and device for the life of the certificate.

The many weaknesses of passwords are bypassed with certificate-based authentication. The need for password change policies that disrupt network connection are eliminated. From a user experience standpoint, the process can be described as set-and-forget; they complete the onboarding software once and have uninterrupted network connection.

For administration, the simplicity of certificates results in fewer support tickets and connection errors. Certificate-based authentication can also be configured to support managed devices alongside BYOD. Employing a SCEP Gateway allows for auto-configuration of managed devices with no end user interaction.

Combining secure Microsoft NPS RADIUS with certificate solutions creates a network environment that is strongly protected and a straightforward experience for users.

Integration Process Overview

  1. Configure the WPA2-Enterprise network to authenticate using 802.1x certificates
  2. Connect the Microsoft NPS RADIUS to the secure network
    • The RADIUS will authenticate and authorize users for network access by confirming their identity within the identity provider.
  3. Connect the PKI and download and install the Certificate Authorities (CA)
    • Connect the Root and Intermediate CA’s to the RADIUS and secure network. As users enroll for network access, they will be distributed certificates from the connected CA.

To complete this setup, you will need to have configured:

  • A SecureW2 Network Profile
  • A Microsoft NPS RADIUS Server
  • An Identity Provider


Configure the Secure Network for 802.1x Certificates

  1. Go to Windows > Run > MMC
  2. In the Console, navigate to File > Add/Remove Snap-in
  3. In the Add/Remove Snap-in window, select Network Policy Server from the Available snap-ins, and click Add
  4. In the Select Computer window, select Local Computer, and click OK

Adding the Network Policy Server (NPS)

  1. In the Add/Remove Snap-in window, click OK
  2. In the Console, navigate to NPS (Local) > Policies > Network Policies
  3. In the Actions pane on the right, click New under Network Policies and the New Network Policy wizard will appear
  4. In the Specify Network Policy Name and Connection Type page, enter the Policy Name and click Next
  5. In the Specify Conditions page, click Add and the Select condition page appears
  6. Select NAS Port Type, and click Add, and the NAS Port Type window appears
  7. From the Common 802.1X connection tunnel types section, select Wireless – IEEE 802.1, and click OK
    • The condition gets added to the Specify Conditions page
  8. Click Next and the Configure Authentication Methods window appears
  9. Under EAP Types, click Add and the Add EAP window appears
  10. Select Microsoft Smart Card or other certificate, and click OK
  11. De-select all the other check boxes under Less secure authentication methods and click Next
  12. In the Configure Constraints window, click Next
  13. In the Configure Settings window, click Next
  14. In the Completing New Network Policy window, click Finish

Configuring Network Policy for EAP-TLS

Connecting the Microsoft NPS RADIUS Client

  1. Go to Windows > Run > MMC
  2. In the Console, navigate to NPS (Local) > RADIUS Clients and Servers > RADIUS Clients
  3. In the Actions pane on the right, click New RADIUS Clients and the New RADIUS Client window appears
  4. Enter a Name and the IP address in the Friendly name and Address (IP or DNS) fields, respectively
  5. Enter the shared secret in the Shared secret and Confirm shared secret fields, and click OK

Creating a RADIUS Client

Downloading the Root and Intermediate CA from SecureW2

  1. Go to the SecureW2 JoinNow MultiOS and Connector Management Portal
  2. Navigate to PKI Management > Certificate Authorities
  3. Download both the Root and Intermediate CAs for the organization

Installing certificates onto the management server

Installing the Root and Intermediate Certificates

  1. Go to your server where you want to install your the certificates
  2. Go to Windows > Run > CMD and go to the folder where you have saved your certificates
  3. To install the certificates, run the following command consecutively for both the certificates:
C:\Certificates Folder> certutil -dspublish -f <certificate name>

Installing the Certificate Authority on the server

Secure Your WPA2-Enterprise NPS Network with EAP-TLS

By leveraging the infrastructure already in place with a WPA2-Enterprise network, a more secure 802.1x wireless connection can be easily achieved through our SecureW2 integration solution.For network administrators, the ability to remotely diagnose and address connection issues, as well as tie every user and device to a network connection, will greatly reduce the number of wireless connection support tickets.

We have affordable options for organizations of all sizes. Click here to see our pricing.

Microsoft NPS is either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks, logos and service marks used in this site are the property of SecureW2 or other third parties.