Below is the reference topology for EAP



This document provides a sample configuration for the Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2 authentication in a Cisco Unified Wireless network with the Microsoft Network Policy Server (NPS) as the RADIUS server.

Components used

  • Windows 2008 Enterprise Server with NPS, Certificate Authority (CA), dynamic host control protocol (DHCP), and Domain Name System (DNS) services installed 
  • Ray Access points
  • Windows pc wireless clients
  • Ray RSL2-8P Switch

PEAP Overview


PEAP uses Transport Level Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless laptop, and a PEAP authenticator, such as Microsoft NPS or any RADIUS server. PEAP does not specify an authentication method, but provides additional security for other Extensible Authentication Protocols (EAPs), such as EAP-MS-CHAP v2, that can operate through the TLS-encrypted channel provided by PEAP. The PEAP authentication process consists of two main phases.



PEAP Phase One: TLS-Encrypted Channel


The wireless client associates with the AP. An IEEE 802.11-based association provides an open system or shared key authentication before a secure association is created between the client and the access point. After the IEEE 802.11-based association is successfully established between the client and the access point, the TLS session is negotiated with the AP. After authentication is successfully completed between the wireless client and NPS, the TLS session is negotiated between the client and NPS. The key that is derived within this negotiation is used to encrypt all subsequent communication.



PEAP Phase Two: EAP-Authenticated Communication


EAP communication, which includes EAP negotiation, occurs inside the TLS channel created by PEAP within the first stage of the PEAP authentication process. The NPS authenticates the wireless client with EAP-MS-CHAP v2. The Ray AP's only forward messages between the wireless client and NPS/RADIUS server. The Ray Access points cannot decrypt these messages because they are not the TLS end points.


The RADIUS message sequence for a successful authentication attempt (where the user has supplied valid password-based credentials with PEAP-MS-CHAP v2)  is:


  1. The NPS sends an identity request message to the client: EAP-Request/Identity.
  2. The client responds with an identity response message: EAP-Response/Identity.
  3. The NPS sends an MS-CHAP v2 challenge message: EAP-Request/EAP-Type=EAP MS-CHAP-V2 (Challenge).
  4. The client responds with an MS-CHAP v2 challenge and response: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Response).
  5. The NPS sends back an MS-CHAP v2 success packet when the server has successfully authenticated the client: EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Success).
  6. The client responds with an MS-CHAP v2 success packet when the client has successfully authenticated the server: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Success).
  7. The NPS sends an EAP-type-length-value (TLV) that indicates successful authentication.
  8. The client responds with an EAP-TLV status success message.
  9. The server completes authentication and sends an EAP-Success message in plain text. If VLANs are deployed for client isolation, the VLAN attributes are included in this message.

Deploy Ceritificate services


  1. Select the service Active Directory Certificate Services, and click Next.


  2. Review the Introduction to Active Directory Certificate Services, and click Next.


  3. Select the Certificate Authority, and click Next.


  4. Select Enterprise, and click Next.


  5. Select Root CA, and click Next.


  6. Select Create a new private key, and click Next.


  7. Click Next on Configuring Cryptography for CA.


  8. Click Next to accept the default Common name for this CA.


  9. Select the length of time this CA certificate is valid, and click Next.


  10. Click Next to accept the default Certificate database location.


  11. Review the configuration, and click Install to start the Active Directory Certificate Services.


  12. After the install is completed, click Close.



Install the Network Policy Server on the Microsoft Windows 2008 Server


In this setup, the NPS is used as a RADIUS server to authenticate wireless clients with PEAP authentication. Complete these steps in order to install and configure NPS on the Microsoft WIndows 2008 server:


  1. Click Start > Server Manager.


  2. Click Roles > Add Roles.


  3. Click Next.


  4. Select the service Network Policy and Access Services, and click Next.


  5. Review the Introduction to Network Policy and Access Services, and click Next.


  6. Select Network Policy Server, and click Next.


  7. Review the confirmation, and click Install.


    After the install is completed, a screen similar to this one is displayed.


  8. Click Close.



Install a Certificate


Complete these steps in order to install the computer certificate for the NPS:


  1. Click Start, enter mmc, and press Enter.
  2. Click File > Add/Remove Snap-in.
  3. Choose Certificates, and click Add.


  4. Choose Computer account, and click Next.


  5. Select Local Computer, and click Finish.


  6. Click OK to return to the Microsoft Management Console (MMC).


  7. Expand the Certificates (Local Computer) and Personal folders, and click Certificates.


  8. Right-click in the whitespace beneath the CA certificate, and choose All Tasks > Request New Certificate.


  9. Click Next.


  10. Select Domain Controller, and click Enroll.


  11. Click Finish once the certificate is installed.


    The NPS certificate is now installed.

  12. Ensure that the Intended Purpose of the certificate reads Client Authentication, Server Authentication.




Configure the Network Policy Server Service for PEAP-MS-CHAP v2 Authentication


Complete these steps in order to configure the NPS for authentication:


  1. Click Start > Administrative Tools > Network Policy Server.
  2. Right-click NPS (Local), and choose Register server in Active Directory.


  3. Click OK.


  4. Click OK.


  5. Add the Wireless LAN Controller as an authentication, authorization, and accounting (AAA) client on the NPS.
  6. Expand RADIUS Clients and Servers. Right-click RADIUS Clients, and choose New RADIUS Client.


  7. Enter a Friendly name (WLC in this example), the management IP address of the WLC ( in this example) and a shared secret. The same shared secret is used to configure the WLC.


  8. Click OK to return to the previous screen.


  9. Create a new Network Policy for wireless users. Expand Policies, right-click Network Policies, and choose New.


  10. Enter a policy name for this rule (Wireless PEAP in this example), and click Next.


  11. To have this policy allow only wireless domain users, add these three conditions, and click Next:

    • Windows Groups - Domain Users
    • NAS Port Type - Wireless - IEEE 802.11
    • Authentication Type - EAP


  12. Click Access granted to grant connection attempts that match this policy, and click Next.


  13. Disable all the authentication methods under Less secure authentication methods.


  14. Click Add, select PEAP, and click OK to enable PEAP.


  15. Select Microsoft: Protected EAP (PEAP), and click Edit. Ensure the previously created domain controller certificate is selected in the Certificate issued drop-down list, and click Ok.


  16. Click Next.


  17. Click Next.


  18. Click Next.


  19. Click Finish.




--> In case, A user does not want to install certificate in all the machines, createa wlan profile and disable server validation.