Events
19 Nov, 23 - 21 Nov, 23
Gain the competitive edge you need with powerful AI and Cloud solutions by attending Microsoft Ignite online.
Register nowThis browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
Windows supports a number of EAP authentication methods.
EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2):
EAP-Transport Layer Security (EAP-TLS):
Supports the following types of certificate authentication:
Certificate filtering:
Server validation - with TLS, server validation can be toggled on or off:
Protected Extensible Authentication Protocol (PEAP):
Server validation - with PEAP, server validation can be toggled on or off:
Inner method - the outer method creates a secure tunnel inside while the inner method is used to complete the authentication:
Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
Cryptobinding: By deriving and exchanging values from the PEAP phase 1 key material (Tunnel Key) and from the PEAP phase 2 inner EAP method key material (Inner Session Key), it's possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.
Tunneled Transport Layer Security (TTLS)
For a UWP VPN plug-in, the app vendor controls the authentication method to be used. The following credential types can be used:
See EAP configuration for EAP XML configuration.
Note
To configure Windows Hello for Business authentication, follow the steps in EAP configuration to create a smart card certificate. Learn more about Windows Hello for Business..
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
Events
19 Nov, 23 - 21 Nov, 23
Gain the competitive edge you need with powerful AI and Cloud solutions by attending Microsoft Ignite online.
Register now