PEAP and EAP-TLS on Server 2008 and Cisco WLC

To make wireless networks really secure you should use a RADIUS server to authenticate your users instead of using a pre-shared key. The RADIUS server handles the authentication requests and uses EAP (Extensible Authentication Protocol) to communicate with users. There are many EAP types and the most popular ones are:

  • PEAP (Protected EAP)
  • EAP-TLS (EAP-Transport Layer Security)

PEAP is normally used to authenticate users by using a username and password. The RADIUS server will show a certificate to the users so that they can verify that they are talking to the correct RADIUS server. EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a client certificate.

This tutorial will walk you through the installation and configuration of Windows Server 2008 using NPS (Network Policy Server) as the RADIUS server for a Cisco wireless LAN controller. We will configure the server so that it supports PEAP using MS-CHAPv2 for password authentication but we’ll also look at EAP-TLS which can be used to authenticate clients using certificates that we will generate on the server.
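
The server certificate check described above only protects PEAP credentials if the client's WLAN profile enforces it. The following Python script is an added example, not part of the original tutorial: it audits a Windows WLAN profile of the kind exported with `netsh wlan export profile`. The sample XML is constructed and trimmed, and the element names are assumed to follow the Windows EAPHost PEAP/EAP-TLS profile schema.

```python
import xml.etree.ElementTree as ET

# IANA EAP method numbers relevant to this page.
EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP", "26": "EAP-MSCHAPv2"}

# Constructed sample, trimmed to the elements the audit reads. A real export
# wraps these in further namespaced elements (SSIDConfig, MSM, OneX, ...).
WEAK_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
  <Type>25</Type>
  <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
   <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
   </ServerValidation>
   <Eap><Type>26</Type></Eap>
   <PeapExtensions><PerformServerValidation>false</PerformServerValidation></PeapExtensions>
  </EapType>
 </Eap>
</WLANProfile>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def audit_profile(xml_text):
    """Return (eap_methods, findings) for one WLAN profile."""
    methods, findings = [], []
    for el in ET.fromstring(xml_text).iter():
        name, text = local(el.tag), (el.text or "").strip()
        if name == "Type" and text in EAP_NAMES:
            if EAP_NAMES[text] not in methods:
                methods.append(EAP_NAMES[text])
        elif name == "PerformServerValidation" and text.lower() == "false":
            findings.append("server certificate validation disabled")
        elif name == "ServerValidation":
            kids = {local(c.tag): (c.text or "").strip() for c in el}
            if not kids.get("TrustedRootCA"):
                findings.append("no trusted root CA pinned")
            if not kids.get("ServerNames"):
                findings.append("no RADIUS server name pinned")
            if kids.get("DisableUserPromptForServerValidation") != "true":
                findings.append("user can be prompted to trust a new server")
    return methods, findings

if __name__ == "__main__":
    methods, findings = audit_profile(WEAK_PROFILE)
    print("EAP methods:", methods)
    for finding in findings:
        print("FINDING:", finding)
```

The same `ServerValidation` checks apply to an EAP-TLS profile (type 13), where the client also has to validate the RADIUS server's certificate.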

Using Group Policy to deploy the WLAN profile:

  • Configure 802.1X Wireless Access Clients running Windows 7 and Windows Vista
  • Cisco wifi WPA2-Enterprise PEAP authentication with Active Directory
  • Tutorial: 802.1X Authentication via WiFi – Active Directory + Network Policy Server + Cisco WLAN + Group Policy


For the deployment of user and computer certificates, you can also refer to:

How to automatically enroll user and computer certificate in AD