- OS: Windows Server 2012 R2 - standalone machine / no Active Directory Domain services
- Features installed: Active Directory Certificate Services / Network Policy Server / Routing and Remote Access Service
- Already functioning correctly: PPTP VPN with NAT on RRAS
I am trying to set up an IKEv2 VPN to run alongside the existing PPTP VPN.
I have successfully used AD CS to generate a Root CA Cert and a Certificate with the correct capabilities (Client Auth, Server Auth, IP security IKE intermediate). The Root CA Cert is installed as a Trusted Root Certification Authority, and the Certificate into Personal Certificates on both the machine running ADCS / NPS / RRAS, and on the client machine. Both machines claim the Certificate as OK and validated against the Root CA Cert.
When I configure NPS to create a Network Access policy, in Authentication Methods, the only EAP authentication methods available are:
- Microsoft: Protected EAP (PEAP)
- Microsoft: Secured Password (EAP-MSCHAP v2)
There is no option to add "Microsoft: Smart Card or Certificate".
If I add Protected EAP and configure it, it shows me the correct Certificate and offers an EAP type of "Secured Password (EAP-MSCHAP v2)" - but again, no option to use certificates.
I have tried using PEAP with EAP-MSCHAP v2, but my Windows 10 client will not authenticate, failing with "IKE Authentication Credentials are unacceptable" (The Event Viewer shows error 13801).
Questions:
- How can I add / enable "Microsoft: Smart Card or Certificate" to the available EAP Authentication Methods in NPS?
OR - How can I establish an IKEv2 VPN which uses the certificate to encrypt the traffic, BUT allows username/password authentication to NPS using MS-CHAPv2?
Thanks
Nick
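One thing worth confirming before touching NPS is that the machine certificate really carries the three EKUs the question relies on (Server Authentication, Client Authentication, IP security IKE intermediate), has its private key, and chains to the installed root. The PowerShell below is an added example written for this thread, not code from the original post or from Microsoft; it assumes the certificate sits in the LocalMachine\My store on both the server and the client.

```powershell
# Added example (not from the original post): check each certificate in the
# machine Personal store for the EKUs IKEv2 needs, for a usable private key,
# and for a valid chain to a trusted root. Run in an elevated PowerShell on
# the RRAS/NPS server and on the Windows 10 client.
$RequiredEkus = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'
}

function Test-IkeV2Certificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # 2.5.29.37 is the Extended Key Usage extension; collect the OIDs it lists.
    $ekuExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $present = @()
    if ($ekuExt) { $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $missing = @($RequiredEkus.Keys | Where-Object { $present -notcontains $_ })

    # Build the chain against the machine's trust stores. Revocation is skipped
    # here so the check also works offline; remove that line for a full check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey       # RRAS/NPS cannot use it without this
        MissingEkus   = ($missing | ForEach-Object { $RequiredEkus[$_] }) -join ', '
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IkeV2Certificate -Cert $_ } |
    Format-List
```

A certificate that reports an empty MissingEkus, HasPrivateKey True and ChainValid True on both ends is the one to select in the RRAS SSTP/IKEv2 settings and in the PEAP configuration; anything else explains a 13801 on the client before NPS is even consulted.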