Configure PEAP-EAP-TLS Authentication for a Windows Device

Follow these steps to configure a Windows client device for Protected Extensible Authentication Protocol (PEAP) authentication with EAP-TLS as the inner authentication method.

The Protected Extensible Authentication Protocol (PEAP) uses a tunneled EAP method for the authentication process. PEAP uses Transport Layer Security (TLS) to establish a secure, encrypted tunnel between a client and an authentication server. It encapsulates the EAP authentication process within this tunnel, thus enabling secure exchange of authentication data between the client and server.

Note: Juniper Mist Access Assurance supports PEAP with EAP-TLS authentication only; PEAP with EAP-MSCHAP v2 is not supported.

PEAP-EAP-TLS uses EAP-TLS as the inner authentication method within the secure tunnel. EAP-TLS requires both client and server certificates for mutual authentication. To configure PEAP-EAP-TLS on a Windows device:

  1. On your Windows device, navigate to Control Panel > Network and Internet > Network and Sharing Center. Then, click Set up a new connection or network.
  2. Select Manually connect to a wireless network and click Next.
  3. Enter the following details for the wireless network and click Next:
    • Network name—Provide an SSID name.
    • Security type—Select the WPA2-Enterprise or WPA3-Enterprise option.
  4. Click Change connection settings.
    The Wireless Network Properties dialog box appears.
  5. Select the Security tab and click Settings under Choose a network authentication method.

  6. Select the following options in the Protected EAP Properties dialog box:
    • Connect to these servers—Enter auth.mist.com if you're using the default Mist Access Assurance server certificate. If you're using a custom RADIUS server certificate, provide the certificate SAN:DNS name.
    • Trusted Root Certification Authorities—Select the Mist Org CA certificate (or your custom RADIUS server certificate).
    • Authentication Method—Select Smart Card or other certificate (EAP-TLS).

    Click Configure.

    The Smart Card or other certificate Properties dialog box appears.

  7. Verify that the server is listed as auth.mist.com. Select the Mist Org CA certificate and click OK.
  8. In the Security tab of the Wireless Network Properties dialog box, click Advanced settings.
  9. In the Advanced settings dialog box:
    1. Select the Specify authentication mode check box and choose the appropriate authentication mode.
    2. Click OK and then click Close.
  10. Verify the configuration:
    1. In the Juniper Mist portal, create an authentication policy. Add a rule to allow the PEAP-TLS Auth Type.
    2. Add the CA certificate to enable Juniper Mist Access Assurance to trust client certificates issued by your added CAs. To add the certificate, navigate to the Organization > Access > Certificates > Add Certificate Authority page. For detailed steps about adding a CA certificate, see Use Certificate Authority (CA) Certificate.
    3. Connect the client to the network.
    4. Navigate to the Monitor > Service Levels > Insights page and go to the Client Events section. Verify the NAC Client authentication events.
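
The settings chosen in steps 6 through 9 can be checked after the fact by exporting the profile with `netsh wlan export profile` and inspecting its XML. The following PowerShell is an added example, not Juniper's code: the function name `Test-PeapTlsProfile`, the SSID `Example-SSID`, and the trimmed sample profile are constructed, and it assumes the exported XML follows the Windows EapHostConfig layout (outer EAP type 25 for PEAP, nested type 13 for EAP-TLS).

```powershell
# Added example, not Juniper's code. Audits a WLAN profile for the settings from steps 6-9.
function Test-PeapTlsProfile {
    param(
        [Parameter(Mandatory)][xml]$ProfileXml,
        [string]$ExpectedServer = 'auth.mist.com'  # or your custom RADIUS certificate SAN:DNS name
    )
    # local-name() avoids binding the several XML namespaces a WLAN profile mixes.
    $outer = $ProfileXml.SelectSingleNode("//*[local-name()='Config']/*[local-name()='Eap']")
    $peap  = if ($outer) { $outer.SelectSingleNode("*[local-name()='EapType']") }
    $oType = if ($outer) { $outer.SelectSingleNode("*[local-name()='Type']") }
    $iType = if ($peap)  { $peap.SelectSingleNode("*[local-name()='Eap']/*[local-name()='Type']") }
    $sv    = if ($peap)  { $peap.SelectSingleNode("*[local-name()='ServerValidation']") }
    $names = if ($sv)    { $sv.SelectSingleNode("*[local-name()='ServerNames']") }
    $mode  = $ProfileXml.SelectSingleNode("//*[local-name()='authMode']")
    # ServerNames is a semicolon-separated list; require an exact entry for the expected name.
    $pinned  = if ($names) { $names.InnerText -split ';' | ForEach-Object { $_.Trim() } }
    # At least one non-empty TrustedRootCA entry means a root CA was selected in step 6.
    $hasRoot = $sv -and ($sv.SelectNodes("*[local-name()='TrustedRootCA']") | Where-Object { $_.InnerText.Trim() })
    [pscustomobject]@{
        OuterIsPeap      = [bool]($oType -and $oType.InnerText.Trim() -eq '25')  # EAP type 25 = PEAP
        InnerIsEapTls    = [bool]($iType -and $iType.InnerText.Trim() -eq '13')  # EAP type 13 = EAP-TLS
        ServerNamePinned = @($pinned) -contains $ExpectedServer
        RootCaPinned     = [bool]$hasRoot
        AuthMode         = if ($mode) { $mode.InnerText.Trim() } else { '(not specified)' }
    }
}

# Constructed, trimmed sample; for a real profile pass (Get-Content -Raw <exported file>) instead.
$sample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
 <name>Example-SSID</name>
 <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
  <authMode>user</authMode>
  <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
   <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
     <ServerValidation>
      <ServerNames>auth.mist.com</ServerNames>
      <TrustedRootCA>00 11 22 33</TrustedRootCA>
     </ServerValidation>
     <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type></Eap>
    </EapType>
   </Eap>
  </Config></EapHostConfig></EAPConfig>
 </OneX></security></MSM>
</WLANProfile>
'@
Test-PeapTlsProfile -ProfileXml $sample
```

A `False` in `ServerNamePinned` or `RootCaPinned` means the supplicant is not restricted to the RADIUS server name and CA selected in step 6, so the profile should be corrected before the client is connected in step 10.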