To make an EAP-TLS VPN connection, you must have a user certificate on the client computer and a computer certificate on the IAS server.
To configure the test lab for EAP testing, configure DC1 to issue a user template, configure Active Directory for auto-enrollment of user certificates, and add VPNUser to the DialUsers group.
Configure a user certificate
Click Start, click Run, and type certtmpl.msc to open Certificate Templates.
In the details pane, click the User Template.
On the Action menu, click Duplicate Template.
In the Template Display Name text box, type VPNUser and ensure that the Publish Certificate In Active Directory check box is selected.
Click the Security tab.
In Group Or User Names, click Domain Users.
In Permissions For Domain Users, select the Enroll and Autoenroll check boxes, and click Apply.
In Group Or User Names, click Authenticated Users.
In Permissions For Authenticated Users, select the Enroll and Autoenroll check boxes, and click OK.
Configure the certification authority to issue the new certificate
Open the Certification Authority administrative tool.
In the console tree, open Certification Authority, then Example CA, and then Certificate Templates.
On the Action menu, point to New, and then click Certificate Template To Issue.
Click VPNUser and click OK.
Configure Active Directory for autoenrollment of user certificates
Open the Active Directory Users And Computers administrative tool.
In the console tree, right-click the example.com domain, and then click Properties.
On the Group Policy tab, click Default Domain Policy and then click Edit.
In the console tree for Group Policy Object Editor, open User Configuration, then Windows Settings, and then Security Settings. Click Public Key Policies.
In the details pane, right-click Autoenrollment Settings, and click Properties.
Click Enroll Certificates Automatically, select both the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box and the Update Certificates That Use Certificate Templates check box, and click OK.
Configure group membership and update Group Policy
Open the Active Directory Users And Computers administrative tool, and add VPNUser to the DialUsers group.
Type gpupdate at a command prompt to update Group Policy on DC1.
To configure the test lab for EAP testing, configure IAS1 with a computer certificate and for EAP authentication.
Update Group Policy
Type gpupdate at a command prompt to update Group Policy on IAS1. This step autoenrolls IAS1 with the computer certificate.
Edit the VPN remote access policy
Open the Internet Authentication Service administrative tool.
In the console tree, click Remote Access Policies.
In the details pane, double-click VPN Remote Access To Intranet.
In the VPN Remote Access To Intranet Properties dialog box, click Edit Profile.
On the Authentication tab, click EAP Methods.
In the Select EAP Providers dialog box, click Add.
In the Add EAP dialog box, click Smart Card Or Other Certificate, and then click OK.
If the properties of the computer certificate that was issued to the IAS1 computer appear in the Smart Card Or Other Certificate Properties dialog box, IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK three times.
When prompted to view Help, click No. Click OK to save changes to the remote access policy, allowing it to authorize VPN connections using the EAP-TLS authentication method.
Use gpupdate to update Group Policy.
To configure the test lab for EAP access, install the appropriate certificate on VPN1, and create an EAP profile.
Update Group Policy
Type gpupdate at a command prompt to update Group Policy on VPN1.
Create the EAPCorp profile
Open the Connection Manager Administration Kit Wizard, and click Next.
On the Service Profile Selection page, click Existing Profile, click L2TPCorp, and click Next.
On the Service And File Names page, type EAP To CorpNet in the Service Name text box, type EAPCorp in the File Name text box, and click Next.
On the Realm Name page, click Add A Realm Name To The User Name. If Suffix is not already selected, click it. In Realm Name, type @example.com and then click Next.
On the Merging Profile Information page, click Next.
On the VPN Support page, select the Phone Book From This Profile check box, click Always Use The Same VPN Server, type 10.0.0.2, and click Next.
On the VPN Entries page, click the default entry and click Edit.
Click the Security tab. In the Security Settings drop-down list, click Use Advanced Security Settings and then click Configure.
Under Logon Security, click Use Extensible Authentication Protocol (EAP), and select Smart Card Or Other Certificate from the drop-down list. In the VPN Strategy drop-down list, click Try Point To Point Tunneling Protocol First (as shown in the following figure), and click Properties.
In the Smart Card Or Other Certificate Properties dialog box, click Use A Certificate On This Computer. Type dc1.example.com in the Connect To These Servers text box (as shown in the following figure). In the Trusted Root Certification Authorities drop-down list, select the Example CA check box. Click OK three times, and then click Next.
On the Phone Book page, click Next.
On the Dial-up Networking Entries page, click Next.
On the Routing Table Update page, click Next.
On the Automatic Proxy Configuration page, click Next.
On the Custom Actions page, click Next.
On the Logon Bitmap page, click Next.
On the Phone Book Bitmap page, click Next.
On the Icons page, click Next.
On the Notification Area Shortcut Menu page, click Next.
On the Help File page, click Next.
On the Support Information page, type For help connecting, contact the Support Desk. in the Support Information text box and then click Next.
On the Connection Manager Software page, click Next.
On the License Agreement page, click Next.
On the Additional Files page, click Next.
On the Ready To Build The Service Profile page, click Next.
When the Completing The Connection Manager Administration Kit Wizard page appears, click Finish.
Prepare the EAPCorp profile for distribution
Browse to the \Program Files\Cmak\Profiles\EAPCorp folder.
Copy EAPCorp.exe to a floppy disk.
To configure the test lab for EAP access, install a user certificate and the EAPCorp profile on CLIENT1.
Get a certificate
Use the Dial-Up To CorpNet profile to connect to the network. Type VPNUser in the User Name text box, and type the password for the VPNUser account in the Password text box.
When connected, open a Web browser and type http://dc1.example.com/certsrv. Click Request A Certificate.
Click User Certificate, and click Submit.
Click Yes to approve the request for a certificate.
When the request is finished processing, click Install This Certificate.
Click Yes to approve the installation of the certificate.
When the certificate has been installed, disconnect Dial-Up To CorpNet.
Connect to CorpNet using the EAPCorp profile
Install the EAP To CorpNet profile on CLIENT1.
On the Connection Manager logon page, type VPNUser in the User Name text box, type the password for the account in the Password text box, and click Connect.
In the Connect EAP To CorpNet dialog box, click VPNUser@example.com, and click OK.
When prompted to accept the connection to IAS1.example.com, click OK.
Open a Web browser. In the Address text box, type http://IIS1.example.com/iisstart.htm. You should see a Web page titled “Under Construction.”
Click Start, click Run, type \\IIS1\ROOT, and then click OK. You should see the contents of the root folder on IIS1.
Right-click the connection icon in the notification area, and then click Disconnect.
Open the Certificates administrative tool, and verify that Example CA was added to the list of Trusted Root Certification Authorities and that the VPNUser certificate was added to the personal certificates store.
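The two certificate checks in this lab (the IAS1 computer certificate inspected in the Smart Card Or Other Certificate Properties dialog box, and the VPNUser certificate and Example CA root verified on CLIENT1 in the last step) can also be scripted. The following PowerShell is an added example, not part of the original lab guide; it assumes the lab names used above (Example CA, VPNUser, IAS1) and the EAP-TLS requirement that the server certificate carry the Server Authentication EKU and the user certificate the Client Authentication EKU, each with a private key and a chain to the trusted lab root.

```powershell
# Added verification script for the EAP-TLS lab; not from the original guide.
# Assumes the lab names above (Example CA, VPNUser, IAS1) and standard EKU OIDs.
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication (required on IAS1)
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication (required on CLIENT1)

function Test-EkuPresent {
    param($Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return $false }
    return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
}

function Test-EapTlsCert {
    # Returns the first certificate in $StorePath usable for EAP-TLS, or nothing.
    param([string]$StorePath, [string]$Eku, [string]$Issuer, [string]$SubjectMatch)
    $now = Get-Date
    Get-ChildItem $StorePath | Where-Object {
        $_.HasPrivateKey -and $_.Issuer -match $Issuer -and
        $_.Subject -match $SubjectMatch -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        (Test-EkuPresent $_ $Eku) -and $_.Verify()   # Verify() builds and validates the chain
    } | Select-Object -First 1
}

# Run on IAS1 after "Update Group Policy": the computer certificate IAS presents to clients.
function Test-IasServerCert {
    $cert = Test-EapTlsCert 'Cert:\LocalMachine\My' $ServerAuthEku 'Example CA' 'IAS1'
    if (-not $cert) { Write-Warning 'No usable Server Authentication certificate on IAS1'; return }
    # The name in the profile's "Connect To These Servers" box should match this DNS name;
    # a mismatch is why Connection Manager prompts the user to accept the server.
    $dns = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; DnsName = $dns; NotAfter = $cert.NotAfter }
}

# Run on CLIENT1 as VPNUser after the last step above: user certificate plus trusted root.
function Test-Client1Certs {
    $user = Test-EapTlsCert 'Cert:\CurrentUser\My' $ClientAuthEku 'Example CA' 'VPNUser'
    $root = Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -match 'Example CA' } | Select-Object -First 1
    [pscustomobject]@{
        UserCertOk         = [bool]$user
        UserCertThumbprint = $(if ($user) { $user.Thumbprint })
        RootTrusted        = [bool]$root
    }
}
```

Run Test-IasServerCert on IAS1 and Test-Client1Certs on CLIENT1; a result with UserCertOk or RootTrusted set to False points at the autoenrollment or certificate installation step that did not take effect.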