[00:00:02] Next, we'll click Configure, and we want to select the option to Use a certificate on this computer. Simple certificate selection is fine. And once again, you'll see very much the same menus that we saw before: Verify the server's identity, Connect to these specific servers. And the reason we're kind of repeating this here is that Protected EAP essentially establishes a secure tunnel, TLS encrypted actually, and sometimes it's actually referred to as EAP-TLS. But principally, we're establishing a secure channel; within that tunnel we are now going to exchange our credentials, and we want to again perform validation just to ensure that there are no problems here. So we're going to enter the NPS server's hostname again, and we're also going to select our root CA.

[00:00:53] And once again here, you'll see that there's another prompt that says, Don't prompt users to authorize new servers. And once again, we definitely want that. We don't want users taking these security decisions into their hands; we want to make them for them. We're going to say Don't prompt. We want this connection to fail. Call the help desk, and we'll sort it out from there, but don't connect to, you know, an insecure server, for sure.

[00:01:18] Next, we're going to go ahead and click Advanced. And this is optional, but highly recommended, is to enable Certificate Issuer for our certificate selection. In many cases, you're going to have more than one user authentication certificate in the user store. In ours (again, this is a really clean lab) we just have a single certificate, but you might have a number of different certificates issued by maybe your PKI, but maybe other PKIs as well, and so we want to ensure that the client knows which certificate to use specifically for this VPN connection. So we're going to enable Certificate Issuer. We're going to go down here and select our root CA. And by the way, I'm selecting the root CA, but you can also get more granular and select your individual issuing CA. If you want to go that far, that's great. If you have multiple issuing CAs, you might want to just step back and use the root CA, and that should be sufficient.

[00:02:19] Next, select Extended Key Usage here, and then uncheck All Purpose and uncheck Any Purpose. We don't need either of those EKUs. We only want the Client Authentication EKU. So, in this configuration, when this connection is established, the VPN client will look for a certificate issued by this CA that has the Client Authentication EKU, and that should be more than sufficient in most cases to identify the proper certificate and present that for authentication. So we'll click OK and OK out of that a few times, and we're good to go.

[00:02:58] Next, we're going to go here to the Networking tab, and we'll select IPv4 and choose Properties and Advanced. And here, if you are planning to test a force tunnel scenario, there's nothing that you need to do here. This option, Use default gateway on remote network, basically should say force tunneling. This is enable force tunneling, send everything over the tunnel. Since we're going to use split tunneling here because that's the most common deployment model, I'm going to uncheck this option, but I'm also going to disable class based route addition. And what that means is that a class-based route is added by the VPN client when the connection establishes, and to really put it bluntly, it just guesses at what the best route is. It basically adds a route that's based on the IP address that it was assigned. Sometimes it works, sometimes it doesn't. It's often less than ideal, so we want to be very explicit and add our own specific routes, and we're going to do that in just a second. So check the box, Disable class based route addition.

[00:04:05] We're going to jump over to the DNS tab, and we also want to add our internal DNS suffix to this particular VPN connection as well. So once that's done, click OK, and then we can just OK out.
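The client-side steps from the Networking tab and the certificate selection rule from the Advanced dialog, as an added PowerShell example that is not from the video or its author. The connection name, route prefixes, DNS suffix, CA subject, the per-user rasphone.pbk path and the DisableClassBasedDefaultRoute key name are assumptions for a lab, not values shown in the video.

```powershell
# Added example, not from the video: the settings the narration makes in the GUI,
# applied with the built-in VpnClient cmdlets, plus a check that a certificate
# matching the selection criteria actually exists in the user store.
$ConnectionName   = 'Corp VPN'                          # assumed existing connection
$InternalPrefixes = @('10.0.0.0/8', '172.16.0.0/12')    # assumed internal networks
$DnsSuffix        = 'corp.example.com'                  # assumed internal DNS suffix
$RootCaSubject    = 'CN=Lab Root CA'                    # assumed CA chosen under Certificate Issuer

# Split tunneling (unchecks "Use default gateway on remote network") and the DNS suffix.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true -DnsSuffix $DnsSuffix

# Explicit routes, replacing the class-based route the client would otherwise guess.
foreach ($prefix in $InternalPrefixes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
}

# "Disable class based route addition" has no cmdlet parameter; it lives in the
# connection's entry in rasphone.pbk (key name and per-user path are assumptions).
$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$inEntry = $false
$updated = foreach ($line in Get-Content $pbk) {
    if ($line -match '^\[(.+)\]$') { $inEntry = ($Matches[1] -eq $ConnectionName) }
    if ($inEntry -and $line -like 'DisableClassBasedDefaultRoute=*') { 'DisableClassBasedDefaultRoute=1' }
    else { $line }
}
Set-Content -Path $pbk -Value $updated

# Mirror the selection rule from the Advanced dialog: a user certificate with a
# private key, chained to the chosen CA, carrying the Client Authentication EKU.
function Test-ChainContains([Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$CaSubject) {
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($Cert)   # build result ignored; only the chain members matter here
    return [bool]($chain.ChainElements | Where-Object { $_.Certificate.Subject -eq $CaSubject })
}
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$candidates = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid) -and
    (Test-ChainContains $_ $RootCaSubject)
}
if (-not $candidates) {
    Write-Warning "No Client Authentication certificate chained to $RootCaSubject in the user store"
} else {
    $candidates | Select-Object Subject, Issuer, NotAfter
}
```

If the warning fires, the VPN client will have no certificate to present under these filters, which is the failure the narration wants rather than a silent fallback to another certificate.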