Testing IKEv2 VPN with PEAP authentication in Windows Server 2016 – Part2

After preparing the  server infrastructure for deploying IKEv2-based vpn access in part1 we can proceed to server configurations. The vpn server (vpn.testenterprise.net) will be the first server to deploy. Let’s start by installing remote access on vpn.testenterprise.net:

Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

To configure the service in Server Manager I click Open the  Getting Started Wizard (it may take a couple of minutes for this window to appear – otherwise you can run Remote Access from Server Manager and run the wizard by clicking Run the Getting Started Wizard):



Now let’s open the server properties and configure the ip address asignment (I will use the static pool from to

In the Adapter drop-down list I’ll select the internal network adapter (TestENTERPRISE).

For I’m going to use the nps server for the accounting and authentication purposes I must select RADIUS Authentication on the Security tab and type in the preshared secret which will be used for authentication between the vpn and nps servers: this same secret should later be configured on the nps server:


Press OK, return to the server Security tab, select RADIUS Accounting in the Accounting provider and click Configure… :

Again, I enter the nps server name here and the shared secret:

Press OK

Click OK and then open the Ports‘ properties – as my goal is to provide only the IKEv2 vpn access I must disable all other port types except IKEv2 and set the number of ports available for client connections:

I must set the number of IKEv2 port to 20 (because the client ip range has been set to


The final list of ports:

Pressing  OK completes the installation and configuration of the vpn server.

Now the nps role can be installed and configured on nps.testenterprise.net:

Install-WindowsFeature NPAS -IncludeManagementTools

Before using NPS server it must be registered in Active Directory:

If at the time of the installation the firewall on the nps server was enabled  the following firewall rules would have been created:

If you prefer to configure your ports manually you should consider opening the following ports.

The next step is to configure accounting: I want my nps server to create the text log files in the C:\RemoteAccess folder:

You can check the default log file settings or change some of them here:

NPS logs can be parsed by IASViewer – you can download it beforehand to be able to read logs right after nps installation.

Now it’s time to configure the RADIUS Client – from nps server’s point of view any network access devices, including vpn servers, are RADIUS clients: is the internal ip of my vpn server (vpn.testenterprise.net). Shared secret – the same secret that was enterted on the vpn server.

On the Advanced tab we can leave the default setting:

Now it’s time to configure the Connection Request Policy and Network Policy for IKEv2 users – it can be done by clicking Configure VPN or Dial-Up link:

On the next page I should uncheck MS-ChapV2 because I’m going to use certificate-based PEAP authentication, NOT a login/password.

For the page illustrated above I’d like to make some clarification: many of you may be asking youselves now why there are three authentication methods available if by definition we can authenticate users either by certificates or by logins/passwords – here’s why:

As I want to use PEAP authentication I  should select Microsoft:Protected EAP(PEAP) and click Configure.

On the next page MS-Chap should be removed:

Press Add:

Select Smart Card or other certificate and press OK (we do add Smart Card or other certificate but inside the PEAP authentication, not as the standalone authentication method).

Press OK and then Next:

On the next pages the group may be added – only members of these groups will have remote access to  the network. I will add the group VPN-Users created in Part1.

All other pages in the wizard may be left at their defaults.

The connection request and network policies have been created:

Let’s take a look at the policies created by the wizard.
Network Policy:

And the Connection request policy:

The configuration of the nps server is completed.

In part3 I’ll show you how to configure a vpn client and test the connection.


%d bloggers like this: