I googled for hours and didn't find my answer. I found information about PEAP and MS-CHAPv2, of course, but nothing for my particular situation (which seems like something that should be easy to find). Basically, I'm trying to have a Windows user on a PC remotely (though on the same subnet) access a Cisco router to manage and configure it. Topology here. This user is authenticated via the Active Directory NPS. The user has an AD account and this credential is used to log in to the router. I got this working with PAP, but now I have to do it with MS-CHAPv2 and then PEAP (same general configuration, separate instances).
The router is configured as a client in NPS under Active Directory. The network policy for MS-CHAPv2 can be found here. You can find the one for PEAP here. Is there something wrong with these network policies so far? The service type and framed protocol are the parts I'm not 100% sure of.
The biggest challenge is getting information about what needs to be configured on the Cisco router (7200). Here is the configuration for what I have using the PAP:
aaa group server radius RAD_SERVER
 server-private auth-port 1812 acct-port 1813 key 7 03105E07030C2E417D584D51
!
aaa authentication login default group RAD_SERVER local
aaa authorization console
aaa authorization exec default group RAD_SERVER local if-authenticated
crypto pki trustpoint NPS.domain.org
 enrollment mode ra
 enrollment url http:// :80/certsrv/mscep/mscep.dll
 serial-number
 fqdn R1.domain.org
 subject-name CN=R1.domain.org
 revocation-check none
!
!
crypto pki certificate chain NPS.domain.org
 certificate ca 2ED7D81DA1FFF88D46A85518E717BE02
As far as I know, the client must be able to authenticate the RADIUS server. That's why I installed the RADIUS server certificate on the router (also a necessary step for PEAP). So I have to somehow change the above configuration to tell the Cisco router to use EAP-MS-CHAPv2 or PEAP (whichever I want to use) instead of PAP. How do I do that?
tl;dr: Windows AD users must authenticate with MS-CHAPv2 and PEAP on separate routers. I have this working with PAP.
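As an added illustration of what the working PAP setup above actually sends (example code, not from the original post or any Cisco/NPS software): under RFC 2865 the router hides the user's password only with MD5 of the shared secret and the 16-byte Request Authenticator, so the shared secret is the sole protection for the credential on the wire, which is the usual reason to move to MS-CHAPv2 or PEAP. The secret, username, password and NAS address are constructed sample values.

```python
# Added example: RADIUS PAP User-Password hiding (RFC 2865 section 5.2) and a
# minimal Access-Request as a router login would send it. Sample values only.
import hashlib
import os
import struct

def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad to 16-byte blocks, then chain: c_i = p_i XOR MD5(secret + c_{i-1})."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator          # first block keys off the authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                            # later blocks key off the previous cipher block
    return out

def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """What the RADIUS server does: same MD5 chain, driven by the received blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")              # strip the padding (passwords ending in NUL are not allowed)

def access_request(secret, username, password, nas_ip, identifier=1, authenticator=None):
    """Access-Request (Code 1) carrying User-Name(1), User-Password(2),
    NAS-IP-Address(4) and Service-Type(6)=Login(1): the attributes of an exec login."""
    authenticator = authenticator or os.urandom(16)
    def avp(t, v):                          # Type, Length (incl. header), Value
        return struct.pack("!BB", t, 2 + len(v)) + v
    attrs = (avp(1, username.encode()) +
             avp(2, hide_password(secret, authenticator, password.encode())) +
             avp(4, bytes(int(o) for o in nas_ip.split("."))) +
             avp(6, struct.pack("!I", 1)))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs
```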