
New-NetIPsecPhase2AuthSet



This is the built-in help made by Microsoft for the command 'New-NetIPsecPhase2AuthSet', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Creates a phase 2 authentication set that specifies the methods offered for second user authentication during IPsec negotiations.

SYNTAX


New-NetIPsecPhase2AuthSet [-AsJob] [-CimSession <CimSession[]>] [-Default] [-Description <String>] [-GPOSession <String>] [-Group <String>] [-Name <String>] [-PolicyStore <String>] [-ThrottleLimit <Int32>] -DisplayName <String> -Proposal <CimInstance[]> [-Confirm] [-WhatIf] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecPhase2AuthSet cmdlet creates a set that specifies the authentication methods, usually for user authentication, to use during IPsec negotiations. The
second phase of authentication is typically a user authentication method, such as Kerberos v5, certificate, or pre-shared key (PSK) authentication.


The related New-NetIPsecPhase1AuthSet cmdlet creates the corresponding first-phase set, which specifies the authentication methods, usually for computer authentication,
to use during IPsec negotiations. The first phase of authentication is typically a computer authentication method such as Kerberos v5, certificate, or PSK authentication.


A phase 1 authentication set contains an ordered list of computer authentication proposals. Each proposal in the set specifies the authentication methods to propose. A
proposal is created by running the New-NetIPsecAuthProposal cmdlet. During the main mode negotiation, the first proposal that both peers have in common is used for mutual
authentication. A NetIPsecPhase1AuthSet object and a NetIPsecMainModeCryptoSet object are associated with a NetIPsecMainModeRule object to provide all the necessary
security association (SA) parameters for customized main mode negotiations. When the negotiation is successful, an IPsec main mode SA is created. Use the
Get-NetIPsecMainModeSA cmdlet to monitor the SAs that are created.


The default computer authentication set is used with all IPsec rules, as specified by the Default parameter at creation time. Additional authentication sets can be used
with IPsec main mode rules for fully customized main mode negotiations.


A newly created phase 1 authentication set can be associated with one or more IPsec rules or main mode rules using the Set-NetIPsecRule and Set-NetIPsecMainModeRule
cmdlets.


A phase 2 authentication set is an ordered list of user authentication proposals. Each proposal in the set specifies the authentication methods to propose. A proposal is
created by running the New-NetIPsecAuthProposal cmdlet. The phase 2 authentication set is then associated with an IPsec rule.


Note: A second authentication cannot be specified in an IPsec rule when a PSK is in the first authentication methods list (the rule's Phase1AuthSet).


The user authentication set can be associated with an existing IPsec rule with the Set-NetIPsecRule cmdlet. The default user authentication set is used with all IPsec
rules, as specified by the Default parameter at creation time.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/?LinkId=288117
Get-NetIPsecMainModeCryptoSet
New-NetIPsecPhase1AuthSet
New-NetIPsecMainModeCryptoSet
New-NetIPSecRule
Open-NetGPO
Rename-NetIPsecMainModeCryptoSet
Save-NetGPO
Set-NetIPsecMainModeCryptoSet
Set-NetIPsecRule
New-NetIPsecAuthProposal
New-GPO


Examples


EXAMPLE 1

# Phase 1 (computer) proposals: Kerberos preferred, NTLM as fallback
PS C:\>$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos
PS C:\>$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
PS C:\>$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop

# Phase 2 (user) proposals: Kerberos, NTLM, then Anonymous so that user authentication is attempted but not required
PS C:\>$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos
PS C:\>$untlmauthprop = New-NetIPsecAuthProposal -User -NTLM
PS C:\>$anonyauthprop = New-NetIPsecAuthProposal -Anonymous
PS C:\>$p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" -Proposal $ukerbauthprop,$untlmauthprop,$anonyauthprop

# Associate both sets with a new IPsec rule by their Name property
PS C:\>New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name



This example creates a rule that requires a first, or computer, authentication and attempts an optional second, or user, authentication.
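In the example above, the second authentication is optional only because the phase 2 set ends with an Anonymous proposal: a peer that cannot authenticate a user still matches that proposal. The script below is an added example, not from the Microsoft help file, showing the stricter variant: a phase 2 set with no Anonymous proposal so that user authentication is mandatory, a guard for the PSK restriction from the description before the sets are combined, a -WhatIf dry run, and a read-back of what was persisted. The CA name, rule name and port are constructed placeholders; the Test-ProposalUsesPsk helper, the AuthenticationMethod and Proposal property names it reads, and the -AssociatedNetIPsecRule parameter of Get-NetIPsecPhase2AuthSet are assumptions about the NetSecurity module's object model, not taken from this page.

```powershell
# Added example (not from the Microsoft help page). Run in an elevated session on a
# domain-joined host. The CA distinguished name and port are constructed placeholders.

# --- Phase 1 (computer) proposals: Kerberos only. No PSK proposal, so a phase 2 set
#     may be combined with this set (see the Note in the DESCRIPTION).
$mkerb = New-NetIPsecAuthProposal -Machine -Kerberos

# Guard for the documented restriction: a second authentication cannot be used when the
# first authentication methods list contains a PSK. Assumption: each proposal object
# exposes an AuthenticationMethod property whose text names the method.
function Test-ProposalUsesPsk {
    param([Parameter(Mandatory)] [object[]] $Proposal)
    foreach ($p in $Proposal) {
        if ("$($p.AuthenticationMethod)" -match 'PreSharedKey') { return $true }
    }
    return $false
}

if (Test-ProposalUsesPsk -Proposal $mkerb) {
    throw "Phase 1 proposals include a PSK; a phase 2 (user) authentication set cannot be combined with them."
}

$p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "Computer Auth (Kerberos)" -Proposal $mkerb

# --- Phase 2 (user) proposals: Kerberos first, then a user certificate chained to our
#     root CA. Deliberately NO -Anonymous proposal: with Anonymous present, a peer that
#     cannot authenticate the user still negotiates successfully. Leaving it out makes
#     the second authentication required rather than optional.
$ukerb = New-NetIPsecAuthProposal -User -Kerberos
$ucert = New-NetIPsecAuthProposal -User -Cert `
            -Authority "CN=Contoso Root CA, DC=contoso, DC=com" `   # placeholder CA
            -AuthorityType Root
$p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "User Auth (Kerberos or Cert)" -Proposal $ukerb, $ucert

# --- Rule: protection required in both directions, both sets referenced by Name.
#     Scoped to SMB on the Domain profile as an illustrative placeholder.
$ruleParams = @{
    DisplayName      = "Require Computer and User Auth (SMB)"
    InboundSecurity  = 'Require'
    OutboundSecurity = 'Require'
    Protocol         = 'TCP'
    LocalPort        = '445'
    Profile          = 'Domain'
    Phase1AuthSet    = $p1Auth.Name
    Phase2AuthSet    = $p2Auth.Name
}

# Dry run first (-WhatIf is in the cmdlet's syntax), then create for real.
New-NetIPsecRule @ruleParams -WhatIf
$rule = New-NetIPsecRule @ruleParams

# --- Read back what was persisted: which phase 2 set the rule references and the
#     methods it offers. Assumption: Get-NetIPsecPhase2AuthSet accepts
#     -AssociatedNetIPsecRule and the set object exposes a Proposal property.
$boundP2 = Get-NetIPsecPhase2AuthSet -AssociatedNetIPsecRule $rule
$boundP2 | Select-Object Name, DisplayName
$boundP2.Proposal | Select-Object AuthenticationMethod, AuthorityName

# Once traffic flows, confirm that main mode SAs are being negotiated with these sets.
Get-NetIPsecMainModeSA
```

Order inside -Proposal matters: the first proposal both peers share wins, so list the strongest method first. Keep a PSK out of any phase 1 set that will be paired with a phase 2 set, and prefer Kerberos or certificates over NTLM and PSK for the computer authentication as well.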