
New-NetIPsecPhase2AuthSet



This is the built-in help made by Microsoft for the command 'New-NetIPsecPhase2AuthSet', in PowerShell version 3 - as retrieved from Windows version 'Microsoft Windows Server 2012 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where Update-Help is available, Update-Help was run just before the web pages were created from the help files.

SYNOPSIS

Creates a phase 2 authentication set that specifies the methods offered for second user authentication during IPsec negotiations.

SYNTAX


New-NetIPsecPhase2AuthSet [-AsJob [<SwitchParameter>]] [-CimSession <CimSession[]>] [-Default [<SwitchParameter>]] [-Description <String>]
[-GPOSession <String>] [-Group <String>] [-Name <String>] [-PolicyStore <String>] [-ThrottleLimit <Int32>] -DisplayName <String> -Proposal
<CimInstance[]> [-Confirm [<SwitchParameter>]] [-WhatIf [<SwitchParameter>]] [<CommonParameters>]




DESCRIPTION


The New-NetIPsecPhase2AuthSet cmdlet creates a set that specifies the authentication methods, usually for the user, to offer during IPsec
negotiations. The second phase of authentication is typically a user authentication method, such as Kerberos v5, certificate, or pre-shared
key (PSK) authentication.


A phase 2 authentication set is an ordered list of user authentication proposals. Each proposal in the set specifies the authentication
methods to propose. A proposal is created by running the New-NetIPsecAuthProposal cmdlet. The phase 2 authentication set is then associated
with an IPsec rule, either when the rule is created with the New-NetIPsecRule cmdlet or afterwards, for an existing rule, with the
Set-NetIPsecRule cmdlet. The rule references the set by its Name, not its DisplayName.


The first phase of authentication, by contrast, is typically a computer authentication method such as Kerberos v5, certificate, or PSK
authentication, and is configured with a phase 1 authentication set created by the New-NetIPsecPhase1AuthSet cmdlet. A phase 1 authentication
set likewise contains an ordered list of proposals. During the main mode negotiation, the first proposal that both peers have in common is
used for mutual authentication. A NetIPsecPhase1AuthSet object and a NetIPsecMainModeCryptoSet object are associated with a
NetIPsecMainModeRule object to provide all of the security association (SA) parameters needed for a customized main mode negotiation. When
the negotiation succeeds, an IPsec main mode SA is created; use the Get-NetIPsecMainModeSA cmdlet to monitor the SAs that are created.


Note: A second (phase 2) authentication set cannot be specified in an IPsec rule when a PSK proposal is present in the rule's first (phase 1)
authentication set.


The default user authentication set is used with all IPsec rules and is designated with the Default parameter at creation time; the default
computer authentication set works the same way for phase 1. Additional authentication sets can be assigned to individual IPsec rules (phase 2)
and IPsec main mode rules (phase 1) for fully customized negotiations.




RELATED LINKS

Get-NetIPsecMainModeCryptoSet
New-NetIPsecPhase1AuthSet
New-NetIPsecMainModeCryptoSet
New-NetIPSecRule
Open-NetGPO
Rename-NetIPsecMainModeCryptoSet
Save-NetGPO
Set-NetIPsecMainModeCryptoSet
Set-NetIPsecRule
New-NetIPsecAuthProposal
New-GPO

REMARKS


Examples


EXAMPLE 1

PS C:\> $mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos

PS C:\> $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM

PS C:\> $p1Auth = New-NetIPsecPhase1AuthSet -DisplayName "First Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop

PS C:\> $ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos

PS C:\> $untlmauthprop = New-NetIPsecAuthProposal -User -NTLM

PS C:\> $anonyauthprop = New-NetIPsecAuthProposal -Anonymous

PS C:\> $p2Auth = New-NetIPsecPhase2AuthSet -DisplayName "Second User Auth" -Proposal $ukerbauthprop,$untlmauthprop,$anonyauthprop

PS C:\> New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $p1Auth.Name -Phase2AuthSet $p2Auth.Name



This example creates a rule that requires a first, or computer, authentication and attempts an optional second, or user, authentication. The user authentication is optional because the phase 2 set ends with an Anonymous proposal: a peer that cannot authenticate its user with Kerberos v5 or NTLM still matches the last proposal. Omit the Anonymous proposal to make the user authentication mandatory.
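The following is an added example, written for this page and not part of Microsoft's help, that builds on the description of phase 1 and phase 2 sets above and on Example 1. It makes the user authentication mandatory (no Anonymous proposal), attaches the phase 2 set to an existing rule with Set-NetIPsecRule, verifies the binding on the stored rule, and then exercises the Note about PSK. The root CA subject "CN=Contoso Root CA", the display names and the PSK string are assumptions for illustration; the script expects an elevated PowerShell session on a domain-joined Windows Server 2012 or later host.

```powershell
# Added example (not from the original help): machine certificate or Kerberos for
# phase 1, mandatory user Kerberos for phase 2, bound to one IPsec rule and verified.
# Assumed values (replace for your environment): the CA subject and all display names.
$RootCa = "CN=Contoso Root CA"   # assumption: your enterprise root CA subject

# Phase 1 (computer): proposals are offered in list order; the first one both peers
# share is used for mutual authentication in main mode.
$p1Cert = New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCa -AuthorityType Root
$p1Kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$p1Set  = New-NetIPsecPhase1AuthSet -DisplayName "P1 Machine Cert or Kerberos (example)" `
              -Proposal $p1Cert,$p1Kerb

# Phase 2 (user): Kerberos only. Without an -Anonymous proposal at the end of the
# list, a peer whose user cannot be authenticated fails the negotiation.
$p2Kerb = New-NetIPsecAuthProposal -User -Kerberos
$p2Set  = New-NetIPsecPhase2AuthSet -DisplayName "P2 User Kerberos Required (example)" `
              -Description "Added example: mandatory user authentication" -Proposal $p2Kerb

# Create the rule with only the phase 1 set first, then attach the phase 2 set to the
# existing rule with Set-NetIPsecRule. Rules reference sets by Name, not DisplayName.
$ruleName = "Require Machine and User Auth (example)"
New-NetIPsecRule -DisplayName $ruleName -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1Set.Name | Out-Null
Set-NetIPsecRule -DisplayName $ruleName -Phase2AuthSet $p2Set.Name

# Check 1: read the rule back from the policy store and confirm both bindings.
$stored = Get-NetIPsecRule -DisplayName $ruleName
if ($stored.Phase1AuthSet -ne $p1Set.Name -or $stored.Phase2AuthSet -ne $p2Set.Name) {
    throw "Rule '$ruleName' is not bound to the expected authentication sets"
}
Write-Output "Rule bound to phase 1 '$($stored.Phase1AuthSet)' and phase 2 '$($stored.Phase2AuthSet)'"

# Check 2: show the proposals actually stored in the phase 2 set, in offer order.
(Get-NetIPsecPhase2AuthSet -DisplayName $p2Set.DisplayName).Proposal | Format-List

# Caveat from the help's Note: a phase 1 set that contains a PSK proposal cannot be
# combined with a phase 2 set. Surface the error instead of leaving a half-built rule.
# PSK is used here only to demonstrate the restriction; prefer Kerberos or certificates.
$pskProp = New-NetIPsecAuthProposal -Machine -PreSharedKey "example-only-do-not-use"
$pskSet  = New-NetIPsecPhase1AuthSet -DisplayName "P1 PSK (example)" -Proposal $pskProp
$pskRule = "PSK plus User Auth (example, expected to fail)"
try {
    New-NetIPsecRule -DisplayName $pskRule -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $pskSet.Name -Phase2AuthSet $p2Set.Name -ErrorAction Stop | Out-Null
    # Not expected per the help; if it happens, do not keep the unsupported rule around.
    Remove-NetIPsecRule -DisplayName $pskRule
    Write-Warning "PSK phase 1 with a phase 2 set was accepted; review this host's behaviour"
} catch {
    Write-Output "PSK phase 1 with a phase 2 set rejected as documented: $($_.Exception.Message)"
}
Remove-NetIPsecPhase1AuthSet -DisplayName $pskSet.DisplayName

# Cleanup of the example objects (uncomment to run). Remove the rule before the sets.
# Remove-NetIPsecRule -DisplayName $ruleName
# Remove-NetIPsecPhase2AuthSet -DisplayName $p2Set.DisplayName
# Remove-NetIPsecPhase1AuthSet -DisplayName $p1Set.DisplayName
```

Once a peer connects, Get-NetIPsecMainModeSA shows the main mode SA and which phase 1 method was agreed; the phase 2 result is visible on the rule's quick mode SAs with Get-NetIPsecQuickModeSA. The ordering check matters because the first proposal both peers share wins: putting a weaker method ahead of a stronger one in either set silently downgrades every negotiation that can match it.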