How to implement PEAP-EAP-TLS authentication?

I always use PEAP-EAP-MSCHAPv2 on my Windows 2003 IAS for wireless authentication. I already have a two-tier CA infrastructure, and my clients all have certificates for workstation, user and IPSec authentication. No Smart Cards yet.

How do I go about getting the IAS/RADIUS server to recognize my workstation on my client? Right now it rejects the request; only MSCHAPv2 works. How do I make use of my existing certificates for WLAN authentication?

Thanks in advance.

Ed

---

http://www.microsoft.com/wifi has some info

http://www.microsoft.com/vpn may be helpful too.

Basically, it's the same as PEAP except:

1. each user must have a valid certificate for user auth
2. each machine must have a valid certificate for machine auth
3. you must enable EAP-TLS in the IAS policy
4. you must set the client to use EAP-TLS
5. the IAS server must have valid certs (server certs)

By "valid" I mean that the certs chain properly and that the CA certs needed for validation are present. EAP-TLS is cert-based, so properly deploying it is more of a PKI thing.

If your certs are standard issue from a Windows-based CA, they should be usable for wireless and it should all work smoothly - same as PEAP. Certificates are best for domain-joined machines - if you have machines in other domains or workgroup machines you'll probably still want to use PEAP.

If you can be more specific about what happens when the request is rejected, I can give you more specific solutions. Does IAS just deny authentication or does it drop the packets or something?

There is also a microsoft.public.internet.radius newsgroup that might help you answer IAS questions.

--
Standard Disclaimers -
This posting is provided "AS IS" with no warranties,
and confers no rights. Please do not send e-mail directly
to this alias. This alias is for newsgroup purposes only.

"Edward W. Ray" <edward_***@hotmail.com> wrote in message news:u5TICmgUFHA.612@TK2MSFTNGP12.phx.gbl...

---

I have a valid workstation certificate, as well as a user certificate issued by a Windows 2003 enterprise subordinate CA. I verified this on my client via mmc->certificates->personal. From windump packet logs, it rejects the request when I set up for PEAP-EAP-TLS. On both XP wireless setup and IAS, the server certificate used is the enterprise sub CA. Since my IPSec works with certificate authentication, I know my certificates are valid. Autoenrollment is set for Workstation, Computer, and User certificates in GPO.

Ed

"Carl DaVault [MSFT]" <car***@online.microsoft.com> wrote in message news:%23hRfWKnUFHA.2616@TK2MSFTNGP14.phx.gbl...

---

My computer authentication request via cert worked fine, but user auth failed, see below:

__________________________________________________________________

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 5/6/2005
Time: 2:02:59 PM
User: N/A
Computer: BLACKDOG
Description:
User host/eraylap.mmicmanhomenet.local was granted access.
Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/ERAYLAP
NAS-IP-Address = 192.168.1.254
NAS-Identifier = 0012177af760
Client-Friendly-Name = hunglikethor
Client-IP-Address = 192.168.1.254
Calling-Station-Identifier = 0012173570c2
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 7
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Computers
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....


Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/6/2005
Time: 1:57:48 PM
User: N/A
Computer: BLACKDOG
Description:
User ewray0967@mmicmanhomenet.local was denied access.
Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/Edward W. Ray
NAS-IP-Address = 192.168.1.254
NAS-Identifier = 0012177af760
Called-Station-Identifier = 0012177af760
Calling-Station-Identifier = 0012173570c2
Client-Friendly-Name = hunglikethor
Client-IP-Address = 192.168.1.254
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 7
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Users
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate
Reason-Code = 73
Reason = The user attempted to authenticate using a certificate with an Extended Key Usage or Issuance Policy that is not allowed by the matching remote access policy.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

__________________________________________________________________

I deleted then re-established my Wireless User policy, and the link was established. Strange....

Thanks for your help!

Edward W. Ray
CISSP, MCSE 2003+Security, P.E., SANS GCIA, SANS GCIH

---

Were you able to get this to work? Does IAS have to go on a 2003 DC?

"Edward W. Ray" <edward_***@hotmail.com> wrote in message news:O4ispDoUFHA.628@TK2MSFTNGP09.phx.gbl...
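The symptom in Ed's event log (machine auth granted under "Wireless Computers", user auth denied under "Wireless Users" with Reason-Code 73) is easy to pick out of a pile of IAS events once they are parsed. The triage script below is an added example, not code from the thread: it reads Event Viewer text in the same "Key: value" / "Key = value" layout Ed posted and reports, per client MAC (Calling-Station-Identifier), whether the computer certificate was accepted and whether any user denial is the reason-code-73 EKU/issuance-policy mismatch. The sample events are constructed from the fields in Ed's post, trimmed to what the triage reads.

```python
import re

# Constructed sample modelled on the two IAS events posted in the thread, trimmed
# to the fields the triage reads (same "Key: value" / "Key = value" layout).
SAMPLE_EVENTS = """\
Event Type: Information
Event ID: 1
User host/eraylap.mmicmanhomenet.local was granted access.
Calling-Station-Identifier = 0012173570c2
Policy-Name = Wireless Computers
EAP-Type = Smart Card or other certificate

Event Type: Warning
Event ID: 2
User ewray0967@mmicmanhomenet.local was denied access.
Calling-Station-Identifier = 0012173570c2
Policy-Name = Wireless Users
EAP-Type = Smart Card or other certificate
Reason-Code = 73
Reason = The user attempted to authenticate using a certificate with an Extended Key Usage or Issuance Policy that is not allowed by the matching remote access policy.
"""

FIELD = re.compile(r"^([\w][\w -]*?)\s*[:=]\s*(.*)$")
OUTCOME = re.compile(r"^User (\S+) was (granted|denied) access\.$")

def parse_ias_events(text):
    """Split Event Viewer text into one dict per IAS event."""
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        ev = {}
        for line in chunk.splitlines():
            if m := OUTCOME.match(line):      # Description line: identity and outcome
                ev["User"], ev["Outcome"] = m.group(1), m.group(2)
            elif m := FIELD.match(line):      # every other "Key: value" / "Key = value"
                ev[m.group(1)] = m.group(2)
        events.append(ev)
    return events

def triage(events):
    """Per client MAC: did machine auth pass, and is a user denial reason code 73?"""
    report = {}
    for ev in events:
        r = report.setdefault(ev.get("Calling-Station-Identifier", "?"),
                              {"machine_auth_ok": False, "eku_policy_mismatch": False, "denied": []})
        if ev.get("Outcome") == "granted" and ev.get("User", "").startswith("host/"):
            r["machine_auth_ok"] = True       # computer certificate accepted (Event ID 1)
        elif ev.get("Outcome") == "denied":
            r["denied"].append((ev["User"], ev.get("Policy-Name"), ev.get("Reason-Code")))
            r["eku_policy_mismatch"] |= ev.get("Reason-Code") == "73"  # EKU/issuance-policy mismatch
    return report
```

A client flagged with machine_auth_ok and eku_policy_mismatch points at the user certificate template or the EKU/issuance-policy restriction on the matching remote access policy, not at the PKI chain, which the successful machine auth already exercised.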