Re: PEAP based 802.1x LAN authentication
From: Rodrigo Blanco (rodrigo.blanco.r_at_gmail.com)
Date: 04/07/05
- Previous message: Jason Gregson: "RE: Windows Server 2003 Service Pack 1"
- Maybe in reply to: Rodrigo Blanco: "PEAP based 802.1x LAN authentication"
- Next in thread: Rui Francisco: "Re: PEAP based 802.1x LAN authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 7 Apr 2005 14:12:34 +0200
To: "Menicucci, Dan" <dan0@pitt.edu>
I enter
IAS snap-in > Remote Access Policy > Edit Profile > Authentication >
EAP types > EAP
And select "PEAP". Then I click on "Configure..." and that is where
the error message shows up.
I tend to think it is because my server's certificate does not have an
attribute "1.3.6.1.4.1.311.17.1" for CSP within its certificate
properties.
Thank you,
Rodrigo.
On Apr 7, 2005 1:54 PM, Menicucci, Dan <dan0@pitt.edu> wrote:
> Check this next.
>
> In the IAS snapin, under Remote Access Policies click on the Policy you
> created to authenticate your users via PEAP. Hit Edit Profile,
> Authentication, EAP Methods. Do you have PEAP added here? If so, hit
> edit and make sure the certificate that you want to use is selected.
>
> Thanks,
> Dan
>
> -----Original Message-----
> From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> Sent: Thursday, April 07, 2005 5:30 AM
> To: Menicucci, Dan
> Cc: focus-ms@securityfocus.com
> Subject: Re: PEAP based 802.1x LAN authentication
>
> Hello again,
>
> I have checked:
>
> - that the RSA key is 1024 bits long : OK
> - that the usage "Server auth" : OK
> - the server certificate is now stored in "Personal (Local Computer)"
> (it has a corresponding private key) and the CA certificate is installed
> on "Trusted Root CAs (Local Computer)". : OK
>
> It still gives the same error message. :-/
>
> In
> http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx?pf=true,
> I have read that server certificates from a non-MS CA must satisfy:
>
> - "They must contain the fully qualified domain name (FQDN) of the
> computer account of the IAS server computer in the Subject Alternative
> Name property."
>
> I have created the certificate so that this property is DNS:<FQDN of the
> server>; this is correctly interpreted in the Windows cert. repository.
>
> - "The cryptographic service provider for the certificates supports
> SChannel."
>
> I have no idea what this means (it is something related to
> schannel.dll) or how it affects the certificate creation. Any clues
> on this? I really see no other errors in the configuration.
>
> Thanks again and best regards,
>
> Rodrigo.
>
> On Apr 7, 2005 1:27 AM, Menicucci, Dan <dan0@pitt.edu> wrote:
> > Hi Rob,
> >
> > We do it with a Verisign certificate. The trusted root needs to be on
> > the client machines and the certificate needs to be installed under
> > the Personal folder of the Computer section of the certificate snapin.
> >
> > Thanks,
> > Dan
> >
> > -----Original Message-----
> > From: Won, Henry # PHX [mailto:henry.won@ndchealth.com]
> > Sent: Wednesday, April 06, 2005 3:13 PM
> > To: Rodrigo Blanco; focus-ms@securityfocus.com
> > Cc: rodrigob@myway.com
> > Subject: RE: PEAP based 802.1x LAN authentication
> >
> > We are using MS CA with IAS and only enhanced key usage listed is
> > server authentication. If I remember correctly the RSA key size had to
> > be 1024 bits long. If it is bigger, try generating a new certificate
> > with 1024 bits instead.
> >
> > -----Original Message-----
> > From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> > Sent: Wednesday, April 06, 2005 8:42 AM
> > To: focus-ms@securityfocus.com
> > Cc: rodrigob@myway.com
> > Subject: PEAP based 802.1x LAN authentication
> >
> > Hello list,
> >
> > I am currently trying to configure an Active Directory (w2K server)
> > both for windows auth and also as RADIUS server (IAS) for LAN 802.1x
> > authentication. I have successfully tried 802.1x with auth methods
> > such as PAP, CHAP... and now am trying to move to PEAP so I can have
> > joint AD/802.1x auth. with a single logon.
> >
> > According to
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx
> > I should install MS CA and generate a certificate for the win2K server
> > acting as AD/IAS.
> >
> > I do not want to use this CA, but openssl instead (XCA, in fact). With
> > this, I have created a certificate with key usage = Server auth and
> > installed both the CA certificate and this certificate through the
> > browser.
> >
> > When I try to configure PEAP in the IAS Dial-in profile, I get an
> > error message stating: "A certificate could not be found that can be
> > used with this Extensible Authentication Protocol". I think some key
> > usage or extended key usage attributes must be missing, or that I have
> > created / installed the certificate wrong, but did not find the
> > problem.
> >
> > Any help or ideas would be more than welcome.
> >
> > Thanks in advance,
> > Rodrigo.
> >
>
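The certificate requirements collected across this thread (a Server Authentication EKU, the IAS server's FQDN as a DNS entry in Subject Alternative Name, an RSA key of the size IAS accepts, and a private key held by a CSP that supports SChannel) can all be produced with plain OpenSSL, without a Microsoft CA. The script below is an added example; it is not code from the thread, from Microsoft or from the XCA project, and the FQDN ias.example.test, the "Lab Root CA" and the export password changeit are constructed values. The last requirement is the one the thread leaves open: when a PKCS#12 file is imported on Windows, the key provider name attribute on the key bag (OID 1.3.6.1.4.1.311.17.1, which OpenSSL prints as "Microsoft CSP Name") tells the importer which CSP should hold the private key, and `openssl pkcs12 -export -CSP` writes it. A certificate installed through the browser carries no such attribute, so the key can end up under a provider that SChannel-based EAP cannot use, which matches the error quoted above. The thread reports 1024-bit keys for the IAS of that era; the key size is a parameter here and the usage line at the bottom passes 2048, which is what any current deployment should use.

```shell
#!/bin/sh
# Added example: build a PEAP server certificate for IAS with OpenSSL and
# check it against the requirements quoted in the thread.
# Constructed values: the FQDN passed in, "Lab Root CA", password "changeit".
set -eu

CSP_NAME="Microsoft RSA SChannel Cryptographic Provider"
PFX_PASS=changeit   # constructed; protect a real export with a proper password

# ias_make_certs FQDN OUTDIR RSA_BITS
# Creates a private CA (stand-in for the XCA-managed CA in the thread), a
# server key and CSR, signs the CSR with the extensions IAS needs, and exports
# key + cert + CA as a PKCS#12 file whose key bag carries the CSP name
# attribute (OID 1.3.6.1.4.1.311.17.1).
ias_make_certs() {
  fqdn=$1; out=$2; bits=$3
  mkdir -p "$out"
  cat > "$out/ias.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = $fqdn
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_ias ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn
EOF
  # 1. Root CA: this is what goes into "Trusted Root CAs (Local Computer)".
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$out/ias.cnf" -extensions v3_ca -subj "/CN=Lab Root CA" \
    -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
  # 2. Server key + CSR; the subject CN is the IAS server's FQDN.
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 -config "$out/ias.cnf" \
    -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
  # 3. Sign with the v3_ias extensions: Server Authentication EKU + DNS SAN.
  openssl x509 -req -in "$out/server.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$out/ias.cnf" -extensions v3_ias \
    -out "$out/server.crt" 2>/dev/null
  # 4. PKCS#12 for import into "Personal (Local Computer)"; -CSP writes the
  #    key provider name attribute so the key lands in an SChannel-capable CSP.
  openssl pkcs12 -export -inkey "$out/server.key" -in "$out/server.crt" \
    -certfile "$out/ca.crt" -name "IAS PEAP server certificate" \
    -CSP "$CSP_NAME" -passout "pass:$PFX_PASS" -out "$out/server.pfx"
}

# ias_check_cert CERT_PEM PFX FQDN RSA_BITS
# Prints "ok" when every requirement quoted in the thread is present,
# otherwise names the first one that is missing and returns 1.
ias_check_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ "$bits" = "$4" ] || { echo "rsa-key-size: got ${bits:-none}, want $4"; return 1; }
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' \
    || { echo "eku: Server Authentication missing"; return 1; }
  printf '%s\n' "$text" | grep -q "DNS:$3" \
    || { echo "san: DNS:$3 missing"; return 1; }
  # The key bag inside the PKCS#12 must carry the CSP name attribute.
  openssl pkcs12 -in "$2" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
    | grep -q "Microsoft CSP Name: $CSP_NAME" \
    || { echo "pkcs12: CSP name attribute (1.3.6.1.4.1.311.17.1) missing"; return 1; }
  echo ok
}

# Usage:  sh ias_peap_cert.sh ias.example.test   (constructed FQDN)
if [ $# -gt 0 ]; then
  dir=$(mktemp -d)
  ias_make_certs "$1" "$dir" 2048
  ias_check_cert "$dir/server.crt" "$dir/server.pfx" "$1" 2048
  echo "files written to $dir"
fi
```

Import server.pfx into the Local Computer Personal store and ca.crt into Trusted Root CAs on the IAS server (and the root on the clients), then re-open the PEAP "Configure..." dialog; the check function is also useful on a certificate that was issued elsewhere, since it reports the first requirement that fails rather than the generic "certificate could not be found" message.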