Re: PEAP based 802.1x LAN authentication
From: Rodrigo Blanco (rodrigo.blanco.r_at_gmail.com)
Date: 04/07/05
- Previous message: Menicucci, Dan: "RE: PEAP based 802.1x LAN authentication"
- Maybe in reply to: Rodrigo Blanco: "PEAP based 802.1x LAN authentication"
- Next in thread: Menicucci, Dan: "RE: PEAP based 802.1x LAN authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 7 Apr 2005 12:26:11 +0200
To: focus-ms@securityfocus.com
Regarding schannel and CSP, I have found out that it corresponds to
the attribute 1.3.6.1.4.1.311.17.1. Is this to be included in the
certificate creation / request? Does it appear in the properties of
the certificates which are working with IAS?
Regards,
Rodrigo.
On Apr 7, 2005 11:30 AM, Rodrigo Blanco <rodrigo.blanco.r@gmail.com> wrote:
> Hello again,
>
> I have checked:
>
> - that the RSA key is 1024 bits long : OK
> - that the usage "Server auth" : OK
> - the server certificate is now stored in "Personal (Local Computer)"
> (it has a corresponding private key) and the CA certificate is
> installed on "Trusted Root CAs (Local Computer)". : OK
>
> It still does give the same error message. :-/
>
> In http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx?pf=true,
> I have read that server certificates from a non-MS CA must accomplish:
>
> - "They must contain the fully qualified domain name (FQDN) of the
> computer account of the IAS server computer in the Subject Alternative
> Name property.".
>
> I have created the certificate so that this property is DNS:<FQDN of
> the server>; this is correctly interpreted in the Windows cert. repository.
>
> - "The cryptographic service provider for the certificates supports SChannel."
>
> I have no idea what this means (it is something related to the
> schannel.dll) and how it affects the certificate creation. Any
> clues on this? I really see no other errors in the configuration.
>
> Thanks again and best regards,
>
> Rodrigo.
>
> On Apr 7, 2005 1:27 AM, Menicucci, Dan <dan0@pitt.edu> wrote:
> > Hi Rob,
> >
> > We do it with a Verisign certificate. The trusted root needs to be on
> > the client machines and the certificate needs to be installed under the
> > Personal folder of the Computer section of the certificate snapin.
> >
> > Thanks,
> > Dan
> >
> > -----Original Message-----
> > From: Won, Henry # PHX [mailto:henry.won@ndchealth.com]
> > Sent: Wednesday, April 06, 2005 3:13 PM
> > To: Rodrigo Blanco; focus-ms@securityfocus.com
> > Cc: rodrigob@myway.com
> > Subject: RE: PEAP based 802.1x LAN authentication
> >
> > We are using MS CA with IAS and only enhanced key usage listed is server
> > authentication. If I remember correctly the RSA key size had to be 1024
> > bits long. If it is bigger, try generating a new certificate with 1024
> > bits instead.
> >
> > -----Original Message-----
> > From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> > Sent: Wednesday, April 06, 2005 8:42 AM
> > To: focus-ms@securityfocus.com
> > Cc: rodrigob@myway.com
> > Subject: PEAP based 802.1x LAN authentication
> >
> > Hello list,
> >
> > I am currently trying to configure an Active Directory (w2K server) both
> > for windows auth and also as RADIUS server (IAS) for LAN 802.1x
> > authentication. I have successfully tried 802.1x with auth methods such
> > as PAP, CHAP... and now am trying to move to PEAP so I can have joint
> > AD/802.1x auth. with a single logon.
> >
> > According to
> > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx
> > I should install MS CA and generate a certificate for the win2K server
> > acting as AD/IAS.
> >
> > I do not want to use this CA, but openssl instead (XCA, in fact). With
> > this, I have created a certificate with key usage = Server auth and
> > installed both the CA certificate and this certificate through the
> > browser.
> >
> > When I try to configure PEAP in the IAS Dial-in profile, I get an error
> > message stating: "A certificate could not be found that can be used with
> > this Extensible Authentication Protocol". I think some key usage or
> > extended key usage attributes must be missing, or that I have created /
> > installed the certificate wrong, but did not find the problem.
> >
> > Any help or ideas would be more than welcome.
> >
> > Thanks in advance,
> > Rodrigo.
> >
>
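
Added example, not part of the original thread: a PowerShell check that reports, for every certificate in the "Personal (Local Computer)" store, the properties discussed in the messages above (private key present, Server Authentication usage, server FQDN in the Subject Alternative Name, RSA key size, and the name of the CSP holding the key). The function name Test-IasServerCert and the default FQDN lookup are assumptions; it is written for Windows PowerShell 5.1, run elevated on the IAS server.

```powershell
# Added example (not from the thread). Test-IasServerCert is a hypothetical helper name.
# Run elevated on the IAS server so the machine private keys can be opened.
function Test-IasServerCert {
    param(
        # Assumption: the server FQDN is what DNS returns for the local computer name.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth ("Server Authentication")
    $sanOid        = '2.5.29.17'           # subjectAltName extension

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Enhanced Key Usage: collect the OIDs listed in the EKU extension, if present.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOids = @()
        if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # Subject Alternative Name: look for the FQDN as a complete entry value.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $sanHasFqdn = $sanText -match ('=' + [regex]::Escape($Fqdn) + '(,|\s|$)')

        # RSA public key size in bits ($null for non-RSA certificates).
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $bits = if ($rsa) { $rsa.KeySize } else { $null }

        # Name of the CSP that holds the private key (the SChannel requirement quoted
        # in the thread is about this provider). CNG-only keys have no CSP entry.
        $provider = $null
        if ($cert.HasPrivateKey) {
            try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName }
            catch { $provider = 'unreadable (not a CSP key or access denied)' }
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $ekuOids -contains $serverAuthOid
            SanHasFqdn    = $sanHasFqdn
            RsaKeyBits    = $bits
            CspName       = $provider
        }
    }
}

Test-IasServerCert | Format-List
```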