RE: PEAP based 802.1x LAN authentication
From: Menicucci, Dan (dan0_at_pitt.edu)
Date: 04/07/05
- Previous message: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
- Maybe in reply to: Rodrigo Blanco: "PEAP based 802.1x LAN authentication"
- Next in thread: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
- Reply: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 7 Apr 2005 07:54:47 -0400 To: "Rodrigo Blanco" <rodrigo.blanco.r@gmail.com>
Check this next.
In the IAS snapin, under Remote Access Policies click on the Policy you
created to authenticate your users via PEAP. Hit Edit Profile,
Authentication, EAP Methods. Do you have PEAP added here? If so, hit
edit and make sure the certificate that you want to use is selected.
Thanks,
Dan
-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Thursday, April 07, 2005 5:30 AM
To: Menicucci, Dan
Cc: focus-ms@securityfocus.com
Subject: Re: PEAP based 802.1x LAN authentication
Hello again,
I have checked:
- that the RSA key is 1024 bits long : OK
- that the usage "Server auth" : OK
- the server certificate is now stored in "Personal (Local Computer)"
(it has a corresponding private key) and the CA certificate is installed
on "Trusted Root CAs (Local Computer)". : OK
It still does give the same error message. :-/
In
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.msp
x?pf=true,
I have read that server certificates from a non-MS CA must accomplish:
- "They must contain the fully qualified domain name (FQDN) of the
computer account of the IAS server computer in the Subject Alternative
Name property.".
I have created the certificate so that this property is DNS:<FQDN of the
server> this is correctly interpreted on Windows cert. repository.
- "The cryptographic service provider for the certificates supports
SChannel."
I have no idea what this means (it is something related to the
schannel.dll) and how it affects to the certificate creation. Any clues
on this? I really see no other errors in the configuration.
Thanks again and best regards,
Rodrigo.
On Apr 7, 2005 1:27 AM, Menicucci, Dan <dan0@pitt.edu> wrote:
> Hi Rob,
>
> We do it wih a Verisign certificate. The trusted root needs to be on
> the client machines and the certificate needs to be installed under
> the Personal folder of the Computer section of the certificate snapin.
>
> Thanks,
> Dan
>
> -----Original Message-----
> From: Won, Henry # PHX [mailto:henry.won@ndchealth.com]
> Sent: Wednesday, April 06, 2005 3:13 PM
> To: Rodrigo Blanco; focus-ms@securityfocus.com
> Cc: rodrigob@myway.com
> Subject: RE: PEAP based 802.1x LAN authentication
>
> We are using MS CA with IAS and only enhanced key usage listed is
> server authentication. If I remember correctly the RSA key size had to
> be 1024 bits long. If it is bigger, try generating a new certificate
> with 1024 bits instead.
>
> -----Original Message-----
> From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> Sent: Wednesday, April 06, 2005 8:42 AM
> To: focus-ms@securityfocus.com
> Cc: rodrigob@myway.com
> Subject: PEAP based 802.1x LAN authentication
>
> Hello list,
>
> I am currently trying to configure an Active Directory (w2K server)
> both for windows auth and also as RADIUS server (IAS) for LAN 802.1x
> authentication. I have successfully tried 802.1x with auth methods
> such as PAP, CHAP... and now am trying to move to PEAP so I can have
> joint AD/802.1x auth. with a single logon.
>
> According to
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library
> /S erverHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx
> I should install MS CA and generate a certificate for the win2K server
> acting as AD/IAS.
>
> I do not want to use this CA, but openssl instead (XCA, in fact). With
> this, I have created a certificate with key usage = Server auth and
> installed both the CA certificate and this certificate through the
> browser.
>
> When I try to configure PEAP in the IAS Dial-in profile, I get an
> error message stating: "A certificate could not be found that can be
> used with this Extensible Authentication Protocol". I think some key
> usage or extended key usage attributes must be missing, or that I have
> created / installed the certificate wrong, but did not find the
problem.
>
> Any help or ideas would be more than welcome.
>
> Thanks in advance,
> Rodrigo.
>
> ----------------------------------------------------------------------
> --
> ---
> ----------------------------------------------------------------------
> --
> ---
>
> This E-mail message is for the sole use of the intended recipient(s)
> and may contain confidential and privileged information. Any
> unauthorized review, use, disclosure or distribution is prohibited.
> If you are not the intended recipient, please contact the sender by
> reply E-mail, and destroy all copies of the original message.
>
> ----------------------------------------------------------------------
> --
> ---
> ----------------------------------------------------------------------
> --
> ---
>
>
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
- Maybe in reply to: Rodrigo Blanco: "PEAP based 802.1x LAN authentication"
- Next in thread: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
- Reply: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
