Re: PEAP based 802.1x LAN authentication
From: Rodrigo Blanco (rodrigo.blanco.r_at_gmail.com)
Date: 04/07/05
- Previous message: Rui Francisco: "Re: PEAP based 802.1x LAN authentication"
- In reply to: Menicucci, Dan: "RE: PEAP based 802.1x LAN authentication"
- Next in thread: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
- Reply: Rodrigo Blanco: "Re: PEAP based 802.1x LAN authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 7 Apr 2005 11:30:08 +0200
To: "Menicucci, Dan" <dan0@pitt.edu>
Hello again,
I have checked:
- that the RSA key is 1024 bits long : OK
- that the usage is "Server auth" : OK
- the server certificate is now stored in "Personal (Local Computer)"
(it has a corresponding private key) and the CA certificate is
installed on "Trusted Root CAs (Local Computer)". : OK
It still gives the same error message. :-/
In http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx?pf=true,
I have read that server certificates from a non-MS CA must satisfy the following:
- "They must contain the fully qualified domain name (FQDN) of the
computer account of the IAS server computer in the Subject Alternative
Name property."
I have created the certificate so that this property is DNS:<FQDN of
the server>; this is correctly interpreted in the Windows certificate repository.
- "The cryptographic service provider for the certificates supports SChannel."
I have no idea what this means (it is something related to
schannel.dll) or how it affects the certificate creation. Any
clues on this? I really see no other errors in the configuration.
Thanks again and best regards,
Rodrigo.
On Apr 7, 2005 1:27 AM, Menicucci, Dan <dan0@pitt.edu> wrote:
> Hi Rob,
>
> We do it with a Verisign certificate. The trusted root needs to be on
> the client machines and the certificate needs to be installed under the
> Personal folder of the Computer section of the certificate snapin.
>
> Thanks,
> Dan
>
> -----Original Message-----
> From: Won, Henry # PHX [mailto:henry.won@ndchealth.com]
> Sent: Wednesday, April 06, 2005 3:13 PM
> To: Rodrigo Blanco; focus-ms@securityfocus.com
> Cc: rodrigob@myway.com
> Subject: RE: PEAP based 802.1x LAN authentication
>
> We are using MS CA with IAS and the only enhanced key usage listed is server
> authentication. If I remember correctly the RSA key size had to be 1024
> bits long. If it is bigger, try generating a new certificate with 1024
> bits instead.
>
> -----Original Message-----
> From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> Sent: Wednesday, April 06, 2005 8:42 AM
> To: focus-ms@securityfocus.com
> Cc: rodrigob@myway.com
> Subject: PEAP based 802.1x LAN authentication
>
> Hello list,
>
> I am currently trying to configure an Active Directory (w2K server) both
> for windows auth and also as RADIUS server (IAS) for LAN 802.1x
> authentication. I have successfully tried 802.1x with auth methods such
> as PAP, CHAP... and now am trying to move to PEAP so I can have joint
> AD/802.1x auth. with a single logon.
>
> According to
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx
> I should install MS CA and generate a certificate for the win2K server
> acting as AD/IAS.
>
> I do not want to use this CA, but openssl instead (XCA, in fact). With
> this, I have created a certificate with key usage = Server auth and
> installed both the CA certificate and this certificate through the
> browser.
>
> When I try to configure PEAP in the IAS Dial-in profile, I get an error
> message stating: "A certificate could not be found that can be used with
> this Extensible Authentication Protocol". I think some key usage or
> extended key usage attributes must be missing, or that I have created /
> installed the certificate wrong, but did not find the problem.
>
> Any help or ideas would be more than welcome.
>
> Thanks in advance,
> Rodrigo.
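The requirements discussed in this thread (RSA key length, Extended Key Usage = Server Authentication, and a Subject Alternative Name carrying the IAS server's DNS FQDN) can be produced and verified with openssl alone. The script below is an added example and is not from any of the posters; the FQDN "ias01.example.local" and the working directory are assumptions, and the 1024-bit default follows what the thread reports for IAS of that era.

```sh
#!/bin/sh
# Added example: build a CA plus an IAS/PEAP server certificate with openssl and
# check the certificate for the properties this thread says IAS looks for.
set -e
FQDN="${FQDN:-ias01.example.local}"   # assumed; use the IAS server's real FQDN
WORK="${WORK:-$(mktemp -d)}"          # assumed scratch directory
KEYBITS="${KEYBITS:-1024}"            # the thread reports IAS wanted 1024-bit RSA

make_certs() {
  # Private CA (self-signed); this is what goes into "Trusted Root CAs (Local Computer)"
  openssl req -x509 -newkey "rsa:$KEYBITS" -nodes -days 3650 \
    -subj "/CN=Example Lab CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # Server key and CSR; the key pair is what "Personal (Local Computer)" must hold
  openssl req -new -newkey "rsa:$KEYBITS" -nodes \
    -subj "/CN=$FQDN" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # Extensions from the MS document: SAN with the DNS FQDN and EKU = Server Authentication
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$FQDN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$WORK/server.pem" >/dev/null 2>&1
}

# check_cert <cert.pem> <fqdn> <bits>: prints each missing property, returns 1 if any is missing
check_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  ok=0
  echo "$txt" | grep -q "DNS:$2"                          || { echo "missing SAN DNS:$2"; ok=1; }
  echo "$txt" | grep -q "TLS Web Server Authentication"   || { echo "missing EKU serverAuth"; ok=1; }
  echo "$txt" | grep -q "Public-Key: ($3 bit)"            || { echo "RSA key is not $3 bits"; ok=1; }
  return $ok
}

make_certs
check_cert "$WORK/server.pem" "$FQDN" "$KEYBITS" && echo "server.pem meets the PEAP requirements"
```

Run `check_cert` against a certificate exported from the Windows store (PEM) to see which of the three properties is absent before touching IAS again.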