RE: PEAP based 802.1x LAN authentication

From: Neal (Neal_at_nkdavis.com)
Date: 04/06/05

    Date: Wed, 6 Apr 2005 22:21:10 +0100
    To: "Rodrigo Blanco" <rodrigo.blanco.r@gmail.com>, "Miroslaw Slawek Chorazy" <mchorazy@depaul.edu>
    
    

    Ensure the server cert is in the Personal container in "Certificates -
    (Local Computer)" and not "Certificates - Current User" on the IAS
    server. You can easily copy and paste the cert between stores if it is
    in the wrong one. Also have you ensured the CA Cert is in the Trusted
    Root Certification Authorities store on both the IAS Server and the
    clients?

    Regards

    Neal

    -----Original Message-----
    From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
    Sent: 06 April 2005 17:49
    To: Miroslaw Slawek Chorazy
    Cc: focus-ms@securityfocus.com; rodrigob@myway.com
    Subject: Re: PEAP based 802.1x LAN authentication

    The CA cert is installed in the Trusted Root Certification Authorities.

    I installed the server cert with the "let Windows decide which
    container to install the certificate in". It ended up in Personal.

    On Apr 6, 2005 6:18 PM, Miroslaw Slawek Chorazy <mchorazy@depaul.edu>
    wrote:
    > I'm not sure if you mentioned specifically or not where the certificate
    > that you had obtained ended up being installed at?
    > Is the certificate "sitting" in the right container for the PEAP to find
    > it?
    > Is the certificate in the Computer or User Store?
    >
    > slawek
    >
    > >>> Rodrigo Blanco <rodrigo.blanco.r@gmail.com> 4/6/2005 10:42 >>>
    > Hello list,
    >
    > I am currently trying to configure an Active Directory (w2K server)
    > both for windows auth and also as RADIUS server (IAS) for LAN 802.1x
    > authentication. I have successfully tried 802.1x with auth methods
    > such as PAP, CHAP... and now am trying to move to PEAP so I can have
    > joint AD/802.1x auth. with a single logon.
    >
    > According to
    >
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx
    >
    > I should install MS CA and generate a certificate for the win2K server
    > acting as AD/IAS.
    >
    > I do not want to use this CA, but openssl instead (XCA, in fact). With
    > this, I have created a certificate with key usage = Server auth and
    > installed both the CA certificate and this certificate through the
    > browser.
    >
    > When I try to configure PEAP in the IAS Dial-in profile, I get an
    > error message stating: "A certificate could not be found that can be
    > used with this Extensible Authentication Protocol". I think some key
    > usage or extended key usage attributes must be missing, or that I have
    > created / installed the certificate wrong, but did not find the
    > problem.
    >
    > Any help or ideas would be more than welcome.
    >
    > Thanks in advance,
    > Rodrigo.
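The placement checks raised in this thread (server certificate in the Local Computer Personal store rather than Current User, CA certificate in the machine's Trusted Root store, Server Authentication usage on the certificate), as an added example that is not part of the original messages. It assumes a Windows server with PowerShell and its `Cert:` drive, which the Windows 2000 server in the thread predates; the function name `Get-ServerAuthCandidate` is hypothetical, and the private-key and expiry columns are extra checks not raised by the posters.

```powershell
# Added example: audits the certificate placement discussed in the thread.
# Run from an elevated session on the RADIUS (IAS/NPS) server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication EKU)

function Get-ServerAuthCandidate {
    param([Parameter(Mandatory)][string]$StorePath)

    # CA certificates the machine (not the logged-on user) trusts as roots.
    $roots = @(Get-ChildItem -Path 'Cert:\LocalMachine\Root')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # EKU OIDs on the certificate; empty when there is no EKU extension.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        [pscustomobject]@{
            Store         = $StorePath
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey          # extra check, not from the thread
            ServerAuthEku = ($ekuOids -contains $serverAuthOid)
            # Simplification: assumes the server cert is issued directly by the
            # root CA, so the issuer name must match a root's subject name.
            IssuerInRoot  = [bool]($roots | Where-Object { $_.Subject -eq $cert.Issuer })
        }
    }
}

# "Certificates - (Local Computer)" Personal vs "Certificates - Current User" Personal.
$machine = @(Get-ServerAuthCandidate -StorePath 'Cert:\LocalMachine\My')
$user    = @(Get-ServerAuthCandidate -StorePath 'Cert:\CurrentUser\My')

($machine + $user) |
    Format-Table Store, Subject, Expired, HasPrivateKey, ServerAuthEku, IssuerInRoot -AutoSize

# Flag server-auth certificates that exist only in the user store.
$misplaced = @($user | Where-Object {
    $_.ServerAuthEku -and ($machine.Thumbprint -notcontains $_.Thumbprint)
})
foreach ($m in $misplaced) {
    Write-Warning "Server-auth cert '$($m.Subject)' is only in the Current User store."
}
```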
    
