RE: PEAP based 802.1x LAN authentication

From: Neal (Neal_at_nkdavis.com)
Date: 04/06/05

    Date: Wed, 6 Apr 2005 22:21:10 +0100
    To: "Rodrigo Blanco" <rodrigo.blanco.r@gmail.com>, "Miroslaw Slawek Chorazy" <mchorazy@depaul.edu>
    
    

    Ensure the server cert is in the Personal container in "Certificates -
    (Local Computer)" and not "Certificates - Current User" on the IAS
    server. You can easily copy and paste the cert between stores if it is
    in the wrong one. Also have you ensured the CA Cert is in the Trusted
    Root Certification Authorities store on both the IAS Server and the
    clients?

    Regards

    Neal

    -----Original Message-----
    From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
    Sent: 06 April 2005 17:49
    To: Miroslaw Slawek Chorazy
    Cc: focus-ms@securityfocus.com; rodrigob@myway.com
    Subject: Re: PEAP based 802.1x LAN authentication

    The CA cert is installed in the Trusted Root Certification Authorities.

    I installed the server cert with the "let Windows decide which
    container to install the certificate in". It ended up in Personal.

    On Apr 6, 2005 6:18 PM, Miroslaw Slawek Chorazy <mchorazy@depaul.edu>
    wrote:
    > I'm not sure if you mentioned specifically or not where the certificate
    > that you had obtained ended up being installed at?
    > Is the certificate "sitting" in the right container for the PEAP to find
    > it?
    > Is the certificate in the Computer or User Store?
    >
    > slawek
    >
    > >>> Rodrigo Blanco <rodrigo.blanco.r@gmail.com> 4/6/2005 10:42 >>>
    > Hello list,
    >
    > I am currently trying to configure an Active Directory (w2K server)
    > both for windows auth and also as RADIUS server (IAS) for LAN 802.1x
    > authentication. I have successfully tried 802.1x with auth methods
    > such as PAP, CHAP... and now am trying to move to PEAP so I can have
    > joint AD/802.1x auth. with a single logon.
    >
    > According to
    >
    > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx
    >
    > I should install MS CA and generate a certificate for the win2K server
    > acting as AD/IAS.
    >
    > I do not want to use this CA, but openssl instead (XCA, in fact). With
    > this, I have created a certificate with key usage = Server auth and
    > installed both the CA certificate and this certificate through the
    > browser.
    >
    > When I try to configure PEAP in the IAS Dial-in profile, I get an
    > error message stating: "A certificate could not be found that can be
    > used with this Extensible Authentication Protocol". I think some key
    > usage or extended key usage attributes must be missing, or that I have
    > created / installed the certificate wrong, but did not find the
    > problem.
    >
    > Any help or ideas would be more than welcome.
    >
    > Thanks in advance,
    > Rodrigo.
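Added example, not part of the original thread: a read-only PowerShell audit of the checks discussed above (which Personal store the server certificate is in, whether it carries the Server Authentication EKU, and whether its chain builds to a root the machine trusts). It assumes PowerShell 5 or later on the IAS server; the function name Test-PeapServerCert is hypothetical, and the private-key check is an addition the thread does not mention.

```powershell
# Added example: lists every certificate in the Local Computer and Current User
# "Personal" stores with the properties relevant to a PEAP server certificate.
using namespace System.Security.Cryptography.X509Certificates

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID

function Test-PeapServerCert {          # hypothetical helper name
    param([X509Certificate2]$Cert, [StoreLocation]$Location)

    # Collect the EKU purpose OIDs; the extension may be absent entirely.
    $eku = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [X509EnhancedKeyUsageExtension]) {
            $eku += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }

    # Build the chain in machine context, so a CA certificate trusted only
    # for the current user does not count as trusted.
    $chain = [X509Chain]::new($true)
    # A private CA may publish no CRL; skip revocation so the result shows trust only.
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)

    [pscustomobject]@{
        Store         = "$Location\My"
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        HasServerAuth = ($eku -contains $ServerAuthOid)
        ChainsToRoot  = $trusted
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$report = foreach ($loc in @([StoreLocation]::LocalMachine, [StoreLocation]::CurrentUser)) {
    $store = [X509Store]::new([StoreName]::My, $loc)
    $store.Open([OpenFlags]::ReadOnly)
    try     { foreach ($c in $store.Certificates) { Test-PeapServerCert -Cert $c -Location $loc } }
    finally { $store.Close() }
}

$report | Format-Table Store, Subject, HasPrivateKey, HasServerAuth, ChainsToRoot, ChainErrors -AutoSize
```

A server certificate that shows up only under CurrentUser\My is in the wrong store, which is the case Neal describes; ChainsToRoot is False when the CA certificate is missing from the machine's Trusted Root Certification Authorities store.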
    
