Re: Certificate Services

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 05/20/05


Date: Thu, 19 May 2005 19:55:45 -0500

Does your IAS server have a certificate? The client may not necessarily be
prompted for a certificate if it trusts the certificate that the IAS server
has. You can use the MMC snap-in for certificates for the computer to view
certificates on a computer. The link below has more details. The IAS
certificate is used to create the secure TLS connection in a way very
similar to when you visit a secure website. --- Steve

http://www.microsoft.com/technet/community/columns/cableguy/cg0702.mspx

PEAP with MS-CHAP v2 requires certificates on the IAS servers but not on the
wireless clients. IAS servers must have a certificate installed in their
Local Computer certificate store. Instead of deploying a PKI, you can
purchase individual certificates from a third-party CA to install on your
IAS servers. To ensure that wireless clients can validate the IAS server
certificate chain, the root CA certificate of the CA that issued the IAS
server certificates must be installed on each wireless client.

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:3FA384C0-B00F-4CC4-A02B-68A73104D718@microsoft.com...
> Well, that's funny. I did my setup on a test environment using a Win2K Server
> running DNS, DHCP, IAS and also installed Microsoft server CA. Another
> machine running Win2K Server running Microsoft ISA Server 2000. A wireless
> AP using WPA-RADIUS using PEAP-MS-CHAPV2. Then I use a Win2K Pro laptop and
> connect wirelessly via the AP using PEAP-MS-CHAPV2. No prompt to ask me for
> certification, just username and password. I'm in.
> As far as I understood, if I use EAP-TLS, that is when I need certificates
> because TLS requires machine authentication.
>
> "Steven L Umbach" wrote:
>
>> Yes. For PEAP only the IAS/radius server needs a certificate and the client
>> computers need to trust the CA that issued the certificate. If you have not
>> seen the link below yet it is a pretty good read on 802.1X that takes you
>> step by step through setting it up in a test lab. --- Steve
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:FC3CD3BA-6EA5-4795-8AF7-1348C7E5E302@microsoft.com...
>> > Let me get this right.....only the IAS/RADIUS server requires the certificate
>> > but not the wireless AP, user or other computer correct?
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> PEAP still requires that the IAS/radius server have a certificate, though
>> >> you could buy one from a third party if you want. --- Steve
>> >>
>> >>
>> >> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> >> news:B4D34D1A-09C8-4B68-9B45-B9FC1CB93346@microsoft.com...
>> >> > Implementing WPA with RADIUS doesn't mean you HAVE TO install Certificate
>> >> > services, unless you are implementing EAP-TLS. You can always use
>> >> > PEAP-MS-CHAPV2 which will require username and password instead.
>> >> >
>> >> > "Dan" wrote:
>> >> >
>> >> >> Hi all,
>> >> >>
>> >> >> I plan to implement WPA using a RADIUS server. To do this I must install
>> >> >> certificate services on a server. Is there an "outside" security risk by
>> >> >> doing this? If so what are the best steps of precaution when installing
>> >> >> certificate services on Windows Server 2003?
>> >> >> --
>> >> >> Thanks,
>> >> >>
>> >> >> Dan
>> >>
>> >>
>> >>
>>
>>
>>
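
The check described in this thread (the IAS server holds a certificate in its Local Computer store, and clients must trust the root that issued it) can be scripted. The following is an added example, not part of the original posts; it assumes it is run on the RADIUS server with PowerShell 3.0 or later, and the property names in the output object are this example's own.

```powershell
# Added example: audit the Local Computer "Personal" store for certificates
# that could serve as the PEAP server certificate, and report the root CA
# that every wireless client must have in its Trusted Root store.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Look for an explicit Server Authentication purpose in the EKU extension.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasServerAuth = $ekuOids -contains $serverAuthOid

    # Build the chain using this machine's certificate stores (revocation not checked here).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # The last chain element is the root (or the highest certificate found).
    $rootSubject = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ServerAuthEku = $hasServerAuth
        ChainTrusted  = $chainOk
        RootSubject   = $rootSubject
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
} | Format-List
```

A usable candidate shows `HasPrivateKey`, `InValidity`, `ServerAuthEku` and `ChainTrusted` all true. `ChainTrusted` reflects the server's own trust stores only, so the `RootSubject` it reports still has to be present under `Cert:\LocalMachine\Root` on each wireless client.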