Re: Non-domain Cert-based 802.1x using IAS

From: Jan Spooren (jspooren_at_nospam.nospam)
Date: 11/16/05

Date: Wed, 16 Nov 2005 08:59:21 +0100

Hi Lee,

> Yet another 802.1x question... but should be an easy one.
>
> Is it possible to successfully authenticate an 802.1x supplicant with a
> computer certificate, using IAS, that is not on the same domain as the IAS
> server? Or not on a domain at all? I haven't found a way to do it yet.
>
> Thanks for any help.

It's not an easy question and I have some good and some bad news.
The good news is that it can be done! I've got a setup running with a
Belkin WiFi router as base station, IAS, Windows Server 2003 in stand-alone
mode and a Windows XP Pro client in stand-alone mode too.
The bad news is that it takes a lot of fiddling around, and I cannot give
you a good description on how to do it.

This is more or less what I did:

- On the W2K3 server I set up Microsoft Certificate Services and IAS.
- I created a Radius Client for the Belkin WiFi Router in IAS
(Client-Vendor: Radius Standard)
- Created a remote access policy with EAP method PEAP and MS-CHAP2.
- Created a certificate for the client computer and installed it on the
client computer.
- On the client computer, at one point in time I had to select the
certificate but also provide credentials of a W2K3 server user account.

Then the whole thing did not work when using TKIP encryption. When, as a
last resort (after days of fiddling around), I changed the encryption to AES
(which, to my surprise, was supported by the Belkin WiFi router) it suddenly
worked. What the encryption had to do with it is beyond my understanding.

So there you are: it can be done, but the plethora of settings and
options, both on the server, the WiFi router and the client computer, make it
hell to configure, and when it works, I had no clue anyway why it actually
did. :-)

Good luck!
   Jan.
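One piece of the setup above that is easy to get subtly wrong is the RADIUS client entry in IAS: the access point and IAS share a secret, and that secret is what authenticates the EAP traffic between them. The example below is an added illustration, not code from Jan or from IAS: it builds an Access-Request carrying an EAP-Message with the Message-Authenticator HMAC (RFC 2869/3579) and an Access-Accept with the Response Authenticator (RFC 2865), then checks both the way a RADIUS server and a NAS respectively would. The shared secret, the NAS address 192.0.2.10, the user name and the EAP payload are all constructed values for the demonstration; the response omits the Message-Authenticator that a real EAP-carrying reply must also include.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80


def attr(attr_type, value):
    # RADIUS attribute TLV: type (1 byte), length including the 2-byte header, value
    return bytes([attr_type, len(value) + 2]) + value


def build_packet(code, ident, authenticator, attrs):
    # 20-byte header: code, identifier, total length, 16-byte authenticator
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(secret, ident, request_auth, user, eap_payload):
    """Access-Request as a NAS sends it to the RADIUS server (constructed NAS address)."""
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_NAS_IP, bytes([192, 0, 2, 10]))
             + attr(ATTR_EAP_MESSAGE, eap_payload))
    # Message-Authenticator is HMAC-MD5 over the whole packet with its own
    # value set to 16 zero bytes (RFC 2869 section 5.14); mandatory with EAP-Message.
    with_placeholder = build_packet(ACCESS_REQUEST, ident, request_auth,
                                    attrs + attr(ATTR_MSG_AUTH, bytes(16)))
    mac = hmac.new(secret, with_placeholder, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs + attr(ATTR_MSG_AUTH, mac))


def verify_message_authenticator(secret, pkt):
    """Server-side check: reject a request whose HMAC does not match the shared secret."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    authenticator, attrs = pkt[4:20], pkt[20:length]
    rebuilt, received, i = b"", None, 0
    while i < len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            return False                      # malformed attribute list
        if attr_type == ATTR_MSG_AUTH:
            if received is not None or attr_len != 18:
                return False                  # duplicate or wrong-sized authenticator
            received = attrs[i + 2:i + attr_len]
            rebuilt += attrs[i:i + 2] + bytes(16)   # zero the value for recomputation
        else:
            rebuilt += attrs[i:i + attr_len]
        i += attr_len
    if received is None:
        return False                          # EAP requests without it must be dropped
    expected = hmac.new(secret, build_packet(code, ident, authenticator, rebuilt),
                        hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def build_response(secret, code, ident, request_auth, attrs):
    """Access-Accept/Reject with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret, response, request_auth):
    """NAS-side check: only a server holding the secret can produce a valid Accept."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    attrs = response[20:length]
    expected = hashlib.md5(response[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    """Deterministic walk-through with a constructed secret and request authenticator."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))           # a real NAS uses 16 random bytes
    eap_identity = b"\x02\x01\x00\x08\x01abc"  # EAP Response/Identity, identity "abc"
    req = build_access_request(secret, 7, request_auth, b"host/labclient", eap_identity)
    tampered = req.replace(b"labclient", b"labclienx")   # same length, altered contents
    resp = build_response(secret, ACCESS_ACCEPT, 7, request_auth, b"")
    return {
        "request_ok": verify_message_authenticator(secret, req),
        "request_wrong_secret": verify_message_authenticator(b"other-secret", req),
        "request_tampered": verify_message_authenticator(secret, tampered),
        "accept_ok": verify_response(secret, resp, request_auth),
        "accept_wrong_secret": verify_response(b"other-secret", resp, request_auth),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The checks mirror what a mismatched or mistyped shared secret produces in practice: IAS discards the Access-Request (an event log entry, no response) and the client never sees a reply, which looks indistinguishable from a broken certificate configuration until the secret on both sides is compared.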
