Re: Enterprise CA and RADIUS authentication

From: Patrick (Patrick_at_discussions.microsoft.com)
Date: 04/25/05


Date: Mon, 25 Apr 2005 02:30:03 -0700

Hi Steven,

First of all, thank you for your post.

My Win2K3 server runs Exchange 2K3 - therefore I do not wish to add any
other services on to it. However, since I am planning to use https with OWA it
probably makes sense to install Enterprise CA on the Win2K3 server and keep
RADIUS on Win 2K server - Isn't it?

Anyway, I looked at the lab exercise you pointed at and it is aimed at
Win2K3 implementation - at this moment I am not planning for issuing
certificates for IIS and Exchange side of things running on Win2K3 server.

ALL I need is to authenticate the wireless clients ONLY. I do not see
EAP-TLS as an option in Windows XP - it is either PEAP or SmartCard.

What I have done is this - I have configured my test Wireless Client (a
notebook computer) with "Open" network Authentication and with WEP (and I
have keyed in the network key rather than ticking "The key is provided for me
automatically" checkbox).

When I try to authenticate with Windows AD credentials (username and
password), I can see the following in the server Event Log:
"Because no certificate has been configured for clients dialing in with
EAP-TLS, a default certificate is being sent to user ad-micrrh\administrator.
Please go to the user's Remote Access Policy and configure the Extensible
Authentication Protocol (EAP)."

and then followed by the Event:
"Could not retrieve the Remote Access Server's certificate due to the
following error: Cannot find object or property."

TIA

Patrick
 

"Steven L Umbach" wrote:

> First off if you can install an Enterprise CA on a Windows 2003 Enterprise
> edition of server, then you can take advantage of version 2 certificate
> templates and autoenrollment for both user and computer certificates for XP
> Pro/2003 clients.
>
> When you use IAS/radius for wireless 802.1X authentication, the IAS/radius
> server will need a computer certificate and the computer and user clients
> will need certificates only if using EAP-TLS or if using smart
> card/certificate user authentication. If using PEAP for the clients they do
> not require certificates. The first link below is a great lab exercise on
> 802.1X wireless and goes into details on PKI/certificates. --- Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
> http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
>
> "Patrick" <Patrick@discussions.microsoft.com> wrote in message
> news:19192E08-1D58-4BF0-BCF0-738D93DC348D@microsoft.com...
> > Hi All,
> >
> > I need to authenticate wireless clients through RADIUS which I have set up on
> > a Win2K (with SP4). I guess I need to set up a CA for this purpose. Our domain
> > (in native mode) is running with 2 DCs (one Win2K and the other Win 2K3). I
> > have installed RADIUS on the Win2K DC. When I install an Enterprise CA on
> > Win2K server, does that mean all communications with the Win2K3 server require
> > certificates as well? All I want is ONLY to authenticate the wireless clients.
> >
> > TIA
> >
> > Patrick
>
>
>


