How to implement PEAP-EAP-TLS authentication?

Archived from groups: microsoft.public.windows.networking.wireless

I always use PEAP-EAP-MSCHAPv2 on my Windows 2003 IAS for wireless
authentication.

I already have a two-tier CA infrastructure, and my clients all have
certificates for workstation, user and IPSec authentication. No Smart Cards
yet.

How do I go about getting the IAS/RADIUS server to recognize my workstation
on my client? Right now it rejects the request; only MSCHAPv2 works. How
do I make use of my existing certificates for WLAN authentication?

Thanks in advance.

Ed
  1.

    http://www.microsoft.com/wifi has some info

    http://www.microsoft.com/vpn may be helpful too.

    Basically, it's the same as PEAP except:

    1. each user must have a valid certificate for user auth
    2. each machine must have a valid certificate for machine auth
    3. you must enable EAP-TLS in the IAS policy
    4. you must set the client to use EAP-TLS
    5. the IAS server must have valid certs (server certs)

    By "valid" I mean that the certs chain properly and that the CA certs needed
    for validation are present. EAP-TLS is cert-based, so properly deploying it
    is more of a PKI-thing.

    If your certs are standard issue from a Windows-based CA, it should be
    usable for wireless and it should all work smoothly - same as PEAP.
    Certificates are best for domain-joined machines - if you have machines in
    other domains or workgroup machines you'll probably still want to use PEAP.

    If you can be more specific about what happens when the request is rejected,
    I can give you more specific solutions. Does IAS just deny authentication or
    does it drop the packets or something?

    There is also a microsoft.public.internet.radius newsgroup that might help
    you answer IAS questions.

    --
    Standard Disclaimers -
    This posting is provided "AS IS" with no warranties,
    and confers no rights. Please do not send e-mail directly
    to this alias. This alias is for newsgroup purposes only.

  2.

    I have a valid workstation certificate, as well as a user certificate issued
    by a Windows 2003 enterprise subordinate CA. I verified this on my client
    via mmc->certificates->personal.

    From windump packet logs, it rejects the request when I set up for
    PEAP-EAP-TLS. On both XP wireless setup and IAS, the server certificate
    used is the enterprise sub CA. Since my IPSec works with certificate
    authentication, I know my certificates are valid. Autoenrollment is set for
    Workstation, Computer, and User certificates in GPO.

    Ed

  3.

    My computer authentication request via cert worked fine, but user auth
    failed, see below:

    __________________________________________________________________________________________________________________________

    Event Type: Information
    Event Source: IAS
    Event Category: None
    Event ID: 1
    Date: 5/6/2005
    Time: 2:02:59 PM
    User: N/A
    Computer: BLACKDOG
    Description:
    User host/eraylap.mmicmanhomenet.local was granted access.
    Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/ERAYLAP
    NAS-IP-Address = 192.168.1.254
    NAS-Identifier = 0012177af760
    Client-Friendly-Name = hunglikethor
    Client-IP-Address = 192.168.1.254
    Calling-Station-Identifier = 0012173570c2
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 7
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Computers
    Authentication-Type = PEAP
    EAP-Type = Smart Card or other certificate

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....


    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 5/6/2005
    Time: 1:57:48 PM
    User: N/A
    Computer: BLACKDOG
    Description:
    User ewray0967@mmicmanhomenet.local was denied access.
    Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/Edward
    W. Ray
    NAS-IP-Address = 192.168.1.254
    NAS-Identifier = 0012177af760
    Called-Station-Identifier = 0012177af760
    Calling-Station-Identifier = 0012173570c2
    Client-Friendly-Name = hunglikethor
    Client-IP-Address = 192.168.1.254
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 7
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Users
    Authentication-Type = PEAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 73
    Reason = The user attempted to authenticate using a certificate with an
    Extended Key Usage or Issuance Policy that is not allowed by the matching
    remote access policy.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....
    ______________________________________________________________________________________________________________________________________________

    I deleted then re-established my Wireless User policy, and the link was
    established. Strange....

    Thanks for your help!

    Edward W. Ray
    CISSP, MCSE 2003+Security, P.E., SANS GCIA, SANS GCIH
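An added example (not code from the thread) that parses IAS event text in the layout Ed posted and pulls out denied EAP-TLS requests, so a reason code 73 entry like the one above stands out in a larger log. The sample events are constructed from Ed's two entries, shortened and with the names changed.

```python
import re
# Constructed sample in the "Key = Value" layout IAS writes to the event log,
# shortened from the two events quoted in the thread (names changed).
SAMPLE_EVENTS = """\
Event Type: Information
Description:
User host/laptop1.example.local was granted access.
Fully-Qualified-User-Name = example.local/Windows XP Laptops/LAPTOP1
EAP-Type = Smart Card or other certificate

Description:
User jdoe@example.local was denied access.
Fully-Qualified-User-Name = example.local/Windows XP Laptops/John
Q. Doe
Policy-Name = Wireless Users
EAP-Type = Smart Card or other certificate
Reason-Code = 73
Reason = The user attempted to authenticate using a certificate with an
Extended Key Usage or Issuance Policy that is not allowed by the matching
remote access policy.
"""
HEADER = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")  # e.g. "Event Type: Warning"

def parse_events(text):
    """One dict per blank-line-separated event; wrapped lines fold into the previous value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev, last_key = {}, None
        for line in block.splitlines():
            if " = " in line:                      # RADIUS attribute line
                last_key, value = line.split(" = ", 1)
            elif (m := HEADER.match(line)):        # event header such as "Description:"
                last_key, value = m.groups()
            elif last_key:                         # continuation of a wrapped value
                value = ev[last_key] + " " + line
            else:
                continue
            ev[last_key] = value.strip()
        events.append(ev)
    return events

def cert_auth_denials(events):
    """Denied EAP-TLS requests as (user, policy, reason code); 73 = EKU/issuance-policy mismatch."""
    hits = []
    for ev in events:
        if ("was denied access" in ev.get("Description", "")
                and ev.get("EAP-Type") == "Smart Card or other certificate"):
            hits.append((ev.get("Fully-Qualified-User-Name", "?"),
                         ev.get("Policy-Name", "?"), int(ev.get("Reason-Code", "0"))))
    return hits
```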
  4.

    Were you able to get this to work? Does IAS have to go on a 2003 DC?
