Enterprise CA and RADIUS authentication

Archived from groups: microsoft.public.win2000.security

Hi All,

I need to authenticate wireless clients through RADIUS which I have set up on
a Win2K (with SP4). I guess I need to set up a CA for this purpose. Our domain
(in native mode) is running with 2 DCs (one Win2K and the other Win 2K3). I
have installed RADIUS on the Win2K DC. When I install an Enterprise CA on
Win2K server, does that mean all communications with the Win2K3 server require
certificates as well? All I want is ONLY to authenticate the wireless clients.

TIA

Patrick
  1.

    First off if you can install an Enterprise CA on a Windows 2003 Enterprise
    edition of server, then you can take advantage of version 2 certificate
    templates and autoenrollment for both user and computer certificates for XP
    Pro/2003 clients.

    When you use IAS/radius for wireless 802.1X authentication, the IAS/radius
    server will need a computer certificate and the computer and user clients
    will need certificates only if using EAP-TLS or if using smart
    card/certificate user authentication. If using PEAP for the clients they do
    not require certificates. The first link below is a great lab exercise on
    802.1X wireless and goes into details on PKI/certificates. --- Steve

    http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
    http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp

  2.

    Hi Steven,

    First of all Thank You for your post.

    My Win2K3 server runs Exchange 2K3 - therefore I do not wish to add any
    other services on to it. However since I am planning to use https with OWA it
    probably makes sense to install Enterprise CA on the Win2K3 server and keep
    RADIUS on Win 2K server - Isn't it?

    Anyway, I looked at the lab exercise you pointed at and it is aimed at
    Win2K3 implementation - at this moment I am not planning for issuing
    certificates for IIS and Exchange side of things running on Win2K3 server.

    ALL I need is to authenticate the wireless clients ONLY. I do not see
    EAP-TLS as an option in Windows XP - it is either PEAP or SmartCard.

    What I have done is this - I have configured my test Wireless Client (a
    notebook computer) with "Open" network Authentication and with WEP (and I
    have keyed in the network key rather than ticking the "The key is provided for me
    automatically" checkbox).

    When I try to authenticate with Windows AD credentials (username and
    password), I can see the following in the server Event Log:
    "Because no certificate has been configured for clients dialing in with
    EAP-TLS, a default certificate is being sent to user ad-micrrh\administrator.
    Please go to the user's Remote Access Policy and configure the Extensible
    Authentication Protocol (EAP)."

    and then followed by the Event:
    "Could not retrieve the Remote Access Server's certificate due to the
    following error: Cannot find object or property."

    TIA

    Patrick



    "Steven L Umbach" wrote:

    > First off if you can install an Enterprise CA on a Windows 2003 Enterprise
    > edition of server, then you can take advantage of version 2 certificate
    > templates and autoenrollment for both user and computer certificates for XP
    > Pro/2003 clients.
    >
    > When you use IAS/radius for wireless 802.1X authentication, the IAS/radius
    > server will need a computer certificate and the computer and user clients
    > will need certificates only if using EAP-TLS or if using smart
    > card/certificate user authentication. If using PEAP for the clients they do
    > not require certificates. The first link below is a great lab exercise on
    > 802.1X wireless and goes into details on PKI/certificates. --- Steve
    >
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
    > http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
  3.

    The Lab exercise would be very similar for Windows 2000 except that Windows
    2000 CA can not use autoenrollment for user certificates which you may not
    need at this time anyhow. As far as where to put the CA and IAS, that
    depends on your needs and how you want to balance services but I can see
    your point on putting it on the Windows 2000 Server if you do not need user
    autoenrollment or delta CRL.

    When you configure 802.1X on XP you will see the option for "EAP type" where
    you could select EAP-TLS if you wanted to use it. The crux of your problem
    however seems to be that your Remote Access Policy on your IAS server is
    expecting the clients to use EAP-TLS. You need to modify that Remote Access
    Policy to accept PEAP. Open the Remote Access Policy via the IAS Management
    Console you are using and select "edit profile". Then go to authentication,
    make sure EAP is selected, and then in the drop down box select PEAP. Keep
    in mind that if you are using more than one Remote Access Policy, the first
    one that the conditions apply to for the incoming connection will
    apply. --- Steve
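
The policy-ordering caveat in the reply above, modelled as an added example (not code from the thread and not the IAS implementation): the first Remote Access Policy whose conditions match decides the outcome, so a PEAP client is rejected when an earlier matching policy only accepts EAP-TLS. The `Policy` and `Request` classes, the policy names and the sample values are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    conditions: dict      # attribute -> required value (simplified model)
    eap_types: frozenset  # EAP types selected in the policy's profile


@dataclass
class Request:
    attributes: dict      # attributes sent by the access point
    eap_type: str         # EAP type the wireless client is configured for


def evaluate(policies, request, server_has_cert=True):
    """Return (decision, policy name, reason) using first-match ordering."""
    for policy in policies:  # list order is the policy order
        matches = all(request.attributes.get(k) == v
                      for k, v in policy.conditions.items())
        if not matches:
            continue
        # The first matching policy decides; later policies are never consulted.
        if not server_has_cert:
            # The server needs a computer certificate for PEAP and EAP-TLS alike.
            return ("reject", policy.name, "server has no computer certificate")
        if request.eap_type not in policy.eap_types:
            return ("reject", policy.name,
                    f"profile does not accept {request.eap_type}")
        return ("accept", policy.name, "ok")
    return ("reject", None, "no policy matched")


# Constructed sample data: two policies with identical conditions.
WIRELESS = {"NAS-Port-Type": "Wireless - IEEE 802.11"}
TLS_FIRST = [
    Policy("Wireless EAP-TLS", WIRELESS, frozenset({"EAP-TLS"})),
    Policy("Wireless PEAP", WIRELESS, frozenset({"PEAP"})),
]
PEAP_FIRST = list(reversed(TLS_FIRST))
CLIENT = Request(WIRELESS, "PEAP")  # username/password client, no client cert

if __name__ == "__main__":
    print(evaluate(TLS_FIRST, CLIENT))          # PEAP policy is never reached
    print(evaluate(PEAP_FIRST, CLIENT))         # reordered: accepted
    print(evaluate(PEAP_FIRST, CLIENT, False))  # no server certificate
```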

