Archived from groups: microsoft.public.win2000.security
The Lab exercise would be very similar for Windows 2000 except that Windows
2000 CA cannot use autoenrollment for user certificates which you may not
need at this time anyhow. As far as where to put the CA and IAS, that
depends on your needs and how you want to balance services but I can see
your point on putting it on the Windows 2000 Server if you do not need user
autoenrollment or delta CRL.

When you configure 802.1X on XP you will see the option for "EAP type" where
you could select EAP-TLS if you wanted to use it. The crux of your problem
however seems to be that your Remote Access Policy on your IAS server is
expecting the clients to use EAP-TLS. You need to modify that Remote Access
Policy to accept PEAP. Open the Remote Access Policy via IAS Management
Console you are using and select "edit profile". Then go to authentication,
make sure EAP is selected, and then in the drop down box select PEAP. Keep
in mind that if you are using more than one Remote Access Policy, the first
one that the conditions apply to for the incoming connection will
apply. --- Steve

"Patrick" <Patrick@discussions.microsoft.com> wrote in message
news:35E71367-255B-4D96-B7D0-909DE8B942BE@microsoft.com...
> Hi Steven,
>
> First of all Thank You for your post.
>
> My Win2K3 server runs Exchange 2K3 - therefore I do not wish to add any
> other services on to it. However since I am planning to use https with OWA it
> probably makes sense to install Enterprise CA on the Win2K3 server and keep
> RADIUS on Win 2K server - Isn't it?
>
> Anyway, I looked at the lab exercise you pointed at and it is aimed at
> Win2K3 implementation - at this moment I am not planning for issuing
> certificates for IIS and Exchange side of things running on Win2K3 server.
>
> ALL I need is to authenticate the wireless clients ONLY. I do not see
> EAP-TLS as an option in Windows XP - it is either PEAP or SmartCard.
>
> What I have done is this - I have configured my test Wireless Client (a
> notebook computer) with "Open" network Authentication and with WEP (and I
> have keyed in the network key rather than ticking "The key is provided for
> me automatically" checkbox).
>
> When I try to authenticate with Windows AD credentials (username and
> password), I can see the following in the server Event Log:
> "Because no certificate has been configured for clients dialing in with
> EAP-TLS, a default certificate is being sent to user
> ad-micrrh\administrator.
> Please go to the user's Remote Access Policy and configure the Extensible
> Authentication Protocol (EAP)."
>
> and then followed by the Event:
> "Could not retrieve the Remote Access Server's certificate due to the
> following error: Cannot find object or property."
>
> TIA
>
> Patrick
>
> "Steven L Umbach" wrote:
>
>> First off if you can install an Enterprise CA on a Windows 2003 Enterprise
>> edition of server, then you can take advantage of version 2 certificate
>> templates and autoenrollment for both user and computer certificates for XP
>> Pro/2003 clients.
>>
>> When you use IAS/radius for wireless 802.1X authentication, the IAS/radius
>> server will need a computer certificate and the computer and user clients
>> will need certificates only if using EAP-TLS or if using smart
>> card/certificate user authentication. If using PEAP for the clients they do
>> not require certificates. The first link below is a great lab exercise on
>> 802.1X wireless and goes into details on PKI/certificates. --- Steve
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
>>
>> http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp
>>
>> "Patrick" <Patrick@discussions.microsoft.com> wrote in message
>> news:19192E08-1D58-4BF0-BCF0-738D93DC348D@microsoft.com...
>> > Hi All,
>> >
>> > I need to authenticate wireless clients through RADIUS which I have setup
>> > on a Win2K (with SP4). I guess I need to setup a CA for this purpose. Our
>> > domain (in native mode) is running with 2 DCs (one win2K and the other Win
>> > 2K3). I have installed RADIUS on the Win2K DC. When I install an Enterprise
>> > CA on Win2K server, does that all communications with the Win2K3 server
>> > require certificates as well? All I want is ONLY to authenticate the
>> > wireless clients.
>> >
>> > TIA
>> >
>> > Patrick