Enterprise CA and RADIUS authentication

Guest

Archived from groups: microsoft.public.win2000.security

Hi All,

I need to authenticate wireless clients through RADIUS, which I have set up on
a Win2K server (with SP4). I guess I need to set up a CA for this purpose. Our domain
(in native mode) is running with 2 DCs (one Win2K and the other Win2K3). I
have installed RADIUS on the Win2K DC. When I install an Enterprise CA on the
Win2K server, does that mean all communications with the Win2K3 server require
certificates as well? All I want is ONLY to authenticate the wireless clients.

TIA

Patrick
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

First off, if you can install an Enterprise CA on a Windows 2003 Enterprise
edition server, then you can take advantage of version 2 certificate
templates and autoenrollment for both user and computer certificates for XP
Pro/2003 clients.

When you use IAS/RADIUS for wireless 802.1X authentication, the IAS/RADIUS
server will need a computer certificate, and the computer and user clients
will need certificates only if using EAP-TLS or smart card/certificate user
authentication. If using PEAP, the clients do not require certificates. The
first link below is a great lab exercise on 802.1X wireless and goes into
detail on PKI/certificates. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp

 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Hi Steven,

First of all, thank you for your post.

My Win2K3 server runs Exchange 2K3 - therefore I do not wish to add any
other services on to it. However, since I am planning to use HTTPS with OWA, it
probably makes sense to install the Enterprise CA on the Win2K3 server and keep
RADIUS on the Win2K server - doesn't it?

Anyway, I looked at the lab exercise you pointed at, and it is aimed at a
Win2K3 implementation - at this moment I am not planning on issuing
certificates for the IIS and Exchange side of things running on the Win2K3 server.

ALL I need is to authenticate the wireless clients ONLY. I do not see
EAP-TLS as an option in Windows XP - it is either PEAP or Smart Card.

What I have done is this - I have configured my test wireless client (a
notebook computer) with "Open" network authentication and with WEP (and I
have keyed in the network key rather than ticking the "The key is provided for me
automatically" checkbox).

When I try to authenticate with Windows AD credentials (username and
password), I can see the following in the server Event Log:
"Because no certificate has been configured for clients dialing in with
EAP-TLS, a default certificate is being sent to user ad-micrrh\administrator.
Please go to the user's Remote Access Policy and configure the Extensible
Authentication Protocol (EAP)."

and then it is followed by the event:
"Could not retrieve the Remote Access Server's certificate due to the
following error: Cannot find object or property."

TIA

Patrick
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

The lab exercise would be very similar for Windows 2000, except that a Windows
2000 CA cannot use autoenrollment for user certificates, which you may not
need at this time anyhow. As far as where to put the CA and IAS, that
depends on your needs and how you want to balance services, but I can see
your point on putting it on the Windows 2000 Server if you do not need user
autoenrollment or delta CRLs.

When you configure 802.1X on XP you will see the option for "EAP type" where
you could select EAP-TLS if you wanted to use it. The crux of your problem,
however, seems to be that the Remote Access Policy on your IAS server is
expecting the clients to use EAP-TLS. You need to modify that Remote Access
Policy to accept PEAP. Open the Remote Access Policy via the IAS Management
Console you are using and select "Edit Profile". Then go to Authentication,
make sure EAP is selected, and then in the drop-down box select PEAP. Keep
in mind that if you are using more than one Remote Access Policy, the first
one whose conditions match the incoming connection will
apply. --- Steve

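Steve's diagnosis above (an IAS policy that offers only EAP-TLS while the XP client is set to PEAP) as an added example, not code from the thread or from IAS: a simplified Python model of the RFC 3748 EAP type negotiation. It assumes the server offers the first EAP type in its policy and the client refuses an unwanted type with a Nak listing the types it supports; the policy and client type lists are constructed for the demonstration.

```python
"""Simplified model of EAP method negotiation (RFC 3748) between an 802.1X
supplicant and a RADIUS server's remote access policy. Added example, not IAS code."""
import struct

# EAP codes and method types (RFC 3748; EAP-TLS = 13, PEAP = 25)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_EAP_TLS, TYPE_PEAP = 1, 3, 13, 25

def build_eap(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode an EAP packet, rejecting it if Length disagrees with the bytes received."""
    if len(pkt) < 4:
        raise ValueError("EAP packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length mismatch")
    if length == 4:                      # Success/Failure carry no Type
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:length]

def negotiate(policy_types, supplicant_types):
    """Assumption: server offers its policy's first type; client Naks types it
    does not support (RFC 3748 s5.3.1); server retries with a type both accept.
    Returns (success, agreed_type, transcript)."""
    ident, offered, transcript = 1, policy_types[0], []
    while True:
        req = build_eap(REQUEST, ident, offered)
        transcript.append(("Request", parse_eap(req)[2]))
        if offered in supplicant_types:
            transcript.append(("Response", offered))   # client starts the method
            return True, offered, transcript
        nak = build_eap(RESPONSE, ident, TYPE_NAK, bytes(supplicant_types))
        wanted = list(parse_eap(nak)[3])
        transcript.append(("Nak", wanted))
        candidates = [t for t in policy_types if t in wanted]
        if not candidates:                # nothing in common: policy rejects client
            transcript.append(("Failure", None))
            return False, None, transcript
        offered, ident = candidates[0], ident + 1

# Constructed scenario: policy allows only EAP-TLS; XP client is configured for PEAP.
BROKEN_POLICY = [TYPE_EAP_TLS]
FIXED_POLICY = [TYPE_PEAP, TYPE_EAP_TLS]   # after selecting PEAP in the profile
XP_PEAP_CLIENT = [TYPE_PEAP]

if __name__ == "__main__":
    for name, policy in (("EAP-TLS only", BROKEN_POLICY), ("PEAP allowed", FIXED_POLICY)):
        ok, agreed, log = negotiate(policy, XP_PEAP_CLIENT)
        print(name, "->", f"type {agreed}" if ok else "FAILURE", log)
```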