Creating 802.1X Workstation Authentication Certificates for NON-domain XP/W2KSP4 clients...

From: Shaun Ryan (msforums_at_email.shaunryan.com)
Date: 10/12/04


Date: Tue, 12 Oct 2004 16:34:12 +0100

Hi all,

Our infrastructure performs "wired" 802.1X machine authentication for
Windows XP domain-based clients via IAS. We are using a Windows Server
2003 environment with an Enterprise Online Issuing CA issuing V2
Workstation Authentication certificates to clients via autoenrollment.

In the above scenario, all is fine.

However, we also want to perform machine-based authentication using the
same infrastructure for non-domain based Windows XP and W2K (SP4)
clients. Obviously, they are unable to take part in the autoenrollment
process, nor do they have accounts in Active Directory for assignment to
IAS RADIUS Policies or Certificate Templates.

So, what is the best way to get certificates to these clients? We can't
use Web Enrollment as there is no way for the clients to authenticate to
the service using machine credentials.

The solution I am testing is:

1. Create a new V2 Machine Authentication certificate that is modified
to build the certificate from information supplied in the request, as
opposed to AD
2. Create a dummy computer account in AD. e.g., XPTest
3. Add that account to the appropriate security groups for IAS RAS
Policies and to enrol for the certificate template created above
4. Run a script on the CA that, using a pre-prepared request input file,
submits and generates (using certreq) a certificate with information
that can add a Subject Alternate Name with the correct dnsHostName
(e.g., xptest.xp.com) and gives it the correct Subject Name
5. Install that certificate into the local machine store on the XPTest
client and configure the network adapter for 802.1X
6. Set the AuthMode registry setting to 2 for Machine Authentication.

Now, in theory (my theory, that is :)), that should work. However, the XP
client states that it cannot find a certificate to authenticate with.
After turning on tracing, it appears that it cannot match the
certificate to the machine, even though they are both called XPTest. I
have also tried many variations of these fields.

Does anyone have any ideas? Or any other pointers that would help me out!

Many thanks in advance
Shaun.

PS. I have read all applicable MS literature on the subject.
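One way to script the procedure described in the post above (request file, certreq submission against a template that takes the subject from the request, PFX transport to the client, and the AuthMode setting), written as an added example and not code from the original post. The CA config string "CA01.corp.example\Corp Issuing CA", the template name "WorkstationAuthNonDomain", the host name xptest.xp.com, the PFX password and the use of the FQDN for both the Subject CN and the SAN DNS name are all assumptions; the `{text}` Subject Alternative Name form in the .inf is the one documented for certreq on Windows Server 2008 and later, and the registry path for AuthMode is the one documented for XP SP1 and later, so verify both on the build in use.

```powershell
# Added example, not from the original post. All names below are placeholders.
param(
    [string]$CaConfig    = "CA01.corp.example\Corp Issuing CA",   # assumption: "host\CA name"
    [string]$Template    = "WorkstationAuthNonDomain",            # assumption: template copied from
                                                                  # Workstation Authentication with
                                                                  # Subject Name = "Supply in the request"
    [string]$Hostname    = "xptest.xp.com",                       # the client's dnsHostName
    [string]$PfxPassword = "TransportOnly-ChangeMe"               # protects the PFX in transit only
)

$shortName = ($Hostname -split '\.')[0]   # "xptest"; used for file names

# Steps 1 and 4: build the request input file and obtain the certificate on the CA host.
# MachineKeySet=TRUE puts the private key in the computer's key container, which is what
# 802.1X machine authentication looks for; Exportable=TRUE only because the key has to
# travel to the client as a PFX. KeyUsage 0xA0 = digitalSignature + keyEncipherment.
function New-MachineAuthCertOnCa {
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
; Subject Alternative Name carrying the DNS host name (assumption: the {text} form,
; documented for certreq on Windows Server 2008 and later).
2.5.29.17 = "{text}"
_continue_ = "dns=$Hostname&"
"@
    Set-Content -Path "$shortName.inf" -Value $inf -Encoding ASCII

    # Generate the key pair and PKCS#10 request in the machine store.
    certreq -new "$shortName.inf" "$shortName.req"

    # Submit to the enterprise CA, naming the template the dummy computer account may enrol.
    certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" `
        "$shortName.req" "$shortName.cer"

    # Bind the issued certificate to its private key in the local machine store.
    certreq -accept "$shortName.cer"

    # Export certificate + key for transport to the client (CertId matched by CN).
    certutil -p $PfxPassword -exportPFX My $Hostname "$shortName.pfx"
}

# Step 5: run on the non-domain client after copying the PFX across.
function Install-MachineAuthCertOnClient {
    # certutil operates on the local machine store unless -user is given.
    certutil -p $PfxPassword -importPFX "$shortName.pfx"
}

# Check a practitioner would want before touching 802.1X: the certificate must be in the
# machine My store, have its private key present, and carry a SAN DNS name equal to the
# host name the client believes it has.
function Test-MachineAuthCert {
    certutil -store My $Hostname            # look for "Key Container" and "DNS Name=$Hostname"
    certutil -verify -urlfetch "$shortName.cer"   # chain and revocation checks against the issuing CA
}

# Step 6: machine-only 802.1X (AuthMode 2). Path is an assumption from XP SP1+ documentation.
function Set-MachineOnlyAuthMode {
    reg add "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global" `
        /v AuthMode /t REG_DWORD /d 2 /f
}

# Usage on the CA host:   New-MachineAuthCertOnCa
# Usage on the client:    Install-MachineAuthCertOnClient; Test-MachineAuthCert; Set-MachineOnlyAuthMode
```

On a Windows Server 2003 CA the alternative is to pass the name as a submission attribute (`certreq -submit -attrib "SAN:dns=xptest.xp.com"`), but that only works when EDITF_ATTRIBUTESUBJECTALTNAME2 is enabled on the CA, and that flag lets any requester of any template put an arbitrary name into an issued certificate. The template-based "supply in the request" route the post already uses, restricted by enrolment permissions to the dummy computer account, is the safer choice.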


