Re: Does WINDOWS 2003 IAS require Certificate services

From: Mark Gamache (mark.gamache_at_css-security.com.nospam)
Date: 03/01/05


Date: Mon, 28 Feb 2005 16:03:20 -0800

For PEAP, a server certificate is required. To see what cert you are using
on the IAS server, go to the console and from the command prompt use
"certutil -store my". That will show you the machine certs.

By default, your desktops are using MS-CHAP v2 inside a tunnel; that is why
they don't need certs. As for your PPC, it is either misconfigured or
malfunctioning. Only the vendor can help you. Different vendors offer
slightly different configs of the PPC. The issue is on the client side, not
the server.

Cheers,

-- 
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"David" <David@discussions.microsoft.com> wrote in message 
news:E21B782E-C82C-41DE-ACFD-B2A7A29D4C8C@microsoft.com...
> The other thing is, why do laptops and PCs not need Certificates to connect,
> but a Handheld with mobile 2003 does? Is this because of autoenrollment? Any
> supporting documentation?
>
> Thanks
>
> "Thomas K" wrote:
>
>> PEAP _requires_ a server certificate on the IAS server.
>>
>> Maybe certificate service is installed in the forest & the IAS computer just
>> autoenrolled a computer certificate ... just look at the PKI store on the
>> IAS computer. There has to be a computer certificate available on the IAS
>> server.
>>
>> /T
>>
>> "David" <David@discussions.microsoft.com> wrote in message
>> news:AFCF8777-F3CD-4D5B-8C8B-EE4281085624@microsoft.com...
>> > So basically, you are saying that if PEAP is implemented, then it uses a
>> > server based Certificate. I have to be honest with you, I am an MCSE, and
>> > have been doing this a while, you may have misunderstood my post. I did not,
>> > at any point install certificate services. However, I installed an IAS server
>> > and configured to use PEAP and authorized for active directory. I mean, I am
>> > unaware of any certificate on a DC being generated without notification. I
>> > need documentation that states you need certificate services to use PEAP or
>> > IAS for that matter. I can not find any documentation and I have looked
>> > pretty good.
>> >
>> > Thanks for the help in advance.
>> >
>> > "FenderAxe" wrote:
>> >
>> > > "David" <David@discussions.microsoft.com> wrote in
>> > > news:51FFB272-69E6-4A29-9A9B-533139DED394@microsoft.com:
>> > >
>> > > > I have the current situation:
>> > > >
>> > > > 1. I implemented IAS Radius authentication for my WLAN using
>> > > > PEAP-MSCHAPv2. I had Laptops connecting fine using 802.1x PEAP
>> > > > authentication with no issue, and Certificate services were not
>> > > > installed.
>> > > > 2. I purchased an IPAQ 5550 with Windows Mobile 2003
>> > > > installed, which I find after extensive research requires Certificate
>> > > > services to authenticate to the server using 802.1x. This makes no
>> > > > sense to me being it supports PEAP on the HP device.
>> > > >
>> > > > I need to know the following:
>> > > >
>> > > > 1. What are the exact authentication requirements and process when IAS
>> > > > is implemented using PEAP-MSCHAPv2?
>> > > > 2. Is certificate services required when implementing IAS, and are
>> > > > there any supporting documents?
>> > > > 3. If it is required, why did I not have an issue connecting with
>> > > > Laptops with no CA implemented?
>> > > >
>> > > > Thanks in advance.
>> > > >
>> > >
>> > > IAS has the ability to use many different authentication methods -- some
>> > > are cert-based and some aren't. PEAP w/MSCHAPv2 uses a server cert on the
>> > > IAS server and password-based credentials from users. If you were using
>> > > PEAP and didn't configure a cert on the IAS server, you probably only
>> > > thought you were using PEAP but accomplished something else instead. I have
>> > > no idea what the something else might be.
>> > >
>> > > MS has tons of documentation on this -- look on the IAS Tech Ctr web site
>> > > for whitepapers. There's plenty of info on the box, too -- open IAS window
>> > > and hit F1.
>> > >
>> > > FA
>> > >
>> > >
>>
>>
>> 
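
The store check suggested in the reply above, carried one step further as an added example that is not part of the original thread: a PowerShell script that inspects the same Local Computer "Personal" store that `certutil -store my` lists and reports which certificates look usable as a PEAP server certificate. The function name and the acceptance criteria (private key, validity period, Server Authentication EKU, trusted chain) are assumptions of this example, not requirements quoted from the thread.

```powershell
# Added example (not from the thread). Assumed criteria for a usable PEAP
# server certificate: private key present, within its validity period,
# Server Authentication EKU, and a chain that builds to a trusted root.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-PeapServerCertificate {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect EKU OIDs; a certificate may carry no EKU extension at all.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # Build the chain without revocation lookups so the check runs offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)

    $now = Get-Date
    $problems = @()
    if (-not $Cert.HasPrivateKey)        { $problems += 'no private key' }
    if ($now -lt $Cert.NotBefore)        { $problems += 'not yet valid' }
    if ($now -gt $Cert.NotAfter)         { $problems += 'expired' }
    if ($ekuOids -notcontains $ServerAuthOid) { $problems += 'no Server Authentication EKU' }
    if (-not $chainOk) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain not trusted ($status)"
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        NotAfter   = $Cert.NotAfter
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

# Same store that "certutil -store my" lists when run as the machine.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-PeapServerCertificate -Cert $_ } |
    Format-List
```

An empty result means the store holds no machine certificate at all; entries with `Usable : False` show why a given certificate would not be offered to PEAP clients under the assumed criteria.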

