Re: Authenticate a machine to radius?
From: FenderAxe (fa_at_axe.com)
Date: 03/09/05
- Next message: FenderAxe: "Re: authenticate proxy requests with AD computer accounts"
- Previous message: FenderAxe: "Re: Authenticate and Billing."
- In reply to: Harold: "Authenticate a machine to radius?"
- Messages sorted by: [ date ] [ thread ]
Date: 9 Mar 2005 07:17:26 GMT
"Harold" <reply@togroup.com> wrote in
news:#YuppuzIFHA.2656@TK2MSFTNGP09.phx.gbl:
> I have set up PEAP for my wireless users and works well. Now, I have
> to set up a multihomed computer in a conference room. This machine will
> be wired to Novell for one group of people, and use wireless to access
> Microsoft AD for another group of people.
>
> I cannot get the USB network adapter to connect to the domain because
> the USB device/computer/radius is not set up correctly. I think I want
> the computer to authenticate to the domain in order to allow any AD
> user to login just as in the wired world. I am thinking that I need
> a machine cert instead of a user cert. How do I create a
> machine/computer cert? When I go to http://domain/certsrv I am only
> given the option to create a user certificate.
>
> I get this in event log.
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 3/7/2005
> Time: 8:45:32 AM
> User: N/A
> Computer: YA01-AD
> Description:
> User host/fwy4d01.yacorp.com was denied access.
> Fully-Qualified-User-Name = yacorp.com/Computers/FWY4D01
> NAS-IP-Address = 10.22.3.3
> NAS-Identifier = ya-ap
> Called-Station-Identifier = 0012.44b0.7690
> Calling-Station-Identifier = 0090.4b8a.d133
> Client-Friendly-Name = cisco-ap
> Client-IP-Address = 10.22.3.3
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 113327
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Wireless
> Authentication-Type = PEAP
> EAP-Type = <undetermined>
> Reason-Code = 262
> Reason = The supplied message is incomplete. The signature was not
> verified.
>
>
> Thanks so much,
> HB
>
>
>
Installing a wireless network card in the PC makes it a wireless client,
not a RADIUS server, RADIUS proxy, or wireless AP/RADIUS client.

RADIUS is used only between RADIUS clients (like Access Points, VPN
servers, and dial-up servers) and RADIUS servers (like IAS).

So RADIUS in relationship to this multihomed computer is not relevant.

PEAP can be deployed with certs (PEAP-TLS) or without certs
(PEAP-MS-CHAPv2) on the clients -- it sounds like you have deployed the
password-based auth type. In this case you don't need a cert on this
multihomed computer.

Is there an AP within range of the conference room to which the multihomed
PC can connect? Have you configured WEP or WPA between the AP and the
client? Make sure you did that correctly.

Then at the AP -- make sure it is configured as a RADIUS client at the IAS
server. Make sure the shared secrets on the AP and the IAS server match.

If your IAS server is successfully authenticating clients connecting via
other APs, the IAS server is configured properly, except for the
possibility that this AP is not configured at the IAS server.

Also make sure the wireless client/multihomed PC is configured to
authenticate with machine auth when available for this network connection
(network connection properties).

Other than those suggestions the best idea is to step through a wireless
white paper to make sure you have everything configured properly.
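
As an added example (not part of the original thread), the following Python parses the IAS event description quoted in the question and pulls out the fields the troubleshooting steps above depend on: whether the identity is a computer account, which RADIUS client forwarded the request, and whether an inner EAP type was recorded. The function names `parse_ias_event` and `triage` are hypothetical; the sample text is an excerpt of the quoted event.

```python
import re

# Excerpt of the IAS event description quoted in the post above.
SAMPLE_EVENT = """\
User host/fwy4d01.yacorp.com was denied access.
Fully-Qualified-User-Name = yacorp.com/Computers/FWY4D01
Client-Friendly-Name = cisco-ap
Client-IP-Address = 10.22.3.3
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not
verified.
"""

ATTR = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")
HEADER = re.compile(r"^User (\S+) was (denied|granted) access")

def parse_ias_event(text):
    """Return (identity, outcome, attrs) from an IAS event description."""
    identity = outcome = last = None
    attrs = {}
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()  # tolerate mail-quoted copies
        head, attr = HEADER.match(line), ATTR.match(line)
        if head:
            identity, outcome = head.groups()
        elif attr:
            last = attr.group(1)
            attrs[last] = attr.group(2)
        elif line and last:  # wrapped value, e.g. the two-line Reason
            attrs[last] += " " + line
    return identity, outcome, attrs

def triage(text):
    """Summarise the fields that matter when debugging a denied 802.1X logon."""
    identity, outcome, attrs = parse_ias_event(text)
    code = attrs.get("Reason-Code", "")
    return {
        "identity": identity,
        "outcome": outcome,
        # Windows computer accounts present themselves as host/<fqdn>.
        "machine_auth": bool(identity) and identity.lower().startswith("host/"),
        "radius_client": attrs.get("Client-Friendly-Name"),
        "auth_type": attrs.get("Authentication-Type"),
        "inner_eap_known": attrs.get("EAP-Type") not in (None, "<undetermined>"),
        "reason_code": int(code) if code.isdigit() else None,
        "reason": attrs.get("Reason"),
    }
```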