Re: IAS EAP (PEAP)



"Michael" <mcooper@xxxxxxxxxx> wrote in
news:v8sce.32276$h6.2928@xxxxxxxxxxxxxxxxxxxx:

> Hey Guys,
>
> I created a cert for my domain to authorize users to use wireless
> on my network. I created the certs and now when I go to Remote Access
> Policy in IAS to configure the EAP (PEAP) it tells me that it can't
> find the cert. Anyone got any ideas why this might be happening? My
> IAS is registered with AD so I am okay there.
>
>
> Thanks

If you create the server cert using the information below, the cert will
meet the minimum cert requirements.

Configure server certificates

Use this procedure to configure IAS server certificates for use with PEAP
and EAP.

With PEAP-MS-CHAP v2, PEAP-TLS, and EAP-TLS, servers display a list of all
installed certificates in the computer's certificate store, with the
following exceptions:

-- Certificates that do not contain the Server Authentication purpose in
EKU extensions are not displayed.
-- Certificates that do not contain a Subject name are not displayed.
-- Servers do not display registry-based and smart card-logon certificates.

If you are running an enterprise certification authority (CA) on a computer
running Windows Server 2003, Standard Edition, you can use the Computer
certificate template for server certificates.

If you are running an enterprise certification authority (CA) on a computer
running Windows Server 2003, Enterprise Edition, Windows Server 2003,
Datacenter Edition, the 64-bit version of Windows Server 2003, Enterprise
Edition, or the 64-bit version of Windows Server 2003, Datacenter Edition,
you can use the RAS and IAS Server template for server certificates.

When you configure client computer certificates using this procedure, they
meet the minimum client certificate requirements for PEAP-TLS and EAP-TLS.
In some cases, the values indicated in this procedure are already selected
in the template and you will not have to change settings when configuring
the template.

Administrative credentials

To complete this procedure, you must be a member of the Domain Admins or
Enterprise Admins group.

To configure server certificates using the Windows interface

1. On the computer running Certificate Services, click Start, click Run,
type mmc, and then click OK.

2. On the File menu, click Add/Remove Snap-in, and then click Add.

3. In Available Standalone Snap-ins, double-click Certificate Templates,
click Close, and then click OK.

4. Click Certificate Templates. In the Certificate Templates details
pane, right-click the Computer or RAS and IAS Server certificate template,
and then click Duplicate Template.

5. In Properties of New Template, on the General tab, in Template
Display Name, type a name for the template.

6. Select a Validity period and a Renewal period, or keep the defaults.

7. Click the Subject Name tab, and then verify that Build from this
Active Directory information is selected.

8. In Subject name format, select a value other than None.

9. For server certificates, the Subject Alternative Name
(SubjectAltName) extension in the certificate, if used, must contain the
server's fully qualified domain name (FQDN), which is also called the DNS
name. In Include this information in alternate subject name, select DNS
name.

10. The server certificate must be configured with a required
cryptographic service provider (CSP) value of Microsoft RSA SChannel
Cryptographic Provider. To configure the CSP value, click the Request
Handling tab, and then click CSPs.

11. In CSP Selection, select Requests must use one of the following CSPs.

12. In CSPs, select the Microsoft RSA SChannel Cryptographic Provider
checkbox. Clear all other checkboxes in CSPs.

13. Use Certificate Services Help to learn how to configure
autoenrollment of the server computer certificate to domain member server
computers.

14. Use the CA Web Enrollment tool Help to learn how to manually enroll
certificates to non-domain member server computers, if applicable to your
deployment.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
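
The display rules and template settings in the reply above (Server Authentication EKU, non-empty Subject, FQDN in SubjectAltName, SChannel CSP) can be checked against the certificates actually installed on the IAS server. The PowerShell below is an added example, not part of the original post or of Microsoft's documentation. The function name Test-IasServerCert and its $Fqdn parameter are hypothetical, reading the CSP from the private key's provider name is an assumption, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: report which certificates in the local computer store fail
# the IAS requirements quoted in the post. Run on the IAS server as an admin.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU purpose
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$requiredCsp   = 'Microsoft RSA SChannel Cryptographic Provider'

function Test-IasServerCert {          # hypothetical helper name
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        # Assumption: the local resolver returns this server's FQDN.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $problems = @()

    # EKU must list Server Authentication, or the cert is not displayed.
    $ekuOids = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if ($ekuOids -notcontains $serverAuthOid) { $problems += 'no Server Authentication EKU' }

    # An empty Subject also hides the cert from the list.
    if ([string]::IsNullOrEmpty($Cert.Subject)) { $problems += 'empty Subject' }

    # SubjectAltName, if used, must contain the server's DNS name (FQDN).
    $san = $Cert.Extensions[$sanOid]
    if ($san -and $san.Format($false) -notmatch [regex]::Escape($Fqdn)) {
        $problems += "SubjectAltName lacks $Fqdn"
    }

    # Assumption: the key's provider name reflects the template's CSP setting.
    try   { $csp = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName }
    catch { $csp = $null }   # key not readable through CryptoAPI
    if ($csp -ne $requiredCsp) { $problems += "CSP is '$csp'" }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Problems   = $problems -join '; '
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-IasServerCert -Cert $_ }
```

A certificate with an empty Problems column meets the checks above; the SubjectAltName test is a simple substring match on the formatted extension text.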