Re: PEAP Authentication Issues
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 21 Jul 2005 17:14:49 -0700
"Sean" <user@xxxxxxxx> wrote in
news:8079682D-097C-4D12-B166-DC704DB466A7@xxxxxxxxxxxxx:
>
> I have setup a wireless security environment using PEAP, w2k3 server
> (RADIUS/IAS and MS Cert Service) with WPA on Cisco 1200 APs.
>
> Everything works great.... IF the wireless device has already had a
> user authenticate via ethernet (basically established cached
> credentials on the workstation).
> ex.)
> If a user attempts to login to a device that they have never logged
> into before, wirelessly they will see the error msg "Domain not
> available". If they hook up to the ethernet, login, establish their
> profile/cached credentials, log out, unplug ethernet; they can then
> log in fine and connect up to wireless -- and will be fine from that
> point on.
>
> Is there an easy way to correct this? Is turning on the guest account
> a good idea?
>
> Thx for any feedback!!
>
> -Sean
>
The main issue is that you deployed a server certificate for the IAS server
that clients do not trust. A client that has not been plugged into the LAN
does not have the CA certificate in the Trusted Root Certification
Authorities store, and therefore does not trust the CA or the IAS server,
so server cert validation by the client fails.

When you are plugging the clients into the Ethernet network, the clients
are receiving certs -- the CA cert is automatically enrolled in the Trusted
Root Certification Authorities store on client computers. Once that occurs,
the clients trust the CA -- but until it does, they do not. Because you
deployed your own PKI (as opposed to buying an IAS server cert from a
trusted public CA like Verisign), you have to configure the clients so that
they trust your CA. The easiest way to do this is the way you are doing it.
(You can also do this using a floppy or USB flash drive).

Turning on the guest account is not a good idea, as it creates a large and
easily exploited security hole - which defeats the whole purpose of
deploying PEAP. The only exception to this is if you create a guest VLAN,
but that is fairly complex, and you would need a specific purpose for doing
so (such as providing visitors with Internet access but no access to the
rest of the organization LAN).
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
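The client-side check and the removable-media fix described above, as an added example that is not part of the original thread. It assumes the CA certificate was exported to E:\corp-root-ca.cer and the IAS server's certificate (public part only) to E:\ias-server.cer; both paths are placeholders.

```powershell
# Added example (not from the thread): verify that this client trusts the CA that
# issued the IAS server certificate, import the CA cert from a USB drive if not,
# then build the server cert's chain the way a PEAP client would. Run elevated.
$CaCertPath  = 'E:\corp-root-ca.cer'   # assumed location of the exported CA cert
$IasCertPath = 'E:\ias-server.cer'     # assumed location of the IAS server cert

$caCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath
$iasCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IasCertPath

# 1. Is the CA already in the machine's Trusted Root Certification Authorities store?
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Thumbprint -eq $caCert.Thumbprint }

if (-not $trusted) {
    Write-Host "CA '$($caCert.Subject)' is not in LocalMachine\Root; importing it."
    Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
} else {
    Write-Host "CA '$($caCert.Subject)' is already trusted (thumbprint $($caCert.Thumbprint))."
}

# 2. Build the IAS server cert's chain. A PEAP client rejects the server when the
#    chain does not end at a trusted root or the cert lacks the Server
#    Authentication EKU, which is exactly the "Domain not available" symptom.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline client; trust, not revocation, is the question here
$chain.ChainPolicy.ApplicationPolicy.Add('1.3.6.1.5.5.7.3.1') | Out-Null   # Server Authentication EKU

if ($chain.Build($iasCert)) {
    $root = $chain.ChainElements | Select-Object -Last 1
    Write-Host "IAS server cert chains to trusted root: $($root.Certificate.Subject)"
} else {
    Write-Warning "IAS server cert validation would fail on this client:"
    $chain.ChainStatus | ForEach-Object { Write-Warning "  $($_.Status): $($_.StatusInformation)" }
}
```

Import-Certificate comes with the PKI module on current Windows versions; on the Windows XP/2003-era clients in the thread, certutil -addstore Root E:\corp-root-ca.cer performs the same import.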