Re: Enabling guest wi-fi access w/ IAS & Cisco APs ... ?




"Jim Sanders" <jim.c.sanders@xxxxxxxxx> wrote in
news:1133884104.202909.50500@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:

> No matter what
> combination of settings we have tried, we always get stumped at the
> client insisting that they could not connect because a valid
> certificate could not be found.

Hi Jim --

About this comment from your post: "No matter what
combination of settings we have tried, we always get stumped at the
client insisting that they could not connect because a valid
certificate could not be found."

I assume you are using PEAP-MS-CHAP v2 as the authentication method. (If
this is not correct, please let me know.) There are two separate issues
here -- one is understanding how PEAP-MS-CHAP v2 works, and the other is
understanding how to allow guests access to your network.

If this is the case, this auth method provides mutual authentication,
meaning that the client computer attempts to authenticate the IAS server.
The client receives the IAS server certificate and performs a variety of
checks, including whether the client trusts the CA that issued the server
certificate.

If the client trusts the CA that issued the IAS server cert, and if other
checks pass correctly, the client successfully authenticates the IAS
server. If the client does not trust the CA that issued the IAS server
cert, authentication fails -- the client rejects the connection attempt,
because it does not trust the CA that issued the IAS server cert.

How do you cause the client to trust the CA that issued the IAS server
cert? You place the CA's cert on the client in the Trusted Root
Certification Authorities certificate store. Because you set up your own
CA, which is unknown and untrusted by all non-domain member clients, guests
do not trust your CA. The workaround for this issue that many people use is
to purchase their IAS server certificate from a CA that Windows clients
trust by default. For example, they purchase a server certificate from
Verisign.

As for allowing network access to visitors. This is different than using
the guest account or unauthenticated access, because you are creating a
user account for each visitor, and they are using it to authenticate on
their first login. (If you would rather use guest access, see the IAS
Technical Reference for that info.)

You must create a remote access policy for visitor access. This policy
should be configured to perform authorization by groups -- so you should
create the new user accounts in AD as (for example) members of a
Contractors group, and set the remote access permission on the user account
to *Control access through Remote Access Policy*. I believe that you can
configure this policy with IP filters that restrict guest access to
specific IP addresses. It is possible that you can somehow configure this
to get your CA cert into the client TRCA store, which would then allow
users to connect using PEAP-MS-CHAP v2.

**Note: if you are using EAP-TLS, where a client cert is required (rather
than passwords), visitors cannot use the Web enrollment tool to obtain a
cert because they do not have administrator permissions. From the IAS Help:

Non-domain member certificate enrollment

Certificate enrollment for computers that are not domain members cannot be
done with auto-enrollment. When a computer is joined to a domain, a trust
is established that allows auto-enrollment to occur without administrator
intervention. When a computer is not joined to a domain, trust is not
established and a certificate is not issued. Trust must be established
using one of the following methods:

-- An administrator (who is, by definition, trusted) must request a
computer or user certificate using the CA Web enrollment tool.
-- An administrator must save a computer or user certificate to a floppy
disk and install it on the non-domain member computer. Or, when the
computer is not accessible to the administrator (for example, a home
computer connecting to an organization network with an L2TP/IPSec VPN
connection), a domain user whom the administrator trusts can install the
certificate.

More info:

Help topic "Network access authentication and certificates" in Windows
Server 2003 IAS or VPN Help, or on the web at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx.

"Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-
CHAP v2 Wireless Authentication" at
http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
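The server-certificate check described in the reply above, reproduced client-side as an added example (not code from the original post or from Microsoft): it builds the chain for an exported IAS server cert the way a PEAP-MS-CHAP v2 supplicant does, reports why trust fails, and applies the fix the reply describes, placing the issuing CA cert in the Trusted Root Certification Authorities store. The two file paths are assumptions; adjust them to your environment.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

param(
    [string]$ServerCertPath = 'C:\certs\ias-server.cer',  # assumed path: exported IAS server cert
    [string]$CaCertPath     = 'C:\certs\my-root-ca.cer'   # assumed path: your own CA's root cert
)

function Test-IasServerCertTrust {
    param([X509Certificate2]$Cert)
    $chain = New-Object X509Chain
    # A wireless client has no network access yet, so it cannot fetch a CRL; skip revocation here
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    # The supplicant requires the Server Authentication EKU on the IAS server cert
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object Oid '1.3.6.1.5.5.7.3.1')) | Out-Null
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        Subject  = $Cert.Subject
        Issuer   = $Cert.Issuer
        Trusted  = $trusted
        # UntrustedRoot here is the condition behind "a valid certificate could not be found"
        Problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$serverCert = New-Object X509Certificate2 $ServerCertPath
$before = Test-IasServerCertTrust -Cert $serverCert
$before

if (-not $before.Trusted -and $before.Problems -match 'UntrustedRoot') {
    # The fix from the reply: add the CA cert to the machine's Trusted Root store (needs admin rights).
    # For guests you cannot touch, a cert from a CA Windows already trusts avoids this step entirely.
    $store = New-Object X509Store 'Root', 'LocalMachine'
    $store.Open([OpenFlags]::ReadWrite)
    $store.Add((New-Object X509Certificate2 $CaCertPath))
    $store.Close()
    Test-IasServerCertTrust -Cert $serverCert   # should now report Trusted = True
}
```

Run it once before and once after importing the CA cert to see the chain status change from UntrustedRoot to a clean build.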
