Re: Can this be done? Wireless Access w/o the use of CERTs
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 22 Aug 2006 15:59:16 -0700
"Robert R Kircher, Jr." <rkircher@xxxxxxxxxxxxxxxx> wrote in
news:uuevYDAxGHA.3392@xxxxxxxxxxxxxxxxxxxx:
Server OS: Win 2k3
Client OS: Win XP
RADIUS: IAS
Directory Service: Active Directory
I'm using a Netgear WAG102 AP
I get the following 3 messages in the system log when someone tries to
access the network
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 20190
Date: 8/14/2006
Time: 12:47:15 PM
User: N/A
Computer: CEOHDC3
Description:
Because no certificate has been configured for clients dialing in with
EAP-TLS, a default certificate is being sent to user
ceoh\administrator. Please go to the user's Remote Access Policy and
configure the Extensible Authentication Protocol (EAP).
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 20168
Date: 8/14/2006
Time: 12:47:15 PM
User: N/A
Computer: CEOHDC3
Description:
Could not retrieve the Remote Access Server's certificate due to the
following error: Cannot find object or property.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 04 20 09 80 . .?
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 8/14/2006
Time: 12:47:15 PM
User: N/A
Computer: CEOHDC3
Description:
Access request for user administrator was discarded.
Fully-Qualified-User-Name = CEOH.COM/CEOH/System
Administration/Administrator
NAS-IP-Address = 192.168.87.250
NAS-Identifier = netgearf154ce
Called-Station-Identifier = 00146CF154CF:NETGEAR_11g - 0
Calling-Station-Identifier = 000E3515834E
Client-Friendly-Name = Netgear WAP
Client-IP-Address = 192.168.87.250
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client
configuration.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 04 20 09 80 . .?
I am not sure I understand the deployment you are attempting, but from
these messages it appears that you have configured a remote access policy
to use EAP-TLS but you don't have a server certificate.
EAP-TLS requires certificates on clients and on the IAS server.
PEAP-MS-CHAP v2 only requires a server certificate, while users provide
password-based credentials, plus this auth method provides strong security.
If you don't want to use PEAP I think there is a good scenario in this
wireless whitepaper that is designed for a workgroup environment:
"Step-by-Step Guide for Secure Wireless Deployment for Small Office/Home
Office or Small Organization Networks" at
http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en
If that is not pertinent to your circumstances please let me know and I
will query the wireless team for other ideas on your behalf.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
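
Added example, not part of either post: a small triage script that parses a text export of the three IAS events quoted above and flags the pattern the reply identifies, EAP-TLS selected in the policy while the server has no certificate. The sample text is a constructed, condensed copy of the quoted events; `parse_events` and `diagnose` are hypothetical names, and the correlation rule is a heuristic drawn from this thread, not documented IAS behaviour.

```python
import re

# Constructed sample: condensed copy of the three IAS events quoted in the thread.
SAMPLE = """\
Event Type: Information
Event ID: 20190
Computer: CEOHDC3
Description:
Because no certificate has been configured for clients dialing in with
EAP-TLS, a default certificate is being sent to user ceoh\\administrator.
Event Type: Error
Event ID: 20168
Computer: CEOHDC3
Description:
Could not retrieve the Remote Access Server's certificate due to the
following error: Cannot find object or property.
Event Type: Error
Event ID: 3
Computer: CEOHDC3
Description:
Access request for user administrator was discarded.
NAS-Port-Type = Wireless - IEEE 802.11
Reason-Code = 23
"""

def parse_events(text):
    """One dict per event; 'Name = value' RADIUS attributes go under 'attrs'."""
    events = []
    for chunk in filter(str.strip, re.split(r"(?m)^(?=Event Type:)", text)):
        head, _, desc = chunk.partition("Description:")
        ev = dict(re.findall(r"(?m)^([\w ]+?):[ \t]*(.+)$", head))
        ev["attrs"] = dict(re.findall(r"(?m)^([\w-]+) = (.+)$", desc))
        events.append(ev)
    return events

def diagnose(events):
    """Heuristic taken from this thread, not an IAS rule: events 20190 and 20168
    beside a discarded request (Event ID 3, Reason-Code 23) on one server."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev.get("Computer"), []).append(ev)
    findings = []
    for host, evs in by_host.items():
        ids = {e.get("Event ID") for e in evs}
        dropped = [e for e in evs if e.get("Event ID") == "3"
                   and e["attrs"].get("Reason-Code") == "23"]
        if {"20190", "20168"} <= ids and dropped:
            findings.append((host, dropped[0]["attrs"].get("NAS-Port-Type")))
    return findings
```

Each finding is a `(server, NAS-Port-Type)` pair for a server where EAP-TLS requests are being discarded alongside the two certificate events.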