EAP-TLS with IAS



Hello,

I have a question (problem).

We have in production a wireless network with IAS and PEAP MS-CHAPv2
authentication.
This works fine!

Now we want to move to EAP-TLS.
We have a local CA that is providing user and server certificates and that
all works fine.
EAP-TLS is working on our own domain with our own CA.

Now we want to move to a global solution where a CA in our central
headquarters is providing the User and server certificates.
I have a user and server certificate installed on my machine and a signed
certificate for the server on the IAS, but this doesn't work.

When I try to authenticate I always get this error in the event log:

User ylammens001 was denied access.
Fully-Qualified-User-Name = ulabo\mensch
NAS-IP-Address = 192.54.49.3
NAS-Identifier = Trapeze
Called-Station-Identifier = 00-0B-0E-29-48-80:global
Calling-Station-Identifier = 00-15-00-01-B5-CD
Client-Friendly-Name = wlanswitch02
Client-IP-Address = 192.54.49.3
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.




It is pulling my name out of the certificate and trying to find it in our ulabo
domain, but it isn't there; it doesn't have to search for it there.

If I understood correctly, IAS doesn't even have to search for my name but can
allow me because it has the signed server certificate.

Am I correct about this?

How can I prevent IAS from searching for my name in the domain?


Can you help me?

Many thanks,
Yvan
