RE: EAP-TLS with IAS

Hello Yvan,

"Yvan" wrote:

Hello,

I have a question (problem).

We have in production a wireless network with IAS and PEAP MS-CHAPv2
authentication.
This works fine!

Now we want to move to EAP-TLS.
We have an local CA that is providing user and server certificates and that
all works fine.
EAP-TLS is working on our own domain with our own CA.

Now we want to move to a global solution were a CA in our central
headquarters is providing the User and server certificates.
I have a user and server certificate installed on my machine and a signed
certificate for the server on the IAS, but this doesn't work.

When I try to authenticate I always have this error in the event log :

User ylammens001 was denied access.
Fully-Qualified-User-Name = ulabo\mensch
NAS-IP-Address = 192.54.49.3
NAS-Identifier = Trapeze
Called-Station-Identifier = 00-0B-0E-29-48-80:global
Calling-Station-Identifier = 00-15-00-01-B5-CD
Client-Friendly-Name = wlanswitch02
Client-IP-Address = 192.54.49.3
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.




He is pulling my name out of the certificate and try to find it in our ulabo
domain but it isn't there, he don't have to search it there.

If I well understood IAS doesn't even have to search for my name but can
allow me because he has the signed server certificate.

Am I correct about this ?

How can I prevent IAS to search for my name in the domain ?


Can you help me ?

I'm citing the "Network access authentication and certificates" technet
article
regarding client certificate requirements:

"The client certificate is issued by an enterprise CA or mapped to a user or
computer account in Active Directory."

Sebastian
.

Relevant Pages

  • EAP-TLS with IAS
    ... We have in production a wireless network with IAS and PEAP MS-CHAPv2 ... headquarters is providing the User and server certificates. ... Proxy-Policy-Name = Use Windows authentication for all users ... Reason-Code = 8 ...
    (microsoft.public.internet.radius)
  • RE: EAP-TLS with IAS
    ... headquarters is providing the User and server certificates. ... I have a user and server certificate installed on my machine and a signed ... Proxy-Policy-Name = Use Windows authentication for all users ... "The client certificate is issued by an enterprise CA or mapped to a user or ...
    (microsoft.public.internet.radius)
  • RE: EAP-TLS with IAS
    ... You might search for "certificate mapping" if that is what you want. ... headquarters is providing the User and server certificates. ... Proxy-Policy-Name = Use Windows authentication for all users ... "The client certificate is issued by an enterprise CA or mapped to a user or ...
    (microsoft.public.internet.radius)
  • RE: EAP-TLS with IAS
    ... I looked into the "certificate mapping" but now I have another problem: ... headquarters is providing the User and server certificates. ... Proxy-Policy-Name = Use Windows authentication for all users ... "The client certificate is issued by an enterprise CA or mapped to a user or ...
    (microsoft.public.internet.radius)
  • Re: RADIUS (IAS) and Cisco Concentrator? (PDF Attachment)
    ... The order the radius statements in IOS will determine the order the ... IAS servers are checked. ... RADIUS client what policy to use? ... I'm not sure what this is, but if it refers to a secure authentication ...
    (microsoft.public.windows.server.active_directory)
Loading