RE: EAP-TLS with IAS
"Yvan" wrote:

Sebastian,

I looked into the "certificate mapping" but now I have another problem:

I replaced the username in the certificate with a username known by AD, but
now I have the following error:

User lammensy was denied access.
Reason = A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.

Do you know where I can start my search for a solution?

It looks like your root certificate is not trusted (not contained
in the trusted root certificate store). For a short test you might
try to import your root cert manually using the cert mmc snap-in.


Sebastian


"rt-seb" wrote:


"Yvan" wrote:

Sebastian,

so what you say is that the user for whom the certificate is created must be
in Active Directory?

Yes, the IAS always seems to perform an AD lookup for user/machine accounts.
You might search for "certificate mapping" if that is what you want.


Many thanks,
Yvan

"rt-seb" wrote:

Hello Yvan,

"Yvan" wrote:

Hello,

I have a question (problem).

We have in production a wireless network with IAS and PEAP MS-CHAPv2
authentication.
This works fine!

Now we want to move to EAP-TLS.
We have a local CA that is providing user and server certificates, and that
all works fine.
EAP-TLS is working on our own domain with our own CA.

Now we want to move to a global solution where a CA in our central
headquarters is providing the user and server certificates.
I have a user and server certificate installed on my machine and a signed
certificate for the server on the IAS, but this doesn't work.

When I try to authenticate I always have this error in the event log:

User ylammens001 was denied access.
Fully-Qualified-User-Name = ulabo\mensch
NAS-IP-Address = 192.54.49.3
NAS-Identifier = Trapeze
Called-Station-Identifier = 00-0B-0E-29-48-80:global
Calling-Station-Identifier = 00-15-00-01-B5-CD
Client-Friendly-Name = wlanswitch02
Client-IP-Address = 192.54.49.3
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.

He is pulling my name out of the certificate and trying to find it in our ulabo
domain, but it isn't there; he doesn't have to search for it there.

If I understood well, IAS doesn't even have to search for my name but can
allow me because he has the signed server certificate.

Am I correct about this?

How can I prevent IAS from searching for my name in the domain?


Can you help me?

I'm citing the "Network access authentication and certificates" TechNet
article regarding client certificate requirements:

"The client certificate is issued by an enterprise CA or mapped to a user or
computer account in Active Directory."

Sebastian
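The two failures in this thread are the classic EAP-TLS rejections on the RADIUS side: the identity pulled from the client certificate has no matching AD account (Reason-Code 8), and the client certificate chains to a root CA the IAS server does not trust. The following is an added example (not code from any poster in the thread) that parses IAS "denied access" event text of the shape quoted above and classifies each event into one of those two categories with the fix the thread points at. The function names and the sample event texts are my own construction; the event layout, the Reason-Code 8 meaning and the chain-trust wording come from the posts above. Wrapped "Reason" lines, as in the second message, are handled as continuations.

```python
"""Triage of IAS 'denied access' events for EAP-TLS deployments (added example)."""
import re
from typing import Dict, Optional

# Constructed sample inputs, copied from the event text quoted in the thread.
# The second event carries no Reason-Code line and a wrapped Reason, as posted.
ACCOUNT_EVENT = r"""User ylammens001 was denied access.
Fully-Qualified-User-Name = ulabo\mensch
NAS-IP-Address = 192.54.49.3
NAS-Identifier = Trapeze
Called-Station-Identifier = 00-0B-0E-29-48-80:global
Calling-Station-Identifier = 00-15-00-01-B5-CD
Client-Friendly-Name = wlanswitch02
Client-IP-Address = 192.54.49.3
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
"""

CHAIN_EVENT = """User lammensy was denied access.
Reason = A certificate chain processed, but terminated in a root
certificate which is not trusted by the trust provider.
"""

_DENIED = re.compile(r"^User (\S+) was denied access\.$")
_FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9-]*) = (.*)$")
_PLACEHOLDERS = {"<not present>", "<undetermined>"}  # IAS prints these for absent values


def parse_ias_event(text: str) -> Dict[str, object]:
    """Split an event into the denied user name and a dict of 'Key = Value' fields.

    Placeholder values become None; a line without ' = ' is treated as the
    wrapped continuation of the previous field's value.
    """
    user: Optional[str] = None
    fields: Dict[str, Optional[str]] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _DENIED.match(line)
        if m and user is None:
            user = m.group(1)
            continue
        m = _FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            fields[key] = None if value in _PLACEHOLDERS else value
            last_key = key
        elif last_key is not None and fields[last_key] is not None:
            fields[last_key] = fields[last_key] + " " + line
    return {"user": user, "fields": fields}


def triage(event: Dict[str, object]) -> Dict[str, str]:
    """Map a parsed event to a failure category and the remediation the thread describes."""
    fields: Dict[str, Optional[str]] = event["fields"]  # type: ignore[assignment]
    code = fields.get("Reason-Code")
    reason = (fields.get("Reason") or "").lower()
    if code == "8" or "does not exist" in reason:
        return {
            "category": "account-mapping",
            "action": "IAS resolves the identity in the client certificate against AD; "
                      "create the matching account or configure certificate mapping.",
        }
    if "not trusted by the trust provider" in reason:
        return {
            "category": "untrusted-root",
            "action": "Import the issuing hierarchy's root certificate into the IAS server's "
                      "Trusted Root Certification Authorities store (test via the certificates MMC snap-in).",
        }
    return {"category": "unclassified", "action": "Inspect Reason-Code and Reason manually."}


if __name__ == "__main__":
    for sample in (ACCOUNT_EVENT, CHAIN_EVENT):
        ev = parse_ias_event(sample)
        verdict = triage(ev)
        print(f"{ev['user']}: {verdict['category']} -> {verdict['action']}")
```

Run it directly to see both sample events classified; in practice you would feed it the text of each IAS denied-access event exported from the System log and count categories per NAS or per user to spot a misconfigured CA trust or a missing account-mapping rule before users report it.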