Re: EAP-TLS CA Authentication issue



Matt-Smith <Matt-Smith@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in news:D1DEF00A-31BE-4375-A662-62D564D261F8@xxxxxxxxxxxxx:

We are trying to develop a pilot EAP-TLS authenticated 802.11 network.
I have a 2003 IAS server running on a system with a 2003 standalone
CA installed. I have installed certificates on both the IAS server
and a client using the same standalone CA. I have checked the Client
CA snap-in and see the Cert in the local machine personal certs store
and I also see the user cert in the user cert store as well. When I
try to authenticate, the IAS server reports the following error:

4/24/2007 3:12:36 PM IAS Warning None 2 N/A
MDTARADIUS1 User arcserve@xxxxxxxxxxxxxxxxxxxx was denied access.
Fully-Qualified-User-Name = MDTA\arcserve
NAS-IP-Address = 10.93.76.68
NAS-Identifier = 10.93.76.68
Called-Station-Identifier = 000B8641BBE0
Calling-Station-Identifier = 0012F08D4497
Client-Friendly-Name = mdta-fskpol-wswt1
Client-IP-Address = 10.93.76.68
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = MdTA-TLS
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.

How can the IAS server not trust a Cert issued by the same CA that
issued its own installed server cert?

Sounds like the certificate templates are not configured correctly -- they
have to meet the minimum cert requirements described in the IAS Help.

FA