Re: IAS with WorkGroup machines



Harindra000 <Harindra000@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in news:21753608-2D29-4888-A7C5-6EFF5FD27F2A@xxxxxxxxxxxxx:

I'm using EAP-MSCHAP V2 for WiFi Access using 3Com managed switch as
RADIUS Client. Setup includes In house CA. AD, IIS, CA and IAS in a
single ProLiant server.

My IAS works all fine for domain computers with AD user accounts.

But, whenever non-domain (Work Group) system tries to connect to my
internal network by using domain credentials; IAS denies it.

Event viewer contains event id 5052 (There is no domain controller
available for domain ...) and 3 (Access request for user domain\ADUser
is discarded; the user account domain can not be accessed) from source
IAS.

How can I grant access for my mobile access clients without connecting
them to my domain? (Many of them are vista\xp home)


Your comments are highly appreciated.



When you deployed your own CA, domain member computers automatically
received the CA's certificate, which was stored in the certificate stores
for the Local Computer and Current User, in the Trusted Root Certification
Authorities store.

Because domain member computers have that certificate in the cert store,
they trust certificates that are issued by your CA.

To deploy PEAP-MS-CHAPv2 for wireless clients, you must issue server
certificates to IAS servers; after you have done that, the server uses the
certificate during authentication to prove its identity to client
computers. In turn, users provide credentials (user name and password) to
prove their identities to IAS.

When the client computers receive the IAS server certificate, they check
their Trusted Root Certification Authorities cert store to find out if they
trust the CA that issued the server certificate. Your domain member
computers can do this successfully; however, any non-domain member computer
that tries to connect cannot accomplish this, because they don't have the
CA certificate in the Trusted Root Certification Authorities cert store.

The solution is to export the CA cert to removable media and then import
the cert into the TRCA store for the Local Computer and Current User on
non-domain member computers.

See the IAS Help topic "Network access authentication and certificates" for
more info.
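
The import step described in the reply above can be scripted. The following PowerShell script is an added example, not part of the original thread: the file path and thumbprint are placeholders, and it assumes the in-house CA is a self-signed root and that the script runs elevated on the non-domain computer.

```powershell
# Added example. Placeholders are marked; run elevated on the non-domain client.
param(
    [string]$CertPath = 'E:\ca-root.cer',                 # placeholder: CA cert exported to removable media
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-CA>'  # placeholder: read on the CA server itself
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$fullPath = (Resolve-Path $CertPath).ProviderPath
$cert = New-Object "$x509.X509Certificate2" $fullPath

# 1. The file must be the certificate you expect. Compare against a thumbprint
#    obtained from the CA server, not one shipped alongside the file.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. Assumption: the in-house CA is a root, so subject and issuer are identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (issuer: $($cert.Issuer)); not a root CA certificate"
}

# 3. It must be marked as a CA in Basic Constraints, not a server or user certificate.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic Constraints does not mark this certificate as a CA'
}

# 4. Add it to Trusted Root Certification Authorities for both locations named
#    in the reply. LocalMachine needs admin rights; CurrentUser shows a Windows
#    confirmation dialog.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $store = New-Object "$x509.X509Store" 'Root', $location
    $store.Open('ReadWrite')
    try {
        $store.Add($cert)
        $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        "{0}\Root: {1} matching certificate(s) present" -f $location, $found.Count
    } finally {
        $store.Close()
    }
}
```

Only the CA certificate (public key) is imported; the CA's private key never leaves the CA server.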