Re: EAP-TLS Radius problem
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 10 Jul 2008 12:26:09 -0700
It sounds like what you're trying to do is provide access to members of
both domains through the same 802.1X switch using a single IAS server that
is a member of Domain 1.
In this circumstance you have two choices to allow IAS to authenticate and
authorize the connection requests for both domains:
1. Domain 1 and Domain 2 have a two-way trust relationship.
2. The IAS server in Domain 1 forwards connection requests to a remote
RADIUS server in Domain 2 for processing when the requests come from
members of Domain 2.
In other words, if the domains do not have a two-way trust relationship,
IAS in domain 1 cannot process connection requests for members of Domain 2.
In that circumstance IAS must be configured as a proxy to forward
connection requests to another IAS server that is a Domain 2 member.
Also, even with a two-way trust, ensure that the IAS server is registered
in Domain 2. (I.e. the IAS server must be a member of the RAS and IAS
Servers group in AD Users and Computers in Domain 2).
MadPAM <taz.nospam@xxxxxxxxx> wrote in
news:356D66F5-4889-4516-B130-B2F3BAF5AB4B@xxxxxxxxxxxxx:
Hi,
we have an issue with Radius and EAP-TLS which we can't seem to be
able to work out. Maybe somebody here has an idea.
We have 2 domains on 2003 standard edition running in our test
environment. Clients are running Windows XP SP3. The domain
controllers of both domains have an Enterprise Root CA installed on
them. Both issue computer certificates (standard template) via Group
Policy to all domain members as well as the cert of the root CA into
the TRCA. In Domain2 the cert of Domain1 is also distributed via GP to
the TRCA of the clients.
Domain1 runs a Radius server to do authentication for wired 802.1x.
The AuthMode for the clients is set to "machine". The certs of the
root CA for domain1 and domain2 were imported into the TRCA of the
local computer store (via GP) of the clients in domain2.
When a machine from domain1 tries to authenticate everything works
fine. When a machine from domain2 tries to authenticate we get an
error in the event log of the radius server: EventID 2, Source IAS,
Reason Code 295, A Certificate chain processed correctly, but one of
the CA certificates is not trusted by the policy provider.
We have created a separate "Connection Request Policy" for clients
from domain2 with a Find/Replace rule that replaces the subject with a
known user id from domain1 that we mapped the certificate of domain2
to (Many-to-One - trusting the issuer of the cert).
Looking at the error message it seems as if IAS gets past this
Connection Request.
Then we have a "Remote Access Policy" which checks if the user is a
member of a specific group. And this seems to be the place where it
fails (we see the Policy-Name in the error message).
For test purposes we have taken off the "Windows-Groups" condition
on the Remote Access Policy and sure enough it goes to the next policy
(and of course fails it - works as designed).
We have checked the cert store of the local computer of the Radius
server and the service account for IAS, and it contains the root CA
cert from domain1 (which it is a member of) and domain2.
Exported and looked at from the Radius server the client cert of
domain2 checks out fine - no error messages.
So, just to reiterate, EAP-TLS authentication is working for the
"local" CA (domain1) - but not for the third-party CA (domain2).
Any help would be much appreciated!
*******************************
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
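The two prerequisites named in the reply (registration in Domain 2's "RAS and IAS Servers" group, and both root CAs trusted by the RADIUS host) can be checked from the IAS server itself. The script below is an added example, not code from either poster; it assumes the RSAT ActiveDirectory module is installed, and the domain name and CA subject names are placeholders to be replaced.

```powershell
# Added example (not part of the thread). Run on the IAS/NPS host in Domain 1 to
# check the two prerequisites from the reply: (1) this server is registered in
# Domain 2's "RAS and IAS Servers" group, (2) both domains' root CA certificates
# are in the machine's Trusted Root store. Assumes the RSAT ActiveDirectory
# module; $Domain2 and the CA subject names below are placeholders.
param(
    [string]$Domain2 = 'domain2.example',
    [string[]]$ExpectedRootCaSubjects = @('CN=Domain1-Root-CA', 'CN=Domain2-Root-CA')
)
Import-Module ActiveDirectory -ErrorAction Stop
$failures = 0

# 1. Group membership in Domain 2. A member from a trusted domain is stored as a
#    foreignSecurityPrincipal whose objectSid is the original computer SID, so
#    compare SIDs rather than names.
$mySid = (Get-ADComputer -Identity $env:COMPUTERNAME).SID.Value
$group = Get-ADGroup -Identity 'RAS and IAS Servers' -Server $Domain2 -Properties member
$memberSids = foreach ($dn in $group.member) {
    (Get-ADObject -Identity $dn -Server $Domain2 -Properties objectSid).objectSid.Value
}
if ($memberSids -contains $mySid) {
    Write-Host "OK: $env:COMPUTERNAME is in 'RAS and IAS Servers' in $Domain2"
} else {
    Write-Warning "$env:COMPUTERNAME is not registered in 'RAS and IAS Servers' in $Domain2"
    $failures++
}

# 2. Root CA trust in the RADIUS server's machine store.
$roots = Get-ChildItem Cert:\LocalMachine\Root
foreach ($subject in $ExpectedRootCaSubjects) {
    $hit = $roots | Where-Object { $_.Subject -eq $subject }
    if ($hit) {
        Write-Host "OK: $subject present in LocalMachine\Root (thumbprint $($hit.Thumbprint))"
    } else {
        Write-Warning "$subject missing from LocalMachine\Root"
        $failures++
    }
}

if ($failures -eq 0) { 'All checks passed.' } else { "$failures check(s) failed." }
```

The script only reads directory and certificate-store state; a warning on either check points at the corresponding item in the reply above.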