Re: IAS certificate needs reloaded on DC every day



These are a few of the documents I've been trying to follow to get IAS
working with wireless clients. Most of them contain the steps for
creating/installing the cert on the IAS server.

http://www.microsoft.com/technet/network/wifi/ed80211.mspx
http://articles.techrepublic.com.com/5100-10878_11-6148560.html
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml#inst2003
Securing Wireless LANs with PEAP and Passwords (pdf) file downloaded and
extracted from MS site.

Basically, I logged on to the DC as the domain admin;
Opened MMC and Add Snap-In Certificates -> Local Computer
Expanded Personal -> Certificates (there are 2 certs already there, but
neither are recognized in IAS as ones that can be used);
Right click -> All Tasks -> Request New Certificate;
Complete the wizard using the Domain Controller template;
Certificate request completed, certificate issued from CA and installed in
Personal Certificates store - valid until August 2009.
Save and exit.
IAS configuration can use this certificate with PEAP configuration.

Note that Group Policy -> Default Domain Policy was configured for
AutoEnrollment and the CA is listed in the Trusted Root Cert Authorities.
Verified that this is in the Trusted Root Certificates Authority of the DC
while having the Certificates MMC open. Valid until 2012.

Come back in tomorrow;
Open IAS. Drill back down through the config again, but when editing PEAP
get an error box saying there is no matching certificate.
Close all this.
Open MMC -> Certificates (previously saved)
The Personal -> Certificates store lists only the original 2 certificates.
The newly created/issued cert is not there.
Click on import and pull it in again (have exported the .cer file from the
CA into a network folder)
Save and close.
Repeat each step the next day.

Rick

"James McIllece [MS]" wrote:

Library Sysadmin <LibrarySysadmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:66E5A10F-6A35-4A4D-9EFE-3CCFCDBC1CDC@xxxxxxxxxxxxx:

Windows 2003 R2 x64 SP2 servers.
IAS installed on 2 DCs; CA installed on another member server.

I'm setting up IAS to authenticate wireless devices and not having
much success, so far.

Following several pieces of documentation, while logged in as the
domain admin on the DCs, I requested a certificate from the CA,
installing it into the Personal Certificates store. I then used this
cert with IAS in the Remote Access Policy I've configured, with the
PEAP authentication configuration.

As I've been trying to get the whole RADIUS authentication process to
work, I keep rechecking configurations and I have found that every day
I have to reload the certificate on the DCs.

The certificate is valid and doesn't expire until August, 2009. It
displays on the CA as an Issued Certificate. I've already tried
revoking one and creating a second one and using that in the IAS
config, but the same thing is happening.

How do you get the cert installed without having to reload it every
day?

TIA
Rick

Hi Rick --

I'm curious about what docs you used to create your certs and enroll them
to IAS servers/DCs -- can you provide links to the docs or, if they're Help
topics, topic titles?

I also don't think I understand the situation -- are you saying that after
you have issued server certificates to the IAS servers, the certificates
are then deleted the next day from the Personal certificate store for both
the Local Computer and the Current User on the IAS servers? Or are you
saying the certs are there but they won't work?

You say that you requested a certificate for the IAS servers -- I am
assuming you did this using the certificates snap-in, is that correct? If
so, the certificate isn't going to work for IAS authentication purposes --
you must configure a certificate template and then enroll the cert to
servers. Did you configure a certificate template (in the Certificate
Templates MMC on the CA) based on the minimum server certificate
requirements detailed in the IAS Help?


*******
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
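A diagnostic I would run on each IAS server after enrolling, as an added example (not code from the thread, from Microsoft, or from the IAS Help): it audits every certificate in the Local Computer Personal store against the minimum PEAP server-certificate requirements James refers to (Server Authentication EKU, a private key, a subject name matching the host, a chain to a trusted root, not expired) and reports which enterprise CA template each one was issued from. It assumes Windows PowerShell 3 or later on the IAS host and that the host's DNS name is the one wireless clients validate.

```powershell
# Added diagnostic, not from the thread. Assumes Windows PowerShell 3+ on the
# IAS/NPS host. The OIDs below are the standard PKIX/Microsoft values.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
$TemplateOids  = @('1.3.6.1.4.1.311.20.2',   # Certificate Template Name (V1 templates)
                   '1.3.6.1.4.1.311.21.7')   # Certificate Template Information (V2)

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($TemplateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return '(none: not enrolled from an enterprise CA template)'
}

function Test-PeapServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $eku  = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $eku = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    # DNS name taken from the SAN when present, otherwise from the subject CN
    $dnsName = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    [pscustomobject]@{
        Thumbprint      = $Cert.Thumbprint
        Template        = Get-TemplateName $Cert
        Subject         = $Cert.Subject
        # A .cer exported from the CA carries only the public half; without the
        # private key IAS cannot use the certificate for PEAP.
        HasPrivateKey   = $Cert.HasPrivateKey
        ServerAuthEKU   = ($eku -contains $ServerAuthOid)
        NameMatchesHost = ($dnsName -ieq $fqdn)
        # Verify() builds the chain against the machine's trusted roots and
        # checks revocation, so it can fail if the CRL is unreachable.
        ChainsToRoot    = $Cert.Verify()
        NotExpired      = ($Cert.NotAfter -gt (Get-Date))
    }
}

# Audit every certificate in the Local Computer Personal store; a row with any
# $false column is one that IAS will not offer in the PEAP configuration.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-PeapServerCert $_ } |
    Format-Table -AutoSize
```

Run it again the next morning: if the row for the enrolled certificate is gone rather than failing a column, the store contents are changing, which is a different problem from an unsuitable template.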
