Re: IAS with WorkGroup machines



Which CA cert (root CA or IAS CA) do I need to export and then import to
the wifi client?

Thanks,

Khuyen.

"FenderAxe" wrote:

Harindra000 <Harindra000@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in news:21753608-2D29-4888-A7C5-6EFF5FD27F2A@xxxxxxxxxxxxx:

I'm using EAP-MSCHAP V2 for WiFi Access using 3Com managed switch as
RADIUS Client. Setup includes In house CA. AD, IIS, CA and IAS in a
single ProLiant server.

My IAS works all fine for domain computers with AD user accounts.

But, whenever a non-domain (Work Group) system tries to connect to my
internal network by using domain credentials, IAS denies it.

Event viewer contains event id 5052 (There is no domain controller
available for domain ...) and 3 (Access request for user domain\ADUser
is discarded; the user account domain can not be accessed) from source
IAS.

How can I grant access for my mobile access clients without connecting
them to my domain? (Many of them are vista\xp home)


Your comments are highly appreciated.



When you deployed your own CA, domain member computers automatically
received the CA's certificate, which was stored in the certificate stores
for the Local Computer and Current User, in the Trusted Root Certification
Authorities store.

Because domain member computers have that certificate in the cert store,
they trust certificates that are issued by your CA.

To deploy PEAP-MS-CHAPv2 for wireless clients, you must issue server
certificates to IAS servers; after you have done that, the server uses the
certificate during authentication to prove its identity to client
computers. In turn, users provide credentials (user name and password) to
prove their identities to IAS.

When the client computers receive the IAS server certificate, they check
their Trusted Root Certification Authorities cert store to find out if they
trust the CA that issued the server certificate. Your domain member
computers can do this successfully, however any non-domain member computer
that tries to connect cannot accomplish this, because they don't have the
CA certificate in the Trusted Root Certification Authorities cert store.

The solution is to export the CA cert to removable media and then import
the cert into the TRCA store for the Local Computer and Current User on
non-domain member computers.

See the IAS Help topic "Network access authentication and certificates" for
more info.
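
The import step described in the reply above, as an added PowerShell example that is not part of the original thread. It assumes the in-house CA is a single-tier root (as the setup in the thread suggests), that its certificate was exported on the CA server (for example with `certutil -ca.cert`), and that PowerShell is available on the workgroup client; the file path and the thumbprint value are placeholders.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the non-domain (workgroup) client.
param(
    # Hypothetical path to the CA certificate on removable media.
    [string]$CerPath = 'E:\inhouse-ca.cer',
    # Placeholder: the SHA-1 thumbprint read directly on the CA server.
    [string]$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-CA-SERVER>'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Only a root belongs in Trusted Root Certification Authorities:
# a root CA certificate is self-signed, so Subject and Issuer are identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root CA certificate (issued by '$($cert.Issuer)'). Export the root of the chain."
}

# Fail closed unless the file matches the thumbprint obtained out of band.
# Trusting a root lets it vouch for any server, so the file itself is not proof.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint). Nothing was imported."
}

# The reply names both stores: Local Computer and Current User.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', $location
    $store.Open('ReadWrite')
    try {
        $store.Add($cert)
        # Read the store back to confirm the certificate is really there.
        $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        '{0}\Root now holds {1} certificate(s) with thumbprint {2}' -f $location, $found.Count, $cert.Thumbprint
    }
    finally {
        $store.Close()
    }
}
```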
