Re: WM6 + PEAP/MSCHAPv2




Okay, that's interesting. Here are the details of the IAS policy we use
successfully with all other devices, though for the record we do not
use user certs at all, just domain credentials.

Policy conditions:
1) NAS-Port-Type matches "Wireless - Other OR Wireless - IEEE 802.11"
2) Windows-Group matches "domain\Domain Users;domain\Domain Computers"
3) Authentication-Type matches "EAP OR MS-CHAP v2"

Under authentication profile options, we only have MS-CHAP v2
checked. In the third condition I think EAP is only picked as an
experiment; all successful IAS events list the authentication type as
MS-CHAP v2. I think everything else in the policy is set to default
options for a new IAS policy, but I can give you any other details you
think relevant.

This works fine with just domain credentials on:
- Domain-joined XP/Vista machines using integrated Windows credentials
- Non-domain-joined XP/Vista machines when we specify credentials in
the wireless network's setup
- Mac OS X laptops once the RADIUS server's cert is imported into the
X.509 Anchors store
- Windows Mobile 2003 & Windows Mobile 5 devices using numerous
wireless clients

So I don't see how the IAS policy could be the issue. Hopefully I'm
wrong though :)

On Mar 19, 3:00 pm, "Eric Hicks [MVP]" <i...@xxxxxxxxxxx> wrote:
No, that's not true; even if you didn't have a root cert installed or had an
issue, you would still get something in the event log. In this case the
error you have indicates the root cert is fine. Can you post details of the
radius policy that the client authenticates against? FWIW I took a device
and connected it to the wireless and at first WM defaulted to PEAP, after
entering my information it then tried to authenticate. It failed with the
same error that you posted but the device came back and asked me to
authenticate via a user certificate which was then accepted.

--
Eric Hicks [That_Kid] (MS-MVP Mobile Devices)


