Re: Explanation required for using RRAS / L2TP/IPSEC and certificates for VPN connection

From: Danny (d_codling_at_hotmail.com)
Date: 06/09/04


Date: 9 Jun 2004 08:03:19 -0700

Thank You, the information you have provided is very beneficial, and
also very thorough, thanks again for your time!

Regards

Danny

"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message news:<Xns95029934A4537jamesmcionlinemicros@207.46.248.16>...
> d_codling@hotmail.com (Danny) wrote in
> news:b3587fea.0406070652.55e09f57@posting.google.com:
>
> > Hi all,
> >
> > I'm trying without success to configure RRAS in win2k to use
> > certificates for authentication. I've seen many docs around the
> > Internet explaining various elements of this, but I'm still stumped.
> >
> > What type of certificate should I request from my stand-alone CA?
> >
> > When I install the certificate after issuing it, where does it go?
> >
> > I've tried creating Server Authentication / client authentication
> > certificates but whenever I go into RRAS, edit profile for my policy,
> > select authentication I get the 798 error, no certifications for EAP.
> >
> > I'm sure I'm missing something so obvious here, can anyone explain
> > things a little more
> >
> > Thanks
> >
>
> Hi Danny --
>
> It is most likely that the certificates as you configured them on the CA do
> not meet the minimum certificate requirements for a cert used for server
> authentication. When your RRAS server has a cert that meets the minimum
> requirements, it is automatically selected by RRAS/remote access policy
> (RAP). (In other words, when there is a valid cert on the machine, RAP
> selects that cert by default.)
>
> Certificates are kept in the "certificate store" of the machine. ("Store"
> as in "storage area.") You can view the certificates (and their properties)
> on the machine by opening the Microsoft Management Console (Start, Run,
> type "mmc" and hit enter) and adding the certificates snap-in to the
> console.
>
> There are two certificate stores on a machine -- the Current User store and
> the Local Computer store. You can add both stores to the snap-in so that
> you can view them from the same console (and then you can save the console
> for later use). For more MMC info see
> http://www.microsoft.com/windows2000/techinfo/planning/management/mmcsteps.asp
>
> Some tips:
>
> The server cert must be in the Local Computer cert store. Also, when you
> configure the cert templates, make sure the server cert has the server
> authentication purpose in Enhanced Key Usage extensions. Do not substitute
> the "All" purpose for the "Server Authentication" purpose or the cert is
> invalid.
>
> If possible, use the Web enrollment tool to enroll the cert on the server.
>
> If clients are domain members, you can autoenroll client computer
> certificates (but not user certs) using Group Policy. That is a little
> complicated to set up, but is much easier than manually installing certs on
> all clients. Clients must have the Client Authentication purpose in EKU
> extensions, not the "All" purpose.
>
> Some resources that are recommended:
>
> Step-by-Step Guide to Setting up a Certification Authority
> http://www.microsoft.com/windows2000/techinfo/planning/security/casetupsteps.asp
>
> Step-by-Step Guide to Advanced Certificate Management
> http://www.microsoft.com/windows2000/techinfo/planning/security/advcertsteps.asp
>
> The following topic is from Windows Server 2003 Help, and I know you are on
> W2K, but much of the information is applicable to your situation so you may
> find it helpful: "Network access authentication and certificates" in
> Windows Server 2003 IAS or VPN Help, or on the web at
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp.
>
> Hope that helps...
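The checks James lists (Local Computer store, Server Authentication explicitly in EKU rather than "all purposes", a cert that is valid and chains to a trusted root) can be scripted so you see why RRAS refuses a cert before hitting error 798. The script below is an added example, not part of the thread; it assumes a modern Windows host with PowerShell and the Cert: provider (Windows 2000 predates PowerShell), run elevated on the RRAS server, and it uses the standard EKU OIDs. Pass `-RequiredOid '1.3.6.1.5.5.7.3.2'` to apply the same test to a client certificate.

```powershell
# Added example (not from the original thread): audit Cert:\LocalMachine\My
# for a certificate that meets the reply's minimum requirements for
# RRAS/EAP server authentication.
# Assumptions: PowerShell 3+ with the Cert: provider, run as administrator.

function Test-EapCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        # id-kp-serverAuth by default; use 1.3.6.1.5.5.7.3.2 for client certs.
        [string]$RequiredOid = '1.3.6.1.5.5.7.3.1'
    )
    $problems = @()

    # RRAS can only offer a cert whose private key is on this machine.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # Expired or not-yet-valid certs are never selected by the policy.
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += 'outside validity period'
    }

    # EKU must be present and list the purpose explicitly. A missing EKU
    # extension means "all purposes" on Windows, which the reply rules out.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) {
        $problems += "no EKU extension (all purposes) instead of $RequiredOid"
    } elseif (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredOid })) {
        $problems += "EKU does not include $RequiredOid"
    }

    # The chain must build to a root this machine trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Local Computer store, as the reply requires (not Cert:\CurrentUser).
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapCertificate -Cert $_ } |
    Format-Table -AutoSize
```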
