RE: 802.1x, Computers, Wired Security



Just to be clear... PEAP-MSCHAPv2 and EAP-TLS both work for user auth. I want
to get EAP-TLS to work with computer auth. See my answers below...



"Miles Li [MSFT]" wrote:


Hello,

As the user authentication using PEAP/MSCHAPv2 is working, the 802.1X wired
service on the Windows XP SP3 should function properly. However, because
TLS with certificates needs a certificate that is enrolled from the CA,
please verify the certificates on the client machine that connects to the 802.1x
wired network, as I mentioned in my previous post.

814394 Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
http://support.microsoft.com/kb/814394

Client side:

1. Is there a computer certificate that is enrolled from the domain CA?


YES


2. Does computer certificate on the client chain to a trusted root? Can you
verify the certificate path successfully?
- You can select the trusted root certification authorities in the
Network Connection--->properties--->authentication tab--->PEAP settings
(PEAP properties).


I'M NOT USING PEAP


3. Do you select the Smart card or other certificate (you used to use
MSCHAPv2) as the Authentication method for PEAP?

YES I SELECT SMART CARD OR OTHER CERTIFICATE FOR EAP-TLS


4. Does the computer certificate have the Client Authentication purpose?



YES


Server side:

1. Is the option "validate server certificate" chosen on the client?
If yes, please verify the IAS
Server's computer certificate for Server Authentication purpose and its
certificate path.

YES


Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.


Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
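
The client-side checks in the list above (a computer certificate is present, its path builds to a trusted root, and it carries the Client Authentication purpose) can be run against the local computer store with PowerShell. This is an added example, not part of the original thread; the function name `Test-MachineCertForEapTls` is hypothetical, and it assumes PowerShell 2.0 or later is installed on the client.

```powershell
# Added example: audit Cert:\LocalMachine\My for EAP-TLS computer authentication.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

function Test-MachineCertForEapTls {   # hypothetical helper name
    param($Cert)

    # Client item 4: Client Authentication purpose in the EKU extension.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $false
    if ($eku) {
        $matches = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        $hasClientAuth = $matches.Count -gt 0
    }

    # Client item 2: does the path build to a trusted root in the machine context?
    # Revocation is switched off here so that only the path itself is tested.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        HasEku        = [bool]$eku
        ClientAuthEku = $hasClientAuth
        ChainTrusted  = $chainOk
        ChainProblems = $problems
        TopOfChain    = $top.Subject
    }
}

# Client item 1: list every certificate in the computer's Personal store.
# An empty result means no computer certificate has been enrolled.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-MachineCertForEapTls $_ } |
    Select-Object Subject, Issuer, NotAfter, HasEku, ClientAuthEku,
                  ChainTrusted, ChainProblems, TopOfChain |
    Format-List
```

Run it from an account that can read the local computer store; a certificate showing `ChainTrusted : False` lists the failing status values in `ChainProblems`.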

