Re: Need help with 802.1x peap authentication

From: Stuart Mackie [MCP, MSP] (newsgroups_at_--REMOVE_THIS-NO_SPAM--stu.uk.com)
Date: 01/21/05


Date: Fri, 21 Jan 2005 10:29:00 -0000

Hi Chris.

Is your current CA installation Stand-alone or Enterprise ? It needs to be
installed as an Enterprise root CA.

If your installation is correct go ahead and request a new certificate as
described and try and select it in IAS. The old one can be left for the
time being and deleted later on to avoid any confusion.

Let me know how you get on.

-- 
Hth,
Stuart Mackie [MCP, MSP]
www.stu.uk.com
"Chris" <Chris@discussions.microsoft.com> wrote in message 
news:4215A1BD-9A12-41A7-A541-92CF4ADBD31F@microsoft.com...
> Stuart,
>
> I've tried installing both Certificate servers as stand alone CA and
> enterprise CA.  I get the same error message.  I've tried what you are
> suggesting in the past and still the system doesn't think I have a
> Certificate server.  I don't remember what the error message was.  I will
> try again and let you know.  Should I delete the current certificate in my
> personal folder and request a new certificate or just leave the existing one
> and request another certificate?
>
> To answer your question about installing the certificate on the server.  I
> didn't install any certificates.  When I installed and configured
> certificate server, a certificate was automatically installed.
>
> Thanks,
> Chris
>
> "Stuart Mackie [MCP, MSP]" wrote:
>
>> Hi Chris.  It appears you have an incorrect certificate type which is why
>> you are getting that error.  The certificate has to contain both public
>> and private key for the server.
>>
>> How did you go about requesting and installing the certificate on your
>> server ?
>>
>> When you installed your Certificate Authority, did you install it as a
>> Standalone CA or an Enterprise CA ?
>>
>> It is also possible your certificate template is incorrectly configured
>> but unless you have made any alterations to the templates it is unlikely.
>>
>> Follow the instructions (taken from previous reply) and request a new
>> certificate
>>
>> - Open an mmc console on your server and add the Certificate snap-in for
>> the 'Computer Account' then 'Local Computer'.
>> - Expand the Certificates root and right click on the Personal folder,
>> select All Tasks then Request New Certificate.
>> - Click next then select Computer Certificate, enable the Advanced option
>> at the bottom then click next.  Microsoft RSA SChannel Provider should be
>> selected with 1024 bit key, select next.  Click next again, enter a name
>> for the certificate, click next and then finish.
>> - If you now open IAS and edit your wireless Remote Access Policy, select
>> Edit Profile, click the Authentication tab followed by EAP Methods.
>> Select PEAP followed by Edit and you should be able to select your new
>> server certificate.
>>
>>
>> The link below explains in more detail the certificate requirements for
>> PEAP etc.
>>
>> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp.
>>
>>
>> Correct - you don't need auto enrollment of certificates for PEAP unless
>> you require them for another reason.
>>
>> --
>> Hth,
>> Stuart Mackie [MCP, MSP]
>> www.stu.uk.com
>>
>>
>> "Chris" <Chris@discussions.microsoft.com> wrote in message
>> news:DBC8EC9B-3B4D-4DE7-8B55-D8ED2ACD7038@microsoft.com...
>> > Stuart,
>> >
>> > I do see the certificate in my personal folder in the mmc console but
>> > when I select PEAP followed by the Configure button, I get an error
>> > message stating "A certificate could not be found that can be used with
>> > this Extensible Authentication Protocol."
>> >
>> > Yes, I did configure certificate auto enrollment in my group policies.
>> > Guess I don't need that if I'm using PEAP right?
>> >
>> > Chris
>> >
>> > "Stuart Mackie [MCP, MSP]" wrote:
>> >
>> >> Hi Chris.  It sounds like you're nearly there but are having a problem
>> >> with your Server certificate.  If you open an mmc console on the server
>> >> and add the Certificate snap-in for the 'Computer Account' then 'Local
>> >> Computer', do you have an appropriate Certificate for the server
>> >> available in the 'Personal' folder ?  If not, to create a server
>> >> certificate right click on the Personal folder, select All Tasks then
>> >> Request New Certificate.  Click next then select Computer Certificate
>> >> then click next.  Enter a name for the certificate, click next and then
>> >> finish.  If you now open IAS and edit your wireless Remote Access
>> >> Policy, select Edit Profile, click the Authentication tab followed by
>> >> EAP Methods.  Select PEAP followed by Edit and you should be able to
>> >> select your server certificate.
>> >>
>> >> Did you configure Auto Enrolment for computers and users ?  If you are
>> >> using PEAP you will not require certificates for the computers or users,
>> >> only the server will require a certificate.
>> >>
>> >> I'm not sure what features the Dell Wireless Utility provides but one
>> >> issue which tends to arise with 3rd party wireless utilities is support
>> >> for wireless connection pre-logon.  If you have a workstation which uses
>> >> roaming profiles etc., if the wireless connection is not available
>> >> before logon you will get logon errors.  The MS Zero Configuration
>> >> accommodates this by first processing the wireless authentication,
>> >> allowing the connection to be made before continuing.  Most 3rd party
>> >> utilities now support this but not all.
>> >>
>> >> The link below is an MS Test Lab walk through for configuring secure
>> >> wireless access using IAS etc.  It covers the exact layout you are
>> >> trying to achieve.  From what you've listed so far your configuration
>> >> is correct apart from a problem with your certificate, but it may be
>> >> worth a scan through if you want to double check any of your settings.
>> >>
>> >> http://wireless.dweezle.org/Docs/IAS2003config.pdf
>> >>
>> >> -- 
>> >> Hth,
>> >> Stuart Mackie [MCP, MSP]
>> >> www.stu.uk.com
>> >>
>> >>
>> >> "Chris" <Chris@discussions.microsoft.com> wrote in message
>> >> news:238CBC05-713F-4F59-A744-AAAE4FF16BAC@microsoft.com...
>> >> > Sure.  I set up the client namely the Cisco AP 1200 and a remote
>> >> > access policy with NAS-Port-Type and Windows-Groups.  In the
>> >> > authentication tab, I have Extensible Authentication Protocol checked
>> >> > with Protected EAP (PEAP) selected but when I click on Configure I get
>> >> > an error message stating that "a certificate could not be found that
>> >> > can be used with this EAP".  Under the advanced tab, I selected the
>> >> > Ignore-User-Dialin-Properties (Value is True) and Service-Type (value
>> >> > is Framed).
>> >> >
>> >> > On the Cisco 1200 AP, I had set Radius configuration pointing to
>> >> > this IAS server using EAP Authentication.
>> >> >
>> >> > On my wireless client, I tried using both Dell Wireless Utility and
>> >> > MS Zero Configuration.  Network Authentication is 802.1x, Data
>> >> > Encryption is WEP.  In the Authentication tab, I have PEAP as the EAP
>> >> > Method and under Tunnelled Authentication Protocol, I have MS-CHAPv2
>> >> > selected.
>> >> >
>> >> > I have a MS Enterprise Certificate server set up that automatically
>> >> > issues certificates upon trying to authenticate.
>> >> >
>> >> > Thanks,
>> >> > Chris
>> >> >
>> >> > "Stuart Mackie [MCP, MSP]" wrote:
>> >> >
>> >> >> Hi Chris.  Can you just run through what you have configured so far
>> >> >> with
>> >> >> IAS, your Cisco 1200 AP and your wireless client ?
>> >> >>
>> >> >> If you are using EAP-PEAP then only a certificate is required on
>> >> >> the Server.  If you were to use EAP-TLS or EAP-TTLS then you would
>> >> >> require a certificate on both the Workstation and the Server.
>> >> >>
>> >> >> --
>> >> >> Hth,
>> >> >> Stuart Mackie [MCP, MSP]
>> >> >> www.stu.uk.com
>> >> >>
>> >> >>
>> >> >> "Chris" <Chris@discussions.microsoft.com> wrote in message
>> >> >> news:8BE10CF3-C39D-4979-921C-6FFA44DEA48A@microsoft.com...
>> >> >> > This is what is logged in the event viewer when I try to
>> >> >> > authenticate.  Is there a way to authenticate without having a
>> >> >> > certificate on the client machine.  Thanks for the help.  This is
>> >> >> > my second posting.  Can anyone help with this?
>> >> >> >
>> >> >> > Event Type: Error
>> >> >> > Event Source: IAS
>> >> >> > Event Category: None
>> >> >> > Event ID: 3
>> >> >> > Date: 12/22/2004
>> >> >> > Time: 1:25:23 PM
>> >> >> > User: N/A
>> >> >> > Computer: hostname
>> >> >> > Description:
>> >> >> > Access request for user clai was discarded.
>> >> >> > Fully-Qualified-User-Name = <undetermined>
>> >> >> > NAS-IP-Address = x.x.x.x
>> >> >> > NAS-Identifier = Cisco_1200_SantaClara
>> >> >> > Called-Station-Identifier = 0011.5c97.6350
>> >> >> > Calling-Station-Identifier = 0090.4b69.295c
>> >> >> > Client-Friendly-Name = Cisco 1200
>> >> >> > Client-IP-Address = x.x.x.x
>> >> >> > NAS-Port-Type = 19
>> >> >> > NAS-Port = 497
>> >> >> > Reason-Code = 1
>> >> >> > Reason = An internal error occurred. Check the event log for
>> >> >> > additional information on what might have caused this error.
>> >> >> >
>> >> >> > Event Type: Error
>> >> >> > Event Source: IAS
>> >> >> > Event Category: None
>> >> >> > Event ID: 20168
>> >> >> > Date: 12/22/2004
>> >> >> > Time: 1:25:23 PM
>> >> >> > User: N/A
>> >> >> > Computer: hostname
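Added example, not part of the thread above and not code from either poster: a PowerShell check that lists what is in the Local Computer\Personal store on the RADIUS server and reports which certificate IAS (renamed NPS from Windows Server 2008 on) could actually pick for PEAP. The "certificate could not be found" error in the thread is what you get when nothing in that store has all of: the private key, the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), a validity period that covers today, and a chain that builds to a root the machine trusts. The function name Test-PeapServerCert, the $ServerAuthOid variable and the output fields are my own naming; run it in an elevated PowerShell on the server.

```powershell
# Added example (not from the thread): enumerate LocalMachine\My and score each
# certificate against the PEAP server certificate requirements that IAS/NPS
# enforces. Names here (Test-PeapServerCert, $ServerAuthOid) are assumptions.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-PeapServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now = Get-Date

    # Pull the EKU OIDs out of the Extended Key Usage extension (2.5.29.37).
    # A certificate with no EKU extension, or with an EKU that lacks Server
    # Authentication, is treated as unusable here.
    $ekus = @()
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ekuExt) {
        $ekus = @(([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                  ForEach-Object { $_.Value })
    }

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey                       # the "public and private key" point in the thread
        ServerAuthEKU = ($ekus -contains $ServerAuthOid)
        ValidNow      = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ChainTrusted  = $Cert.Verify()                            # builds and validates the chain against the local root store
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-PeapServerCert $_ }
$results | Format-Table -AutoSize

$usable = $results | Where-Object {
    $_.HasPrivateKey -and $_.ServerAuthEKU -and $_.ValidNow -and $_.ChainTrusted
}
if (-not $usable) {
    Write-Warning 'No certificate in LocalMachine\My meets the PEAP server requirements; IAS/NPS will report that no usable certificate was found.'
}
```

If every certificate comes back with HasPrivateKey False, the store only holds the CA's own certificate (what gets dropped there when you install Certificate Services, as Chris describes), not a server certificate issued to the IAS machine, and you need to request one as Stuart's steps describe. If ServerAuthEKU is False the wrong template was used. To confirm the CA type Stuart asks about, `certutil -cainfo type` on the CA prints whether it is an Enterprise or Standalone root/subordinate; only an Enterprise CA can issue from templates such as Computer, which is why the Request New Certificate wizard finds nothing against a Standalone CA.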