Re: Radius Server

"RicNagy" <RicNagy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:86528C6B-0091-4F66-98A8-4B1DC27D7C97@xxxxxxxxxxxxx:

> Understood James, that's why I used PEAP MS-Chap2 and I set it up using
> the link you provided exactly as it says.
>
> The messages I get when the client tries to connect are:
> unable to find certificate
> unable to connect to preferred network
>
> So I'm guessing the client needs the Server Certificate. Can I just
> export it from the server and import it to the client? How do I go
> about this, if I can ask?
>
> "James McIllece [MS]" wrote:
>
>> "RicNagy" <RicNagy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
>> in news:D7371033-0F02-474D-B80D-2B081199144F@xxxxxxxxxxxxx:
>>
>> > Just set up a Radius Server at home using WPA and AES, and configured
>> > everything on the Server. I logged in locally to one of my clients
>> > and changed its properties. It then goes out and says validating
>> > identity. It seems there is supposed to be a certificate on the
>> > client? If this is the case, is that just issued through certificate
>> > server, or do I have to do some export/import?
>> >
>>
>> It depends on the authentication method that you deployed with your
>> remote access policy in IAS. A lot of auth methods don't use certs.
>> But if you deployed EAP-TLS, you need a server cert and a client
>> computer cert. If you deployed PEAP-MS-CHAP v2, you need a server
>> cert only, and users are authenticated with password-based
>> credentials.
>>
>> In both cases, clients must trust the CA that issued the server cert,
>> which means that the CA cert must be in the Trusted Root
>> Certification Authorities certificate store on the client computer.
>>
>> Here is more info on PEAP:
>>
>> "Step-by-Step Guide for Secure Wireless Deployment for Small
>> Office/Home Office or Small Organization Networks"
>> http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en
>>
>> --
>> James McIllece, Microsoft
>>
>> Please do not send email directly to this alias. This is my online
>> account name for newsgroup participation only.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>

You *don't* need the IAS server certificate on the client. What you need on
the client is the CA certificate, in the Trusted Root Certification
Authorities (TRCA) store. If the CA cert is not there, the client does not
trust the CA that issued the IAS server certificate, so the IAS server's
authentication attempt with the client fails.

To get the CA cert into that store, the easiest method is to plug the
wireless computer into the wire if it is a domain member -- then GP will
update and the CA cert will be installed automatically. Otherwise you need
to use the Certs console on a computer that does have your CA cert in the
TRCA store -- export the cert, then transfer it to the client and import it
into the TRCA store. Note that you *must* export and import rather than
drag and drop the cert, or the process fails.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
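
The export-and-import step described in the reply above, scripted for the client side. This is an added example, not part of the original thread; it assumes a Windows version that ships the Import-Certificate cmdlet, and the file name and expected thumbprint are placeholders you supply.

```powershell
#Requires -RunAsAdministrator
# Added example: import an exported CA certificate into the computer's
# Trusted Root Certification Authorities (TRCA) store after checking it.
param(
    [Parameter(Mandatory)] [string] $CaFile,             # exported CA cert, e.g. .\home-ca.cer (hypothetical name)
    [Parameter(Mandatory)] [string] $ExpectedThumbprint  # thumbprint read on the CA itself (assumption)
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\LocalMachine\Root'    # TRCA store of the client computer

# Load the file for inspection only; nothing is installed yet.
$path = (Resolve-Path -LiteralPath $CaFile).Path
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# 1. The file must be the certificate you meant to trust.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($ca.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($ca.Thumbprint), expected $expected"
}

# 2. It must be a self-signed CA certificate, not the IAS server certificate.
$bc = $ca.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
if (($ca.Subject -ne $ca.Issuer) -or (-not $bc.CertificateAuthority)) {
    throw "Not a root CA certificate: $($ca.Subject)"
}

# 3. It must be inside its validity period.
$now = Get-Date
if (($now -lt $ca.NotBefore) -or ($now -gt $ca.NotAfter)) {
    throw "Certificate is outside its validity period ($($ca.NotBefore) to $($ca.NotAfter))"
}

# 4. Import only if the store does not already hold it.
if (Test-Path "$store\$($ca.Thumbprint)") {
    "Already trusted: $($ca.Subject)"
} else {
    Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
    "Imported $($ca.Subject) [$($ca.Thumbprint)] into $store"
}
```

The thumbprint check is what ties the transferred file back to the CA on the computer it was exported from; a file that fails check 2 is typically the server certificate exported by mistake.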