Re: Radius Server
- From: "RicNagy" <RicNagy@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Dec 2005 12:47:01 -0800
This is the error I am seeing on the Server.
Microsoft suggests an error with the shared secret.
How do I ensure the client has that secret, which is
set during the IAS setup? If it is not present on the client,
how do I get it in place?
Details
Product: Windows Operating System
Event ID: 18
Source: IAS
Version: 5.0
Symbolic Name: RADIUS_E_INVALID_SIGNATURE
Message: An Access-Request was received from client %1 with a signature
attribute that is not valid.
Explanation
This event record indicates that there is a problem with either the shared
secrets or a RADIUS proxy server.
User Action
The person with administrative rights on the computer needs to verify that
the secrets on the client network access and RADIUS servers match exactly.
There are a few rules you must follow for successful shared secrets. Shared
secrets:
- Must be exactly the same on both servers.
- Are case-sensitive.
- Can use any standard alphanumeric and special characters. Using combinations
  of uppercase and lowercase letters, numbers, and special characters will make
  the shared secrets more secure.
- Can be up to 255 characters long. Long shared secrets are more secure than
  shorter ones.
If the shared secrets match, the problem may be with the RADIUS proxy
server. Contact the RADIUS proxy manufacturer for assistance.
"James McIllece [MS]" wrote:
> "=?Utf-8?B?UmljTmFneQ==?=" <RicNagy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> news:86528C6B-0091-4F66-98A8-4B1DC27D7C97@xxxxxxxxxxxxx:
>
> > Understood James, that's why I used PEAP MS-Chap2 and I set it up using
> > the link you provided exactly as it says.
> >
> > The messages I get when the client tries to connect are:
> > unable to find certificate
> > unable to connect to preferred network
> >
> > so I'm guessing the client needs the Server Certificate, can I just
> > export it from the server and import it to the client? How do I go
> > about this if I can ask?
> >
> > "James McIllece [MS]" wrote:
> >
> >> "=?Utf-8?B?UmljTmFneQ==?=" <RicNagy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
> >> in news:D7371033-0F02-474D-B80D-2B081199144F@xxxxxxxxxxxxx:
> >>
> >> > Just set up a Radius Server at home using WPA and AES configured
> >> > everything on the Server. I logged in locally to one of my clients
> >> > and changed its properties. It then goes out and says validating
> >> > identity. It seems there is supposed to be a certificate on the
> >> > client? If this is the case is that just issued through certificate
> >> > server or do I have to do some export import?
> >> >
> >>
> >> It depends on the authentication method that you deployed with your
> >> remote access policy in IAS. A lot of auth methods don't use certs.
> >> But if you deployed EAP-TLS, you need a server cert and a client
> >> computer cert. If you deployed PEAP-MS-CHAP v2, you need a server
> >> cert only, and users are authenticated with password-based
> >> credentials.
> >>
> >> In both cases, clients must trust the CA that issued the server cert,
> >> which means that the CA cert must be in the Trusted Root
> >> Certification Authorities certificate store on the client computer.
> >>
> >> Here is more info on PEAP:
> >>
> >> "Step-by-Step Guide for Secure Wireless Deployment for Small
> >> Office/Home Office or Small Organization Networks"
> >> http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en
> >>
> >> --
> >> James McIllece, Microsoft
> >>
> >> Please do not send email directly to this alias. This is my online
> >> account name for newsgroup participation only.
> >>
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
>
> You *don't* need the IAS server certificate on the client. What you need on
> the client is the CA certificate, in the Trusted Root Certification
> Authorities (TRCA) store. If the CA cert is not there, the client does not
> trust the CA that issued the IAS server certificate, so the IAS server's
> authentication attempt with the client fails.
>
> To get the CA cert into that store, the easiest method is to plug the
> wireless computer into the wire if it is a domain member -- then GP will
> update and the CA cert will be installed automatically. Otherwise you need
> to use the Certs console on a computer that does have your CA cert in the
> TRCA store -- export the cert, then transfer it to the client and import it
> into the TRCA store. Note that you *must* export and import rather than
> drag and drop the cert, or the process fails.
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
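
Added example, not part of the original posts and not Microsoft's code: a sketch of the check behind event 18, assuming the "signature attribute" in the event text is the RADIUS Message-Authenticator (attribute 80, HMAC-MD5 keyed with the shared secret, per RFC 2869). The secrets, user name and packet are constructed sample values; the example shows why a secret that differs only in case or a trailing space fails verification.

```python
import hashlib
import hmac
import struct

ATTR_MESSAGE_AUTHENTICATOR = 80  # assumed to be the event's "signature attribute"


def build_access_request(secret, identifier, user, request_auth):
    """Client (access point) side: build an Access-Request and sign it."""
    user_attr = struct.pack("!BB", 1, 2 + len(user)) + user  # User-Name (1)
    # The 16-octet value is all zeros while the HMAC-MD5 is computed.
    ma_attr = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    attrs = user_attr + ma_attr
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))  # code 1
    packet = header + request_auth + attrs
    digest = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + digest  # Message-Authenticator is the last attribute


def verify_message_authenticator(secret, packet):
    """Server side: recompute the HMAC with the locally configured secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False  # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += attr_len
    return False  # no Message-Authenticator present


# Constructed sample values; none of them come from the thread.
CLIENT_SECRET = b"Home-AP-Secret1"
REQUEST = build_access_request(CLIENT_SECRET, 7, b"ric", bytes(range(16)))

if __name__ == "__main__":
    for server_secret in (b"Home-AP-Secret1", b"home-ap-secret1", b"Home-AP-Secret1 "):
        ok = verify_message_authenticator(server_secret, REQUEST)
        print(repr(server_secret), "valid" if ok else "invalid signature")
```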