Re: SBS Wireless policy



Dave Nickason [SBS MVP] wrote:
You need to make changes in the ISA RPC settings to allow certificate
enrollment on the client PC (laptop). Also, auto-enrollment needs to happen
when the client PC is connected to the wired network. The laptop obviously
needs the correct certificate installed before it can connect successfully
over wireless, and your laptop appears not to have the cert. This alone
will prevent a successful connection. Auto-enrollment should log a success
shortly after you connect to the wired network and log in.

I'm not using ISA at all. That's optional, correct? I was getting
different problems, and when I thought to check the certificates on
both the laptop and server, I saw there was no computer certificate for
the laptop. I disabled the wireless, connected the wired and rebooted
again. After waiting a little, I did finally see the laptop's
certificate on the server's certificates. I also did check the RPC
settings on the laptop, and those are fine (they must be, since a
certificate was created, correct?)

Your EAP type should not be "undetermined," it should be "Smart Card or
other certificate." I'm not sure if this is because the connection is
failing, or if it's a configuration thing in your IAS Remote Access Policy.
Again, verify your settings against the document - this setting is in the
entry you created under "Remote Access Policy" in IAS.

Hmm... I wonder why EAP is undetermined. I'll look into that.

I'm not sure why you're getting an error referring to the user account
settings. With Owen's method, it's the client PC that is authenticating to
IAS - it'll actually connect even if you just start the computer without
ever attempting to log into a user account. Still, I'd go into AD Users and
Computers and check the remote (dial-in) settings for the laptop, the user
account, and the SBS. All should be set to "Control access through Remote
Access Policy."

Understood. I followed the document like a checklist, and still no joy.
Although I can't find any remote settings for the computer accounts
anywhere in AD Users and Computers... they just appear on Users.

I'm not sure you're going to be able to use WPA and AES. This would be a
question for Owen, but anyway it only works if WPA with AES is supported
throughout all your hardware and software. If all else fails, I would try
WPA and TKIP to see if that changes anything. You'll have to change this in
both the WAP and in the wireless GPO, plus possibly somewhere else I'm
forgetting. I tried to use WPA with AES and ran into failed connection
issues that I believe were caused by my WAP not supporting that exact
configuration (I believe the WPA standard technically calls for TKIP, and
that WPA2 is required for AES, but that some access points support it either
way. Mine apparently does not).

Well, both my WAP and wireless card support WPA and AES; the WAP is a
Dlink DI-634M, and the wireless card is a DWL-G650. Both have AES
listed as an encryption option, but I guess I'll give it a shot with
TKIP (or whatever that setting is).

If you get the certificate to enroll properly and still can't connect after
that and verifying the settings in AD, please go through the document
carefully and verify that all your settings match. Post back with anything
you have questions about.

I have. The only odd thing is that when selecting the server
certificate created in the document, it shows up twice on the server.
I've even compared the thumbprints, and they are identical.

Andy
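
The certificate checks discussed in this thread (whether the laptop holds a usable computer certificate, and where an identical thumbprint is listed more than once) can be scripted. This is an added example, not part of the original posts; it assumes a Windows machine with PowerShell 3.0 or later and an elevated prompt, and the function name `Test-MachineAuthCert` is hypothetical.

```powershell
# Added example: audit the local computer certificate store for a
# certificate that can serve as an EAP-TLS client credential.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-MachineAuthCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $now = Get-Date
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # A certificate without an EKU extension is not restricted to specific purposes.
    $clientAuth = if ($ekuExt) {
        @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid
    } else { $true }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        InValidity    = ($Cert.NotBefore -le $now -and $now -le $Cert.NotAfter)
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $clientAuth
    }
}

# 1. Every certificate in the computer's Personal store, with the three
#    properties a machine credential needs.
$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-MachineAuthCert $_ }
$results | Format-Table Subject, NotAfter, InValidity, HasPrivateKey, ClientAuthEku -AutoSize

$usable = @($results | Where-Object { $_.InValidity -and $_.HasPrivateKey -and $_.ClientAuthEku })
if ($usable.Count -eq 0) {
    Write-Warning 'No usable computer certificate found; auto-enrollment has not completed.'
}

# 2. Thumbprints that appear in more than one LocalMachine store, with the
#    store names, to see where an identical-looking entry is coming from.
Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Group-Object Thumbprint | Where-Object { $_.Count -gt 1 } |
    Select-Object Name, @{ n = 'Stores'; e = {
        ($_.Group | ForEach-Object { ($_.PSParentPath -split '\\')[-1] }) -join ', ' } }
```

Run the first part on the laptop after it has been on the wired network long enough for auto-enrollment, and the second part on whichever machine shows the repeated entry.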
