Re: SBS Wireless policy
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 8 Dec 2006 14:58:59 -0500
You don't need ISA, and as far as I know, ISA 2004 settings would be the
only thing that would block certificate enrollment.
That EAP thing could be a problem, although I'm not 100% clear on what's
generating that info. I'd just make sure that the setting is correct in IAS
(Smart card or other certificate). Hopefully if it is, having the cert on
the laptop will make it show correctly.
If just having the cert installed and verifying that setting in IAS don't do
the trick, I'd try changing the encryption to TKIP just to see if it works.
After that comes Plan B, which is to try to scare up Owen, but he has some
other commitments right now and he's not around as far as I know. Oh, and
lastly, you could check for other IAS events in the logs. In the IAS
console, open the properties of the top item (Internet Auth Service) and
make sure the boxes are checked to log successful and failed logon attempts.
"Andy" <ajj3085@xxxxxxxxxxxx> wrote in message
news:1165578820.155676.32070@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dave Nickason [SBS MVP] wrote:
You need to make changes in the ISA RPC settings to allow certificate
enrollment on the client PC (laptop). Also, auto-enrollment needs to happen
when the client PC is connected to the wired network. The laptop obviously
needs the correct certificate installed before it can connect successfully
over wireless, and your laptop appears not to have the cert. This alone
will prevent a successful connection. Auto-enrollment should log a success
shortly after you connect to the wired network and log in.
I'm not using ISA at all. That's optional, correct? I was getting
different problems, and when I thought to check the certificates on
both the laptop and server, I saw there was no computer certificate for
the laptop. I disabled the wireless, connected the wired and rebooted
again. After waiting a little, I did finally see the laptop's
certificate on the server's certificates. I also did check the RPC
settings on the laptop, and those are fine (they must be, since a
certificate was created, correct?)
Your EAP type should not be "undetermined," it should be "Smart Card or
other certificate." I'm not sure if this is because the connection is
failing, or if it's a configuration thing in your IAS Remote Access Policy.
Again, verify your settings against the document - this setting is in the
entry you created under "Remote Access Policy" in IAS.
Hmm... I wonder why EAP is undetermined. I'll look into that.
I'm not sure why you're getting an error referring to the user account
settings. With Owen's method, it's the client PC that is authenticating to
IAS - it'll actually connect even if you just start the computer without
ever attempting to log into a user account. Still, I'd go into AD Users and
Computers and check the remote (dial-in) settings for the laptop, the user
account, and the SBS. All should be set to "Control access through Remote
Access Policy."
Understood. I followed the document like a checklist, and still no joy.
Although I can't find any remote settings for the computer accounts
anywhere in AD Users and computers.. they just appear on Users.
I'm not sure you're going to be able to use WPA and AES. This would be a
question for Owen, but anyway it only works if WPA with AES is supported
throughout all your hardware and software. If all else fails, I would try
WPA and TKIP to see if that changes anything. You'll have to change this in
both the WAP and in the wireless GPO, plus possibly somewhere else I'm
forgetting. I tried to use WPA with AES and ran into failed connection
issues that I believe were caused by my WAP not supporting that exact
configuration (I believe the WPA standard technically calls for TKIP, and
that WPA2 is required for AES, but that some access points support it either
way. Mine apparently does not).
Well, both my WAP and wireless card support WPA and AES; the WAP is a
Dlink DI-634M, and the wireless card is a DWL-G650. Both have AES
listed as an encryption option, but I guess I'll give it a shot with
TKIP (or whatever that setting is).
If you get the certificate to enroll properly and still can't connect after
that and verifying the settings in AD, please go through the document
carefully and verify that all your settings match. Post back with anything
you have questions about.
I have. The only odd thing is that when selecting the server
certificate created in the document, it shows up twice on the server.
I've even compared the thumbprints, and they are identical.
Andy