Re: EAP-TLS with windows CE



Thanks for the quick response. That second paragraph you wrote makes sense
with the little I had already known about TLS.
I'm still a little unclear about something, though. From my understanding,
the conversation starts with an EAP Request/Identity from the AP to the
client. Windows CE then prompts the wireless user for the
User Name/Domain Name. The client then responds with an EAP Response/Identity
to the AP which gets passed on to an authentication server (RADIUS or
otherwise). This response contains the username/domain name the wireless user
entered in the prompt.

My question is, what exactly is this identity response used for at the
authentication server? I thought the authentication was provided by the
certificate information, so why is a user or machine name used in the
Response/Identity packet? The problem I'm having is this prompt keeps
reappearing, suggesting that something in the Response/Identity is incorrect.
Unfortunately, I can't give you more information about the actual EAP message
exchange since I don't have access to the network where this is occurring.

Thanks again for your response,
Jon Hiley
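The Request/Identity and Response/Identity messages Jon describes, encoded and decoded in the RFC 3748 EAP packet layout (Code, Identifier, Length, Type, Type-Data), as an added example that is not from anyone in this thread; the user name, domain and packet identifiers are constructed, and the realm-splitting rule is an illustration of how a server uses the identity only to select a policy or realm before the TLS handshake.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13   # type numbers from RFC 3748 and RFC 5216
EAP_TLS_START = 0x20                      # "S" flag in the first EAP-TLS Request

def build_eap(code, identifier, eap_type, type_data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(pkt):
    """Decode an EAP packet into a dict; raise ValueError when the header is inconsistent."""
    if len(pkt) < 5:
        raise ValueError("EAP packet shorter than header plus Type byte")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"Length field {length} does not match {len(pkt)} received bytes")
    return {"code": code, "id": identifier, "type": pkt[4], "data": pkt[5:]}

def is_malformed(pkt):
    """True when parse_eap rejects the packet (a server should discard, not retry, these)."""
    try:
        parse_eap(pkt)
        return False
    except ValueError:
        return True

def identity_response(identifier, user, domain=None):
    """Build the Response/Identity the supplicant sends after the User Name/Domain prompt."""
    name = f"{domain}\\{user}" if domain else user
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, name.encode())

def split_identity(data):
    """Return (realm, user) from identity Type-Data: DOMAIN\\user or user@realm, else (None, user)."""
    text = data.decode("utf-8", errors="replace")
    if "\\" in text:
        domain, user = text.split("\\", 1)
        return domain, user
    if "@" in text:
        user, realm = text.rsplit("@", 1)
        return realm, user
    return None, text

def identity_exchange(user, domain):
    """AP sends Request/Identity, client answers with the same Identifier, server picks a realm,
    then the server opens the TLS handshake with an EAP-TLS Request carrying the Start flag."""
    req = build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)          # constructed Identifier 1
    resp = identity_response(parse_eap(req)["id"], user, domain)
    parsed = parse_eap(resp)
    realm, who = split_identity(parsed["data"])
    tls_start = build_eap(EAP_REQUEST, parsed["id"] + 1, EAP_TYPE_TLS, bytes([EAP_TLS_START]))
    return realm, who, tls_start
```

The identity only steers the request to a realm or policy; the certificate exchange that follows the Start packet is what actually authenticates the device.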

"Paul G. Tobey [eMVP]" wrote:

What you want is the user name and password that the authentication server
that your access point is directing the EAP packets to is expecting. It has
nothing to do with the contents of the certificate at all. That will be
used by the device to verify that the server is who it says that it is and
that it should be trusted, and to encrypt the data. The server that's doing
the verification decides what users and passwords are needed, though. If it
doesn't work, I'd suspect that the problem is there.

No, there's no description anywhere that I've ever seen of how EAP-TLS works
at all, let alone specifically on Windows CE. As I recall it, basically
what happens is that Windows CE calls up the access point. The AP looks at
how it's configured and sees that EAP-TLS is set, so it creates a virtual
connection to the server with which it's supposed to communicate, commonly a
RADIUS server, for the Windows CE device. The AP is configured with
suitable authentication information so that it can connect to the server in
this way. The server sees that someone is trying to connect and requests
credentials, giving a list of ways that they can be provided, and some
certificate identification information. The Windows CE device looks at the
server information and verifies that the server's certificate was issued by
a trusted authority (this is why you might need to install a certificate on
the Windows CE device, to trust an authority other than those standard
authorities). Via some back and forth, a secure connection is established.
Once that's taken care of, Windows CE either asks you who you are or looks
up the default credentials in the registry and sends them to the server via
the negotiated protocol. If the server agrees that you are authenticated,
it assigns you an IP address and tells the access point to allow you access
to the entire network.

Paul T.

"hileyj" <hileyj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D16B6792-29C7-400D-8E49-58913988C1A2@xxxxxxxxxxxxxxxx
Hi,

I was wondering how EAP-TLS authentication is performed with Windows CE 5.0.
I have loaded the necessary private key and certificates (they work with
other devices such as laptops) onto my device and they appear to be going to
the correct stores. When I go to connect to an EAP-TLS enabled network, I
get a prompt for a User Name and Domain Name. What exactly is it looking for
here? The Active Directory user name that the certificate was issued to? Or
the subject name as on the certificate?
After entering the user name and the domain, the username dialog goes away
but then authentication fails and it reappears. What are possible causes of
this authentication failure?

Also, is there a good description somewhere out there about how EAP-TLS
works with Windows CE 5.0? I'd really like to be able to troubleshoot these
types of problems...

Thanks,
Jon
