EAP-TLS & Windows XP SP2 ?

I am setting up EAP-TLS authentication, using certificates automatically
issued by our CA. The WXPSP2 machine is authenticating just fine....but when
I come to authenticate the user I get strange results.

CA is a Windows 2003 Enterprise Server and issues PKI certificates to users
and machines as required.
AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
(radius) server.

Radius is working fine, however when I log into the XPSP2 computer as
*usera* after the box has tried to authenticate for a while I get a message
'Windows was unable to find a certificate to log you on to the network XYZ'.
*but*
if I look in the certificate mmc there *IS* a certificate for this user
installed (it was created by auto-enroll), it's valid and is for Client
authentification,EFS and email.
So why cant WXP see the certificate and use it?

If I log on as *userb* who also has a certificate in their store...it all
wokrs fine!
Needless to say both users are in the same OU in AD and in the same user
groups to ensure they get the same GPOs applied.

Any ideas?
Al Blake, Canberra, Australia

Al Blake

In your remote access policy, are both users part of the permitted group?
Also, for both users, do you have the remote access determined by policy
rather than just enabled or disabled? I am not at my server right now so I
do not remember the exact name of that string. Also, did the certificate
for usera get created and installed the same way as for userb? I have a
similar setup except that I am not using auto-enrollment for anything but
computer certificates. Lastly, is the machine part included into the group
for the remote access policy?

Jeff


"Al Blake" <> wrote in message
news:%...
>I am setting up EAP-TLS authentication, using certificates automatically
>issued by our CA. The WXPSP2 machine is authenticating just fine....but
>when I come to authenticate the user I get strange results.
>
> CA is a Windows 2003 Enterprise Server and issues PKI certificates to
> users and machines as required.
> AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
> (radius) server.
>
> Radius is working fine, however when I log into the XPSP2 computer as
> *usera* after the box has tried to authenticate for a while I get a
> message 'Windows was unable to find a certificate to log you on to the
> network XYZ'.
> *but*
> if I look in the certificate mmc there *IS* a certificate for this user
> installed (it was created by auto-enroll), it's valid and is for Client
> authentification,EFS and email.
> So why cant WXP see the certificate and use it?
>
> If I log on as *userb* who also has a certificate in their store...it all
> wokrs fine!
> Needless to say both users are in the same OU in AD and in the same user
> groups to ensure they get the same GPOs applied.
>
> Any ideas?
> Al Blake, Canberra, Australia
>

Jeff Durham

"Al Blake" <> wrote in
news:#:

> I am setting up EAP-TLS authentication, using certificates
> automatically issued by our CA. The WXPSP2 machine is authenticating
> just fine....but when I come to authenticate the user I get strange
> results.
>
> CA is a Windows 2003 Enterprise Server and issues PKI certificates to
> users and machines as required.
> AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
> (radius) server.
>
> Radius is working fine, however when I log into the XPSP2 computer as
> *usera* after the box has tried to authenticate for a while I get a
> message 'Windows was unable to find a certificate to log you on to the
> network XYZ'. *but*
> if I look in the certificate mmc there *IS* a certificate for this
> user installed (it was created by auto-enroll), it's valid and is for
> Client authentification,EFS and email.
> So why cant WXP see the certificate and use it?
>
> If I log on as *userb* who also has a certificate in their store...it
> all wokrs fine!
> Needless to say both users are in the same OU in AD and in the same
> user groups to ensure they get the same GPOs applied.
>
> Any ideas?
> Al Blake, Canberra, Australia
>
>

Al,

Does the client certificate contain the users userPrincipalName in the
SubjectAlternateName? That is a requirement for EAP-TLS. Also, does the
CA's cert exist in the Trusted Root Authority list? Either of those will
generate the error you're seeing.

Hope that helps,

Wayne

--
Standard Disclaimer: I said it, they didn't, so blame me, not them!
Spam Avoidance: My reply address is invalid to confuse the spambots.
You can reach me at 'Wayne_Tilton at yahoo dot com'

Wayne Tilton

Thanks for the replies guys. I'll check those things (again) although I
think they're ok.
One question Jeff:

Why are you only using certificates for machine accounts and not for users?
I'd like to know the philosophy for this as we are just about to roll out a
'real' wireless LAN with 400+ machines (as opposed to a few machines using
WEP )
As this will be a campus wide WLAN with 60+ APs we have to ensure we are
ensure we are securing it as best we can whilst keeping the maintenance
overhead down (adding WEP or WPA keys to every machine is not on).

So we decided on EAP-TLS.......but I thought we had to authenticate both the
computer *AND* the user to do this. Are you saying we dont? Cos if we dont
this would make things a *lot* easier. Can you explain your approach?

Regards Al.



"Jeff Durham" <> wrote in message
news:%...
> In your remote access policy, are both users part of the permitted group?
> Also, for both users, do you have the remote access determined by policy
> rather than just enabled or disabled? I am not at my server right now so
> I do not remember the exact name of that string. Also, did the
> certificate for usera get created and installed the same way as for userb?
> I have a similar setup except that I am not using auto-enrollment for
> anything but computer certificates. Lastly, is the machine part included
> into the group for the remote access policy?
>
> Jeff
>
>
> "Al Blake" <> wrote in message
> news:%...
>>I am setting up EAP-TLS authentication, using certificates automatically
>>issued by our CA. The WXPSP2 machine is authenticating just fine....but
>>when I come to authenticate the user I get strange results.
>>
>> CA is a Windows 2003 Enterprise Server and issues PKI certificates to
>> users and machines as required.
>> AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
>> (radius) server.
>>
>> Radius is working fine, however when I log into the XPSP2 computer as
>> *usera* after the box has tried to authenticate for a while I get a
>> message 'Windows was unable to find a certificate to log you on to the
>> network XYZ'.
>> *but*
>> if I look in the certificate mmc there *IS* a certificate for this user
>> installed (it was created by auto-enroll), it's valid and is for Client
>> authentification,EFS and email.
>> So why cant WXP see the certificate and use it?
>>
>> If I log on as *userb* who also has a certificate in their store...it all
>> wokrs fine!
>> Needless to say both users are in the same OU in AD and in the same user
>> groups to ensure they get the same GPOs applied.
>>
>> Any ideas?
>> Al Blake, Canberra, Australia
>>
>
>

Al Blake