Velocity Reviews - Computer Hardware Reviews
EAP-TLS & Windows XP SP2 ?

Al Blake
      09-30-2004
I am setting up EAP-TLS authentication, using certificates automatically
issued by our CA. The WXPSP2 machine is authenticating just fine....but when
I come to authenticate the user I get strange results.

CA is a Windows 2003 Enterprise Server and issues PKI certificates to users
and machines as required.
AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
(radius) server.

Radius is working fine, however when I log into the XPSP2 computer as
*usera* after the box has tried to authenticate for a while I get a message
'Windows was unable to find a certificate to log you on to the network XYZ'.
*but*
if I look in the certificate mmc there *IS* a certificate for this user
installed (it was created by auto-enroll), it's valid and is for Client
authentication, EFS and email.
So why can't WXP see the certificate and use it?

If I log on as *userb* who also has a certificate in their store...it all
works fine!
Needless to say both users are in the same OU in AD and in the same user
groups to ensure they get the same GPOs applied.

Any ideas?
Al Blake, Canberra, Australia


Jeff Durham
      09-30-2004
In your remote access policy, are both users part of the permitted group?
Also, for both users, do you have the remote access determined by policy
rather than just enabled or disabled? I am not at my server right now so I
do not remember the exact name of that string. Also, did the certificate
for usera get created and installed the same way as for userb? I have a
similar setup except that I am not using auto-enrollment for anything but
computer certificates. Lastly, is the machine part included in the group
for the remote access policy?

Jeff


"Al Blake" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
>I am setting up EAP-TLS authentication, using certificates automatically
>issued by our CA. The WXPSP2 machine is authenticating just fine....but
>when I come to authenticate the user I get strange results.
>
> CA is a Windows 2003 Enterprise Server and issues PKI certificates to
> users and machines as required.
> AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
> (radius) server.
>
> Radius is working fine, however when I log into the XPSP2 computer as
> *usera* after the box has tried to authenticate for a while I get a
> message 'Windows was unable to find a certificate to log you on to the
> network XYZ'.
> *but*
> if I look in the certificate mmc there *IS* a certificate for this user
> installed (it was created by auto-enroll), it's valid and is for Client
> authentication, EFS and email.
> So why can't WXP see the certificate and use it?
>
> If I log on as *userb* who also has a certificate in their store...it all
> works fine!
> Needless to say both users are in the same OU in AD and in the same user
> groups to ensure they get the same GPOs applied.
>
> Any ideas?
> Al Blake, Canberra, Australia
>

Wayne Tilton
      09-30-2004
"Al Blake" <(E-Mail Removed)> wrote in
news:#(E-Mail Removed):

> I am setting up EAP-TLS authentication, using certificates
> automatically issued by our CA. The WXPSP2 machine is authenticating
> just fine....but when I come to authenticate the user I get strange
> results.
>
> CA is a Windows 2003 Enterprise Server and issues PKI certificates to
> users and machines as required.
> AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
> (radius) server.
>
> Radius is working fine, however when I log into the XPSP2 computer as
> *usera* after the box has tried to authenticate for a while I get a
> message 'Windows was unable to find a certificate to log you on to the
> network XYZ'. *but*
> if I look in the certificate mmc there *IS* a certificate for this
> user installed (it was created by auto-enroll), it's valid and is for
> Client authentication, EFS and email.
> So why can't WXP see the certificate and use it?
>
> If I log on as *userb* who also has a certificate in their store...it
> all works fine!
> Needless to say both users are in the same OU in AD and in the same
> user groups to ensure they get the same GPOs applied.
>
> Any ideas?
> Al Blake, Canberra, Australia
>
>


Al,

Does the client certificate contain the user's userPrincipalName in the
SubjectAlternateName? That is a requirement for EAP-TLS. Also, does the
CA's cert exist in the Trusted Root Authority list? Either of those will
generate the error you're seeing.

Hope that helps,

Wayne

--
Standard Disclaimer: I said it, they didn't, so blame me, not them!
Spam Avoidance: My reply address is invalid to confuse the spambots.
You can reach me at 'Wayne_Tilton at yahoo dot com'
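The two conditions Wayne names (a UPN in the Subject Alternative Name, and the issuing CA present in the Trusted Root store) are the usual reasons the XP supplicant reports "unable to find a certificate" even though a certificate is visibly in the user's store. The script below is an added example, not code from the thread or from Microsoft; it audits the current user's personal store for a certificate that the Windows EAP-TLS client would accept, reporting per certificate which prerequisite is missing. It assumes a later Windows client with PowerShell and the Cert: drive (the XP SP2 machine in the thread predates that), and it is run as the affected user (usera in the thread), since the user's own store is what the supplicant searches after logon.

```powershell
# Added example (not from the thread): audit the current user's personal
# certificate store for a certificate usable by the Windows EAP-TLS client.
# Checks: Client Authentication EKU, UPN present in the SAN, private key,
# validity period, and a chain that builds to a trusted root.
# Assumption: run as the affected user on a PowerShell-capable Windows client.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$EkuOid        = '2.5.29.37'           # Enhanced Key Usage extension
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-EapTlsUserCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $issues = @()

    # 1. The supplicant needs the private key, not just the public certificate.
    if (-not $Cert.HasPrivateKey) { $issues += 'no private key' }

    # 2. Validity period.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $issues += 'outside validity period'
    }

    # 3. EKU must include Client Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $ClientAuthOid) { $issues += 'no Client Authentication EKU' }

    # 4. SAN must carry the user's UPN. Windows' formatter prints the
    #    Microsoft UPN OtherName as "Principal Name=user@domain".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $san -or ($san.Format($true) -notmatch 'Principal Name=')) {
        $issues += 'no UPN in Subject Alternative Name'
    }

    # 5. The chain must build to a root the client trusts. Revocation is
    #    not checked here so the audit works offline; IAS/NPS checks it
    #    during the real EAP-TLS exchange.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $issues += "chain does not build ($status)"   # UntrustedRoot => CA cert missing from Trusted Root
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Usable     = ($issues.Count -eq 0)
        Issues     = ($issues -join '; ')
    }
}

# Run over every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsUserCert -Cert $_ } |
    Format-Table -AutoSize
```

When the only row with Client Authentication shows "no UPN in Subject Alternative Name", the fix is on the CA side (the certificate template must build the subject name from Active Directory and include the UPN), after which the user re-enrolls; "chain does not build (UntrustedRoot)" means the CA certificate has to be distributed to the client's Trusted Root store, typically by Group Policy. Comparing usera's row against userb's on the same machine is the quickest way to see which of the two conditions differs between the working and the failing account.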

Al Blake
      10-03-2004
Thanks for the replies guys. I'll check those things (again) although I
think they're ok.
One question Jeff:

Why are you only using certificates for machine accounts and not for users?
I'd like to know the philosophy for this as we are just about to roll out a
'real' wireless LAN with 400+ machines (as opposed to a few machines using
WEP).
As this will be a campus wide WLAN with 60+ APs we have to ensure we are
securing it as best we can whilst keeping the maintenance overhead down
(adding WEP or WPA keys to every machine is not on).

So we decided on EAP-TLS.......but I thought we had to authenticate both the
computer *AND* the user to do this. Are you saying we don't? Cos if we don't
this would make things a *lot* easier. Can you explain your approach?

Regards Al.



"Jeff Durham" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> In your remote access policy, are both users part of the permitted group?
> Also, for both users, do you have the remote access determined by policy
> rather than just enabled or disabled? I am not at my server right now so
> I do not remember the exact name of that string. Also, did the
> certificate for usera get created and installed the same way as for userb?
> I have a similar setup except that I am not using auto-enrollment for
> anything but computer certificates. Lastly, is the machine part included
> in the group for the remote access policy?
>
> Jeff
>
>
> "Al Blake" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>>I am setting up EAP-TLS authentication, using certificates automatically
>>issued by our CA. The WXPSP2 machine is authenticating just fine....but
>>when I come to authenticate the user I get strange results.
>>
>> CA is a Windows 2003 Enterprise Server and issues PKI certificates to
>> users and machines as required.
>> AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
>> (radius) server.
>>
>> Radius is working fine, however when I log into the XPSP2 computer as
>> *usera* after the box has tried to authenticate for a while I get a
>> message 'Windows was unable to find a certificate to log you on to the
>> network XYZ'.
>> *but*
>> if I look in the certificate mmc there *IS* a certificate for this user
>> installed (it was created by auto-enroll), it's valid and is for Client
>> authentication, EFS and email.
>> So why can't WXP see the certificate and use it?
>>
>> If I log on as *userb* who also has a certificate in their store...it all
>> works fine!
>> Needless to say both users are in the same OU in AD and in the same user
>> groups to ensure they get the same GPOs applied.
>>
>> Any ideas?
>> Al Blake, Canberra, Australia
>>

>
>
