EAP-TLS & Windows XP SP2 ?

Discussion in 'Wireless Networking' started by Al Blake, Sep 30, 2004.

  1. Al Blake

    Al Blake Guest

    I am setting up EAP-TLS authentication, using certificates automatically
    issued by our CA. The WXPSP2 machine is authenticating just fine....but when
    I come to authenticate the user I get strange results.

    CA is a Windows 2003 Enterprise Server and issues PKI certificates to users
    and machines as required.
    AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
    (radius) server.

    Radius is working fine, however when I log into the XPSP2 computer as
    *usera* after the box has tried to authenticate for a while I get a message
    'Windows was unable to find a certificate to log you on to the network XYZ'.
    *but*
    if I look in the certificate mmc there *IS* a certificate for this user
    installed (it was created by auto-enroll), it's valid and is for Client
    authentication, EFS and email.
    So why can't WXP see the certificate and use it?

    If I log on as *userb* who also has a certificate in their store... it all
    works fine!
    Needless to say both users are in the same OU in AD and in the same user
    groups to ensure they get the same GPOs applied.

    Any ideas?
    Al Blake, Canberra, Australia
     
    Al Blake, Sep 30, 2004
    #1

  2. Al Blake

    Jeff Durham Guest

    In your remote access policy, are both users part of the permitted group?
    Also, for both users, do you have the remote access determined by policy
    rather than just enabled or disabled? I am not at my server right now so I
    do not remember the exact name of that string. Also, did the certificate
    for usera get created and installed the same way as for userb? I have a
    similar setup except that I am not using auto-enrollment for anything but
    computer certificates. Lastly, is the machine part included into the group
    for the remote access policy?

    Jeff


    "Al Blake" <> wrote in message
    news:%...
    >I am setting up EAP-TLS authentication, using certificates automatically
    >issued by our CA. The WXPSP2 machine is authenticating just fine....but
    >when I come to authenticate the user I get strange results.
    >
    > CA is a Windows 2003 Enterprise Server and issues PKI certificates to
    > users and machines as required.
    > AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
    > (radius) server.
    >
    > Radius is working fine, however when I log into the XPSP2 computer as
    > *usera* after the box has tried to authenticate for a while I get a
    > message 'Windows was unable to find a certificate to log you on to the
    > network XYZ'.
    > *but*
    > if I look in the certificate mmc there *IS* a certificate for this user
    > installed (it was created by auto-enroll), it's valid and is for Client
    > authentication, EFS and email.
    > So why can't WXP see the certificate and use it?
    >
    > If I log on as *userb* who also has a certificate in their store...it all
    > works fine!
    > Needless to say both users are in the same OU in AD and in the same user
    > groups to ensure they get the same GPOs applied.
    >
    > Any ideas?
    > Al Blake, Canberra, Australia
    >
     
    Jeff Durham, Sep 30, 2004
    #2

  3. Al Blake

    Wayne Tilton Guest

    "Al Blake" <> wrote in
    news:#:

    > I am setting up EAP-TLS authentication, using certificates
    > automatically issued by our CA. The WXPSP2 machine is authenticating
    > just fine....but when I come to authenticate the user I get strange
    > results.
    >
    > CA is a Windows 2003 Enterprise Server and issues PKI certificates to
    > users and machines as required.
    > AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
    > (radius) server.
    >
    > Radius is working fine, however when I log into the XPSP2 computer as
    > *usera* after the box has tried to authenticate for a while I get a
    > message 'Windows was unable to find a certificate to log you on to the
    > network XYZ'. *but*
    > if I look in the certificate mmc there *IS* a certificate for this
    > user installed (it was created by auto-enroll), it's valid and is for
    > Client authentication, EFS and email.
    > So why can't WXP see the certificate and use it?
    >
    > If I log on as *userb* who also has a certificate in their store...it
    > all works fine!
    > Needless to say both users are in the same OU in AD and in the same
    > user groups to ensure they get the same GPOs applied.
    >
    > Any ideas?
    > Al Blake, Canberra, Australia
    >
    >


    Al,

    Does the client certificate contain the users userPrincipalName in the
    SubjectAlternateName? That is a requirement for EAP-TLS. Also, does the
    CA's cert exist in the Trusted Root Authority list? Either of those will
    generate the error you're seeing.

    Hope that helps,

    Wayne

    --
    Standard Disclaimer: I said it, they didn't, so blame me, not them!
    Spam Avoidance: My reply address is invalid to confuse the spambots.
    You can reach me at 'Wayne_Tilton at yahoo dot com'
     
    Wayne Tilton, Sep 30, 2004
    #3
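    The two conditions Wayne lists (a UPN in the Subject Alternative Name, and a chain that ends in a root the client trusts) plus the Client Authentication EKU are what the Windows supplicant looks for when it picks a user certificate. The script below is an added example, not code from the thread or from Microsoft; it walks the current user's personal store and reports those properties for each certificate, so "usera" and "userb" can be compared side by side. It assumes a Windows host with PowerShell and the standard store paths; the OIDs are the standard ones, and revocation checking is switched off so an unreachable CRL does not mask a trust problem (the supplicant and IAS may still check it).

```powershell
# Added example (not from the thread): report the properties EAP-TLS needs
# for every certificate in the current user's personal store.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-EapTlsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = [ordered]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey   # no private key, no TLS client auth
        ClientAuthEku = $false
        UpnInSan      = $null
        ChainValid    = $false
        ChainStatus   = @()
    }

    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) {
                if ($eku.Value -eq $ClientAuthOid) { $result.ClientAuthEku = $true }
            }
        }
        elseif ($ext.Oid.Value -eq $SanOid) {
            # Format($true) lists each SAN entry on its own line, e.g.
            #   Other Name:
            #        Principal Name=usera@example.local   (constructed sample value)
            $text = $ext.Format($true)
            if ($text -match 'Principal Name=(\S+)') { $result.UpnInSan = $Matches[1] }
        }
    }

    # Build the chain the way the supplicant will: it must end in a root that
    # is present in the Trusted Root Certification Authorities store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainValid  = $chain.Build($Cert)
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]$result
}

# Run it for the logged-on user; a usable EAP-TLS certificate shows
# HasPrivateKey, ClientAuthEku and ChainValid all True and a non-empty UpnInSan.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsCertificate -Cert $_ } |
    Format-List
```

    Run it while logged on as each user in turn. A certificate that shows a UPN, the Client Authentication EKU and a private key but `ChainValid = False` points at the CA's root (or an intermediate) missing from the user's trusted stores; a certificate with `UpnInSan` empty points at the template, which must put the UPN in the Subject Alternative Name before the supplicant will offer it.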
  4. Al Blake

    Al Blake Guest

    Thanks for the replies guys. I'll check those things (again) although I
    think they're ok.
    One question Jeff:

    Why are you only using certificates for machine accounts and not for users?
    I'd like to know the philosophy for this as we are just about to roll out a
    'real' wireless LAN with 400+ machines (as opposed to a few machines using
    WEP :( )
    As this will be a campus wide WLAN with 60+ APs we have to ensure we are
    securing it as best we can whilst keeping the maintenance
    overhead down (adding WEP or WPA keys to every machine is not on).

    So we decided on EAP-TLS... but I thought we had to authenticate both the
    computer *AND* the user to do this. Are you saying we don't? Cos if we don't
    this would make things a *lot* easier. Can you explain your approach?

    Regards Al.



    "Jeff Durham" <> wrote in message
    news:%...
    > In your remote access policy, are both users part of the permitted group?
    > Also, for both users, do you have the remote access determined by policy
    > rather than just enabled or disabled? I am not at my server right now so
    > I do not remember the exact name of that string. Also, did the
    > certificate for usera get created and installed the same way as for userb?
    > I have a similar setup except that I am not using auto-enrollment for
    > anything but computer certificates. Lastly, is the machine part included
    > into the group for the remote access policy?
    >
    > Jeff
    >
    >
    > "Al Blake" <> wrote in message
    > news:%...
    >>I am setting up EAP-TLS authentication, using certificates automatically
    >>issued by our CA. The WXPSP2 machine is authenticating just fine....but
    >>when I come to authenticate the user I get strange results.
    >>
    >> CA is a Windows 2003 Enterprise Server and issues PKI certificates to
    >> users and machines as required.
    >> AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2ks IAS
    >> (radius) server.
    >>
    >> Radius is working fine, however when I log into the XPSP2 computer as
    >> *usera* after the box has tried to authenticate for a while I get a
    >> message 'Windows was unable to find a certificate to log you on to the
    >> network XYZ'.
    >> *but*
    >> if I look in the certificate mmc there *IS* a certificate for this user
    >> installed (it was created by auto-enroll), it's valid and is for Client
    >> authentication, EFS and email.
    >> So why can't WXP see the certificate and use it?
    >>
    >> If I log on as *userb* who also has a certificate in their store...it all
    >> works fine!
    >> Needless to say both users are in the same OU in AD and in the same user
    >> groups to ensure they get the same GPOs applied.
    >>
    >> Any ideas?
    >> Al Blake, Canberra, Australia
    >>

    >
    >
     
    Al Blake, Oct 4, 2004
    #4
