IAS PEAP Wireless - Stand Alone CA

Discussion in 'Wireless Networking' started by tweaked540@gmail.com, Feb 16, 2007.

  1. Guest

    Is it possible to have a stand alone win2k3 CA produce certificates
    for the IAS server to use for PEAP? When we try to authenticate to
    the WAP, we get these errors on our IAS box: (It looks as if the
    certificates are no good)

    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 20168
    Date: 2/15/2007
    Time: 10:08:45 AM
    User: N/A
    Computer: Computer
    Description:
    Could not retrieve the Remote Access Server's certificate due to the
    following error: No credentials are available in the security package

    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 3
    Date: 2/15/2007
    Time: 10:08:43 AM
    User: N/A
    Computer: Computer
    Description:
    Access request for user was discarded.
    Fully-Qualified-User-Name = test
    NAS-IP-Address = 192.168.21.9
    NAS-Identifier = WAP
    Called-Station-Identifier = 0003.45f7.3210
    Calling-Station-Identifier = 0555.5056.55b5
    Client-Friendly-Name = WAP
    Client-IP-Address = 192.168.21.9
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 267
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Reason-Code = 300
    Reason = No credentials are available in the security package
     
    , Feb 16, 2007
    #1

  2. Hi,

    It looks like there is a problem with your certificate.

    Make sure all the following are true:

    For the computer certificates installed on the IAS servers, the following
    must be true:

    - They must be installed in the Local Computer certificate store.

    - They must have a corresponding private key. When you view the
      properties of the certificate with the Certificate snap-in, you should see
      the text "You have a private key that corresponds to this certificate" on
      the General tab.

    - The cryptographic service provider for the certificates supports
      SChannel. If not, the IAS server cannot use the certificate and it is not
      selectable from the properties of the Smart Card or Other Certificate EAP
      type from the Authentication tab on the properties of a profile for a
      remote access policy.

    - They must contain the Server Authentication certificate purpose
      (also known as an Enhanced Key Usage [EKU]). An EKU is identified using an
      object identifier (OID). The OID for Server Authentication is
      "1.3.6.1.5.5.7.3.1".

    - They must contain the fully qualified domain name (FQDN) of the
      computer account of the IAS server computer in the Subject Alternative
      Name property.


    Additionally, the root CA certificates of the CAs that issued the wireless
    client computer and user certificates must be installed in the Certificates
    (Local Computer)\Trusted Root Certification Authorities\Certificates folder.

    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

    I hope this helps.

    --
    Greg Lindsay [MSFT]

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.

    <> wrote in message
    news:...
    > Is it possible to have a stand alone win2k3 CA produce certificates
    > for the IAS server to use for PEAP? When we try to authenticate to
    > the WAP, we get these errors on our IAS box: (It looks as if the
    > certificates are no good)
    >
    > Event Type: Error
    > Event Source: IAS
    > Event Category: None
    > Event ID: 20168
    > Date: 2/15/2007
    > Time: 10:08:45 AM
    > User: N/A
    > Computer: Computer
    > Description:
    > Could not retrieve the Remote Access Server's certificate due to the
    > following error: No credentials are available in the security package
    >
    > Event Type: Error
    > Event Source: IAS
    > Event Category: None
    > Event ID: 3
    > Date: 2/15/2007
    > Time: 10:08:43 AM
    > User: N/A
    > Computer: Computer
    > Description:
    > Access request for user was discarded.
    > Fully-Qualified-User-Name = test
    > NAS-IP-Address = 192.168.21.9
    > NAS-Identifier = WAP
    > Called-Station-Identifier = 0003.45f7.3210
    > Calling-Station-Identifier = 0555.5056.55b5
    > Client-Friendly-Name = WAP
    > Client-IP-Address = 192.168.21.9
    > NAS-Port-Type = Wireless - IEEE 802.11
    > NAS-Port = 267
    > Proxy-Policy-Name = Use Windows authentication for all users
    > Authentication-Provider = Windows
    > Authentication-Server = <undetermined>
    > Reason-Code = 300
    > Reason = No credentials are available in the security package
    >
     
    Greg Lindsay [MSFT], Feb 16, 2007
    #2
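
The server-side certificate requirements listed in the reply above can be checked with a script. The following PowerShell is an added example, not part of the original thread and not Microsoft's own tooling; it assumes it is run elevated in Windows PowerShell on the IAS server, and that the DNS host name resolved for the machine is the FQDN of its computer account.

```powershell
# Added example: audit the Local Computer "Personal" store for certificates
# that meet the requirements listed in the reply (private key, Server
# Authentication EKU, FQDN in Subject Alternative Name).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (from the post)
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
# Assumption: DNS returns the FQDN of this server's computer account.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    foreach ($cert in $store.Certificates) {
        # Requirement: EKU contains Server Authentication.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasServerAuth = $false
        if ($eku) {
            $hasServerAuth = @($eku.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
        }

        # Requirement: SAN contains the server's FQDN.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $sanHasFqdn = $sanText -match [regex]::Escape($fqdn)

        # Requirement: CSP supports SChannel. Only the provider name is
        # reported here; whether it supports SChannel is left to the reader.
        $provider = $null
        try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }
        if (-not $provider) { $provider = '(CNG key or not readable)' }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEKU = $hasServerAuth
            SanHasFqdn    = $sanHasFqdn
            Provider      = $provider
            MeetsListed   = $cert.HasPrivateKey -and $hasServerAuth -and $sanHasFqdn
        }
    }
}
finally {
    $store.Close()
}
```

An empty result, or every row showing `MeetsListed = False`, is consistent with the "No credentials are available in the security package" error in the question: IAS has no certificate in the Local Computer store that it can present for PEAP.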