EAP-TLS & Windows XP SP2?

Discussion started by Al Blake, Sep 30, 2004.

  1. Al Blake

    Al Blake Guest

    I am setting up EAP-TLS authentication, using certificates automatically
    issued by our CA. The WXPSP2 machine is authenticating just fine....but when
    I come to authenticate the user I get strange results.

    CA is a Windows 2003 Enterprise Server and issues PKI certificates to users
    and machines as required.
    AP is Cisco 1200 configured for EAP-TLS and pointing to the Win2K IAS
    (RADIUS) server.

    Radius is working fine, however when I log into the XPSP2 computer as
    *usera* after the box has tried to authenticate for a while I get a message
    'Windows was unable to find a certificate to log you on to the network XYZ'.
    If I look in the certificate MMC there *IS* a certificate for this user
    installed (it was created by auto-enroll); it's valid and is for Client
    Authentication, EFS and email.
    So why can't WXP see the certificate and use it?

    If I log on as *userb* who also has a certificate in their store...it all
    works fine!
    Needless to say both users are in the same OU in AD and in the same user
    groups to ensure they get the same GPOs applied.

    Any ideas?
    Al Blake, Canberra, Australia
    Al Blake, Sep 30, 2004
  2. Jeff Durham

    Jeff Durham Guest

    In your remote access policy, are both users part of the permitted group?
    Also, for both users, do you have the remote access determined by policy
    rather than just enabled or disabled? I am not at my server right now so I
    do not remember the exact name of that string. Also, did the certificate
    for usera get created and installed the same way as for userb? I have a
    similar setup except that I am not using auto-enrollment for anything but
    computer certificates. Lastly, is the machine part included into the group
    for the remote access policy?

    Jeff Durham, Sep 30, 2004
  3. Wayne Tilton

    Wayne Tilton Guest

    Does the client certificate contain the user's userPrincipalName in the
    SubjectAlternativeName? That is a requirement for EAP-TLS. Also, does the
    CA's cert exist in the Trusted Root Authority list? Either of those will
    generate the error you're seeing.

    Hope that helps,

    Wayne Tilton, Sep 30, 2004
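The two conditions Wayne names (a UPN carried as an otherName in the SubjectAlternativeName, and an issuer present in the trusted root list) can be checked programmatically. The script below is an added example, not code from the thread or from any Microsoft tool: it assumes the `cryptography` Python library, stands in a constructed self-signed CA for the Windows 2003 enterprise CA, mints two user certificates (one with a UPN in the SAN, one without) the way auto-enrollment would, and then reports why each would or would not be usable for EAP-TLS. The UPN otherName OID `1.3.6.1.4.1.311.20.2.3` is Microsoft's; the names, validity periods and UPN values are constructed sample data.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft's otherName type-id for a userPrincipalName inside the SAN extension.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")
UTC = datetime.timezone.utc


def der_utf8string(text):
    """DER-encode a short UTF8String (tag 0x0C, short-form length) for the otherName value."""
    raw = text.encode("utf-8")
    if len(raw) > 127:
        raise ValueError("short-form DER length only")
    return b"\x0c" + bytes([len(raw)]) + raw


def der_utf8string_decode(blob):
    """Decode a short-form DER UTF8String; return None if the bytes are not one."""
    if len(blob) < 2 or blob[0] != 0x0C or blob[1] > 127 or len(blob) != 2 + blob[1]:
        return None
    return blob[2:].decode("utf-8")


def make_ca(common_name="Constructed Enterprise CA"):
    """Constructed self-signed root, standing in for the Windows 2003 enterprise CA (assumption)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_user_cert(ca_key, ca_cert, common_name, upn=None):
    """Constructed user certificate in auto-enroll style; the UPN goes into the SAN only if given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(UTC)
    builder = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        # Client Authentication + email, as the poster describes for the auto-enrolled cert.
        .add_extension(x509.ExtendedKeyUsage(
            [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
    )
    if upn is not None:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))]), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def upns_in_san(cert):
    """Return every userPrincipalName carried as an otherName in the certificate's SAN."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    found = []
    for general_name in san:
        if isinstance(general_name, x509.OtherName) and general_name.type_id == UPN_OID:
            upn = der_utf8string_decode(general_name.value)
            if upn:
                found.append(upn)
    return found


def check_eap_tls_client_cert(cert, trusted_roots):
    """Return a list of problems that would stop EAP-TLS from using this cert; empty means it passes."""
    problems = []
    if not upns_in_san(cert):
        problems.append("no userPrincipalName otherName in SubjectAlternativeName")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            problems.append("ExtendedKeyUsage lacks Client Authentication")
    except x509.ExtensionNotFound:
        problems.append("no ExtendedKeyUsage extension")
    # The issuer must be in the supplicant's Trusted Root store, and the signature must verify under it.
    issuer = next((root for root in trusted_roots if root.subject == cert.issuer), None)
    if issuer is None:
        problems.append("issuer is not in the trusted root list")
    else:
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            problems.append("signature does not verify under the trusted root")
    return problems


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    for cn, upn in (("with-upn", "with-upn@corp.example"), ("without-upn", None)):
        cert = make_user_cert(ca_key, ca_cert, cn, upn)
        print(cn, "->", check_eap_tls_client_cert(cert, [ca_cert]) or "OK for EAP-TLS")
```

Run against a real certificate, replace the constructed certs with `x509.load_der_x509_certificate()` on a file exported from the user's store and pass the exported root CA certificate as the trusted list; a non-empty result names which of Wayne's two conditions is failing for usera.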
  4. Al Blake

    Al Blake Guest

    Thanks for the replies guys. I'll check those things (again) although I
    think they're ok.
    One question Jeff:

    Why are you only using certificates for machine accounts and not for users?
    I'd like to know the philosophy for this as we are just about to roll out a
    'real' wireless LAN with 400+ machines (as opposed to a few machines using
    WEP :( )
    As this will be a campus-wide WLAN with 60+ APs we have to ensure we are
    securing it as best we can whilst keeping the maintenance overhead down
    (adding WEP or WPA keys to every machine is not on).

    So we decided on EAP-TLS... but I thought we had to authenticate both the
    computer *AND* the user to do this. Are you saying we don't? 'Cos if we don't,
    this would make things a *lot* easier. Can you explain your approach?

    Regards Al.
    Al Blake, Oct 4, 2004
