IAS fails with certs from Stand Alone CA

Discussion in 'Wireless Networking' started by Harrison Midkiff, Jul 20, 2004.

  1. Hello:

    I am deploying a secure wireless solution with a Stand Alone CA. When my
    clients are trying to authenticate I am getting the following 2 error
    messages in my event viewer. I have searched on these but cannot seem to
    find a resolution for them. Any help anyone could offer would be greatly
    appreciated.

    Harrison Midkiff

    ******* Error 1 *********
    Event Type: Information
    Event Source: IAS
    Event Category: None
    Event ID: 20190
    Date: 7/20/2004
    Time: 12:23:25 PM
    User: N/A
    Computer: MERCURY
    Description:
    Because no certificate has been configured for clients dialing in with
    EAP-TLS, a default certificate is being sent to user aviinc\hmidkiff. Please
    go to the user's Remote Access Policy and configure the Extensible
    Authentication Protocol (EAP).

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.


    ******* Error 2 *********
    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 20168
    Date: 7/20/2004
    Time: 12:23:25 PM
    User: N/A
    Computer: MERCURY
    Description:
    Could not retrieve the Remote Access Server's certificate due to the
    following error: Cannot find object or property.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 04 20 09 80 . .€
     
    Harrison Midkiff, Jul 20, 2004
    #1

  2. Harrison Midkiff

    MikeF Guest


    The messages pretty much tell you what the problem is. You've set up an
    authentication type which requires certificates. Either the certificates
    have not been issued, or are stored in the wrong place, or do not refer back
    to a valid root certificate. Brush up on how to issue certificates, where
    to store them, how to make sure there's a valid certificate path or chain,
    and whether or not a stand alone CA is adequate for what you are doing.
     
    MikeF, Jul 20, 2004
    #2

  3. Here are some steps you can use to verify whether you have a valid
    certificate installed on your RADIUS (IAS) server:

    On your RADIUS (IAS) server, do the following:

    1) Click on the Start button and choose "Run..."
    2) Type in "mmc" and click OK
    3) From the "File" pull-down menu, click on "Add/Remove Snap-in..."
    4) Click "Add..."
    5) Select "Certificates" and click "Add"
    6) Select "Computer account" and click "Next >"
    7) Click "Finish"
    8) Click "Close"
    9) Click "OK"
    10) On the left side of the window, browse down to "Certificate (Local
    Computer) \ Personal \ Certificates"
    11) Look for the certificate, which you plan to use with EAP, on the right
    side of the window and double click on it

    If no certificates appear on the right side of the window, then you have not
    installed your certificate into the correct location.

    11) Switch to the "Details" tab
    12) Make sure the value for the "Valid from" field is a date that is
    earlier than today's date.
    13) Make sure the value for the "Valid to" field is a date that is later
    than today's date.
    14) Make sure the field called "Subject" exists, that it has a value
    assigned to it, and that the value includes a "CN = " which is followed by
    some name.
    15) Make sure that the "Enhanced Key Usage" field exists and that its value
    mentions "Server Authentication".

    If your certificate does not meet one of these checks, then it will not be
    recognized by your RADIUS (IAS) server.

    16) Lastly, with a certificate from a Stand-Alone CA server, you may need
    to manually install a copy of the certificate for the Root CA into the
    Enterprise "NTAuth" certificate store. The following KB article will show
    you how this is done:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;295663

    If you meet all these requirements, then you should be able to select this
    certificate when configuring EAP in your Remote Access policy.

    --

    Patrick Sears
    Bluetooth PAN
    Windows Networking

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Please do not send email directly to this alias. This alias is for newsgroup
    purposes only.
     
    Patrick Sears [MSFT], Jul 22, 2004
    #3