Networking Forums

Computer Certificate for Wireless Not Recognised?

 
 
Ben
02-01-2006, 01:08 PM
Hi,

I'm setting up a wireless connection using WPA2/AES and PEAP, which uses
RADIUS on a Win2003 server to authenticate. I would like to use computer
authentication prior to logon, and then user authentication after.

I have issued the user with a user certificate and computer with a computer
certificate. However the wireless will not connect prior to logon. Once
logged on, everything works perfectly, IAS authenticates the user, the
connection is made, and you can use the connection.

The Radius server has a wireless policy, which is set to allow all
'Domain\domain users' and 'Domain\domain computers' access. I have checked my
computer, and it is a member of the 'domain computers' group.

Looking at the ISA event log, I'm getting the following error, which states
"Reason = The specified user account does not exist. "

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 01/02/2006
Time: 13:44:49
User: N/A
Computer: RADIUS1
Description:
User laptop001.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\laptop001.domain.com
NAS-IP-Address = 10.0.0.100
NAS-Identifier = QWERTY01
Called-Station-Identifier = 0012A954BD94:QWERTY01
Calling-Station-Identifier = 0014A438FCA0
Client-Friendly-Name = QWERTY01
Client-IP-Address = 10.0.0.100
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.

Can anyone suggest a way of getting computer authentication working?

Cheers

Ben
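
As an added example (not part of Ben's post or of any reply in this thread), the PowerShell below parses the IAS Event ID 2 description Ben quoted, field by field, and reports what the record itself establishes: the request came over wireless, the identity IAS tried to look up is the bare host FQDN rather than a SAM account name (an AD computer account's SAM name is NAME$), and EAP-Type and Policy-Name are still `<undetermined>`, so the reject happened at the account lookup, before any EAP method was negotiated or any remote access policy was matched. The event text is copied from the post; the function names are my own.

```powershell
# Added example, not from the thread: parse the IAS Event ID 2 text quoted in the
# post and report what the record itself establishes about the failed request.
# $EventText is the description copied from the post; the function names are mine.
$EventText = @'
User laptop001.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\laptop001.domain.com
NAS-IP-Address = 10.0.0.100
NAS-Identifier = QWERTY01
Called-Station-Identifier = 0012A954BD94:QWERTY01
Calling-Station-Identifier = 0014A438FCA0
Client-Friendly-Name = QWERTY01
Client-IP-Address = 10.0.0.100
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
'@

function ConvertFrom-IasEventText {
    # Turn the "Name = value" lines of an IAS event description into a hashtable.
    param([Parameter(Mandatory)][string]$Text)
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z-]+)\s*=\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Test-IasDenial {
    # Summarise a denial: which NAS, which client, which identity, and how far
    # the request got before IAS rejected it.
    param([Parameter(Mandatory)][hashtable]$Fields)
    $fqun    = $Fields['Fully-Qualified-User-Name']
    $account = if ($fqun -and $fqun.Contains('\')) { $fqun.Split('\')[-1] } else { $fqun }
    # An AD computer account's SAM name is NAME$ and a user's is a plain name;
    # a dotted host FQDN is neither, so IAS finds no account for it (Reason-Code 8).
    $isBareHostFqdn = ($account -match '^[^.\s\\]+(\.[^.\s\\]+)+$') -and -not $account.EndsWith('$')
    $reasonCode = [int]$Fields['Reason-Code']
    [pscustomobject]@{
        Account                = $account
        IsWireless             = ($Fields['NAS-Port-Type'] -eq 'Wireless - IEEE 802.11')
        AccessPoint            = $Fields['NAS-Identifier']
        ClientMac              = $Fields['Calling-Station-Identifier']
        ReasonCode             = $reasonCode
        Reason                 = $Fields['Reason']
        # <undetermined> EAP-Type and Policy-Name mean the reject came before any
        # EAP method was negotiated and before any remote access policy was matched.
        EapMethodNegotiated    = ($Fields['EAP-Type'] -ne '<undetermined>')
        PolicyMatched          = ($Fields['Policy-Name'] -ne '<undetermined>')
        IdentityIsBareHostFqdn = $isBareHostFqdn
        AccountLookupFailed    = ($reasonCode -eq 8)
    }
}

Test-IasDenial -Fields (ConvertFrom-IasEventText -Text $EventText) | Format-List
```

For the event in the post this reports IsWireless true, Account laptop001.domain.com, IdentityIsBareHostFqdn true, AccountLookupFailed true, and both EapMethodNegotiated and PolicyMatched false. Pasting the description of any other Event ID 2 record into $EventText gives the same breakdown, which is a quicker read than the raw event when you are comparing a failing computer logon against a working user logon.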


 
Eric Hicks [MVP]
02-01-2006, 08:45 PM
What I did was create a separate group called "wireless users and computers"
and added the laptops and users who I wanted wireless access in that group.
The only problem that I've run into and maybe someone here will know a
solution comes from using roaming profiles. When the laptop logs into the
wireless with the computer account and the user starts to load their profile
there's a transition from the computer account to the user account in the
middle of loading the roaming profile so then the profile fails. If I can
get the switch to happen after the profile has loaded I'll be very happy.

--
--
Eric Hicks [That_Kid] (MS-MVP Mobile Devices)

The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

"Ben" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi,
>
> I'm setting up a wireless connection using WPA2/AES and PEAP, which uses
> RADIUS on a Win2003 server to authenticate. I would like to use computer
> authentication prior to logon, and then user authentication after.
>
> I have issued the user with a user certificate and computer with a
> computer certificate. However the wireless will not connect prior to
> logon. Once logged on, everything works perfectly, IAS authenticates the
> user, the connection is made, and you can use the connection.
>
> The Radius server has a wireless policy, which is set to allow all
> 'Domain\domain users' and 'Domain\domain computers' access. I have checked
> my computer, and it is a member of the 'domain computers' group.
>
> Looking at the ISA event log, I'm getting the following error, which
> states "Reason = The specified user account does not exist. "
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 01/02/2006
> Time: 13:44:49
> User: N/A
> Computer: RADIUS1
> Description:
> User laptop001.domain.com was denied access.
> Fully-Qualified-User-Name = DOMAIN\laptop001.domain.com
> NAS-IP-Address = 10.0.0.100
> NAS-Identifier = QWERTY01
> Called-Station-Identifier = 0012A954BD94:QWERTY01
> Calling-Station-Identifier = 0014A438FCA0
> Client-Friendly-Name = QWERTY01
> Client-IP-Address = 10.0.0.100
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 1
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = <undetermined>
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 8
> Reason = The specified user account does not exist.
>
> Can anyone suggest a way of getting computer authentication working?
>
> Cheers
>
> Ben
>
>



 
Ben
02-01-2006, 09:16 PM
Hi, thanks for the reply.

I'll give it a try tomorrow, but you shouldn't really have to create a
separate group, I've already added the 'domain users' and 'domain computers'
groups to the radius policy, which *should* work.

Ben

"Eric Hicks [MVP]" <i'(E-Mail Removed)> wrote in message
news:OT5%(E-Mail Removed)...
> What I did was create a separate group called "wireless users and
> computers" and added the laptops and users who I wanted wireless access in
> that group. The only problem that I've run into and maybe someone here
> will know a solution comes from using roaming profiles. When the laptop
> logs into the wireless with the computer account and the user starts to
> load their profile there's a transition from the computer account to the
> user account in the middle of loading the roaming profile so then the
> profile fails. If I can get the switch to happen after the profile has
> loaded I'll be very happy.
>
> --
> --
> Eric Hicks [That_Kid] (MS-MVP Mobile Devices)
>
> The MS-MVP Program - http://mvp.support.microsoft.com
> This posting is provided "AS IS" with no warranties, and confers no
> rights...
>
> "Ben" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> Hi,
>>
>> I'm setting up a wireless connection using WPA2/AES and PEAP, which uses
>> RADIUS on a Win2003 server to authenticate. I would like to use computer
>> authentication prior to logon, and then user authentication after.
>>
>> I have issued the user with a user certificate and computer with a
>> computer certificate. However the wireless will not connect prior to
>> logon. Once logged on, everything works perfectly, IAS authenticates the
>> user, the connection is made, and you can use the connection.
>>
>> The Radius server has a wireless policy, which is set to allow all
>> 'Domain\domain users' and 'Domain\domain computers' access. I have checked
>> my computer, and it is a member of the 'domain computers' group.
>>
>> Looking at the ISA event log, I'm getting the following error, which
>> states "Reason = The specified user account does not exist. "
>>
>> Event Type: Warning
>> Event Source: IAS
>> Event Category: None
>> Event ID: 2
>> Date: 01/02/2006
>> Time: 13:44:49
>> User: N/A
>> Computer: RADIUS1
>> Description:
>> User laptop001.domain.com was denied access.
>> Fully-Qualified-User-Name = DOMAIN\laptop001.domain.com
>> NAS-IP-Address = 10.0.0.100
>> NAS-Identifier = QWERTY01
>> Called-Station-Identifier = 0012A954BD94:QWERTY01
>> Calling-Station-Identifier = 0014A438FCA0
>> Client-Friendly-Name = QWERTY01
>> Client-IP-Address = 10.0.0.100
>> NAS-Port-Type = Wireless - IEEE 802.11
>> NAS-Port = 1
>> Proxy-Policy-Name = Use Windows authentication for all users
>> Authentication-Provider = Windows
>> Authentication-Server = <undetermined>
>> Policy-Name = <undetermined>
>> Authentication-Type = EAP
>> EAP-Type = <undetermined>
>> Reason-Code = 8
>> Reason = The specified user account does not exist.
>>
>> Can anyone suggest a way of getting computer authentication working?
>>
>> Cheers
>>
>> Ben
>>
>>

>
>



 
Eric Hicks [MVP]
02-02-2006, 01:36 AM
Yes that should work, I created another group because I didn't want everyone
to be able to use wireless.

--
--
Eric Hicks [That_Kid] (MS-MVP Mobile Devices)

The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights...

"Ben" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi, thanks for the reply.
>
> I'll give it a try tomorrow, but you shouldn't really have to create a
> separate group, I've already added the 'domain users' and 'domain
> computers' groups to the radius policy, which *should* work.
>
> Ben
>
> "Eric Hicks [MVP]" <i'(E-Mail Removed)> wrote in message
> news:OT5%(E-Mail Removed)...
>> What I did was create a separate group called "wireless users and
>> computers" and added the laptops and users who I wanted wireless access
>> in that group. The only problem that I've run into and maybe someone here
>> will know a solution comes from using roaming profiles. When the laptop
>> logs into the wireless with the computer account and the user starts to
>> load their profile there's a transition from the computer account to the
>> user account in the middle of loading the roaming profile so then the
>> profile fails. If I can get the switch to happen after the profile has
>> loaded I'll be very happy.
>>
>> --
>> --
>> Eric Hicks [That_Kid] (MS-MVP Mobile Devices)
>>
>> The MS-MVP Program - http://mvp.support.microsoft.com
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights...
>>
>> "Ben" <(E-Mail Removed)> wrote in message
>> news:%(E-Mail Removed)...
>>> Hi,
>>>
>>> I'm setting up a wireless connection using WPA2/AES and PEAP, which uses
>>> RADIUS on a Win2003 server to authenticate. I would like to use computer
>>> authentication prior to logon, and then user authentication after.
>>>
>>> I have issued the user with a user certificate and computer with a
>>> computer certificate. However the wireless will not connect prior to
>>> logon. Once logged on, everything works perfectly, IAS authenticates the
>>> user, the connection is made, and you can use the connection.
>>>
>>> The Radius server has a wireless policy, which is set to allow all
>>> 'Domain\domain users' and 'Domain\domain computers' access. I have checked
>>> my computer, and it is a member of the 'domain computers' group.
>>>
>>> Looking at the ISA event log, I'm getting the following error, which
>>> states "Reason = The specified user account does not exist. "
>>>
>>> Event Type: Warning
>>> Event Source: IAS
>>> Event Category: None
>>> Event ID: 2
>>> Date: 01/02/2006
>>> Time: 13:44:49
>>> User: N/A
>>> Computer: RADIUS1
>>> Description:
>>> User laptop001.domain.com was denied access.
>>> Fully-Qualified-User-Name = DOMAIN\laptop001.domain.com
>>> NAS-IP-Address = 10.0.0.100
>>> NAS-Identifier = QWERTY01
>>> Called-Station-Identifier = 0012A954BD94:QWERTY01
>>> Calling-Station-Identifier = 0014A438FCA0
>>> Client-Friendly-Name = QWERTY01
>>> Client-IP-Address = 10.0.0.100
>>> NAS-Port-Type = Wireless - IEEE 802.11
>>> NAS-Port = 1
>>> Proxy-Policy-Name = Use Windows authentication for all users
>>> Authentication-Provider = Windows
>>> Authentication-Server = <undetermined>
>>> Policy-Name = <undetermined>
>>> Authentication-Type = EAP
>>> EAP-Type = <undetermined>
>>> Reason-Code = 8
>>> Reason = The specified user account does not exist.
>>>
>>> Can anyone suggest a way of getting computer authentication working?
>>>
>>> Cheers
>>>
>>> Ben
>>>
>>>

>>
>>

>
>



 
James McIllece [MS]
02-02-2006, 05:59 PM
"Ben" <(E-Mail Removed)> wrote in
news:#(E-Mail Removed):

> Hi,
>
> I'm setting up a wireless connection using WPA2/AES and PEAP, which
> uses RADIUS on a Win2003 server to authenticate. I would like to use
> computer authentication prior to logon, and then user authentication
> after.
>
> I have issued the user with a user certificate and computer with a
> computer certificate. However the wireless will not connect prior to
> logon. Once logged on, everything works perfectly, IAS authenticates
> the user, the connection is made, and you can use the connection.
>
> The Radius server has a wireless policy, which is set to allow all
> 'Domain\domain users' and 'Domain\domain computers' access. I have
> checked my computer, and it is a member of the 'domain computers' group.
>
> Looking at the ISA event log, I'm getting the following error, which
> states "Reason = The specified user account does not exist. "
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 01/02/2006
> Time: 13:44:49
> User: N/A
> Computer: RADIUS1
> Description:
> User laptop001.domain.com was denied access.
> Fully-Qualified-User-Name = DOMAIN\laptop001.domain.com
> NAS-IP-Address = 10.0.0.100
> NAS-Identifier = QWERTY01
> Called-Station-Identifier = 0012A954BD94:QWERTY01
> Calling-Station-Identifier = 0014A438FCA0
> Client-Friendly-Name = QWERTY01
> Client-IP-Address = 10.0.0.100
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 1
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = <undetermined>
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 8
> Reason = The specified user account does not exist.
>
> Can anyone suggest a way of getting computer authentication working?
>
> Cheers
>
> Ben
>
>


Hi Ben --

There are a couple of possible problems:

-- Authentication on the IAS server remote access policy might not be
configured properly.

If you have deployed certificates to users, I assume you are trying to
deploy EAP-TLS, not PEAP-MS-CHAP v2.

If this is the case, make sure that the authentication type is set to
"Smartcard or other certificate."

-- The CA certificate is not in the trusted root certification authorities
store on client computers.

For clients to authenticate the IAS server, they must have the CA server
cert in this store. Verify that it is there by using the certificates snap-in.
The cert must be in the TRCA store for the Local Computer and Current
User. If it is NOT in these stores, you should plug the computer into the
wire and refresh Group Policy. (I assume you are autoenrolling certs. If
so, wireless computers must first be plugged in to get their cert and the
CA cert, or you must distribute/enroll the certs in another fashion.)

Let me know how it goes.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
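
As an added example, and not James's own procedure or a Microsoft tool, here are the two checks he describes as a script instead of the certificates snap-in: is the CA certificate in the Trusted Root store of both the Local Computer and the Current User, and does the computer hold a certificate of its own that chains to that CA and is usable for client authentication. It assumes PowerShell 3 or later with the Cert: drive; the thumbprint is a placeholder to replace with your own CA's, and the function name is mine.

```powershell
# Added example, not James's procedure or a Microsoft tool: the snap-in checks
# above as a script (PowerShell 3 or later, Cert: drive). Run it as the user who
# will log on, elevated so the machine's private keys are readable.
# $RootCaThumbprint is a PLACEHOLDER; substitute the thumbprint of your CA cert.
$RootCaThumbprint = 'REPLACE_WITH_YOUR_CA_CERT_THUMBPRINT'

function Test-WirelessCertPrerequisites {
    param([Parameter(Mandatory)][string]$RootCaThumbprint)
    $clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS

    # 1. The CA certificate must be in the Trusted Root store of BOTH the
    #    Local Computer and the Current User, which is the pair James names.
    $inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootCaThumbprint)
    $inUserRoot    = [bool](Get-ChildItem Cert:\CurrentUser\Root  | Where-Object Thumbprint -eq $RootCaThumbprint)

    # 2. The computer needs a certificate of its own: private key present,
    #    unexpired, Client Authentication EKU, and chaining to that CA.
    $now = Get-Date
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $clientAuthEku)
    }
    $machineCerts = foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if ($chain.Build($cert)) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            if ($root.Thumbprint -eq $RootCaThumbprint) { $cert }
        }
    }
    $machineCerts = @($machineCerts)

    [pscustomobject]@{
        CaInLocalMachineRoot = $inMachineRoot
        CaInCurrentUserRoot  = $inUserRoot
        MachineCertSubjects  = $machineCerts | ForEach-Object { $_.Subject }
        # The DNS name in the machine cert is what the computer presents as its
        # identity; it should be the computer's FQDN.
        MachineCertDnsNames  = $machineCerts | ForEach-Object { $_.DnsNameList | ForEach-Object { $_.Unicode } }
        Ready                = $inMachineRoot -and $inUserRoot -and ($machineCerts.Count -gt 0)
    }
}

Test-WirelessCertPrerequisites -RootCaThumbprint $RootCaThumbprint | Format-List
```

Ready is true only when all three conditions hold. A false CaInLocalMachineRoot or CaInCurrentUserRoot is the case James covers (plug into the wire and refresh Group Policy, or distribute the CA cert another way); an empty MachineCertSubjects with the roots present means the computer certificate itself never enrolled, which is the other reason a machine would have nothing to authenticate with before logon.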
 
Ben
02-03-2006, 01:59 PM
"James McIllece [MS]" <(E-Mail Removed)> wrote in message
news:Xns975E6FCF7B7B1jamesmcimsftcorp@207.46.248.16...
>
> Hi Ben --
>
> There are a couple of possible problems:
>
> -- Authentication on the IAS server remote access policy might not be
> configured properly.
>
> If you have deployed certificates to users, I assume you are trying to
> deploy EAP-TLS, not PEAP-MS-CHAP v2.
>
> If this is the case, make sure that the authentication type is set to
> "Smartcard or other certificate."
>
> -- The CA certificate is not in the trusted root certification authorities
> store on client computers.
>
> For clients to authenticate the IAS server, they must have the CA server
> cert in this store. Verify that it is there by using the certificates
> snap-in. The cert must be in the TRCA store for the Local Computer and Current
> User. If it is NOT in these stores, you should plug the computer into the
> wire and refresh Group Policy. (I assume you are autoenrolling certs. If
> so, wireless computers must first be plugged in to get their cert and the
> CA cert, or you must distribute/enroll the certs in another fashion.)
>
> Let me know how it goes.
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online
> account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.


Hi James,

Thanks for the reply.

Yes we are using EAP-TLS (PEAP) on our wireless network. The wireless policy
is set to authentication type "Smartcard or other certificate" & "Protected
EAP". The CA certificate is in both the Users TRCA store & Computer TRCA
store. The connection works if I use the users certificate to connect, but I
need the computer certificate to work as well, for authentication prior to
logon.

Ben


 
James McIllece [MS]
02-08-2006, 08:47 PM
"Ben" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

> "James McIllece [MS]" <(E-Mail Removed)> wrote in message
> news:Xns975E6FCF7B7B1jamesmcimsftcorp@207.46.248.16...
>>
>> Hi Ben --
>>
>> There are a couple of possible problems:
>>
>> -- Authentication on the IAS server remote access policy might not
>> be configured properly.
>>
>> If you have deployed certificates to users, I assume you are trying
>> to deploy EAP-TLS, not PEAP-MS-CHAP v2.
>>
>> If this is the case, make sure that the authentication type is set to
>> "Smartcard or other certificate."
>>
>> -- The CA certificate is not in the trusted root certification
>> authorities store on client computers.
>>
>> For clients to authenticate the IAS server, they must have the CA
>> server cert in this store. Verify that it is there by using the
>> certificates snap-in. The cert must be in the TRCA store for the Local Computer and
>> Current User. If it is NOT in these stores, you should plug the
>> computer into the wire and refresh Group Policy. (I assume you are
>> autoenrolling certs. If so, wireless computers must first be plugged
>> in to get their cert and the CA cert, or you must distribute/enroll
>> the certs in another fashion.)
>>
>> Let me know how it goes.
>>
>> --
>> James McIllece, Microsoft
>>
>> Please do not send email directly to this alias. This is my online
>> account
>> name for newsgroup participation only.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.

>
> Hi James,
>
> Thanks for the reply.
>
> Yes we are using EAP-TLS (PEAP) on our wireless network. The wireless
> policy is set to authentication type "Smartcard or other certificate"
> & "Protected EAP". The CA certificate is in both the Users TRCA store
> & Computer TRCA store. The connection works if I use the users
> certificate to connect, but I need the computer certificate to work as
> well, for authentication prior to logon.
>
> Ben
>
>
>


OK -- so on the properties of the wireless network on clients, on the
Authentication tab, you need to check the checkbox "Authenticate as
computer when computer information is available."

That should solve the issue.

You can also configure this setting in Group Policy.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
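
As an added example, not from the thread, the PowerShell below reads the setting James names from a wireless profile rather than from the checkbox. The thread's clients use the XP Wireless Zero Configuration UI; this assumes the later `netsh wlan` profile XML (Windows Vista and later), where that checkbox is the `authMode` element of the OneX section (`machineOrUser` or `machine` enables computer authentication, `user` disables it). The profile XML is a constructed sample, not an export from Ben's network, and the function name is mine.

```powershell
# Added example, not from the thread: read the OneX <authMode> of a wireless
# profile, which is the "Authenticate as computer when computer information is
# available" setting. The thread's clients use the XP Wireless Zero Configuration
# UI; this assumes the later 'netsh wlan' profile XML (Windows Vista and later).
# $SampleProfileXml is a CONSTRUCTED sample, not an export from the poster's network.
$SampleProfileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>user</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

function Get-WlanProfileAuthMode {
    # Returns the profile name, its authMode, and whether computer
    # authentication is enabled (authMode machineOrUser or machine).
    param([Parameter(Mandatory)][xml]$ProfileXml)
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $ProfileXml.NameTable
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $ns.AddNamespace('o', 'http://www.microsoft.com/networking/OneX/v1')
    $nameNode = $ProfileXml.SelectSingleNode('/w:WLANProfile/w:name', $ns)
    $oneX     = $ProfileXml.SelectSingleNode('/w:WLANProfile/w:MSM/w:security/o:OneX', $ns)
    $modeNode = if ($oneX) { $oneX.SelectSingleNode('o:authMode', $ns) } else { $null }
    $mode = if ($modeNode) { $modeNode.InnerText } else { '(not set)' }
    [pscustomobject]@{
        Profile             = if ($nameNode) { $nameNode.InnerText } else { '(unknown)' }
        Uses8021X           = [bool]$oneX
        AuthMode            = $mode
        ComputerAuthEnabled = $mode -in @('machineOrUser', 'machine')
    }
}

# Constructed sample: authMode is "user", so pre-logon computer authentication is off.
Get-WlanProfileAuthMode -ProfileXml ([xml]$SampleProfileXml)

# For a real profile on Vista or later (paths are placeholders):
#   netsh wlan export profile name="CorpWiFi" folder="C:\Temp"
#   Get-WlanProfileAuthMode -ProfileXml ([xml](Get-Content -Raw 'C:\Temp\<exported file>.xml'))
```

For the sample this reports AuthMode user and ComputerAuthEnabled false. Run against an exported profile it shows what the client will actually do at the pre-logon 802.1X exchange, which is independent of what RSOP says was delivered; a profile that Group Policy applied with machineOrUser but a client that still shows user is the gap to look at.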
 
Ben
02-09-2006, 08:32 AM
"James McIllece [MS]" <(E-Mail Removed)> wrote in message
news:Xns97648C3BEF42Cjamesmcionlinemicros@207.46.248.16...
>
> OK -- so on the properties of the wireless network on clients, on the
> Authentication tab, you need to check the checkbox "Authenticate as
> computer when computer information is available."
>
> That should solve the issue.
>
> You can also configure this setting in Group Policy.
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online
> account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.


Hi James,

This setting is already configured and issued by GP. I've run RSOP and the
policy is being applied, and if I open the WZC utility, the option is
ticked.

Ben


 
Ace Fekay [MVP]
02-13-2006, 02:25 PM

"Ben" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "James McIllece [MS]" <(E-Mail Removed)> wrote in message
> Hi James,
>
> This setting is already configured and issued by GP. I've run RSOP and the
> policy is being applied, and if I open the WZC utility, the option is
> ticked.
>
> Ben


Curious, what type of wireless device? What key length did you choose?

I had probs with a Cisco Aironet using a 2048 key only to find out Cisco
doesn't support anything higher than 1024. I had to scrap the whole thing
and start from scratch.

Now my prob is to automatically or by script, remove all user and computer
certs from EVERY machine in the domain. No luck so far... I posted about
this too, however, no responses yet.

Ace


 
Ben
02-15-2006, 08:04 AM
"Ace Fekay [MVP]" <(E-Mail Removed)> wrote
in message news:(E-Mail Removed)...
>
>
> Curious, what type of wireless device? What key length did you choose?
>
> I had probs with a Cisco Aironet using a 2048 key only to find out Cisco
> doesn't support anything higher than 1024. I had to scrap the whole thing
> and start from scratch.
>
> Now my prob is to automatically or by script, remove all user and computer
> certs from EVERY machine in the domain. No luck so far... I posted about
> this too, however, no responses yet.
>
> Ace


Hi Ace,

My laptop is running an internal Broadcom 54g wireless card (think it's a
44xx chipset). Others are running 3com USB 54g cards. Our wi-fi units are 3x
3com OfficeConnect 108mb access points. With 1 configured as an AP, and the
other 2 are WDSLinks, to boost the signal.

Ben


 