config-free login to IAS/RADIUS server

We've set up a Wireless AP in connection with our IAS Serverto allow both
domain members and guests to log into our LAN. It's working fine with domain
users, but the issue is that a guest has to do a number of manual config
options to log into our LAN successfully:
1.) Install our root certificate (we're using a self-signed IAS cert)
2.) Go into advanced properties for our network connection, and:
a. Change from Smart Card authentication to PEAP authentication
b. Uncheck "automatically use my Windows login name and password"
Both a and b require extensive drill-downs. My main issue is how we can get
Windows to automatically or efficiently take care of 2a and 2b without me
having to release a complicated procedural to our guests. Is this what
Microsoft's "addRADIUSclient.exe" vb project aims to do?
I imagine there's not much I can do about 1 except shell out $300 a year for
a Verisign certificate. But if anyone knows of another way, other than
installing our root certificate via a USB drive onto guest computers, I'd
like to hear it.

---------
Ron B.
mrbiggs.net

I just purchased a cert from GoDaddy for less then $20. We are migrating off
of our old CA and trying to figure out how to bring up a new CA, re-enroll
computer certs, etc. was going to be a pain. I just need to verify how to
generate a CSR (I assume via IIS) so I can get the cert for my IAS server.

For these being "paid/MS managed" groups, I sure seem to never get a
response from them.


"Ron B." wrote:

> We've set up a Wireless AP in connection with our IAS Serverto allow both
> domain members and guests to log into our LAN. It's working fine with domain
> users, but the issue is that a guest has to do a number of manual config
> options to log into our LAN successfully:
> 1.) Install our root certificate (we're using a self-signed IAS cert)
> 2.) Go into advanced properties for our network connection, and:
> a. Change from Smart Card authentication to PEAP authentication
> b. Uncheck "automatically use my Windows login name and password"
> Both a and b require extensive drill-downs. My main issue is how we can get
> Windows to automatically or efficiently take care of 2a and 2b without me
> having to release a complicated procedural to our guests. Is this what
> Microsoft's "addRADIUSclient.exe" vb project aims to do?
> I imagine there's not much I can do about 1 except shell out $300 a year for
> a Verisign certificate. But if anyone knows of another way, other than
> installing our root certificate via a USB drive onto guest computers, I'd
> like to hear it.
>
> ---------
> Ron B.
> mrbiggs.net

I'd be careful because there are certificates and then there are
certificates. You may very well have bought a certificate for the HTTPS
protocol and not the IAS protocol. This is what the websites are used to
selling, and they're not even aware that other certificates exist. But if
that's indeed what you bought, it's just not going to work.
The only commercial vendor I found that actually sells IAS certificates is
Verisign:
http://www.verisign.com/ssl/buy-ssl-...-lan-security/
It took me a lot of fiddling with our PKI infrastructure before I could
finally request an IAS certificate to our issuing server.
And yes, it would be nice if we could get some kind of answer on this post
before I give up and blow another chunk of change on a paid phone call.

---------
Ron B.
mrbiggs.net


"MH" wrote:

> I just purchased a cert from GoDaddy for less then $20. We are migrating off
> of our old CA and trying to figure out how to bring up a new CA, re-enroll
> computer certs, etc. was going to be a pain. I just need to verify how to
> generate a CSR (I assume via IIS) so I can get the cert for my IAS server.
>
> For these being "paid/MS managed" groups, I sure seem to never get a
> response from them.
>
>
> "Ron B." wrote:
>
> > We've set up a Wireless AP in connection with our IAS Serverto allow both
> > domain members and guests to log into our LAN. It's working fine with domain
> > users, but the issue is that a guest has to do a number of manual config
> > options to log into our LAN successfully:
> > 1.) Install our root certificate (we're using a self-signed IAS cert)
> > 2.) Go into advanced properties for our network connection, and:
> > a. Change from Smart Card authentication to PEAP authentication
> > b. Uncheck "automatically use my Windows login name and password"
> > Both a and b require extensive drill-downs. My main issue is how we can get
> > Windows to automatically or efficiently take care of 2a and 2b without me
> > having to release a complicated procedural to our guests. Is this what
> > Microsoft's "addRADIUSclient.exe" vb project aims to do?
> > I imagine there's not much I can do about 1 except shell out $300 a year for
> > a Verisign certificate. But if anyone knows of another way, other than
> > installing our root certificate via a USB drive onto guest computers, I'd
> > like to hear it.
> >
> > ---------
> > Ron B.
> > mrbiggs.net

With that in mind, I don't think you can make a CSR by going into IIS, as it
just has a wizard for requesting HTTPS certificates. An IAS request needs to
be done within the MMC's Certificates module.
---------
Ron B.
mrbiggs.net


"MH" wrote:

> I just purchased a cert from GoDaddy for less then $20. We are migrating off
> of our old CA and trying to figure out how to bring up a new CA, re-enroll
> computer certs, etc. was going to be a pain. I just need to verify how to
> generate a CSR (I assume via IIS) so I can get the cert for my IAS server.
>
> For these being "paid/MS managed" groups, I sure seem to never get a
> response from them.
>
>
> "Ron B." wrote:
>
> > We've set up a Wireless AP in connection with our IAS Serverto allow both
> > domain members and guests to log into our LAN. It's working fine with domain
> > users, but the issue is that a guest has to do a number of manual config
> > options to log into our LAN successfully:
> > 1.) Install our root certificate (we're using a self-signed IAS cert)
> > 2.) Go into advanced properties for our network connection, and:
> > a. Change from Smart Card authentication to PEAP authentication
> > b. Uncheck "automatically use my Windows login name and password"
> > Both a and b require extensive drill-downs. My main issue is how we can get
> > Windows to automatically or efficiently take care of 2a and 2b without me
> > having to release a complicated procedural to our guests. Is this what
> > Microsoft's "addRADIUSclient.exe" vb project aims to do?
> > I imagine there's not much I can do about 1 except shell out $300 a year for
> > a Verisign certificate. But if anyone knows of another way, other than
> > installing our root certificate via a USB drive onto guest computers, I'd
> > like to hear it.
> >
> > ---------
> > Ron B.
> > mrbiggs.net