How to implement PEAP-EAP-TLS authentication?

Edward W. Ray
05-06-2005, 07:02 AM
I always use PEAP-EAP-MSCHAPv2 on my Windows 2003 IAS for wireless
authentication.

I already have a two-tier CA infrastructure, and my clients all have
certificates for workstation, user and IPSec authentication. No Smart Cards
yet.

How do I go about getting the IAS/RADIUS server to recognize my workstation
on my client? Right now it rejects the request; only MSCHAPv2 works. How
do I make use of my existing certificates for WLAN authentication?

Thanks in advance.

Ed

Carl DaVault [MSFT]
05-06-2005, 07:34 PM
http://www.microsoft.com/wifi has some info

http://www.microsoft.com/vpn may be helpful too.

Basically, it's the same as PEAP except:

1. each user must have a valid certificate for user auth
2. each machine must have a valid certificate for machine auth
3. you must enable EAP-TLS in the IAS policy
4. you must set the client to use EAP-TLS
5. the IAS server must have valid certs (server certs)

By "valid" I mean that the certs chain properly and that the CA certs needed
for validation are present. EAP-TLS is cert-based, so properly deploying it
is more of a PKI-thing.

If your certs are standard issue from a Windows-based CA, it should be
usable for wireless and it should all work smoothly - same as PEAP.
Certificates are best for domain-joined machines - if you have machines in
other domains or workgroup machines you'll probably still want to use PEAP.

If you can be more specific about what happens when the request is rejected,
I can give you more specific solutions. Does IAS just deny authentication or
does it drop the packets or something?

There is also a microsoft.public.internet.radius newsgroup that might help
you answer IAS questions.

--
Standard Disclaimers -
This posting is provided "AS IS" with no warranties,
and confers no rights. Please do not send e-mail directly
to this alias. This alias is for newsgroup purposes only.

Edward W. Ray
05-06-2005, 07:53 PM
I have a valid workstation certificate, as well as a user certificate issued
by a Windows 2003 enterprise subordinate CA. I verified this on my client
via mmc->certificates->personal.

From windump packet logs, it rejects the request when I set up for
PEAP-EAP-TLS. On both XP wireless setup and IAS, the server certificate
used is the enterprise sub CA. Since my IPSec works with certificate
authentication, I know my certificates are valid. Autoenrollment is set for
Workstation, Computer, and User certificates in GPO.

Ed

Edward W. Ray
05-06-2005, 09:16 PM
My computer authentication request via cert worked fine, but user auth
failed, see below:

----------------------------------------------------------------------

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 5/6/2005
Time: 2:02:59 PM
User: N/A
Computer: BLACKDOG
Description:
User host/eraylap.mmicmanhomenet.local was granted access.
Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/ERAYLAP
NAS-IP-Address = 192.168.1.254
NAS-Identifier = 0012177af760
Client-Friendly-Name = hunglikethor
Client-IP-Address = 192.168.1.254
Calling-Station-Identifier = 0012173570c2
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 7
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Computers
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....



Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/6/2005
Time: 1:57:48 PM
User: N/A
Computer: BLACKDOG
Description:
User (E-Mail Removed) was denied access.
Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/Edward
W. Ray
NAS-IP-Address = 192.168.1.254
NAS-Identifier = 0012177af760
Called-Station-Identifier = 0012177af760
Calling-Station-Identifier = 0012173570c2
Client-Friendly-Name = hunglikethor
Client-IP-Address = 192.168.1.254
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 7
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Users
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate
Reason-Code = 73
Reason = The user attempted to authenticate using a certificate with an
Extended Key Usage or Issuance Policy that is not allowed by the matching
remote access policy.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....
----------------------------------------------------------------------

I deleted then re-established my Wireless User policy, and the link was
established. Strange....

Thanks for your help!

Edward W. Ray
CISSP, MCSE 2003+Security, P.E., SANS GCIA, SANS GCIH

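Eyeballing two events is fine, but on a busy IAS server you want Reason-Code, Policy-Name and EAP-Type pulled out programmatically so that a policy mismatch like the one above stands out. This is an added example, not code from the thread: a small Python parser for the event text pasted above (the e-mail address in the sample is a placeholder, and the hint for Reason-Code 73 is an editor's paraphrase of the Reason text the event itself gives).

```python
import re
ATTR = re.compile(r"^([\w-]+) = (.*)$")            # RADIUS attribute lines
HEADER = re.compile(r"^([A-Za-z][\w ]*): ?(.*)$")  # "Event Type: Warning", "Date: ..."
OUTCOME = re.compile(r"^User (.+) was (granted|denied) access\.$")
# Code 73 is the one in the denied event above; the hint paraphrases its Reason text.
REASON_HINTS = {
    73: "client certificate EKU or Issuance Policy not allowed by the matching "
        "remote access policy: compare the policy's certificate restrictions "
        "with the template that issued the user certificate",
}

def parse_ias_event(text):
    """Turn one pasted IAS event into a dict; wrapped attribute values are rejoined."""
    ev, last = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("For more information"):
            break                                   # trailing help-link boilerplate
        if not line:
            continue
        if m := ATTR.match(line):
            ev[m.group(1)], last = m.group(2), m.group(1)
        elif m := OUTCOME.match(line):
            ev["User"], ev["Outcome"], last = m.group(1), m.group(2), None
        elif m := HEADER.match(line):
            ev[m.group(1)], last = m.group(2), None
        elif last:                                  # continuation of a wrapped value
            ev[last] += " " + line
    return ev

def classify(ev):
    """Summarise the outcome and, for Reason-Codes we know, what to check first."""
    code = int(ev["Reason-Code"]) if "Reason-Code" in ev else None
    return {"user": ev.get("User"), "outcome": ev.get("Outcome"),
            "policy": ev.get("Policy-Name"), "eap_type": ev.get("EAP-Type"),
            "reason_code": code, "hint": REASON_HINTS.get(code, ev.get("Reason"))}

# Constructed sample: the denied event from the thread, e-mail replaced by a placeholder.
DENIED = """Event Type: Warning
Description:
User user@placeholder.invalid was denied access.
Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/Edward
W. Ray
Policy-Name = Wireless Users
EAP-Type = Smart Card or other certificate
Reason-Code = 73
Reason = The user attempted to authenticate using a certificate with an
Extended Key Usage or Issuance Policy that is not allowed by the matching
remote access policy.
For more information, see Help and Support Center at
"""
```

Feed each event block from the IAS log to `parse_ias_event` and then `classify`; a denied result whose `reason_code` is 73 with `EAP-Type` "Smart Card or other certificate" points at the policy's certificate restrictions rather than at the client's certificate chain.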
Jobe Gates
05-26-2005, 10:14 PM
Were you able to get this to work? Does IAS have to go on a 2003 DC?