Non-domain Cert-based 802.1x using IAS

Greetings.

Yet another 802.1x question... but should be an easy one.

Is it possible to successfully authenticate a 802.1x supplicant with a
computer certificate, using IAS, that is not on the same domain as the IAS
server? Or not on a domain at all? I haven't found a way to do it yet.

Thanks for any help.

Lee

Lee wrote:
> Is it possible to successfully authenticate a 802.1x supplicant with a
> computer certificate, using IAS, that is not on the same domain as the IAS
> server? Or not on a domain at all? I haven't found a way to do it yet.

If there is a two-way trust relationship between the two domains, the
answer is "should do".
If there is no two-way trust, you will need a Radius proxy between the
two domains.
They talk about it a bit in this document, page 11:
http://www.microsoft.com/downloads/d...DisplayLang=en

Cheers

Hi Lee,

> Yet another 802.1x question... but should be an easy one.
>
> Is it possible to successfully authenticate a 802.1x supplicant with a
> computer certificate, using IAS, that is not on the same domain as the IAS
> server? Or not on a domain at all? I haven't found a way to do it yet.
>
> Thanks for any help.

It's not an easy question and I have some good and some bad news.
The good news is that it can be done! I've got a setup running with a
Belkin WiFi router as base station, IAS, Windows Server 2003 in stand-alone
mode and a Windows XP Pro client in stand-alone mode too.
The bad news is that it takes a lot of fiddling around, and I cannot give
you a good description on how to do it.

This is more or less what I did:

- On the W2K3 server I setup Microsoft Certificate Services and IAS.
- I created a Radius Client for the Belkin WiFi Router in IAS
(Client-Vendor: Radius Standard)
- Created a remote access policy with EAP method PEAP and MS-CHAP2.
- Created a certificate for the client computer and installed on the client
computer.
- On the client computer, at one point in time I had to select the
certificate but also provide credentials of a W2K3 server user account.

Then the whole thing did not work when using TKIP encryption. When as a
last resort (after days of fiddling around) I changed the encryption to EAS
(which -to my surprise- was supported by the Belkin WiFi router) it suddenly
worked. What the encryption had to do with it, is beyond my understanding.

So there you are: It can be done, but the plethoria of settings and
options, both on the server, theWiFi router and the client computer make it
hell to configure and when it works, I anyway had no clue why it actually
did. :-)

Good luck!
Jan.

EAP-TLS will work. I had Windows Mobile clients authenticating to wireless
network using EAP-TLS - those are definitely not members of the domain.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Lee" <(E-Mail Removed)> wrote in message
news:550DE112-C4FD-4C34-A603-(E-Mail Removed)...
> Greetings.
>
> Yet another 802.1x question... but should be an easy one.
>
> Is it possible to successfully authenticate a 802.1x supplicant with a
> computer certificate, using IAS, that is not on the same domain as the IAS
> server? Or not on a domain at all? I haven't found a way to do it yet.
>
> Thanks for any help.
>
> Lee