Vista clients and EAP-TLS authentication - problem with certificates

We have half a dozen Cisco 1240AG wireless access points that are set up to
use 802.1x EAP-TLS for authentication and TKIP encryption.
To do the authentication we have a pair of Windows Server 2003 R2 SP2
servers running IAS and also as an MS certificate authority (AD Integrated
root and subordinate).

This works perfectly for all sorts of laptops running windows XP however we
have recently bought a few Dell Laptops running Vista and they don't want to
connect.

The problem is that when we try and request a new digital certificate for
the user from the CA we get warnings about it not being compatible with this
version of windows so we can't request a certificate directly. I have read
the instructions on how to amend the CA's web interface with code from
Longhorn Server but haven't yet done this (No longhorn machines for a start)
, and as a work round we thought we can just request the cert using an XP
machine then export it and import into vista.

I don't think the wireless connection setup is as good on Vista as XP (it
seems to be overly simplified and the advanced settings are too well hidden)
but I have configured a client with the same settings as XP and when I try
and connect it informs me that I don't have a certificate , yet it's sat
there in my personal certificates store.

If I switch the client and RADIUS server to use PEAP instead of EAP-TLS then
I can connect OK as you'd expect.

So , is there any workround for this or something that I could be doing
wrong when I try and export the certificates from an XP to Vista machine?

Any suggestions gratefully appreciated.

--
Alex

New laptop - Sig missing

Do you have EAP-TLS set up to authenticate both the computer and the user?
That would explain why you are failing the authentication. You don't have a
computer cert. That also means that you cannot work around the problem by
exporting certs from an XP machine unless that XP machine has the same name
as the Vista machine you are putting the certs on.

The enrollment problem likely stems from the new security infrastructure in
Internet Explorer. You need an updated web enrollment tool to acquire
certificates using IE7 on Vista. It blocks the common ways to do it on XP.

The better solution is to use an autoenrollment solution though. It is
completely automatic and obviates the need for the web enrollment altogether.
It works just fine on Vista against a Server 2003 CA. This doc tells you how
to configure it: http://www.microsoft.com/technet/net...i/ed80211.mspx

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20


"Dr Zoidberg" wrote:

> We have half a dozen Cisco 1240AG wireless access points that are set up to
> use 802.1x EAP-TLS for authentication and TKIP encryption.
> To do the authentication we have a pair of Windows Server 2003 R2 SP2
> servers running IAS and also as an MS certificate authority (AD Integrated
> root and subordinate).
>
> This works perfectly for all sorts of laptops running windows XP however we
> have recently bought a few Dell Laptops running Vista and they don't want to
> connect.
>
> The problem is that when we try and request a new digital certificate for
> the user from the CA we get warnings about it not being compatible with this
> version of windows so we can't request a certificate directly. I have read
> the instructions on how to amend the CA's web interface with code from
> Longhorn Server but haven't yet done this (No longhorn machines for a start)
> , and as a work round we thought we can just request the cert using an XP
> machine then export it and import into vista.
>
> I don't think the wireless connection setup is as good on Vista as XP (it
> seems to be overly simplified and the advanced settings are too well hidden)
> but I have configured a client with the same settings as XP and when I try
> and connect it informs me that I don't have a certificate , yet it's sat
> there in my personal certificates store.
>
> If I switch the client and RADIUS server to use PEAP instead of EAP-TLS then
> I can connect OK as you'd expect.
>
> So , is there any workround for this or something that I could be doing
> wrong when I try and export the certificates from an XP to Vista machine?
>
> Any suggestions gratefully appreciated.
>
> --
> Alex
>
> New laptop - Sig missing
>
>

"Jesper" <(E-Mail Removed)> wrote in message
news:6E79207A-62E1-4719-A1DC-(E-Mail Removed)...
> Do you have EAP-TLS set up to authenticate both the computer and the user?

No , just user accounts.

> That would explain why you are failing the authentication. You don't have
> a
> computer cert. That also means that you cannot work around the problem by
> exporting certs from an XP machine unless that XP machine has the same
> name
> as the Vista machine you are putting the certs on.
>
> The enrollment problem likely stems from the new security infrastructure
> in
> Internet Explorer. You need an updated web enrollment tool to acquire
> certificates using IE7 on Vista. It blocks the common ways to do it on XP.
>
> The better solution is to use an autoenrollment solution though. It is
> completely automatic and obviates the need for the web enrollment
> altogether.
> It works just fine on Vista against a Server 2003 CA. This doc tells you
> how
> to configure it:
> http://www.microsoft.com/technet/net...i/ed80211.mspx
>
Thanks , I'll try setting that up tomorrow
--
Alex

New laptop - Sig missing

"Dr Zoidberg" <AlexNOOOO!!!!!!@drzoidberg.co.uk> wrote in message
news:(E-Mail Removed)...
> "Jesper" <(E-Mail Removed)> wrote in message
> news:6E79207A-62E1-4719-A1DC-(E-Mail Removed)...
>> Do you have EAP-TLS set up to authenticate both the computer and the
>> user?
>
> No , just user accounts.
>
>> That would explain why you are failing the authentication. You don't have
>> a
>> computer cert. That also means that you cannot work around the problem by
>> exporting certs from an XP machine unless that XP machine has the same
>> name
>> as the Vista machine you are putting the certs on.
>>
>> The enrollment problem likely stems from the new security infrastructure
>> in
>> Internet Explorer. You need an updated web enrollment tool to acquire
>> certificates using IE7 on Vista. It blocks the common ways to do it on
>> XP.
>>
>> The better solution is to use an autoenrollment solution though. It is
>> completely automatic and obviates the need for the web enrollment
>> altogether.
>> It works just fine on Vista against a Server 2003 CA. This doc tells you
>> how
>> to configure it:
>> http://www.microsoft.com/technet/net...i/ed80211.mspx
>>
> Thanks , I'll try setting that up tomorrow


Just tried to work through this and though I can create a new template with
the appropriate settings , when I go to step 14.


"On the Action menu, point to New, and then click Certificate to Issue. "
it's not there in the list to select - just the other unused predefined
ones.

Any suggestions?

--
Alex

New laptop - Sig missing

On Wed, 19 Sep 2007 11:06:57 +0100, Dr Zoidberg wrote:

> Just tried to work through this and though I can create a new template with
> the appropriate settings , when I go to step 14.
>
>
> "On the Action menu, point to New, and then click Certificate to Issue. "
> it's not there in the list to select - just the other unused predefined
> ones.
>
> Any suggestions?

That means that your CA is running the Standard Edition SKU and can only
issue v1 templates. When you modify an existing template the new template
is a v2 and only a CA running Enterprise or Datacenter can issue
certificates based on v2 templates.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Downtime: Coffee breaks, lunch, or Friday mentality in the office.

"Paul Adare" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Wed, 19 Sep 2007 11:06:57 +0100, Dr Zoidberg wrote:
>
>> Just tried to work through this and though I can create a new template
>> with
>> the appropriate settings , when I go to step 14.
>>
>>
>> "On the Action menu, point to New, and then click Certificate to Issue. "
>> it's not there in the list to select - just the other unused predefined
>> ones.
>>
>> Any suggestions?
>
> That means that your CA is running the Standard Edition SKU and can only
> issue v1 templates. When you modify an existing template the new template
> is a v2 and only a CA running Enterprise or Datacenter can issue
> certificates based on v2 templates.
>

Thanks , that'll be it

--
Alex

New laptop - Sig missing