EAP-TLS authentication in Win2003 Standard Edition

Discussion in 'Windows Networking' started by Al, Oct 16, 2006.

  1. Al

    Al Guest

    Hi Folks.

    In our AD we have 2 domain controllers (PDC & BDC), both running 2003
    Standard Edition. We want to deploy a secure wireless network using
    certificates for users and computers. The problem is that when I try to issue
    a user certificate (CA installed on the PDC), it always shows the
    Administrator as the user. I have read tons of documents regarding this
subject, but most of them talk about autoenrollment in a 2003 server
    Enterprise Edition. Is it possible to implement EAP-TLS authentication in a
    2003 Standard Edition?

    Thanks in advance.

    Regards,


    Alvaro Motta
     
    Al, Oct 16, 2006
    #1

  2. Hi Alvaro,

Windows Server 2003 Standard Edition does not issue version 2 certificate
    templates, which are required to autoenroll certificates. You need to either
    use the certificates snap-in, or web enrollment to request a certificate.
    You will need to request the certificate on the client using the certificate
    request wizard or web enrollment, and (depending on user rights) approve the
    certificate to be issued on the CA using the certificate authority snap-in.
    See the link below for instructions on how to use the certificate request
wizard and web enrollment.

    http://support.microsoft.com/kb/895433/en-us

    I hope this helps!
     
    Greg Lindsay [MSFT], Oct 16, 2006
    #2

  3. Al

    Al Guest

    Hi Greg, thanks for your reply.

    I already have the whole thing in place.

    I was goofing, since I was requesting the certificate logged in as
    Administrator. I only realized that when I tried the request using the
    snap-in.

    Once again, thanks for your time and have a good one.

     
    Al, Oct 16, 2006
    #3
  4. Cool, I'm glad you figured it out =)

    --
    Greg Lindsay [MSFT]

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.

     
    Greg Lindsay [MSFT], Oct 16, 2006
    #4
  5. Al

    Al Guest

    Hi Greg.

    I have a few additional questions, that I hope you don't mind answering.

    1 - Every 3 minutes there is an entry in system log (source IAS) stating
    that the user has been granted access. Where do I need to modify in order to
    avoid this re-authentication or where to configure the re-authentication
interval? Don't know even if it's possible.

    2 - When I reboot the wireless client (or even when the wireless user logs
    off), an entry is written to system log (source IAS) stating: the user
attempted to use an authentication method that is not enabled on the matching
    remote access policy.
    Any idea on how to get rid of this one?

    3 - Even after modifying the ValidityPeriodUnits of the certificates
    (through regedit), the user and the computer certificates are issued with a
    validity period of one year (I know that this 1 year is the default value).
    Is there any other way around in order to have the certificates generated
with longer validity periods?


    Hope I am not bothering you too much.


    Thanks for your time.


    Regards,

    AL
     
    Al, Oct 17, 2006
    #5
  6. 1) The re-authentication is probably happening on your wireless AP. Check
    for a setting there.
    2) I'm just guessing here, but make sure your IAS policy allows Domain
    computers as well as Domain users.
    3) After you modify the validity period, particularly if you did it with
    registry settings, you need to restart the CA. Did you do this?

    I hope this helps.
     
    Greg Lindsay [MSFT], Oct 18, 2006
    #6
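The validity-period change from question 3 and the CA restart from reply #6, written out as a command sequence. This is an added example, not something posted in the thread; it assumes the default CA service name `certsvc`, that `certutil.exe` is available on the CA (it ships with Windows Server 2003), and a target lifetime of two years, which is a constructed value for illustration.

```powershell
# Added example, not from the thread. Assumes the CA service is named certsvc
# (the default) and that certutil.exe is on the PATH of the CA server.

# 1. Show the cap the CA currently enforces on issued certificate lifetime.
#    ValidityPeriod is the unit ("Years", "Months", ...), ValidityPeriodUnits the count.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits

# 2. Raise the cap to two years (2 is a constructed example value).
#    This writes the same values the thread edited by hand under
#    HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA name>.
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits 2

# 3. The CA reads these values only at service start, so restart it
#    (the step reply #6 asks about). Works the same from cmd.exe.
net stop certsvc
net start certsvc

# 4. Confirm the running CA now reports the new cap before issuing anything.
certutil -getreg ca\ValidityPeriod
certutil -getreg ca\ValidityPeriodUnits
```

Two caveats a practitioner should check before concluding the registry change "did not work". On an enterprise CA the registry value is only an upper bound: the certificate's lifetime is the shorter of that cap and the template's own validity, and the version 1 User and Computer templates, the only kind a Standard Edition CA can issue, carry a fixed one-year lifetime that this setting cannot extend. And whatever lifetime you settle on, a longer one keeps a lost or compromised key trusted for longer unless it is revoked, so confirm CRL publishing is working and reachable by the IAS server before lengthening certificates.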
