How to implement PEAP-EAP-TLS authentication?

Discussion in 'Wireless Networks' started by Edward W. Ray, May 6, 2005.

  1. I always use PEAP-EAP-MSCHAPv2 on my Windows 2003 IAS for wireless
    authentication.

    I already have a two-tier CA infrastructure, and my clients all have
    certificates for workstation, user and IPSec authentication. No Smart Cards
    yet.

    How do I go about getting the IAS/RADIUS server to recognize my workstation
    on my client? Right now it rejects the request; only MSCHAPv2 works. How
    do I make use of my existing certificates for WLAN authentication?

    Thanks in advance.

    Ed
     
    Edward W. Ray, May 6, 2005
    #1

  2. http://www.microsoft.com/wifi has some info

    http://www.microsoft.com/vpn may be helpful too.

    Basically, it's the same as PEAP except:

    1. each user must have a valid certificate for user auth
    2. each machine must have a valid certificate for machine auth
    3. you must enable EAP-TLS in the IAS policy
    4. you must set the client to use EAP-TLS
    5. the IAS server must have valid certs (server certs)

    By "valid" I mean that the certs chain properly and that the CA certs needed
    for validation are present. EAP-TLS is cert-based, so properly deploying it
    is more of a PKI-thing.

    If your certs are standard issue from a Windows-based CA, it should be
    usable for wireless and it should all work smoothly - same as PEAP.
    Certificates are best for domain-joined machines - if you have machines in
    other domains or workgroup machines you'll probably still want to use PEAP.

    If you can be more specific about what happens when the request is rejected,
    I can give you more specific solutions. Does IAS just deny authentication or
    does it drop the packets or something?

    There is also a microsoft.public.internet.radius newsgroup that might help
    you answer IAS questions.
     
    Carl DaVault [MSFT], May 6, 2005
    #2
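The five points above (and the "valid" definition that follows them) can be checked from the client before touching IAS. The script below is an added example, not code from this thread or from Microsoft: it walks the machine and user certificate stores on a current Windows domain member and reports, for each certificate, whether it would pass the checks IAS applies for the "Smart Card or other certificate" EAP type. Assumptions not stated in the thread: the Client Authentication EKU (1.3.6.1.5.5.7.3.2) is what the client-side policy requires, the Server Authentication EKU (1.3.6.1.5.5.7.3.1) is what the IAS server certificate needs, and the stores are `Cert:\LocalMachine\My` and `Cert:\CurrentUser\My`. The EKU check is listed first because an EKU or issuance-policy mismatch is exactly what IAS reports as Reason-Code 73 later in this thread.

```powershell
# Added example (not part of the thread): check whether local certificates are usable
# for EAP-TLS wireless authentication. Assumptions: the Client Authentication EKU
# (1.3.6.1.5.5.7.3.2) is required on machine/user certs and Server Authentication
# (1.3.6.1.5.5.7.3.1) on the IAS server cert; the store paths are the standard ones.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        # Which EKU the RADIUS policy will look for: client (default) or server role.
        [string]$ExpectedEku = $ClientAuthOid
    )

    # 1. Extended Key Usage (OID 2.5.29.37). A mismatch here is what IAS logs as
    #    Reason-Code 73, so test it before the chain.
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) {
        $decoded = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension(
            $ekuExt, $ekuExt.Critical)
        $ekus = @($decoded.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    # Per RFC 5280 a certificate without an EKU extension is valid for any purpose.
    $ekuOk = ($ekus.Count -eq 0) -or ($ekus -contains $ExpectedEku)

    # 2. Chain validation the way the authenticating server does it: the chain must
    #    build to a trusted root present on this machine, and the application policy
    #    is enforced along the whole chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.ChainPolicy.ApplicationPolicy.Add(
        [System.Security.Cryptography.Oid]$ExpectedEku)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($Certificate)
    $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # 3. Without the private key the TLS handshake cannot produce the
    #    CertificateVerify signature, so the cert is useless for EAP-TLS.
    [pscustomobject]@{
        Subject         = $Certificate.Subject
        Issuer          = $Certificate.Issuer
        NotAfter        = $Certificate.NotAfter
        HasPrivateKey   = $Certificate.HasPrivateKey
        EKUs            = ($ekus -join ', ')
        ExpectedEkuOk   = $ekuOk
        ChainValid      = $chainOk
        ChainStatus     = ($chainStatus -join ', ')
        UsableForEapTls = ($ekuOk -and $chainOk -and $Certificate.HasPrivateKey)
    }
}

# Machine certificate: presented when the machine authenticates (before logon).
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsCertificate -Certificate $_ } |
    Format-Table Subject, NotAfter, HasPrivateKey, ExpectedEkuOk, ChainValid, UsableForEapTls -AutoSize

# User certificate: presented after logon (the one a "Wireless Users" policy sees).
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-EapTlsCertificate -Certificate $_ } |
    Format-Table Subject, NotAfter, HasPrivateKey, ExpectedEkuOk, ChainValid, UsableForEapTls -AutoSize

# On the IAS server itself, run the same check for the server role (point 5 above):
# Get-ChildItem Cert:\LocalMachine\My |
#     ForEach-Object { Test-EapTlsCertificate -Certificate $_ -ExpectedEku $ServerAuthOid }
```

Any row with `ExpectedEkuOk` false is the case IAS rejects with Reason-Code 73; a row with `ChainValid` false and a `ChainStatus` such as `UntrustedRoot` or `RevocationStatusUnknown` points at the "CA certs needed for validation are present" part of the definition above rather than at the policy.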

  3. I have a valid workstation certificate, as well as a user certificate issued
    by a Windows 2003 enterprise subordinate CA. I verified this on my client
    via mmc->certificates->personal.

    From windump packet logs, it rejects the request when I set up for
    PEAP-EAP-TLS. On both XP wireless setup and IAS, the server certificate
    used is the enterprise sub CA. Since my IPSec works with certificate
    authentication, I know my certificates are valid. Autoenrollment is set for
    Workstation, Computer, and User certificates in GPO.

    Ed
     
    Edward W. Ray, May 6, 2005
    #3
  4. My computer authentication request via cert worked fine, but user auth
    failed, see below:

    __________________________________________________________________________________________________________________________

    Event Type: Information
    Event Source: IAS
    Event Category: None
    Event ID: 1
    Date: 5/6/2005
    Time: 2:02:59 PM
    User: N/A
    Computer: BLACKDOG
    Description:
    User host/eraylap.mmicmanhomenet.local was granted access.
    Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/ERAYLAP
    NAS-IP-Address = 192.168.1.254
    NAS-Identifier = 0012177af760
    Client-Friendly-Name = hunglikethor
    Client-IP-Address = 192.168.1.254
    Calling-Station-Identifier = 0012173570c2
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 7
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Computers
    Authentication-Type = PEAP
    EAP-Type = Smart Card or other certificate

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....



    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 5/6/2005
    Time: 1:57:48 PM
    User: N/A
    Computer: BLACKDOG
    Description:
    User was denied access.
    Fully-Qualified-User-Name = mmicmanhomenet.local/Windows XP Laptops/Edward
    W. Ray
    NAS-IP-Address = 192.168.1.254
    NAS-Identifier = 0012177af760
    Called-Station-Identifier = 0012177af760
    Calling-Station-Identifier = 0012173570c2
    Client-Friendly-Name = hunglikethor
    Client-IP-Address = 192.168.1.254
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 7
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Users
    Authentication-Type = PEAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 73
    Reason = The user attempted to authenticate using a certificate with an
    Extended Key Usage or Issuance Policy that is not allowed by the matching
    remote access policy.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00 ....
    ______________________________________________________________________________________________________________________________________________

    I deleted then re-established my Wireless User policy, and the link was
    established. Strange....

    Thanks for your help!

    Edward W. Ray
    CISSP, MCSE 2003+Security, P.E., SANS GCIA, SANS GCIH
     
    Edward W. Ray, May 6, 2005
    #4
  5. 
    Were you able to get this to work? Does IAS have to go on a 2003 DC?
     
    Jobe Gates, May 26, 2005
    #5