
MS IAS service in PEAP environment


kc

Aug 15, 2003, 5:56:34 AM

I just want to use the MS Windows 2000 IAS service to show my boss how
this service can be used as a wireless authentication server.

I played with it for a while. My question is this: my demo is very simple. One
PC sits behind an AP, and one notebook tries to connect wirelessly to this
PC through the AP, using PEAP authentication. What I want to do is to
group the PC and the notebook into one workgroup, install the IAS service
and certificate service on this PC, get a certificate for this PC, and
install the root CA certificate and IAS server certificate on this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish this job?

Appreciate any suggestions/comments from this group.

KC

Wajihy [MSFT]

Aug 15, 2003, 1:16:22 PM

You can do it both ways:

Without installing an AD: add a local user to the IAS server and use that
user to connect from the client (don't forget, in the wireless configuration
of the client, to uncheck the "use winlogon credentials" option). You can also
install the CA on the IAS server.

With an AD: in this case you will use a domain user.

Let me know if you need more help.

--

This posting is provided "AS IS", with NO warranties and confers NO rights
"kc" <shi...@ms8.hinet.net> wrote in message
news:2a088c26.03081...@posting.google.com...

kc

Aug 18, 2003, 4:41:08 AM

"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<uSSH1D1Y...@TK2MSFTNGP10.phx.gbl>...

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show the user that the
current wireless connection is in 802.1x condition when users use the
Windows 2000 802.1x client?

Wajihy [MSFT]

Aug 18, 2003, 3:10:28 PM

If you mean from the client side, the user will be prompted to enter his
credentials before getting access to the network.

kc

Aug 30, 2003, 10:01:53 PM

I installed IAS and certificate service on one PC. I can request a
certificate by using //server/certsrv and specifying "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy:

double-click the wireless policy
click edit profile
click the authentication tab
check the EAP check box
click configure

the error message shows up:
"A certificate could not be found that can be used with this EAP"

I also have a problem getting a certificate from the certificate console:
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC

"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<ejIzhxbZ...@TK2MSFTNGP09.phx.gbl>...

Wajihy [MSFT]

Aug 31, 2003, 9:52:28 PM

Is it a stand-alone CA or an enterprise CA?

--

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

"kc" <shi...@ms8.hinet.net> wrote in message

news:2a088c26.03083...@posting.google.com...

kc

Sep 1, 2003, 5:30:36 AM

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<O$LBAvCcD...@TK2MSFTNGP11.phx.gbl>...

Wajihy [MSFT]

Sep 2, 2003, 11:33:42 AM

With a stand-alone CA, here is how you request the cert:

Log in as a member of the local administrators on the machine

Open the cert web page (on your stand-alone CA)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME field, put the FQDN of your machine

In the type of certificate needed, select computer certificate (shows as
"Server authentication Certificate")

In the CSP, select "Microsoft RSA SChannel Cryptographic Provider"

Check "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit

"kc" <shi...@ms8.hinet.net> wrote in message

news:2a088c26.0309...@posting.google.com...

kc

Sep 8, 2003, 1:33:06 AM

I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstalled the Windows 2000 server and upgraded it to SP4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate service work well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<Or45YeWc...@TK2MSFTNGP10.phx.gbl>...

Wajihy [MSFT]

Sep 8, 2003, 1:55:04 AM

It is weird, because we have tried it and it works:
PEAP MS-CHAP v2 using a stand-alone CA.
I have tried it using Windows 2003.
I will try using Windows 2000 and get back to you (if you already have
Windows 2003, give it a shot and let me know the result).

"kc" <shi...@ms8.hinet.net> wrote in message

news:2a088c26.03090...@posting.google.com...

kc

Sep 8, 2003, 9:33:36 AM

Thanks for your quick reply.

I finally got it working. The problem was that the hard disk was
formatted as FAT32. After I converted it to NTFS, the problem was
gone.

Thanks for your help.

"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<OiZgB3cd...@TK2MSFTNGP10.phx.gbl>...

kc

Sep 9, 2003, 11:25:41 AM

Here is another simple scenario:

One PC has Windows 2000 SP4, IAS, and certificate service installed. The PC
is configured as a DC. There is one AP (supporting WPA) and one notebook.

domain name: mydomain.com

notebook name: compaq1

one user name: kc

Add compaq1 and kc to AD.

Create a wireless user group, and add compaq1 and kc to this group.

Create a wireless group policy.

IAS successfully authenticates user kc, and kc can wirelessly connect
to the Internet through IAS authentication.

When looking at the log file through IAS Log Viewer, I found that IAS
also authenticates the computer (it shows the user name as
host/compaq1.mydomain.com). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect on a user connecting to
the wired network.

Any comments?


"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<OiZgB3cd...@TK2MSFTNGP10.phx.gbl>...

Wajihy [MSFT]

Sep 9, 2003, 1:20:24 PM

Glad to hear that it worked for you.

Wajihy [MSFT]

Sep 9, 2003, 1:20:07 PM

Are you using EAP-TLS or PEAP?

kc

Sep 9, 2003, 9:44:58 PM

PEAP


"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<OHvKgavd...@TK2MSFTNGP11.phx.gbl>...

Wajihy [MSFT]

Sep 12, 2003, 11:41:01 AM

Do you see 2 events, one for the machine and one for the username, or only
one, the access reject for the machine?

kc

Sep 14, 2003, 3:43:35 AM

Your question gives me some hints.

There are 2 events, one for the machine and one for the username. If
I uncheck AUTHENTICATE AS COMPUTER WHEN COMPUTER INFORMATION IS
AVAILABLE in the 802.1x client, then no machine is authenticated.

Checking or unchecking this box has no effect on PEAP authentication.
When should I select AUTHENTICATE AS COMPUTER WHEN COMPUTER
INFORMATION IS AVAILABLE?

And in what situation should I select AUTHENTICATE AS GUEST WHEN USER
OR COMPUTER INFORMATION IS UNAVAILABLE?

"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<eNqhERUe...@TK2MSFTNGP11.phx.gbl>...

Wajihy [MSFT]

Sep 14, 2003, 5:43:12 PM

You should check "authenticate as computer when computer ..." if you
want to do machine auth,
and you should enable "authenticate as guest when user or ..." if you want
the client to connect as guest (after 3 failed auths, if this option is
checked and if the guest account is enabled on the AD, the client will
connect as guest).

kc

Sep 16, 2003, 4:32:01 AM

But even though I check "authenticate as computer when computer
...", I can still get connected and use the resources in the wired
section when the machine authentication fails and the user
authentication succeeds.

Checking this box seems meaningless.

"Wajihy [MSFT]" <waj...@online.microsoft.com> wrote in message news:<#WtQvkwe...@TK2MSFTNGP12.phx.gbl>...

Wajihy [MSFT]

Sep 16, 2003, 11:23:18 AM

You will check it if you want to do machine auth first, and if it fails it
falls back to user auth.

"kc" <shi...@ms8.hinet.net> wrote in message

news:2a088c26.03091...@posting.google.com...
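
An added example, not part of any post in this thread: a small Python check for the situation discussed above, where the computer authentication (host/compaq1.mydomain.com) is rejected with IAS_NO_SUCH_USER and the user authentication from the same client then succeeds. It reads a constructed, simplified CSV rather than the native IAS log format; the column layout, the MAC addresses, the IAS_SUCCESS reason text and the extra host and user names are assumptions.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample in a simplified CSV layout (not the native IAS log format):
# time, calling station (made-up MACs), User-Name, result, reason.
SAMPLE_LOG = """\
2003-09-09 11:02:10,00-00-5E-00-53-01,host/compaq1.mydomain.com,Access-Reject,IAS_NO_SUCH_USER
2003-09-09 11:02:25,00-00-5E-00-53-01,kc,Access-Accept,IAS_SUCCESS
2003-09-09 11:05:00,00-00-5E-00-53-02,host/laptop2.mydomain.com,Access-Accept,IAS_SUCCESS
2003-09-09 11:05:12,00-00-5E-00-53-02,user2,Access-Accept,IAS_SUCCESS
2003-09-09 11:09:40,00-00-5E-00-53-03,host/laptop3.mydomain.com,Access-Reject,IAS_NO_SUCH_USER
"""

FIELDS = ["time", "station", "user_name", "result", "reason"]

def parse(text):
    """Turn the simplified CSV into dicts with a real datetime, oldest first."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return sorted(rows, key=lambda r: r["time"])

def is_machine(user_name):
    """Computer accounts show up as host/<FQDN>, as in the thread."""
    return user_name.lower().startswith("host/")

def user_fallbacks(rows, window=timedelta(minutes=2)):
    """Return (station, machine, user) where a rejected machine auth was
    followed within `window` by an accepted user auth from the same station."""
    pending = {}  # station -> most recent rejected machine attempt
    hits = []
    for r in rows:
        if is_machine(r["user_name"]):
            if r["result"] == "Access-Reject":
                pending[r["station"]] = r
            else:
                pending.pop(r["station"], None)  # machine auth succeeded
        elif r["result"] == "Access-Accept" and r["station"] in pending:
            m = pending.pop(r["station"])
            if r["time"] - m["time"] <= window:
                hits.append((r["station"], m["user_name"], r["user_name"]))
    return hits

if __name__ == "__main__":
    for station, machine, user in user_fallbacks(parse(SAMPLE_LOG)):
        print(f"{station}: {machine} rejected, then {user} accepted")
```

Only the first station is reported: the second passed machine authentication, and the third never followed its rejected machine attempt with a user logon.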
