
IAS with WorkGroup machines


Harindra000

Feb 6, 2008, 3:23:01 PM
I'm using EAP-MSCHAP V2 for WiFi Access using 3Com managed switch as RADIUS
Client. Setup includes in-house CA. AD, IIS, CA and IAS in a single ProLiant
server.

My IAS works all fine for domain computers with AD user accounts.

But, whenever non-domain (Work Group) system tries to connect to my internal
network by using domain credentials; IAS denies it.

Event viewer contains event id 5052 (There is no domain controller available
for domain ...) and 3 (Access request for user domain\ADUser is discarded;
the user account domain can not be accessed) from source IAS.

How can I grant access for my mobile access clients without connecting them
to my domain? (Many of them are vista\xp home)


Your comments are highly appreciated.

FenderAxe

Feb 6, 2008, 9:34:13 PM

Harindra000 <Harin...@discussions.microsoft.com>
wrote in news:21753608-2D29-4888...@microsoft.com:

When you deployed your own CA, domain member computers automatically
received the CA's certificate, which was stored in the certificate stores
for the Local Computer and Current User, in the Trusted Root Certification
Authorities store.

Because domain member computers have that certificate in the cert store,
they trust certificates that are issued by your CA.

To deploy PEAP-MS-CHAPv2 for wireless clients, you must issue server
certificates to IAS servers; after you have done that, the server uses the
certificate during authentication to prove its identity to client
computers. In turn, users provide credentials (user name and password) to
prove their identities to IAS.

When the client computers receive the IAS server certificate, they check
their Trusted Root Certification Authorities cert store to find out if they
trust the CA that issued the server certificate. Your domain member
computers can do this successfully, however any non-domain member computer
that tries to connect cannot accomplish this, because they don't have the
CA certificate in the Trusted Root Certification Authorities cert store.

The solution is to export the CA cert to removable media and then import
the cert into the TRCA store for the Local Computer and Current User on
non-domain member computers.

See the IAS Help topic "Network access authentication and certificates" for
more info.

Harindra000

Apr 24, 2008, 2:48:01 PM

Perfect!

I installed certificates in Client machines and now working all fine!

Khuyen

Jul 21, 2009, 5:56:01 AM
Which is CA Cert (root CA or IAS CA) that I need to export and then import to
wifi client?

Thanks,

Khuyen.

James McIllece [MS]

Jul 21, 2009, 2:24:14 PM

Khuyen <Khu...@discussions.microsoft.com> wrote in
news:1EE9D090-824A-4A37...@microsoft.com:

> Which is CA Cert (root CA or IAS CA) that I need to export and then
> import to wifi client?
>
> Thanks,
>
> Khuyen.
>
>

The CA cert must be in the Trusted Root Certification Authorities store for
the Current User and for the Local Computer on clients.

A couple of things to note:

-- Do not put the IAS cert on the client machines.
-- After importing a cert into the Certificates MMC, do not drag and drop
it to another location in the MMC or the cert will break. If you need to
move a cert to another folder, import it to that location.

HTH --

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
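
Added example, not part of the original posts: a PowerShell sketch of the import step the replies describe, which checks that the exported file really is the root CA certificate (and not the IAS server certificate) before adding it to the Trusted Root Certification Authorities store for the Local Computer and Current User. The file path and the expected thumbprint are placeholders to be replaced with values read on the CA server itself.

```powershell
# Added example. Path and thumbprint are placeholders (assumptions), not values from the thread.
param(
    [string]$CaCertPath = 'E:\inhouse-root-ca.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-CA-SERVER>'
)

function Test-IsRootCaCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A root CA certificate is self-issued: Subject and Issuer are the same name.
    if ($Cert.Subject -ne $Cert.Issuer) { return $false }
    # It must also carry Basic Constraints with CA = TRUE; a server certificate
    # such as the one issued to IAS does not. Certs lacking the extension are refused.
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            return $ext.CertificateAuthority
        }
    }
    return $false
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath

if (-not (Test-IsRootCaCert $cert)) {
    throw "Refusing '$($cert.Subject)': not a self-issued CA certificate (is this the IAS server cert?)."
}
if ($cert.HasPrivateKey) {
    throw 'Refusing: file carries a private key. Export the CA certificate only.'
}
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)."
}

# Add the certificate to Trusted Root Certification Authorities in both locations.
# LocalMachine requires an elevated prompt.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', $location
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    Write-Output "Added $($cert.Thumbprint) to $location\Root"
}
```

Adding to the store through the API counts as an import into that location, so nothing is dragged between folders in the Certificates MMC.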
