IAS with WorkGroup machines
Harindra000
2008-02-06 20:23:01 UTC
I'm using EAP-MSCHAP V2 for WiFi access, using a 3Com managed switch as the RADIUS
client. The setup includes an in-house CA; AD, IIS, CA and IAS are on a single ProLiant
server.

My IAS works all fine for domain computers with AD user accounts.

But, whenever a non-domain (workgroup) system tries to connect to my internal
network using domain credentials, IAS denies it.

Event viewer contains event id 5052 (There is no domain controller available
for domain ...) and 3 (Access request for user domain\ADUser is discarded;
the user account domain can not be accessed) from source IAS.

How can I grant access for my mobile access clients without connecting them
to my domain? (Many of them are Vista/XP Home.)


Your comments are highly appreciated.
FenderAxe
2008-02-07 02:34:13 UTC
Post by Harindra000
I'm using EAP-MSCHAP V2 for WiFi access, using a 3Com managed switch as the
RADIUS client. The setup includes an in-house CA; AD, IIS, CA and IAS are on a
single ProLiant server.
My IAS works all fine for domain computers with AD user accounts.
But, whenever a non-domain (workgroup) system tries to connect to my
internal network using domain credentials, IAS denies it.
Event viewer contains event id 5052 (There is no domain controller
available for domain ...) and 3 (Access request for user domain\ADUser
is discarded; the user account domain can not be accessed) from source
IAS.
How can I grant access for my mobile access clients without connecting
them to my domain? (Many of them are Vista/XP Home.)
Your comments are highly appreciated.
When you deployed your own CA, domain member computers automatically
received the CA's certificate, which was stored in the certificate stores
for the Local Computer and Current User, in the Trusted Root Certification
Authorities store.

Because domain member computers have that certificate in the cert store,
they trust certificates that are issued by your CA.

To deploy PEAP-MS-CHAPv2 for wireless clients, you must issue server
certificates to IAS servers; after you have done that, the server uses the
certificate during authentication to prove its identity to client
computers. In turn, users provide credentials (user name and password) to
prove their identities to IAS.

When the client computers receive the IAS server certificate, they check
their Trusted Root Certification Authorities cert store to find out if they
trust the CA that issued the server certificate. Your domain member
computers can do this successfully; however, any non-domain member computer
that tries to connect cannot accomplish this, because it doesn't have the
CA certificate in the Trusted Root Certification Authorities cert store.

The solution is to export the CA cert to removable media and then import
the cert into the TRCA store for the Local Computer and Current User on
non-domain member computers.

See the IAS Help topic "Network access authentication and certificates" for
more info.
Harindra000
2008-04-24 18:48:01 UTC
Perfect!

I installed the certificates on the client machines and now everything is working fine!
Khuyen
2009-07-21 09:56:01 UTC
Which CA cert (root CA or IAS CA) do I need to export and then import to the
wifi client?

Thanks,

Khuyen.
Post by FenderAxe
Post by Harindra000
I'm using EAP-MSCHAP V2 for WiFi access, using a 3Com managed switch as the
RADIUS client. The setup includes an in-house CA; AD, IIS, CA and IAS are on a
single ProLiant server.
My IAS works all fine for domain computers with AD user accounts.
But, whenever a non-domain (workgroup) system tries to connect to my
internal network using domain credentials, IAS denies it.
Event viewer contains event id 5052 (There is no domain controller
available for domain ...) and 3 (Access request for user domain\ADUser
is discarded; the user account domain can not be accessed) from source
IAS.
How can I grant access for my mobile access clients without connecting
them to my domain? (Many of them are Vista/XP Home.)
Your comments are highly appreciated.
When you deployed your own CA, domain member computers automatically
received the CA's certificate, which was stored in the certificate stores
for the Local Computer and Current User, in the Trusted Root Certification
Authorities store.
Because domain member computers have that certificate in the cert store,
they trust certificates that are issued by your CA.
To deploy PEAP-MS-CHAPv2 for wireless clients, you must issue server
certificates to IAS servers; after you have done that, the server uses the
certificate during authentication to prove its identity to client
computers. In turn, users provide credentials (user name and password) to
prove their identities to IAS.
When the client computers receive the IAS server certificate, they check
their Trusted Root Certification Authorities cert store to find out if they
trust the CA that issued the server certificate. Your domain member
computers can do this successfully; however, any non-domain member computer
that tries to connect cannot accomplish this, because it doesn't have the
CA certificate in the Trusted Root Certification Authorities cert store.
The solution is to export the CA cert to removable media and then import
the cert into the TRCA store for the Local Computer and Current User on
non-domain member computers.
See the IAS Help topic "Network access authentication and certificates" for
more info.
James McIllece [MS]
2009-07-21 18:24:14 UTC
Post by Khuyen
Which CA cert (root CA or IAS CA) do I need to export and then
import to the wifi client?
Thanks,
Khuyen.
The CA cert must be in the Trusted Root Certification Authorities store for
the Current User and for the Local Computer on clients.

A couple of things to note:

-- Do not put the IAS cert on the client machines.
-- After importing a cert into the Certificates MMC, do not drag and drop
it to another location in the MMC or the cert will break. If you need to
move a cert to another folder, import it to that location.

HTH --

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
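The import FenderAxe describes, with the two checks James McIllece's notes call for, as an added PowerShell example that is not part of the thread and not Microsoft's own tooling: it takes the exported CA certificate file (the path below is a placeholder), refuses anything that is not a self-signed CA certificate (so the IAS server certificate cannot be put on a client by mistake), and adds it to the Trusted Root Certification Authorities store for both Local Computer and Current User through the .NET X509Store API rather than by dragging it around in the MMC.

```powershell
# Added example, not from the thread. Imports an exported in-house root CA
# certificate (.cer) into the Trusted Root Certification Authorities store for
# Local Computer and Current User on a workgroup (non-domain) client.
# Assumption: the exported file sits at the placeholder path below; run from an
# elevated prompt, otherwise the LocalMachine store cannot be opened ReadWrite.
param(
    [string]$CertPath = 'C:\temp\InHouseRootCA.cer'   # placeholder path
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Guard 1: the file must be the CA certificate, not the IAS server certificate.
# A root CA certificate is self-signed (Subject equals Issuer); the IAS server
# certificate is issued by the CA, so its Subject and Issuer differ.
if ($cert.Subject -ne $cert.Issuer) {
    throw ("'{0}' was issued by '{1}'. That is an end-entity certificate (for " +
           "example the IAS server's); export the CA certificate instead.") -f $cert.Subject, $cert.Issuer
}

# Guard 2: a real CA certificate asserts CA=TRUE in its Basic Constraints extension.
$bc = $cert.Extensions |
      Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate lacks Basic Constraints CA=TRUE; it does not belong in the Root store.'
}

# Guard 3: an exported .cer carries only the public certificate; refuse anything else.
if ($cert.HasPrivateKey) {
    throw 'This file carries a private key; only the public CA certificate should be distributed.'
}

# Import into Root for both store locations, skipping a store that already has it.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', $location
    $store.Open('ReadWrite')
    try {
        $present = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($present.Count -gt 0) {
            Write-Host ("{0}\Root already contains {1}; skipping." -f $location, $cert.Thumbprint)
        } else {
            $store.Add($cert)
            Write-Host ("Added '{0}' ({1}) to {2}\Root." -f $cert.Subject, $cert.Thumbprint, $location)
        }
    } finally {
        $store.Close()
    }
}

# Verify through the Cert: drive that the thumbprint now resolves in both stores.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    $path = "Cert:\$location\Root\$($cert.Thumbprint)"
    if (Test-Path $path) { Write-Host "OK: $path" } else { Write-Warning "Missing: $path" }
}
```

Run it from an elevated prompt as `.\Import-RootCA.ps1 -CertPath D:\InHouseRootCA.cer` (script name and drive are placeholders); `certutil -addstore Root <file>` and `certutil -user -addstore Root <file>` do the same two imports without the checks. Once the CA certificate is in place, the client's wireless profile should keep "Validate server certificate" enabled with this CA selected: that validation step is what stops the client from handing its MS-CHAPv2 credentials to any RADIUS server whose certificate does not chain to your own CA, which is also why the IAS server's own certificate must never be installed on clients as a trusted root.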