MadPAM
2008-07-10 12:41:01 UTC
Hi,
we have an issue with Radius and EAP-TLS which we can't seem to be able to
work out. Maybe somebody here has an idea.
We have 2 domains on 2003 standard edition running in our test environment.
Clients are running Windows XP SP3. The domain controllers of both domains
have an Enterprise Root CA installed on them. Both issue computer
certificates (standard template) via Group Policy to all domain members as
well as the cert of the root CA into the TRCA. In Domain2 the cert of Domain1
is also distributed via GP to the TRCA of the clients.
Domain1 runs a Radius server to do authentication for wired 802.1x. The
AuthMode for the clients is set to "machine". The certs of the root CA for
domain1 and domain2 were imported into the TRCA of the local computer store
(via GP) of the clients in domain2.
When a machine from domain1 tries to authenticate everything works fine.
When a machine from domain2 tries to authenticate we get an error in the
event log of the radius server: EventID 2, Source IAS, Reason Code 295, A
Certificate chain processed correctly, but one of the CA certificates is not
trusted by the policy provider.
We have created a separate "Connection Request Policy" for clients from
domain2 with a Find/Replace rule that replaces the subject with a known user
id from domain1 that we mapped the certificate of domain2 to (Many-to-One -
trusting the issuer of the cert).
Looking at the error message it seems as if IAS gets past this Connection
Request.
Then we have a "Remote Access Policy" which checks if the user is a member
of a specific group. And this seems to be the place where it fails (we see
the Policy-Name in the error message).
For test purposes we have taken off the "Windows-Groups" condition on the
Remote Access Policy and sure enough it goes to the next policy (and of
course fails it - works as designed).
We have checked the cert store of the local computer of the Radius server
and the service account for IAS, and it contains the root CA cert from
domain1 (which it is a member of) and domain2.
Exported and looked at from the Radius server the client cert of domain2
checks out fine - no error messages.
So, just to reiterate, EAP-TLS authentication is working for the "local" CA
(domain1) - but not for the third-party CA (domain2).
Any help would be much appreciated!
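Added check, not part of the original post: the event text quoted above ("A certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider") is the message for CERT_E_UNTRUSTEDCA, which Windows returns when a CA in the chain is absent from the Enterprise NTAuth store; membership of the machine Trusted Root store alone does not satisfy that check. The script below, run on the IAS server, builds the chain for an exported domain2 client certificate and reports which CAs in that chain are published in NTAuth. The certificate path is an assumption.

```powershell
# Added example (not from the original post). Run on the Radius/IAS server.
# Builds the chain of an exported domain2 client cert and checks each CA in the
# chain against the forest's NTAuthCertificates object. The path is assumed.
param(
    [string]$ClientCertPath = 'C:\temp\domain2-client.cer'   # assumed path
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$clientCert = New-Object "$x509.X509Certificate2" $ClientCertPath

# Build the chain in the local machine context. Revocation checking is
# disabled here so that CRL reachability does not mask a pure trust problem.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($clientCert)
"Chain built in local Root/CA stores: $built"
foreach ($s in $chain.ChainStatus) {
    "  chain status: $($s.Status) - $($s.StatusInformation)"
}

# Read the Enterprise NTAuth store from the Configuration naming context.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$ntAuthDn = "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
$ntAuth   = [ADSI]"LDAP://$ntAuthDn"

# cACertificate is multi-valued; each value is the DER bytes of one CA cert.
$ntAuthThumbs = @()
foreach ($raw in $ntAuth.Properties['cACertificate']) {
    $ca = New-Object "$x509.X509Certificate2" -ArgumentList (,[byte[]]$raw)
    $ntAuthThumbs += $ca.Thumbprint
}

# Element 0 is the client (leaf) cert; every element above it is a CA that
# IAS expects to find in NTAuth before it will map the cert to an account.
for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
    $ca = $chain.ChainElements[$i].Certificate
    $inNtAuth = $ntAuthThumbs -contains $ca.Thumbprint
    "  CA '$($ca.Subject)' ($($ca.Thumbprint)) in NTAuth: $inNtAuth"
}

# A CA reported as False here is the one the "policy provider" rejects. It can
# be published with:  certutil -dspublish -f <ca-cert.cer> NTAuthCA
# Publishing to NTAuth is a forest-wide trust decision: any certificate that
# CA issues then becomes eligible for mapping to domain accounts, so publish
# only the specific issuing CA that is meant to be trusted for this purpose.
```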