EAP-TLS Radius problem
MadPAM
2008-07-10 12:41:01 UTC
Hi,
we have an issue with Radius and EAP-TLS which we can't seem to be able to
work out. Maybe somebody here has an idea.

We have 2 domains on 2003 standard edition running in our test environment.
Clients are running Windows XP SP3. The domain controllers of both domains
have an Enterprise Root CA installed on them. Both issue computer
certificates (standard template) via Group Policy to all domain members as
well as the cert of the root CA into the TRCA. In Domain2 the cert of Domain1
is also distributed via GP to the TRCA of the clients.

Domain1 runs a Radius server to do authentication for wired 802.1x. The
AuthMode for the clients is set to "machine". The certs of the root CA for
domain1 and domain2 were imported into the TRCA of the local computer store
(via GP) of the clients in domain2.

When a machine from domain1 tries to authenticate everything works fine.
When a machine from domain2 tries to authenticate we get an error in the
event log of the radius server: EventID 2, Source IAS, Reason Code 295, A
Certificate chain processed correctly, but one of the CA certificates is not
trusted by the policy provider.
We have created a separate "Connection Request Policy" for clients from
domain2 with a Find/Replace rule that replaces the subject with a known user
id from domain1 that we mapped the certificate of domain2 to (Many-to-One -
trusting the issuer of the cert).
Looking at the error message it seems as if IAS gets past this Connection
Request.
Then we have a "Remote Access Policy" which checks if the user is a member
of a specific group. And this seems to be the place where it fails (we see
the Policy-Name in the error message).
For test purposes we have taken off the "Windows-Groups" condition on the
Remote Access Policy and sure enough it goes to the next policy (and of
course fails it - works as designed).
We have checked the cert store of the local computer of the Radius server
and the service account for IAS, and it contains the root CA cert from
domain1 (which it is a member of) and domain2.
Exported and looked at from the Radius server the client cert of domain2
checks out fine - no error messages.

So, just to reiterate, EAP-TLS authentication is working for the "local" CA
(domain1) - but not for the third-party CA (domain2).

Any help would be much appreciated!
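As an added diagnostic for the situation above (this is not from the original post): the event text quoted, "A certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider", is the CryptoAPI description of CERT_E_UNTRUSTEDCA, so the useful question on the Radius server is which link of the chain its policy rejects and under which policy. The PowerShell script below builds the chain of the exported domain2 client certificate the way the EAP-TLS server side does, requiring the Client Authentication EKU, prints the status of every link, and confirms the root sits in the computer's Root store rather than only the current user's. The file path is an assumption, and the script assumes PowerShell 2.0 or later is installed on the IAS server (it is not present by default on Windows Server 2003).

```powershell
# Added diagnostic, not part of the original post. Run on the IAS server from
# an administrative console. Assumes the domain2 client certificate was
# exported (public part only) to the path below; adjust it to your own file.
$certPath = 'C:\temp\domain2-client.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# 1. Build the chain requiring the Client Authentication EKU, which EAP-TLS
#    demands of client certificates. Revocation checking is disabled here on
#    purpose so a trust problem is not hidden behind an unreachable CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$clientAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$chain.ChainPolicy.ApplicationPolicy.Add($clientAuth) | Out-Null
$built = $chain.Build($cert)
"Chain builds under the clientAuth policy: $built"

# 2. Print every element with its status so the failing link is obvious.
#    An empty status list means CryptoAPI had no complaint about that cert.
foreach ($el in $chain.ChainElements) {
    if ($el.ChainElementStatus.Count -eq 0) {
        $status = 'OK'
    } else {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
    '  {0}' -f $el.Certificate.Subject
    '      status: {0}' -f $status
}

# 3. Confirm the root the chain ends at is in the computer's Root store (the
#    store IAS uses), and not only in the current user's store.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
"Root '$($root.Subject)' present in LocalMachine\Root: $([bool]$inMachineRoot)"

# 4. List the EKUs the client cert carries. If clientAuth is missing, step 1
#    reports NotValidForUsage even though the chain itself is trusted.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($ekuExt) {
    'EKUs: ' + (($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ')
} else {
    'EKUs: none (certificate is not restricted by EKU)'
}
```

Run it once with a domain1 client certificate and once with a domain2 one; the two outputs should differ only in the issuer line if the Root store is the only thing that matters. If the chain builds cleanly for domain2 and IAS still logs reason 295, one more store is worth checking beyond what the thread covers: `certutil -enterprise -store NTAuth` lists the CAs in the forest's NTAuth store, which Windows consults in addition to the Root store when it maps a certificate to a domain account.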
James McIllece [MS]
2008-07-10 19:26:09 UTC
It sounds like what you're trying to do is provide access to members of
both domains through the same 802.1X switch using a single IAS server that
is a member of Domain 1.

In this circumstance you have two choices to allow IAS to authenticate and
authorize the connection requests for both domains:

1. Domain 1 and Domain 2 have a two-way trust relationship.
2. The IAS server in Domain 1 forwards connection requests to a remote
RADIUS server in Domain 2 for processing when the requests come from
members of Domain 2.

In other words, if the domains do not have a two-way trust relationship,
IAS in domain 1 cannot process connection requests for members of Domain 2.
In that circumstance IAS must be configured as a proxy to forward
connection requests to another IAS server that is a Domain 2 member.

Also, even with a two way trust, ensure that the IAS server is registered
in Domain 2. (I.e. the IAS server must be a member of the RAS and IAS
Servers group in AD Users and Computers in Domain 2).
*******************************

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
MadPAM
2008-07-15 07:22:05 UTC
James,

many thanks for your reply.

Do I understand you correctly that with IAS it is not possible to process
connection requests for any client that is not in the same domain or in a
domain that has a two-way trust relationship to the domain that the IAS
server is in? Respectively has an account in the local SAM for standalone
IAS servers?

That seems like a pretty heavy limitation...

MadPAM
FenderAxe
2008-07-18 21:03:10 UTC
Check this out:

Authentication across forests
http://technet2.microsoft.com/windowsserver/en/library/59d6c77b-dcc3-4656-b498-a537904f4df41033.mspx