Discussion:
Cisco 1242 AP + 2000 IAS with WPA2
maxximum
2006-07-23 08:18:01 UTC
I have a Cisco 1242 AP that I would like to use with IAS/AD authentication
and force users to have WPA2 encryption. I have installed the WPA2 patch on
my computers and issued a computer cert from our trusted CA to both the PCs
and the IAS box. Whenever I try to connect, the XP PC states that "Windows
was unable to find a certificate to log you on to the network". What are the
settings to make this work? I have been through about 4 different white
papers and each one states something different.
Eric J.
2006-07-27 06:00:41 UTC
Hi,

I think the problem is that you didn't change the registry key for
certificate authentication.

By default, Windows tries to authenticate via user certificate, and so
Windows only looks in the user store for a certificate.

Go to your registry and set up the following:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\EAPOL\PARAMETERS\GENERAL\GLOBAL

and create a DWORD with a value of 2.

That tells Windows to do authentication via machine cert.

Here is the explanation:

· 0 - Computer authentication mode. If computer authentication is
successful, no user authentication is attempted. If the user logon is
successful before computer authentication, user authentication is
performed. This is the default setting for Windows XP (prior to Service
Pack 1).
· 1 - Computer authentication with re-authentication. If computer
authentication is successful, a subsequent user logon results in a
re-authentication with user credentials. The user logon has to complete
in 60 seconds or the existing network connectivity is terminated. The
user credentials are used for subsequent authentication or
re-authentication. Computer authentication is not attempted again until
the user logs off the computer. This is the default setting for Windows
XP Service Pack 1 (SP1) and Windows Server 2003.
· 2 - Computer authentication only. When a user logs on, it has no
effect on the connection. Only computer authentication is performed.
The exception to this behavior is when a user successfully logs on, and
then roams between wireless APs. In that case, user authentication is
performed. For changes to this setting to take effect, restart the
Wireless Zero Configuration service for Windows XP or Windows Server
2003.


Hope that was what you were looking for

Greetz Eric
Roostermiester
2008-06-06 20:38:03 UTC
The full key is:
HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode=2
The machine must be rebooted for it to be effective.
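
Added example, not code from any poster in this thread: a PowerShell script that reads the AuthMode value named above, lists certificates in the computer store that could satisfy machine authentication, and sets AuthMode to 2 if needed. It assumes PowerShell is installed on the client, an elevated prompt, that the Wireless Zero Configuration service name is WZCSVC, and that a usable certificate must have a private key and the Client Authentication EKU.

```powershell
# Added example: audit and set the 802.1X AuthMode value discussed in this thread.
$KeyPath       = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$ValueName     = 'AuthMode'
$Wanted        = 2                      # 2 = computer authentication only
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU (assumed requirement)

# Meanings as listed in the thread
$Meaning = @{
    0 = 'Computer authentication mode'
    1 = 'Computer authentication with re-authentication'
    2 = 'Computer authentication only'
}

function Get-AuthMode {
    # Returns the DWORD, or $null when the value (or key) does not exist
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item) { [int]$item.$ValueName } else { $null }
}

function Get-MachineClientCert {
    # Machine authentication reads the computer store, not the user store
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $cert = $_
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date) -and $eku -and
            ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }
}

$current = Get-AuthMode
if ($current -eq $null) { 'AuthMode is not set (OS default applies)' }
else { "AuthMode = $current ($($Meaning[$current]))" }

$certs = @(Get-MachineClientCert)
"Usable machine certificates in LocalMachine\My: $($certs.Count)"
$certs | ForEach-Object { "  $($_.Subject)  expires $($_.NotAfter)" }

if ($current -ne $Wanted) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Wanted -Force | Out-Null
    # The thread gives two ways to apply the change: restart the Wireless Zero
    # Configuration service, or reboot. WZCSVC is the assumed service name.
    Restart-Service -Name WZCSVC
    "AuthMode set to $Wanted; reboot if the new mode is not picked up."
}
```

A count of zero usable certificates points to the computer store as the place to look before changing AuthMode.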