MS IAS service in PEAP environment

kc

Just want to use the MS Windows 2000 IAS service to show my boss how
this service can be used as a wireless authentication server.

Played with it for a while. My question is that my demo is very simple. One
PC sits behind an AP, and one notebook tries to wirelessly connect to this
PC through the AP, using PEAP authentication. What I want to do is to
group the PC and the notebook into one workgroup, install the IAS service
and certificate service on this PC, get a certificate for this PC, and
install the root CA certificate and IAS server certificate on this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish this job?

Appreciate any suggestions/comments from this group.

KC
 
If you mean from the client side, the user will be prompted to enter his
credentials before getting access to the network.

--

This posting is provided "AS IS", with NO warranties and confers NO rights
kc said:
"Wajihy [MSFT]" <[email protected]> wrote in message
you can do it both ways:
without installing an AD, add a local user to the IAS server and use that
user to connect from the client (don't forget in the wireless configuration
of the client to uncheck the "use winlogon credentials" option); you can also
install the CA on the IAS server

or use it with an AD, in which case you will use a domain user

let me know if you need more help

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show the user that the
current wireless connection is in 802.1x condition when users use
the Windows 2000 802.1x client?
 
I installed IAS and Certificate service on one PC. I can request a
certificate by using //server/certsrv and specifying "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy:

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message shows up:
"A certificate could not be found that can be used with this EAP"

I also have a problem getting a certificate from the certificate console:
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



 
Is it a stand-alone CA or an enterprise CA?

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

 
It is a stand alone CA running Windows 2000 Server SP4.

 
With a stand-alone CA, here is how you request the cert:
Log in as a member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select Request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME field put the FQDN of your machine

In the type of certificate needed select computer certificate (shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



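A check for the outcome of the request steps above, as an added example that is not part of the thread and not Microsoft's code: it lists the certificates in the local computer store and reports, for each one, whether it carries the Server Authentication EKU, has a private key, has a subject matching the machine name and is inside its validity period. It also reports the file system of the system drive, which is the cause kc reports later in this thread. It assumes a Windows host with PowerShell 5.1 or later (not available on the Windows 2000 systems discussed here); the function names are hypothetical.

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Assumes Windows with PowerShell 5.1+ and read access to Cert:\LocalMachine\My.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth ("Server Authentication")

function Get-LocalFqdn {
    # Host name plus primary DNS suffix; in a workgroup the suffix may be empty.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ($ip.DomainName) { return "$($ip.HostName).$($ip.DomainName)" }
    return $ip.HostName
}

function Get-SystemDriveFormat {
    # Returns e.g. "NTFS" or "FAT32" for the drive that holds Windows.
    $drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList "${env:SystemDrive}\"
    return $drive.DriveFormat
}

function Test-PeapServerCertificate {
    param(
        # Name expected in the subject (the NAME field in the request steps).
        [string]$ExpectedName = (Get-LocalFqdn),
        # "Store Certificate in Local computer certificate store".
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect the EKU OIDs. A certificate without an EKU extension is
        # treated here as NOT matching, because the steps ask for a
        # Server Authentication certificate explicitly (assumption).
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        $nameType    = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $subjectName = $cert.GetNameInfo($nameType, $false)

        # CSP name is informational only: it is null for CNG keys or when the
        # caller is not allowed to open the private key.
        $provider = $null
        try { $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { }

        $nameMatches = ($subjectName -ieq $ExpectedName)
        $serverAuth  = ($ekuOids -contains $ServerAuthOid)
        $inValidity  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $subjectName
            NameMatches   = $nameMatches
            ServerAuthEku = $serverAuth
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = $inValidity
            Provider      = $provider
            Usable        = ($nameMatches -and $serverAuth -and $cert.HasPrivateKey -and $inValidity)
        }
    }
}

"Expected subject name    : $(Get-LocalFqdn)"
"System drive file system : $(Get-SystemDriveFormat)"
Test-PeapServerCertificate | Format-Table -AutoSize
```

An empty table, or no row with `Usable` set to True, corresponds to the state in which the EAP configuration dialog reports that no certificate could be found.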
 
I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstalled the Windows 2000 server and upgraded it to SP4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and the certificate service work well when I use AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

 
It is weird because we have tried it and it works:
PEAP MS-CHAP v2 using a stand-alone CA.
I have tried it using Windows 2003.
I will try using Windows 2000 and get back to you (if you already have
Windows 2003, give it a shot and let me know the result).

 
Thanks for your quick reply.

I finally got it working. The problem was that the hard disk was
formatted as FAT32. After I converted it to NTFS, the problem was
gone.

Thanks for your help.

 
It is another simple scenario :

One PC has Windows 2000 SP4, IAS, and certificate service installed. The PC
is configured as a DC. One AP (supports WPA), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to the Internet through IAS authentication.

When looking at the log file through IAS Log Viewer, I found that IAS
also authenticates the computer (it shows the user name as
host/compaq1.mydomain.com). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect on a user connecting to
the wired network.

Any comments?




 
Are you using EAP-TLS or PEAP?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
It is another simple scenario:

One PC has Windows 2000 SP4, IAS, and certificate service installed. The PC
is configured as a DC. There is one AP (supports WPA) and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

Add compaq1 and kc into AD.

Create a wireless user group, and add compaq1 and kc into this group.

Create a wireless group policy.

IAS successfully authenticates user kc, and kc can wirelessly connect
to the Internet through IAS authentication.

When looking at the log file through IAS Log Viewer, I found that IAS
also authenticates the computer (it shows the user name is
host/compaq1.mydomain.com). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect on a user connecting to
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
It is weird, because we have tried it and it works:
PEAP MS-CHAP v2 using a stand-alone CA.
I have tried it using Windows 2003.
I will try using Windows 2000 and get back to you (if you already have a
Windows 2003, give it a shot and let me know the result).


kc said:
I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstalled the Windows 2000 server and upgraded it to SP4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate service work well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
With a stand-alone CA, here is how you request the cert:
Log in as a member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME field put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit




It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
Is it a stand-alone CA or an enterprise CA?

I installed IAS and Certificate service on one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy:

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message shows up:
"A certificate could not be found that can be used with this EAP"

I also have a problem getting a certificate from the certificate console:
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC
 
Glad to hear that it worked for you.


kc said:
Thanks for your quick reply.

I finally got it working. The problem was that the hard disk was
formatted as FAT32. After I converted it to NTFS, the problem was
gone.

Thanks for your help.
 
PEAP


Wajihy said:
Are you using EAP-TLS or PEAP?

 
Do you see 2 events, one for the machine and one for the username? Or only
one, the access reject for the machine?

 
Your question gave me some hints.

There are 2 events. One for the machine and one for the username. If
I uncheck AUTHENTICATE AS COMPUTER WHEN COMPUTER INFORMATION IS
AVAILABLE in the 802.1x client, then no machine is authenticated.

Checking or unchecking this box has no effect on PEAP authentication.
When should I select AUTHENTICATE AS COMPUTER WHEN COMPUTER
INFORMATION IS AVAILABLE?

And in what situation should I select AUTHENTICATE AS GUEST WHEN USER
OR COMPUTER INFORMATION IS UNAVAILABLE?



 
You should check the "authenticate as computer when computer ..." if you
want to do machine auth,
and you should enable "authenticate as guest when user or ..." if you want
the client to connect as guest (after 3 failed auths, if this option is
checked and if the guest account is enabled on the AD, the client will
connect as guest).

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
Your question give me some hints.

There are 2 events. One for the machine and one for the username. If
I uncheck AUTHENTICATE AS COMPUTER WHEN COMPUTER INFORMATION IS
AVAILABLE in 802.1x client

then, no machine is authenticated.

The check or uncheck this box has no effect for PEAP authentication,
when should I select AUTHENTICATE AS COMPUTER WHEN COMPUTER
INFORMATION IS AVAILABLE?

and in what situation, should I select AUTHENTICATE AS GUEST WHEN USER
OR COMPUTER INFORMATION IS UNAVAILABLE?



"Wajihy [MSFT]" <[email protected]> wrote in message
do you see 2 evnets one for the machine and one for the username? or only
one the access reject for the machine?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
PEAP


"Wajihy [MSFT]" <[email protected]> wrote in message
are you using EAPTLS or PEAP?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found the IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to connect into
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get back to you ( if you already have a
windows2003 give it a shot and let me know the result )

I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate service works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME field put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an enterprise CA?


I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console

run MMC
add certificate
certificate/personal/all tasks/request new certificate

the error appears:
"Windows cannot find a certification authority that will process the
request"

However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



 
But, even though I check the " authenticate as computer when computer
...." I still can get connected and use the resources in the wired
section when the machine authentication fail and the user
authentication success.

To check this box seems meaningless.



Wajihy said:
you should check the " authenticate as computer when computer ..." if you
want to do machine auth
and you should enable " authenticate as guest when user or ..." if you want
the client to connect as guest ( after 3 failed auths if this option is
checked and if the guest account is enabled on the AD, the client will
connect as guest )

 
you will check it if you want to do machine auth first and if it fails it
falls back to user auth

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081
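
Added example, not part of the thread and not Microsoft's code: a PowerShell check of the local computer store against the certificate-request steps quoted in this thread (FQDN as the name, "Server authentication" purpose, the SChannel CSP, local computer store). It assumes Windows PowerShell 5.1 in an elevated session on the authentication server; the function name Test-EapServerCertificate and the report columns are made up for this example.

```powershell
# Added example. Assumes Windows PowerShell 5.1, run elevated on the server.
param(
    # Name the certificate was requested for; defaults to this machine's FQDN.
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$WantedCsp     = 'Microsoft RSA SChannel Cryptographic Provider'

# Hypothetical helper: compares one certificate with the steps in the thread.
function Test-EapServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedName
    )
    $problems = @()
    $now = Get-Date

    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) {
        $problems += 'outside its validity period'
    }
    if (-not $Cert.HasPrivateKey) {
        $problems += 'no private key in this store'
    }

    # Step: certificate type "Server authentication Certificate".
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku -or ($eku.EnhancedKeyUsages.Value -notcontains $ServerAuthOid)) {
        $problems += 'Server Authentication EKU missing'
    }

    # Step: NAME field holds the FQDN of the machine.
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedName) {
        $problems += "subject name '$cn' is not '$ExpectedName'"
    }

    # Step: CSP is the Microsoft RSA SChannel Cryptographic Provider.
    try {
        $csp = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName
    } catch {
        $csp = $null   # key not readable (CNG key or insufficient rights)
    }
    if ($csp -ne $WantedCsp) {
        $problems += "key provider is '$csp'"
    }

    [pscustomobject]@{
        Thumbprint   = $Cert.Thumbprint
        Subject      = $Cert.Subject
        MatchesSteps = ($problems.Count -eq 0)
        Problems     = $problems -join '; '
    }
}

# Step: "Store Certificate in Local computer certificate store".
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapServerCertificate -Cert $_ -ExpectedName $Fqdn } |
    Format-Table -AutoSize -Wrap
```

An empty result means nothing was issued into the local computer store at all, for example because the request was stored in the user's store instead.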
