Hi Lee,
Yet another 802.1x question... but should be an easy one.
Is it possible to successfully authenticate a 802.1x supplicant with a
computer certificate, using IAS, that is not on the same domain as the IAS
server? Or not on a domain at all? I haven't found a way to do it yet.
Thanks for any help.
It's not an easy question and I have some good and some bad news.
The good news is that it can be done! I've got a setup running with a
Belkin WiFi router as base station, IAS, Windows Server 2003 in stand-alone
mode and a Windows XP Pro client in stand-alone mode too.
The bad news is that it takes a lot of fiddling around, and I cannot give
you a good description on how to do it.
This is more or less what I did:
- On the W2K3 server I setup Microsoft Certificate Services and IAS.
- I created a Radius Client for the Belkin WiFi Router in IAS
(Client-Vendor: Radius Standard)
- Created a remote access policy with EAP method PEAP and MS-CHAP2.
- Created a certificate for the client computer and installed on the client
computer.
- On the client computer, at one point in time I had to select the
certificate but also provide credentials of a W2K3 server user account.
Then the whole thing did not work when using TKIP encryption. When as a
last resort (after days of fiddling around) I changed the encryption to EAS
(which -to my surprise- was supported by the Belkin WiFi router) it suddenly
worked. What the encryption had to do with it, is beyond my understanding.
So there you are: It can be done, but the plethoria of settings and
options, both on the server, theWiFi router and the client computer make it
hell to configure and when it works, I anyway had no clue why it actually
did.
Good luck!
Jan.