MS IAS service in PEAP environment

K

kc

Just want to use MS windows 2000 IAS service to show my boss that how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very simple. One
PC sit behind an Ap, one notebook trying to wirelessly connect to this
PC through the AP, using PEAP authentication. What I want to do is to
group the PC and the notebook into one workgroup, install IAS service
and certificate service in this PC, get a certificate for this PC,
install the root CA certificate and IAS server certificate into this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish this job?

Appreciate any suggestions/comments from this group.

KC
 
W

Wajihy [MSFT]

if you mean from the client side, the user you will be prompted to enter his
credentials before getting access to the network

--

This posting is provided "AS IS", with NO warranties and confers NO rights
kc said:
"Wajihy [MSFT]" <[email protected]> wrote in message
you can do it both ways:
without installing an AD, add a local user to the IAS server and use that
user to connect from the client ( don't forget in the wireless configuration
of the client to uncheck " use winlogon credentials" option) you can also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user that the
current wireless connection is in 802.1x condition when users use
Windows 2000 802.1x client?
 
K

kc

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console :
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



Wajihy said:
if you mean from the client side, the user you will be prompted to enter his
credentials before getting access to the network

--

This posting is provided "AS IS", with NO warranties and confers NO rights
kc said:
"Wajihy [MSFT]" <[email protected]> wrote in message
you can do it both ways:
without installing an AD, add a local user to the IAS server and use that
user to connect from the client ( don't forget in the wireless configuration
of the client to uncheck " use winlogon credentials" option) you can also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties and confers NO rights
Just want to use MS windows 2000 IAS service to show my boss that how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very simple. One
PC sit behind an Ap, one notebook trying to wirelessly connect to this
PC through the AP, using PEAP authentication. What I want to do is to
group the PC and the notebook into one workgroup, install IAS service
and certificate service in this PC, get a certificate for this PC,
install the root CA certificate and IAS server certificate into this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish this job?

Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user that the
current wireless connection is in 802.1x condition when users use
Windows 2000 802.1x client?
 
W

Wajihy [MSFT]

IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console :
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be prompted to enter his
credentials before getting access to the network

--

This posting is provided "AS IS", with NO warranties and confers NO rights
kc said:
"Wajihy [MSFT]" <[email protected]> wrote in message
you can do it both ways:
without installing an AD, add a local user to the IAS server and use that
user to connect from the client ( don't forget in the wireless configuration
of the client to uncheck " use winlogon credentials" option) you can also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties and confers NO rights
Just want to use MS windows 2000 IAS service to show my boss that how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very simple. One
PC sit behind an Ap, one notebook trying to wirelessly connect to this
PC through the AP, using PEAP authentication. What I want to do is to
group the PC and the notebook into one workgroup, install IAS service
and certificate service in this PC, get a certificate for this PC,
install the root CA certificate and IAS server certificate into this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish this job?

Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user that the
current wireless connection is in 802.1x condition when users use
Windows 2000 802.1x client?
 
K

kc

It is a stand alone CA running Windows 2000 Server SP4.

Wajihy said:
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console :
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be prompted to enter his
credentials before getting access to the network
you can do it both ways:
without installing an AD, add a local user to the IAS server and use that
user to connect from the client ( don't forget in the wireless configuration
of the client to uncheck " use winlogon credentials" option) you can also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties and confers NO rights
Just want to use MS windows 2000 IAS service to show my boss that how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very simple. One
PC sit behind an Ap, one notebook trying to wirelessly connect to this
PC through the AP, using PEAP authentication. What I want to do is to
group the PC and the notebook into one workgroup, install IAS service
and certificate service in this PC, get a certificate for this PC,
install the root CA certificate and IAS server certificate into this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish this job?

Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user that the
current wireless connection is in 802.1x condition when users use
Windows 2000 802.1x client?
 
W

Wajihy [MSFT]

with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console :
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be prompted to
enter
his
credentials before getting access to the network
you can do it both ways:
without installing an AD, add a local user to the IAS server and
use
that
user to connect from the client ( don't forget in the wireless configuration
of the client to uncheck " use winlogon credentials" option) you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help
NO
rights
Just want to use MS windows 2000 IAS service to show my boss
that
how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very
simple.
One
PC sit behind an Ap, one notebook trying to wirelessly connect
to
this
PC through the AP, using PEAP authentication. What I want to
do
is to
group the PC and the notebook into one workgroup, install IAS service
and certificate service in this PC, get a certificate for this PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish this job?

Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user that the
current wireless connection is in 802.1x condition when users use
Windows 2000 802.1x client?
 
K

kc

I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

Wajihy said:
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console :
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be prompted to
enter
his
credentials before getting access to the network
you can do it both ways:
without installing an AD, add a local user to the IAS server and
use
that
user to connect from the client ( don't forget in the wireless configuration
of the client to uncheck " use winlogon credentials" option) you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help
NO
rights
Just want to use MS windows 2000 IAS service to show my boss
that
how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very
simple.
One
PC sit behind an Ap, one notebook trying to wirelessly connect
to
this
PC through the AP, using PEAP authentication. What I want to
do
is to
into
this
 
W

Wajihy [MSFT]

it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already have a
windows2003 give it a shot and let me know the result

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console :
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be prompted
to
enter
his
credentials before getting access to the network
NO
rights
"Wajihy [MSFT]" <[email protected]> wrote in message
you can do it both ways:
without installing an AD, add a local user to the IAS server
and
use
that
user to connect from the client ( don't forget in the
wireless
configuration
of the client to uncheck " use winlogon credentials" option)
you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help
confers
NO
rights
Just want to use MS windows 2000 IAS service to show my
boss
that
how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very simple.
One
PC sit behind an Ap, one notebook trying to wirelessly
connect
to
this
PC through the AP, using PEAP authentication. What I want
to
do
is to
group the PC and the notebook into one workgroup, install
IAS
service
and certificate service in this PC, get a certificate for
this
PC,
install the root CA certificate and IAS server certificate into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish
this
job?
Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user that the
current wireless connection is in 802.1x condition when users use
Windows 2000 802.1x client?
 
K

kc

Thanks for your quick reply.

I finally get it worked. The problem is because the Hard disk was
formated as FAT32. After I convert it to NTFS system. The problem
gone.

Thanks for your help.

Wajihy said:
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already have a
windows2003 give it a shot and let me know the result

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be prompted to
enter
his
credentials before getting access to the network
NO
rights
"Wajihy [MSFT]" <[email protected]> wrote in message
you can do it both ways:
without installing an AD, add a local user to the IAS server and
use
that
user to connect from the client ( don't forget in the
wireless
configuration
of the client to uncheck " use winlogon credentials" option) you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights
Just want to use MS windows 2000 IAS service to show my boss
that
how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very
simple.
One
PC sit behind an Ap, one notebook trying to wirelessly connect
to
this
PC through the AP, using PEAP authentication. What I want to
do
is to
group the PC and the notebook into one workgroup, install
IAS
service
and certificate service in this PC, get a certificate for
this
PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish
this
job?
Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user that the
current wireless connection is in 802.1x condition when users use
Windows 2000 802.1x client?
 
K

kc

It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found the IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to connect into
the wired network.

Any comments?




Wajihy said:
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already have a
windows2003 give it a shot and let me know the result

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate console
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be prompted to
enter
his
credentials before getting access to the network
NO
rights
"Wajihy [MSFT]" <[email protected]> wrote in message
you can do it both ways:
without installing an AD, add a local user to the IAS server and
use
that
user to connect from the client ( don't forget in the
wireless
configuration
of the client to uncheck " use winlogon credentials" option) you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights
Just want to use MS windows 2000 IAS service to show my boss
that
how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very
simple.
One
PC sit behind an Ap, one notebook trying to wirelessly connect
to
this
PC through the AP, using PEAP authentication. What I want to
do
is to
group the PC and the notebook into one workgroup, install
IAS
service
and certificate service in this PC, get a certificate for
this
PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish
this
job?
Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user that the
current wireless connection is in 802.1x condition when users use
Windows 2000 802.1x client?
 
W

Wajihy [MSFT]

are you using EAPTLS or PEAP?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found the IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to connect into
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already have a
windows2003 give it a shot and let me know the result

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate
console
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will
process
the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be
prompted
to
enter
his
credentials before getting access to the network
confers
NO
rights
"Wajihy [MSFT]" <[email protected]> wrote in
message
you can do it both ways:
without installing an AD, add a local user to the IAS
server
and
use
that
user to connect from the client ( don't forget in the wireless
configuration
of the client to uncheck " use winlogon credentials"
option)
you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights
Just want to use MS windows 2000 IAS service to show
my
boss
that
how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very
simple.
One
PC sit behind an Ap, one notebook trying to wirelessly connect
to
this
PC through the AP, using PEAP authentication. What I
want
to
do
is to
group the PC and the notebook into one workgroup,
install
IAS
service
and certificate service in this PC, get a certificate
for
this
PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to
finish
this
job?
Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user
that
the
current wireless connection is in 802.1x condition when
users
use
Windows 2000 802.1x client?
 
W

Wajihy [MSFT]

Glad to hear that it is worked for you

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
Thanks for your quick reply.

I finally get it worked. The problem is because the Hard disk was
formated as FAT32. After I convert it to NTFS system. The problem
gone.

Thanks for your help.

"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already have a
windows2003 give it a shot and let me know the result

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate
console
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will
process
the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be
prompted
to
enter
his
credentials before getting access to the network
confers
NO
rights
"Wajihy [MSFT]" <[email protected]> wrote in
message
you can do it both ways:
without installing an AD, add a local user to the IAS
server
and
use
that
user to connect from the client ( don't forget in the wireless
configuration
of the client to uncheck " use winlogon credentials"
option)
you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights
Just want to use MS windows 2000 IAS service to show
my
boss
that
how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very
simple.
One
PC sit behind an Ap, one notebook trying to wirelessly connect
to
this
PC through the AP, using PEAP authentication. What I
want
to
do
is to
group the PC and the notebook into one workgroup,
install
IAS
service
and certificate service in this PC, get a certificate
for
this
PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to
finish
this
job?
Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user
that
the
current wireless connection is in 802.1x condition when
users
use
Windows 2000 802.1x client?
 
K

kc

PEAP


Wajihy said:
are you using EAPTLS or PEAP?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found the IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to connect into
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already have a
windows2003 give it a shot and let me know the result

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate (Shows as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use local machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with this EAP"

I also have problem to get a certificate from certificate
console
run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will
process
the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in message
if you mean from the client side, the user you will be
prompted
to
enter
his
credentials before getting access to the network

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights
"Wajihy [MSFT]" <[email protected]> wrote in
message
you can do it both ways:
without installing an AD, add a local user to the IAS
server
and
use
that
user to connect from the client ( don't forget in the
wireless
configuration
of the client to uncheck " use winlogon credentials"
option)
you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights
Just want to use MS windows 2000 IAS service to show
my
boss
that
how
this service can be used as a wireless authentication server.

Play it for a while. My question is that my demo is very
simple.
One
PC sit behind an Ap, one notebook trying to wirelessly connect
to
this
PC through the AP, using PEAP authentication. What I
want
to
do
is to
group the PC and the notebook into one workgroup, install
IAS
service
and certificate service in this PC, get a certificate for
this
PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish
this
job?

Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user
that
the
current wireless connection is in 802.1x condition when
users
use
Windows 2000 802.1x client?
 
W

Wajihy [MSFT]

do you see 2 evnets one for the machine and one for the username? or only
one the access reject for the machine?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
PEAP


"Wajihy [MSFT]" <[email protected]> wrote in message
are you using EAPTLS or PEAP?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found the IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to connect into
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already
have
a
windows2003 give it a shot and let me know the result

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate
(Shows
as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?
confers
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use
local
machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with
this
EAP"
I also have problem to get a certificate from certificate console

run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will process
the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in
message
if you mean from the client side, the user you will be prompted
to
enter
his
credentials before getting access to the network

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights
"Wajihy [MSFT]" <[email protected]> wrote in
message
you can do it both ways:
without installing an AD, add a local user to the
IAS
server
and
use
that
user to connect from the client ( don't forget in the
wireless
configuration
of the client to uncheck " use winlogon credentials" option)
you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a
domain
user
let me know if you need more help
and
confers
NO
rights
Just want to use MS windows 2000 IAS service to
show
my
boss
that
how
this service can be used as a wireless
authentication
server.
Play it for a while. My question is that my demo
is
very
simple.
One
PC sit behind an Ap, one notebook trying to
wirelessly
connect
to
this
PC through the AP, using PEAP authentication.
What I
want
to
do
is to
group the PC and the notebook into one workgroup, install
IAS
service
and certificate service in this PC, get a
certificate
for
this
PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish
this
job?

Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show
user
that
the
current wireless connection is in 802.1x condition
when
users
use
Windows 2000 802.1x client?
 
K

kc

Your question give me some hints.

There are 2 events. One for the machine and one for the username. If
I uncheck AUTHENTICATE AS COMPUTER WHEN COMPUTER INFORMATION IS
AVAILABLE in 802.1x client

then, no machine is authenticated.

The check or uncheck this box has no effect for PEAP authentication,
when should I select AUTHENTICATE AS COMPUTER WHEN COMPUTER
INFORMATION IS AVAILABLE?

and in what situation, should I select AUTHENTICATE AS GUEST WHEN USER
OR COMPUTER INFORMATION IS UNAVAILABLE?



Wajihy said:
do you see 2 evnets one for the machine and one for the username? or only
one the access reject for the machine?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
PEAP


"Wajihy [MSFT]" <[email protected]> wrote in message
are you using EAPTLS or PEAP?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found the IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to connect into
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already
have
a
windows2003 give it a shot and let me know the result

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I did what you said. Unfortunately, it didn't work. The problem is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to have a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use the AD to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate
(Shows
as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the key exportable

Hit Submit
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in message
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I can request a
certificate by using //server/certsrv and specify "use
local
machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with
this
EAP"
I also have problem to get a certificate from certificate
console

run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will
process
the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in
message
if you mean from the client side, the user you will be
prompted
to
enter
his
credentials before getting access to the network

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights
message
you can do it both ways:
without installing an AD, add a local user to the IAS
server
and
use
that
user to connect from the client ( don't forget in the
wireless
configuration
of the client to uncheck " use winlogon credentials"
option)
you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a
domain
user
let me know if you need more help
and
confers
NO
rights
Just want to use MS windows 2000 IAS service to show
my
boss
that
how
this service can be used as a wireless
authentication
server.
Play it for a while. My question is that my demo
is
very
simple.
One
PC sit behind an Ap, one notebook trying to
wirelessly
connect
to
this
PC through the AP, using PEAP authentication. What I
want
to
do
is to
group the PC and the notebook into one workgroup, install
IAS
service
and certificate service in this PC, get a
certificate
for
this
PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a domain to finish
this
job?

Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show user
that
the
current wireless connection is in 802.1x condition when
users
use
Windows 2000 802.1x client?
 
W

Wajihy [MSFT]

you should check the " authenticate as computer when computer ..." if you
want to do machine auth
and you should enable " authenticate as guest when user or ..." if you want
the client to connect as guest ( after 3 failed auths if this option is
checked and if the guest account is enabled on the AD, the client will
connect as guest"

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
Your question give me some hints.

There are 2 events. One for the machine and one for the username. If
I uncheck AUTHENTICATE AS COMPUTER WHEN COMPUTER INFORMATION IS
AVAILABLE in 802.1x client

then, no machine is authenticated.

The check or uncheck this box has no effect for PEAP authentication,
when should I select AUTHENTICATE AS COMPUTER WHEN COMPUTER
INFORMATION IS AVAILABLE?

and in what situation, should I select AUTHENTICATE AS GUEST WHEN USER
OR COMPUTER INFORMATION IS UNAVAILABLE?



"Wajihy [MSFT]" <[email protected]> wrote in message
do you see 2 evnets one for the machine and one for the username? or only
one the access reject for the machine?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
PEAP


"Wajihy [MSFT]" <[email protected]> wrote in message
are you using EAPTLS or PEAP?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found the IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to connect into
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you
already
have
a
windows2003 give it a shot and let me know the result
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I did what you said. Unfortunately, it didn't work. The
problem
is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to
have
a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use
the AD
to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer
certificate
(Shows
as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the
key
exportable
Hit Submit
confers
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in
message
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I
can
request a
certificate by using //server/certsrv and specify "use local
machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a wireless policy :

double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used
with
this
EAP"
I also have problem to get a certificate from certificate
console

run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority that will
process
the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



"Wajihy [MSFT]" <[email protected]> wrote in
message
if you mean from the client side, the user you will be
prompted
to
enter
his
credentials before getting access to the network
and
confers
NO
rights
message
you can do it both ways:
without installing an AD, add a local user to
the
IAS
server
and
use
that
user to connect from the client ( don't forget
in
the
wireless
configuration
of the client to uncheck " use winlogon credentials"
option)
you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a domain
user

let me know if you need more help
warranties
and
confers
NO
rights
Just want to use MS windows 2000 IAS service
to
show
my
boss
that
how
this service can be used as a wireless authentication
server.

Play it for a while. My question is that my
demo
is
very
simple.
One
PC sit behind an Ap, one notebook trying to wirelessly
connect
to
this
PC through the AP, using PEAP authentication. What I
want
to
do
is to
group the PC and the notebook into one
workgroup,
install
IAS
service
and certificate service in this PC, get a certificate
for
this
PC,
install the root CA certificate and IAS server certificate
into
this
notebook. Then I think I can demo EAP-PEAP authentication.

Can this be done? Do I have to set up a
domain to
finish
this
job?

Appreciate any suggestions/comments from this group.

KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can
show
user
that
the
current wireless connection is in 802.1x condition when
users
use
Windows 2000 802.1x client?
 
K

kc

But, even though I check the " authenticate as computer when computer
...." I still can get connected and use the resources in the wired
section when the machine authentication fail and the user
authentication success.

To check this box seems meaningless.



Wajihy said:
you should check the " authenticate as computer when computer ..." if you
want to do machine auth
and you should enable " authenticate as guest when user or ..." if you want
the client to connect as guest ( after 3 failed auths if this option is
checked and if the guest account is enabled on the AD, the client will
connect as guest"

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
Your question give me some hints.

There are 2 events. One for the machine and one for the username. If
I uncheck AUTHENTICATE AS COMPUTER WHEN COMPUTER INFORMATION IS
AVAILABLE in 802.1x client

then, no machine is authenticated.

The check or uncheck this box has no effect for PEAP authentication,
when should I select AUTHENTICATE AS COMPUTER WHEN COMPUTER
INFORMATION IS AVAILABLE?

and in what situation, should I select AUTHENTICATE AS GUEST WHEN USER
OR COMPUTER INFORMATION IS UNAVAILABLE?



"Wajihy [MSFT]" <[email protected]> wrote in message
do you see 2 evnets one for the machine and one for the username? or only
one the access reject for the machine?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

PEAP


"Wajihy [MSFT]" <[email protected]> wrote in message
are you using EAPTLS or PEAP?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found the IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to connect into
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already
have
a
windows2003 give it a shot and let me know the result
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I did what you said. Unfortunately, it didn't work. The
problem
is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4 to
have
a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I use
the AD
to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate
(Shows
as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer certificate store"

[optional] You might want to mark the
key
exportable
Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers
NO
rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in
message
IS IT a stand alone CA or an entreprise CA?

--

This posting is provided "AS IS", with NO warranties and confers
NO
rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC. I
can
request a
and
confers the
IAS in
the to
show workgroup,
install
domain to
finish
show
user
 
W

Wajihy [MSFT]

you will check it if you want to do machine auth first and if it fails it
fall back to user auth

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
But, even though I check the " authenticate as computer when computer
..." I still can get connected and use the resources in the wired
section when the machine authentication fail and the user
authentication success.

To check this box seems meaningless.



"Wajihy [MSFT]" <[email protected]> wrote in message
you should check the " authenticate as computer when computer ..." if you
want to do machine auth
and you should enable " authenticate as guest when user or ..." if you want
the client to connect as guest ( after 3 failed auths if this option is
checked and if the guest account is enabled on the AD, the client will
connect as guest"

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

kc said:
Your question give me some hints.

There are 2 events. One for the machine and one for the username. If
I uncheck AUTHENTICATE AS COMPUTER WHEN COMPUTER INFORMATION IS
AVAILABLE in 802.1x client

then, no machine is authenticated.

The check or uncheck this box has no effect for PEAP authentication,
when should I select AUTHENTICATE AS COMPUTER WHEN COMPUTER
INFORMATION IS AVAILABLE?

and in what situation, should I select AUTHENTICATE AS GUEST WHEN USER
OR COMPUTER INFORMATION IS UNAVAILABLE?



"Wajihy [MSFT]" <[email protected]> wrote in message
do you see 2 evnets one for the machine and one for the username? or only
one the access reject for the machine?

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

PEAP


"Wajihy [MSFT]" <[email protected]> wrote in message
are you using EAPTLS or PEAP?
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is another simple scenario :

One PC install Windows 2000 sp4, IAS, and certificate service. The PC
is configured as a DC. One AP ( support WPA ), and one notebook.

domain name : mydomain.com

notebook name : compaq1

one user name : kc

add compaq1 and kc into AD.

create a wireless user group, and add compaq1 and kc into this group.

create a wireless group policy

IAS successfully authenticates user kc, and kc can wirelessly connect
to Internet through IAS authentication.

When looking up the log file through IAS Log Viewer, I found
the
IAS
also authenticate the computer ( it shows the user name is
host/compaq1.mydomain.com ). However, the result is IAS_NO_SUCH_USER,
and the connect result shows rejected.

However, this reject message has no effect for a user to
connect
into
the wired network.

Any comments?




"Wajihy [MSFT]" <[email protected]> wrote in message
it is weird because we have tried it and it works
PEAP Mschap v2 using a stand alone CA
I have tried it using windows2003
I will try using windows 2000 and get abck to you ( if you already
have
a
windows2003 give it a shot and let me know the result
confers
NO
rights
Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I did what you said. Unfortunately, it didn't work. The problem
is
the same.

I reinstall the Windows 2000 server and upgrade it to SP 4
to
have
a
clean 2000 server to test it again. The problem is the same.

However, IAS and certificate cervice works well when I
use
the AD
to
set up a small and simple domain.

Any suggestions again?

Will Windows 2003 help?

"Wajihy [MSFT]" <[email protected]> wrote in
message
with a stand alone CA here is how you request the cert:
Login as Member of the local administrators on the machine

Open the cert web page (on your stand alone)

Select request Certificate

Select Advanced certificate request

Select Create and submit request to this CA

In the NAME filed put the FQDN of your machine

In the type of certificate needed select computer certificate
(Shows
as
"Server authentication Certificate")

In the CSP select "Microsoft RSA SChannel Cryptographic Provider"

Check the "Store Certificate in Local computer
certificate
store"
[optional] You might want to mark
the
key
exportable
Hit Submit



--

This posting is provided "AS IS", with NO warranties and confers
NO
rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

It is a stand alone CA running Windows 2000 Server SP4.

"Wajihy [MSFT]" <[email protected]> wrote in
message
IS IT a stand alone CA or an entreprise CA?
and
confers
NO
rights

Upcoming Event: Tech Chat about "Secure Wireless authentication
using
IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081

I install IAS and Certificate service in one PC.
I
can
request a
certificate by using //server/certsrv and specify "use
local
machine
store" to get a machine certificate for this PC.

However, when I tried to configure EAP in a
wireless
policy :
double click wireless policy
click edit profile
click authentication tab
check EAP check box
click configure

the error message show up :
"A certificate could not be found that can be used with
this
EAP"

I also have problem to get a certificate from certificate
console

run MMC
add certificate
certificate/personal/all tasks/request new certificate
the error appears:
"Windows cannot find a certification authority
that
will
process
the
request"
However, I can get a new certificate by using //server/certsrv.

Any suggestions?

KC



message
if you mean from the client side, the user you
will
be
prompted
to
enter
his
credentials before getting access to the network
warranties
and
confers
NO
rights
message
you can do it both ways:
without installing an AD, add a local user
to
the
IAS
server
and
use
that
user to connect from the client ( don't
forget
in
the
wireless
configuration
of the client to uncheck " use winlogon credentials"
option)
you
can
also
install the CA on the IAS server

use it with an a AD in this case you will use a
domain
user

let me know if you need more help

--

This posting is provided "AS IS", with NO warranties
and
confers
NO
rights
Just want to use MS windows 2000 IAS
service
to
show
my
boss
that
how
this service can be used as a wireless
authentication
server.

Play it for a while. My question is that
my
demo
is
very
simple.
One
PC sit behind an Ap, one notebook trying to
wirelessly
connect
to
this
PC through the AP, using PEAP
authentication.
What I
want
to
do
is to
group the PC and the notebook into one workgroup,
install
IAS
service
and certificate service in this PC, get a
certificate
for
this
PC,
install the root CA certificate and IAS
server
certificate
into
this
notebook. Then I think I can demo
EAP-PEAP
authentication.
Can this be done? Do I have to set up a
domain to
finish
this
job?

Appreciate any suggestions/comments from
this
group.
KC

Hi Wajihy

Thanks for your reply.

Is there any indication on the screen that can show
user
that
the
current wireless connection is in 802.1x
condition
when
users
use
Windows 2000 802.1x client?
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top