Solved

802.1x, IAS, PKI Setup Problem

Posted on 2009-04-07
1,366 Views
Last Modified: 2013-12-04
Hello EE,

I have been working for several weeks now on our PKI.  The primary and initial purpose of the PKI is to provide 802.1x authentication for wireless users.  All wireless devices are connected through our Cisco Wireless LAN Controller, which has 9 lightweight WAPs spread throughout our infrastructure.  The initial wireless setup with MAC filtering had very good results.  Now, with some upgrades coming down very soon, we are required to set up our PKI, and I thought what a good time to implement 802.1x on our wireless side.  Preliminary setup steps have brought us to some obstacles to overcome.

1.  Our original setup had 1 Offline Enterprise Root CA (Server A) and 2 Subordinate CAs (Servers B and C).  The problem we encountered here was the fact that the Subordinate CAs were Server 2003 Standard machines and did not support the autoenrollment needed for the wireless clients.

2.  After cleaning up a big group policy screw-up, I took a step back.  After a failed attempt to upgrade Server B to Enterprise (problem with Virtual Iron), we decided to move forward and make our existing WSUS (future System Center) server (Server D) our first Subordinate CA.  At first glance everything works great.  Though when setting up IAS for 802.1x, it cannot find a certificate (see attachment).

3.  Thinking the IAS problem may be related to the mixed Standard/Enterprise environment, I decided to set up IAS on the new Sub CA (Server D).  After doing so I encountered the same issue.  I double-checked to verify that IAS for the server is registered in AD (GOOD), but for some reason it will not grab a certificate.

So this is where I am stuck.  Why won't my IAS server enroll?

Here are some specs for all servers involved:

Server A
Enterprise Root CA
Offline - Already shutdown
Server 2003 Enterprise
Virtual Server

Server B
Domain Controller 1
DHCP, DNS, etc.
Original Candidate for Sub CA 1 and IAS
Server 2003 Standard
Virtual Server

Server C
Domain Controller 2
DHCP, DNS, etc.
Currently Configured as Stand-Alone Root for OWA.  Plan to migrate OWA function to new Sub CA when up and running.  Further plans to Upgrade to Server 2003 Enterprise, and turn into Sub CA 2, and install IAS
Currently Server 2003 Standard
Physical Server

Server D
Enterprise Subordinate CA
WSUS
Future plans to be full blown System Center
IAS
Server 2003 Enterprise

That's what I have so far.  Getting IAS working is the first step, then wireless client autoenrollment, and finally 802.1x authentication.  See my diagram for details.


IAS-Error.JPG
IAS-PKI-8021X.jpg
Question by: CityofKerrville
3 Comments
 

Author Comment

by: CityofKerrville
ID: 24091267
Update!!
IAS finally enrolled, but I still get the same error shown above when setting up the Remote Access Policy for Wireless Authentication.

Accepted Solution

by: Paranormastic (earned 500 total points)
ID: 24096964
What size keyset are you creating, and from which template?  A web server cert should be fine (or a duplicate thereof).  If you are trying a 2048 keyset, try a 1024 instead.

Here's a general install list of the process - pay attention to other options throughout that you may desire for your own environment, as this is a pretty basic installation guide, but you can use this to make sure you have the key components:
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part2.html
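Editor's note, added to this thread (not code from either poster): the "cannot find a certificate" prompt in the IAS/NPS EAP configuration appears when nothing in the computer's personal store (LocalMachine\My) qualifies. For PEAP and EAP-TLS the RADIUS server needs a certificate that carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), has its private key on this machine, is unexpired, and chains to a root the machine trusts; a certificate issued from the Web Server template (or a duplicate of it) satisfies the first condition, which is why that template is suggested above. The script below lists every certificate in that store with the properties IAS cares about, including the key size and the template it was issued from, so the result of the 1024-vs-2048 experiment can be verified rather than guessed at. It assumes PowerShell 2.0 or later on the IAS server and uses only the .NET X509Certificate2 API; the function name and output columns are my own.

```powershell
# Added diagnostic for this thread (not from the original posters). Run on the IAS/NPS
# server in an elevated PowerShell 2.0+ session. Lists LocalMachine\My certificates and
# flags the ones that IAS could select for PEAP / EAP-TLS.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'       # id-kp-serverAuth: required by IAS/NPS for PEAP and EAP-TLS
$templateOids  = @('1.3.6.1.4.1.311.21.7',  # Certificate Template Information (v2 templates, Enterprise CA)
                   '1.3.6.1.4.1.311.20.2')  # Certificate Template Name (v1 templates such as WebServer)

function Get-IasCandidateCert {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Server Authentication must appear in the EKU extension; a cert with no EKU
        # extension at all is treated as not usable here (conservative choice).
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasServerAuth = $false
        if ($ekuExt) {
            $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }

        # Template the cert was issued from, taken from whichever template extension is present.
        $tmplExt = $cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        $template = if ($tmplExt) { ($tmplExt.Format($false) -split ',')[0].Trim() } else { '(no template extension)' }

        # RSA key size as actually issued (0 if the public key cannot be loaded).
        $keySize = 0
        try { $keySize = $cert.PublicKey.Key.KeySize } catch { }

        # Verify() builds and validates the chain against the machine's trust stores and
        # checks revocation; an offline root is fine as long as its certificate is in
        # Trusted Root Certification Authorities and its CRL is still published and reachable.
        $chainOk = $cert.Verify()

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Template      = $template
            KeySize       = $keySize
            ServerAuthEKU = $hasServerAuth
            HasPrivateKey = $cert.HasPrivateKey
            ChainValid    = $chainOk
            NotAfter      = $cert.NotAfter
            UsableByIAS   = ($hasServerAuth -and $cert.HasPrivateKey -and $chainOk -and ($cert.NotAfter -gt (Get-Date)))
        }
    }
}

Get-IasCandidateCert | Sort-Object UsableByIAS -Descending |
    Format-Table Subject, Template, KeySize, ServerAuthEKU, HasPrivateKey, ChainValid, NotAfter, UsableByIAS -AutoSize
```

If no row shows UsableByIAS = True, the column that is False tells you what to fix: ServerAuthEKU means the wrong template was used, HasPrivateKey usually means the cert was imported without its key (or was issued to a different machine), and ChainValid with an offline root almost always means an expired or unreachable CRL from Server A, which has to be republished to AD or the CDP before the subordinate CA's chain will verify. The same information is available without PowerShell from `certutil -store My` and `certutil -verify <cert.cer>`.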

Author Comment

by: CityofKerrville
ID: 24097182
I have recreated the certificate.  The original was 1024, so I set it up for 2048.  Will wait for the autoenrollment to take place and see what happens.  Will let you know.