Solved

802.1x, IAS, PKI Setup Problem

Posted on 2009-04-07
Last Modified: 2013-12-04
Hello EE,

I have been working for several weeks now on our PKI.  The primary and initial purpose of the PKI is to provide 802.1x authentication for wireless users.  All wireless devices are connected through our Cisco Wireless LAN Controller, which has 9 lightweight WAPs spread throughout our infrastructure.  The initial wireless setup with MAC filtering had very good results.  Now, with some upgrades coming down very soon, we are required to set up our PKI, and I thought what a good time to implement 802.1x on our wireless side.  Preliminary setup steps have brought us to some obstacles to overcome.

1.  Our original setup had 1 offline Enterprise Root CA (Server A) and 2 Subordinate CAs (Servers B and C).  The problem we encountered here was the fact that the Subordinate CAs were Server 2003 Standard machines and did not support the autoenrollment needed for the wireless clients.

2.  After cleaning up a big group policy screw-up, I took a step back.  After a failed attempt to upgrade Server B to Enterprise (problem with Virtual Iron), we decided to move forward and make our existing WSUS (future System Center) server (Server D) our first Subordinate CA.  At first glance everything works great.  Though when setting up IAS for 802.1x, it cannot find a certificate (see attachment).

3.  Thinking the IAS problem may be related to the mixed Standard/Enterprise environment, I decided to set up IAS on the new Sub CA (Server D).  After doing so I encountered the same issue.  I double-checked to verify that IAS for the server is registered in AD (GOOD), but for some reason it will not grab a certificate.

So this is where I am stuck.  Why won't my IAS server enroll?

Here are some specs for all servers involved:

Server A
Enterprise Root CA
Offline - Already shutdown
Server 2003 Enterprise
Virtual Server

Server B
Domain Controller 1
DHCP, DNS, etc.
Original Candidate for Sub CA 1 and IAS
Server 2003 Standard
Virtual Server

Server C
Domain Controller 2
DHCP, DNS, etc.
Currently configured as a Stand-Alone Root for OWA.  Plan to migrate the OWA function to the new Sub CA when it is up and running.  Further plans to upgrade to Server 2003 Enterprise, turn it into Sub CA 2, and install IAS
Currently Server 2003 Standard
Physical Server

Server D
Enterprise Subordinate CA
WSUS
Future plans to be full blown System Center
IAS
Server 2003 Enterprise

That's what I have so far.  Getting IAS working is the first step, then wireless client autoenrollment, and finally 802.1x authentication.  See my diagram for details.


IAS-Error.JPG
IAS-PKI-8021X.jpg
Question by:CityofKerrville

Author Comment

by:CityofKerrville
ID: 24091267
Update!!
IAS finally enrolled, but I still get the same error shown above when setting up the Remote Access Policy for Wireless Authentication.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24096964
What size keyset are you creating, and from which template?  A web server cert should be fine (or a duplicate thereof).  If you are trying a 2048 keyset, try a 1024 instead.

Here's a general install list of the process - pay attention to other options throughout that you may desire for your own environment, as this is a pretty basic installation guide, but you can use it to make sure you have the key components:
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part2.html
0
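The checks the accepted answer asks about (which template, what key size, whether a Web Server style certificate is present) can be read straight off the IAS server's machine store. The script below is an added example, not part of the thread and not Microsoft's or the guide's code; it assumes PowerShell 2.0 or later is installed on the IAS server and that it is run as an administrator. It lists every certificate in Cert:\LocalMachine\My with the properties IAS needs before it will offer a certificate in the PEAP/EAP-TLS settings of a Remote Access Policy: a private key, the Server Authentication purpose, a chain to a root the server trusts, an unexpired validity period, plus the issuing template and RSA key size for comparison with the answer's advice.

```powershell
# Added example (not from the original thread). Lists every certificate in the
# machine personal store on the IAS server with the properties that decide
# whether IAS can offer it as a PEAP / EAP-TLS server certificate.
# Assumes PowerShell 2.0 or later, run as an administrator on the IAS server.

$serverAuthEku   = '1.3.6.1.5.5.7.3.1'     # Server Authentication EKU
$ekuExtensionOid = '2.5.29.37'             # Enhanced Key Usage extension
$templateNameOid = '1.3.6.1.4.1.311.20.2'  # v1 template name (e.g. WebServer)
$templateInfoOid = '1.3.6.1.4.1.311.21.7'  # v2 template information

function Get-IasCandidateCert {
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Collect the EKU OIDs. A certificate with no EKU extension is
        # reported here as lacking Server Authentication; adjust if your CA
        # deliberately omits EKUs.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq $ekuExtensionOid) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        # Template name / information as the issuing CA wrote it.
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $templateNameOid -or $_.Oid.Value -eq $templateInfoOid } |
            ForEach-Object { $_.Format($false) }

        # Does the certificate chain to a root this machine trusts?
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainBuilds = $chain.Build($cert)

        # RSA key size; left empty if the CSP cannot decode the public key.
        $keyBits = $null
        try { $keyBits = $cert.PublicKey.Key.KeySize } catch { }

        $hasServerAuth = ($ekus -contains $serverAuthEku)
        $notExpired    = ($cert.NotAfter -gt (Get-Date))

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Template      = ($template -join '; ')
            KeyBits       = $keyBits
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $hasServerAuth
            ChainBuilds   = $chainBuilds
            UsableByIas   = ($cert.HasPrivateKey -and $hasServerAuth -and $chainBuilds -and $notExpired)
        }
    }
}

Get-IasCandidateCert |
    Format-List Subject, Issuer, NotAfter, Template, KeyBits, HasPrivateKey, ServerAuth, ChainBuilds, UsableByIas
```

Run it on the server hosting IAS (Server D in this thread) before and after each enrollment attempt. If no entry shows UsableByIas True, the Remote Access Policy has nothing to pick, and the columns tell you which requirement is missing: HasPrivateKey False usually means the certificate was imported without its key, ServerAuth False means the wrong template, and ChainBuilds False means the offline root (or the subordinate CA's own certificate) is not in the machine's trusted stores. KeyBits shows which of the 1024 or 2048 keysets you actually ended up with.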
 

Author Comment

by:CityofKerrville
ID: 24097182
I have recreated the certificate.  The original was 1024, so I set it up for 2048.  Will wait for the autoenrollment to take place and see what happens.  Will let you know.
0
