Solved

802.1x, IAS, PKI Setup Problem

Posted on 2009-04-07
Last Modified: 2013-12-04
Hello EE,

I have been working for several weeks now on our PKI.  The primary and initial purpose of the PKI is to provide 802.1x authentication for wireless users.  All wireless devices are connected through our Cisco Wireless LAN Controller that has 9 Lightweight WAPs spread throughout our infrastructure.  Initial wireless setup with MAC filtering had very good results.  Now with some upgrades coming down very soon, we are required to set up our PKI and thought what a good time to implement 802.1x on our wireless side.  Preliminary setup steps have brought us to some obstacles to overcome.

1.  Our original setup had 1 Offline Enterprise Root CA (Server A) and 2 Subordinate CAs (Servers B and C).  The problem we encountered here was the fact that the Subordinate CAs were Server 2003 Standard machines and did not support the Autoenrollment needed for the wireless clients.

2. After cleaning up a big group policy screw up, I took a step back.  After a failed attempt to upgrade Server B to Enterprise (problem with Virtual Iron), we decided to move forward and make our existing WSUS (future System Center) server (Server D) our first Subordinate CA.  At first glance everything works great.  Though when setting up IAS for 802.1x, it cannot find a certificate (see attachment).

3.  Thinking the IAS problem may be related to the mixed Standard/Enterprise environment, I decided to set up IAS on the new Sub CA (Server D).  After doing so I encountered the same issue.  I double checked to verify that IAS for the server is registered in AD (GOOD), but for some reason it will not grab a certificate.

So this is where I am stuck.  Why won't my IAS server enroll?

Here are some specs for all servers involved:

Server A
Enterprise Root CA
Offline - Already shutdown
Server 2003 Enterprise
Virtual Server

Server B
Domain Controller 1
DHCP, DNS, etc.
Original Candidate for Sub CA 1 and IAS
Server 2003 Standard
Virtual Server

Server C
Domain Controller 2
DHCP, DNS, etc.
Currently Configured as Stand-Alone Root for OWA.  Plan to migrate OWA function to new Sub CA when up and running.  Further plans to Upgrade to Server 2003 Enterprise, and turn into Sub CA 2, and install IAS
Currently Server 2003 Standard
Physical Server

Server D
Enterprise Subordinate CA
WSUS
Future plans to be full blown System Center
IAS
Server 2003 Enterprise

That's what I have so far.  Getting IAS working is the first step, then wireless client Autoenrollment, and finally 802.1x authentication.  See my diagram for details.


Attachments: IAS-Error.JPG, IAS-PKI-8021X.jpg

Question by: CityofKerrville

Author Comment

by:CityofKerrville
ID: 24091267
Update!!
IAS finally enrolled, but I still get the same error shown above when setting up the Remote Access Policy for Wireless Authentication.
Accepted Solution

by: Paranormastic earned 500 total points
ID: 24096964
What size keyset are you creating, and from which template?  A web server cert should be fine (or a duplicate thereof).  If you are trying a 2048 keyset, try a 1024 instead.

Here's a general install list of the process - pay attention to other options throughout that you may desire for your own environment as this is a pretty basic installation guide, but you can use this to make sure you have the key components:
http://www.isaserver.org/tutorials/Configuring-ISA-Firewall-Support-Certificate-Based-EAP-TLS-Authentication-Part2.html
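The accepted answer boils the problem down to two questions: which template issued the IAS certificate, and what key size it carries. The following script is an added example (written for this page, not posted by Paranormastic or by the asker) that answers both for every certificate in the computer's Personal store on the IAS box, and also reports the two properties IAS needs before a certificate shows up in the Remote Access Policy EAP settings: a private key present in the machine store and the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). It assumes it is run elevated on the IAS server under Windows PowerShell; the template-name OIDs and the EKU OID are standard Microsoft and PKIX values, and the key-size flag simply mirrors the answer's suggestion to compare a 1024-bit keyset against a 2048-bit one.

```powershell
# Added example, not part of the original thread.
# Lists machine certificates and flags the properties IAS checks when
# populating the EAP certificate list: private key, Server Auth EKU, template, key size.
# Assumption: run elevated on the IAS server (Cert:\LocalMachine\My).

$serverAuthOid = '1.3.6.1.5.5.7.3.1'                          # PKIX Server Authentication EKU
$templateOids  = @('1.3.6.1.4.1.311.20.2',                    # v1 "Certificate Template Name"
                   '1.3.6.1.4.1.311.21.7')                    # v2 "Certificate Template Information"

function Get-CertificateTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # The template extension is only present on certs issued from an enterprise CA template;
    # a stand-alone CA (like the OWA root mentioned in the question) leaves it out entirely.
    $ext = $Cert.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
    if ($ext) { return ($ext.Format($false) -replace "`r`n", ' ') }
    return '(no template extension - not from an enterprise CA template)'
}

function Test-IasCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # IAS can only offer certs whose private key lives in the machine store.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in machine store' }

    # Collect every EKU on the cert and look for Server Authentication.
    $hasServerAuth = $false
    foreach ($e in $Cert.Extensions) {
        if ($e -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $e.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
            }
        }
    }
    if (-not $hasServerAuth) { $problems += 'missing Server Authentication EKU' }

    # Key size is what the accepted answer asks about first; report it and
    # mark anything other than the 1024-bit size the answer suggests trying.
    $keySize = $Cert.PublicKey.Key.KeySize
    if ($keySize -ne 1024) { $problems += "key size is $keySize, not the 1024 suggested in the thread" }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }

    # New-Object PSObject keeps this usable on the PowerShell 1.0/2.0 builds of the era.
    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Template   = Get-CertificateTemplateName $Cert
        KeySize    = $keySize
        NotAfter   = $Cert.NotAfter
        Problems   = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'none' }
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-IasCertificate $_ } |
    Select-Object Subject, Template, KeySize, NotAfter, Problems |
    Format-Table -AutoSize
```

Run it on Server D and compare the output with the cert that the Remote Access Policy dialog refuses to show: if the row for it says "no template extension" or "missing Server Authentication EKU", the fix is to re-enroll from a Web Server template (or a duplicate of it) as the answer recommends; if the only flag is the key size, that is the 1024-versus-2048 experiment the answer describes.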
Author Comment

by:CityofKerrville
ID: 24097182
I have recreated the certificate.  The original was 1024 so I set it up for 2048.  Will wait for the autoenrollment to take place and see what happens.  Will let you know.