CityofKerrville
asked on
802.1x, IAS, PKI Setup Problem
Hello EE,
I have been working for several weeks now on our PKI. The primary and initial purpose of the PKI is to provide 802.1x authentication for wireless users. All wireless devices are connected through our Cisco Wireless LAN Controller that has 9 Lightweight WAPs spread throughout our infrastructure. The initial wireless setup with MAC filtering had very good results. Now with some upgrades coming down very soon, we are required to set up our PKI and thought it was a good time to implement 802.1x on our wireless side. Preliminary setup steps have brought us to some obstacles to overcome.
1. Our original setup had 1 Offline Enterprise Root CA (Server A) and 2 Subordinate CAs (Servers B and C). The problem we encountered here was the fact that the Subordinate CAs were Server 2003 Standard machines and did not support the Autoenrollment needed for the wireless clients.
2. After cleaning up a big group policy screw up, I took a step back. After a failed attempt to upgrade Server B to Enterprise (problem with Virtual Iron), we decided to move forward and make our existing WSUS (future System Center) server (Server D) our first Subordinate CA. At first glance everything works great. Though when setting up IAS for 802.1x, it cannot find a certificate (see attachment).
3. Thinking the IAS problem may be related to the mixed Standard/Enterprise environment, I decided to set up IAS on the new Sub CA (Server D). After doing so I encountered the same issue. I double checked to verify that IAS for the server is registered in AD (GOOD), but for some reason it will not grab a certificate.
So this is where I am stuck. Why won't my IAS server enroll?
Here are some specs for all servers involved
Server A
Enterprise Root CA
Offline - Already shutdown
Server 2003 Enterprise
Virtual Server
Server B
Domain Controller 1
DHCP, DNS, etc.
Original Candidate for Sub CA 1 and IAS
Server 2003 Standard
Virtual Server
Server C
Domain Controller 2
DHCP, DNS, etc.
Currently Configured as Stand-Alone Root for OWA. Plan to migrate OWA function to new Sub CA when up and running. Further plans to Upgrade to Server 2003 Enterprise, and turn into Sub CA 2, and install IAS
Currently Server 2003 Standard
Physical Server
Server D
Enterprise Subordinate CA
WSUS
Future plans to be full blown System Center
IAS
Server 2003 Enterprise
That's what I have so far. Getting IAS working is the first step, then wireless client Autoenrollment, and finally 802.1x authentication. See my diagram for details
IAS-Error.JPG
IAS-PKI-8021X.jpg
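A diagnostic for the symptom described above (IAS cannot find a certificate), added here as an example and not part of the original post: it walks the machine certificate store and reports, for each certificate, the checks a RADIUS server needs to pass before it will offer the certificate for PEAP/EAP-TLS (private key present, Server Authentication EKU, key size, validity, and a chain that builds to a trusted root). It assumes Windows PowerShell 5.1 on the RADIUS host and a 2048-bit minimum, matching the key size the asker later re-issued at.

```powershell
# Added diagnostic (not from the original post). Lists certificates in the
# local machine store and explains why each one would or would not be usable
# by IAS/NPS as a server certificate for 802.1x (PEAP / EAP-TLS).
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$minKeyBits    = 2048                 # assumption: policy minimum for the RADIUS cert

function Test-RadiusServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $reasons = @()
    if (-not $Cert.HasPrivateKey) { $reasons += 'no private key' }
    if (-not ($Cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })) {
        $reasons += 'missing Server Authentication EKU'
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa -and $rsa.KeySize -lt $minKeyBits) { $reasons += "key only $($rsa.KeySize) bits" }
    if ($Cert.NotAfter -lt (Get-Date)) { $reasons += 'expired' }
    if ($Cert.NotBefore -gt (Get-Date)) { $reasons += 'not yet valid' }
    # The chain must build to a root the server and clients trust. An offline
    # root whose published CRL has lapsed is a common reason an otherwise
    # valid certificate is rejected, so revocation checking stays on.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if (-not $chain.Build($Cert)) {
        $reasons += (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join ', ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RadiusServerCert -Cert $_ } |
    Format-Table Subject, Issuer, Usable, Reasons -AutoSize

# If no certificate is usable, trigger machine autoenrollment and re-run:
#   certutil -pulse
```

If every certificate fails only the chain check, the issuing CA's certificate or CRL is what needs attention rather than the enrollment itself.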
ASKER
I have recreated the certificate. The original was 1024 so I set it up for 2048. Will wait for the autoenrollment to take place and see what happens. Will let you know.
ASKER
IAS finally enrolled, but I still get the same error shown above when setting up the Remote Access Policy for Wireless Authentication.