Non-domain wireless clients do not trust IAS server certificate

I just set up a Windows 2003 server with IAS and made it a stand-alone certificate server and issued a certificate for the IAS. The purpose is to allow computers to authenticate to the wireless network without storing passwords. I use group policy to push the server certificate to the clients' trusted store and to configure the wireless network connection properties. We are using PEAP with AES encryption and WPA-Enterprise and MS-CHAPv2.

Everything works great for domain computers, but the problem is with non-domain computers, such as visitors or contractors. Since we are using our own cert, the computers do not trust it, and since they do not use our group policy we can't make them trust it. So this leads to my specific questions:

1> Did I make a mistake of creating a "Stand-Alone Root CA" Certificate server instead of an "Enterprise Root CA" server? Would that make a difference, if I started over and made it an Enterprise Root?

2> Or do I need to purchase a third-party certificate, that is already in the trusted store on non-domain windows clients?

3> If I need a third-party cert, can I use a Go-Daddy cert? I do see a Godaddy cert already in trusted stores on some laptops here.

4> What is the process to generate a certificate request for an IAS server? Is it different than when making one for a web server? I am getting conflicting info on this.

5> Is the third-party certificate for IAS somehow different than a standard web server https certificate? If so, where do I get these and how do I know I am getting the right one?
robw24 asked:
Shmoid (Senior Engineer) commented:
See responses to your questions inline below:

Question: I just set up a Windows 2003 server with IAS and made it a stand-alone certificate server and issued a certificate for the IAS. The purpose is to allow computers to authenticate to the wireless network without storing passwords. I use group policy to push the server certificate to the clients' trusted store and to configure the wireless network connection properties. We are using PEAP with AES encryption and WPA-Enterprise and MS-CHAPv2.

Everything works great for domain computers, but the problem is with non-domain computers, such as visitors or contractors. Since we are using our own cert, the computers do not trust it, and since they do not use our group policy we can't make them trust it. So this leads to my specific questions:

1> Did I make a mistake of creating a "Stand-Alone Root CA" Certificate server instead of an "Enterprise Root CA" server? Would that make a difference, if I started over and made it an Enterprise Root?

I wouldn’t say mistake but from a security standpoint certainly not best practice.  However, it would make no difference if you had installed an Enterprise Root CA from the standpoint of non-domain users trusting it.  

2> Or do I need to purchase a third-party certificate, that is already in the trusted store on non-domain windows clients?

Purchasing a third party cert might be the cleanest solution if you don’t mind the cost. But you could also provide your CA’s public key to the non-domain members so it could be manually installed in the trusted root store. It’s a little more work but it’s free.

3> If I need a third-party cert, can I use a Go-Daddy cert? I do see a Godaddy cert already in trusted stores on some laptops here.

Yes, you could use GoDaddy or any other 3rd party Certificate Authority.

4> What is the process to generate a certificate request for an IAS server? Is it different than when making one for a web server? I am getting conflicting info on this.

No different. It is just a standard server authentication certificate.

5> Is the third-party certificate for IAS somehow different than a standard web server https certificate? If so, where do I get these and how do I know I am getting the right one?

No. It is the same.

robw24 (Author) commented:
Thanks Shmoid. However, when I go into IIS and I'm supposed to click on the site that I need to make a CSR for, there is none because there is no website. Would I use the "Default Web Site"?
Shmoid (Senior Engineer) commented:
Yes, the Default Web Site is perfect.
robw24 (Author) commented:
I have the cert and am in the process of finishing the CSR within IIS. It is asking me to specify the SSL port to use, defaulting to 443. Do I need to change this, since I am not using SSL for the authentication of wireless clients?
Shmoid (Senior Engineer) commented:
No, do not change it. Even though you will not be using the cert for securing a webpage, the wizard just needs to complete the install. Once the cert is in place you can select it in the IAS configuration. From there it will present that cert to wireless clients.
robw24 (Author) commented:
Ok, it's complete. You helped me resolve my issue. I just want to run by you what's going on now.

Now the non-domain clients are able to connect, however they do receive a certificate warning. With the self-signed cert, they could not connect at all, now they can connect but get a warning:

"is not configured as a valid trust anchor for this profile."

"not configured as a valid NPS server to connect"

It is a GoDaddy cert, and the root is www.valicert.com

Shmoid (Senior Engineer) commented:
On the PEAP settings page make sure the GoDaddy CA that issued your cert is checked in the trusted root list.

[Attachment: PEAP Settings]
robw24 (Author) commented:
Thanks, that helped the domain computers, because the profile is pushed out through group policy. But on non-domain (visitors) computers, there is no profile or PEAP settings to edit before connecting for the first time.
Shmoid (Senior Engineer) commented:
I'm not sure what you mean. I know you may have to create a new profile from scratch but you can set the PEAP settings during the initial configuration of a new profile. Let me know more specifics.
robw24 (Author) commented:
I see what you mean now, that a visitor would need to configure a profile from scratch. However, our intent is for a visitor to come in and click on the SSID of our WIFI, get prompted for a username and password, and then connect. We don't want to have to create a profile on every visitor laptop.

When I used an internally generated certificate, the guest would get the username and password prompt, but then it would not connect after entering it. Then, when I tried a GoDaddy certificate, the Windows 7 visitor laptops would get a username and password prompt, then a certificate warning, and then they would get connected. However Windows XP laptops could not connect at all.

I am now working on getting a Thawte certificate. I know these work well as we used one for our webmail. However, Thawte requires a fully qualified domain name for their SSL123 certs. In IIS and IAS, it only shows the host name of the server with no domain. So I had to add our internal domain name to the host name during the CSR generation. Not sure if IAS will like that. Waiting on the cert now.
Shmoid (Senior Engineer) commented:
Gotcha. Makes sense.

You said after you switched to the GoDaddy cert the Win 7 would get prompted, cert error, then connect. But XP wouldn't connect at all. You didn't mention if the XP would get prompted. Did XP get prompted?

Let me know if the Thawte cert makes a difference. Don't see why it would.
robw24 (Author) commented:
To answer your question, the XP machines were not being prompted.

Ok, well it doesn't seem like the Thawte cert made a difference. I did find out that the XP computer was not connecting because the connection profile needs to be manually configured, as it seems to default to using a certificate or smartcard, which cannot be found. I need to either edit or create a connection profile that specifies PEAP, and also not to automatically provide the logged-in name and password for authentication.

So, how can I get the visitor XP laptops to connect to the wifi without any manual intervention, other than a guest name and password? Not possible?
Shmoid (Senior Engineer) commented:
Well, since you already have IAS server you could take a look at Microsoft's Wireless Provisioning Services (WPS).  Here's a link:  http://technet.microsoft.com/en-us/library/cc727956(WS.10).aspx

It will allow you to push a configuration to your guest computers without them having to join the domain.  Not sure it's worth that much trouble to you but if you have lots of guest computers running XP then maybe it would be. At least it would be transparent to the user.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.