Solved

Non-domain wireless clients do not trust IAS server certificate

Posted on 2011-10-03
Last Modified: 2013-12-09
I just set up a Windows 2003 server with IAS and made it a stand-alone certificate server and issued a certificate for the IAS. The purpose is to allow computers to authenticate to the wireless network without storing passwords. I use group policy to push the server certificate to the clients' trusted store and to configure the wireless network connection properties. We are using PEAP with AES encryption and WPA-Enterprise and MS-CHAPv2.

Everything works great for domain computers, but the problem is with non-domain computers, such as visitors or contractors. Since we are using our own cert, the computers do not trust it, and since they do not use our group policy, we can't make them trust it. So this leads to my specific questions:

1> Did I make a mistake by creating a "Stand-Alone Root CA" certificate server instead of an "Enterprise Root CA" server? Would that make a difference if I started over and made it an Enterprise Root?

2> Or do I need to purchase a third-party certificate, that is already in the trusted store on non-domain windows clients?

3> If I need a third-party cert, can I use a Go-Daddy cert? I do see a Godaddy cert already in trusted stores on some laptops here.

4> What is the process to generate a certificate request for an IAS server? Is it different than when making one for a web server? I am getting conflicting info on this.

5> Is the third-party certificate for IAS somehow different than a standard web server HTTPS certificate? If so, where do I get these and how do I know I am getting the right one?
Question by:robw24
Accepted Solution

by:Shmoid
ID: 36905260
See responses to your questions inline below:

Question: I just set up a Windows 2003 server with IAS and made it a stand-alone certificate server and issued a certificate for the IAS. The purpose is to allow computers to authenticate to the wireless network without storing passwords. I use group policy to push the server certificate to the clients' trusted store and to configure the wireless network connection properties. We are using PEAP with AES encryption and WPA-Enterprise and MS-CHAPv2.

Everything works great for domain computers, but the problem is with non-domain computers, such as visitors or contractors. Since we are using our own cert, the computers do not trust it, and since they do not use our group policy, we can't make them trust it. So this leads to my specific questions:

1> Did I make a mistake by creating a "Stand-Alone Root CA" certificate server instead of an "Enterprise Root CA" server? Would that make a difference if I started over and made it an Enterprise Root?

I wouldn’t say a mistake, but from a security standpoint it is certainly not best practice. However, it would make no difference if you had installed an Enterprise Root CA from the standpoint of non-domain users trusting it.

2> Or do I need to purchase a third-party certificate, that is already in the trusted store on non-domain windows clients?

Purchasing a third party cert might be the cleanest solution if you don’t mind the cost. But you could also provide your CA’s public key to the non-domain members so it could be manually installed in the trusted root store. It’s a little more work but it’s free.

3> If I need a third-party cert, can I use a Go-Daddy cert? I do see a Godaddy cert already in trusted stores on some laptops here.

Yes, you could use GoDaddy or any other 3rd party Certificate Authority.

4> What is the process to generate a certificate request for an IAS server? Is it different than when making one for a web server? I am getting conflicting info on this.

No different. It is just a standard server authentication certificate.

5> Is the third-party certificate for IAS somehow different than a standard web server HTTPS certificate? If so, where do I get these and how do I know I am getting the right one?

No. It is the same.
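The manual-install and "standard server authentication certificate" points in the accepted answer, as an added example that is not from the thread: a PowerShell script for a non-domain Windows client that imports the private root CA into the machine Trusted Root store (what group policy does for domain members) and then checks the IAS server certificate for the properties a PEAP client requires: it chains to a trusted root, carries the Server Authentication EKU, and its subject name matches the server name configured in IAS. The file paths and the server name are assumed placeholders.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the client.
# Placeholders: adjust the two file paths and the expected server name.
$RootCaFile   = 'C:\certs\OurRootCA.cer'     # exported on the CA with: certutil -ca.cert OurRootCA.cer
$ServerCert   = 'C:\certs\ias-server.cer'    # public part of the IAS server certificate (check only)
$ExpectedName = 'ias01.corp.example.local'   # FQDN used as the CN in the CSR
$ns = 'System.Security.Cryptography.X509Certificates'

function Install-RootCa([string]$Path) {
    # Step 1: place the private CA certificate in the machine-wide Trusted Root store.
    $ca = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    if ($ca.Subject -ne $ca.Issuer) { throw "Not a self-signed root CA certificate: $($ca.Subject)" }
    $store = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($ca)          # no-op if the same certificate is already present
    $store.Close()
    return $ca.Thumbprint
}

function Test-IasServerCert([string]$Path, [string]$ExpectedName) {
    # Step 2: evaluate the server certificate the way a PEAP client will.
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $Path
    $problems = @()

    # Enhanced Key Usage (OID 2.5.29.37) must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'Enhanced Key Usage lacks Server Authentication (1.3.6.1.5.5.7.3.1)'
    }

    # The subject CN should be the name clients are told to expect in the PEAP settings.
    $cn = $cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedName) {
        $problems += "subject name '$cn' does not match the configured server name '$ExpectedName'"
    }

    # Build the chain against the local Trusted Root store; revocation is checked separately.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "chain: $($_.StatusInformation.Trim())" })
    }
    return $problems
}

$rootThumb = Install-RootCa $RootCaFile
"Trusted root installed: $rootThumb"
$issues = Test-IasServerCert $ServerCert $ExpectedName
if ($issues.Count -eq 0) { 'Server certificate is acceptable for PEAP clients' }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

A chain failure reported here is the same trust problem the non-domain clients hit, just visible before anyone tries to associate with the SSID.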
Author Comment

by:robw24
ID: 36905295
Thanks Shmoid. However, when I go into IIS and I'm supposed to click on the site that I need to make a CSR for, there is none because there is no website. Would I use the "Default Web Site"?
Expert Comment

by:Shmoid
ID: 36905392
Yes, the Default Web Site is perfect.
Author Comment

by:robw24
ID: 36905952
I have the cert and am in the process of finishing the CSR within IIS. It is asking me to specify the SSL port to use, defaulting to 443. Do I need to change this, since I am not using SSL for the authentication of wireless clients?
Expert Comment

by:Shmoid
ID: 36906103
No, do not change it. Even though you will not be using the cert for securing a webpage, the wizard just needs to complete the install. Once the cert is in place you can select it in the IAS configuration. From there it will present that cert to wireless clients.
Author Comment

by:robw24
ID: 36909431
Ok, it's complete. You helped me resolve my issue. I just want to run by you what's going on now.

Now the non-domain clients are able to connect, however they do receive a certificate warning. With the self-signed cert, they could not connect at all, now they can connect but get a warning:

"is not configured as a valid trust anchor for this profile."

"not configured as a valid NPS server to connect"

It is a GoDaddy cert, and the root is www.valicert.com

Expert Comment

by:Shmoid
ID: 36910255
On the PEAP settings page make sure the GoDaddy CA that issued your cert is checked in the trusted root list.

[Screenshot: PEAP Settings]
Author Comment

by:robw24
ID: 36911229
Thanks, that helped the domain computers, because the profile is pushed out through group policy. But on non-domain (visitors) computers, there is no profile or PEAP settings to edit before connecting for the first time.
Expert Comment

by:Shmoid
ID: 36912475
I'm not sure what you mean. I know you may have to create a new profile from scratch but you can set the PEAP settings during the initial configuration of a new profile. Let me know more specifics.
Author Comment

by:robw24
ID: 36912743
I see what you mean now, that a visitor would need to configure a profile from scratch. However, our intent is for a visitor to come in and click on the SSID of our WIFI, get prompted for a username and password, and then connect. We don't want to have to create a profile on every visitor laptop.

When I used an internally generated certificate, the guest would get the username and password prompt, but then it would not connect after entering it. Then, when I tried a GoDaddy certificate, the Windows 7 visitor laptops would get a username and password prompt, then a certificate warning, and then they would get connected. However Windows XP laptops could not connect at all.

I am now working on getting a Thawte certificate. I know these work well, as we used one for our webmail. However, Thawte requires a fully qualified domain name for their SSL123 certs. In IIS and IAS, it only shows the host name of the server with no domain. So I had to add our internal domain name to the host name during the CSR generation. Not sure if IAS will like that. Waiting on the cert now.
Expert Comment

by:Shmoid
ID: 36914918
Gotcha. Makes sense.

You said after you switched to the GoDaddy cert the Win 7 machines would get prompted, get a cert error, then connect. But XP wouldn't connect at all. You didn't mention if the XP machines would get prompted. Did XP get prompted?

Let me know if the Thawte cert makes a difference. Don't see why it would.
Author Comment

by:robw24
ID: 36917456
To answer your question, the XP machines were not being prompted.

Ok, well it doesn't seem like the Thawte cert made a difference. I did find out that the XP computer was not connecting because the connection profile needs to be manually configured, as it seems to default to using a certificate or smartcard, which cannot be found. I need to either edit or create a connection profile that specifies PEAP, and also not to automatically provide the logged-in name and password for authentication.

So, how can I get the visitor XP laptops to connect to the wifi without any manual intervention, other than a guest name and password? Not possible?
Expert Comment

by:Shmoid
ID: 36918509

Well, since you already have IAS server you could take a look at Microsoft's Wireless Provisioning Services (WPS).  Here's a link:  http://technet.microsoft.com/en-us/library/cc727956(WS.10).aspx

It will allow you to push a configuration to your guest computers without them having to join the domain.  Not sure it's worth that much trouble to you but if you have lots of guest computers running XP then maybe it would be. At least it would be transparent to the user.