Non-domain wireless clients do not trust IAS server certificate
Posted on 2011-10-03
I just set up a Windows 2003 server with IAS and made it a stand-alone certificate server and issued a certificate for the IAS. The purpose is to allow computers to authenticate to the wireless network without storing passwords. I use group policy to push the server certificate to the clients' trusted store and to configure the wireless network connection properties. We are using PEAP with AES encryption and WPA-Enterprise and MS-CHAPv2.
Everything works great for domain computers, but the problem is with non-domain computers, such as visitors or contractors. Since we are using our own cert, the computers do not trust it, and since they do not use our group policy, we can't make them trust it. So this leads to my specific questions:
1> Did I make a mistake of creating a "Stand-Alone Root CA" Certificate server instead of an "Enterprise Root CA" server? Would that make a difference, if I started over and made it an Enterprise Root?
2> Or do I need to purchase a third-party certificate that is already in the trusted store on non-domain Windows clients?
3> If I need a third-party cert, can I use a GoDaddy cert? I do see a GoDaddy cert already in trusted stores on some laptops here.
4> What is the process to generate a certificate request for an IAS server? Is it different than when making one for a web server? I am getting conflicting info on this.
5> Is the third-party certificate for IAS somehow different than a standard web server https certificate? If so, where do I get these and how do I know I am getting the right one?