robw24 asked:
Non-domain wireless clients do not trust IAS server certificate

I just set up a Windows 2003 server with IAS and made it a stand-alone certificate server and issued a certificate for the IAS. The purpose is to allow computers to authenticate to the wireless network without storing passwords. I use group policy to push the server certificate to the clients' trusted store and to configure the wireless network connection properties. We are using PEAP with AES encryption and WPA-Enterprise and MS-CHAPv2.

Everything works great for domain computers, but the problem is with non-domain computers, such as visitors or contractors. Since we are using our own cert, the computers do not trust it, and since they do not use our group policy we can't make them trust it. So this leads to my specific questions:

1> Did I make a mistake of creating a "Stand-Alone Root CA" Certificate server instead of an "Enterprise Root CA" server? Would that make a difference, if I started over and made it an Enterprise Root?

2> Or do I need to purchase a third-party certificate, that is already in the trusted store on non-domain windows clients?

3> If I need a third-party cert, can I use a GoDaddy cert? I do see a GoDaddy cert already in trusted stores on some laptops here.

4> What is the process to generate a certificate request for an IAS server? Is it different than when making one for a web server? I am getting conflicting info on this.

5> Is the third-party certificate for IAS somehow different than a standard web server https certificate? If so, where do I get these and how do I know I am getting the right one?
ASKER CERTIFIED SOLUTION (Shmoid)
robw24 (ASKER):

Thanks Shmoid. However, when I go into IIS and I'm supposed to click on the site that I need to make a CSR for, there is none because there is no website. Would I use the "Default Web Site"?
Shmoid:

Yes, the Default Web Site is perfect.
robw24 (ASKER):
I have the cert and in the process of finishing the CSR within IIS. It is asking me to specify the SSL port to use, defaulting to 443. Do I need to change this, since I am not using SSL for the authentication of wireless clients?
Shmoid:

No, do not change it. Even though you will not be using the cert for securing a webpage, the wizard just needs to complete the install. Once the cert is in place you can select it in the IAS configuration. From there it will present that cert to wireless clients.
robw24 (ASKER):

Ok, it's complete. You helped me resolve my issue. I just want to run by you what's going on now.

Now the non-domain clients are able to connect, however they do receive a certificate warning. With the self-signed cert, they could not connect at all, now they can connect but get a warning:

"is not configured as a valid trust anchor for this profile."

"not configured as a valid NPS server to connect"

It is a GoDaddy cert, and the root is www.valicert.com

Shmoid:

On the PEAP settings page make sure the GoDaddy CA that issued your cert is checked in the trusted root list.

robw24 (ASKER):
Thanks, that helped the domain computers, because the profile is pushed out through group policy. But on non-domain (visitors) computers, there is no profile or PEAP settings to edit before connecting for the first time.
Shmoid:

I'm not sure what you mean. I know you may have to create a new profile from scratch but you can set the PEAP settings during the initial configuration of a new profile. Let me know more specifics.
robw24 (ASKER):
I see what you mean now, that a visitor would need to configure a profile from scratch. However, our intent is for a visitor to come in and click on the SSID of our WIFI, get prompted for a username and password, and then connect. We don't want to have to create a profile on every visitor laptop.

When I used an internally generated certificate, the guest would get the username and password prompt, but then it would not connect after entering it. Then, when I tried a GoDaddy certificate, the Windows 7 visitor laptops would get a username and password prompt, then a certificate warning, and then they would get connected. However Windows XP laptops could not connect at all.

I am now working on getting a Thawte certificate. I know these work well as we used one for our webmail. However, Thawte requires a fully qualified domain name for their SSL123 certs. In IIS and IAS, it only shows the host name of the server with no domain. So I had to add our internal domain name to the host name during the CSR generation. Not sure if IAS will like that. Waiting on the cert now.
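As an added example (not from this thread or either poster), here is a way around the IIS wizard for the CSR problem described above: a certreq INF that puts the server's full FQDN in the subject and a DNS SAN, and requests the Server Authentication EKU that PEAP clients look for on a RADIUS server certificate. The hostname ias.corp.example.com and the organization fields are placeholders to be replaced with your own values.

```powershell
# Added example: generate an IAS/NPS server CSR with certreq instead of the IIS wizard.
# Placeholders: ias.corp.example.com, Example Corp, US. Run in an elevated prompt on the IAS server.
$fqdn = "ias.corp.example.com"   # must match what the public CA (Thawte, GoDaddy, ...) will validate

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
; Full FQDN in the subject; IIS only offers the short host name here
Subject = "CN=$fqdn, O=Example Corp, C=US"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
; Machine store so IAS (running as a service) can read the private key
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; Digital Signature + Key Encipherment
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Server Authentication: PEAP/EAP-TLS clients reject server certs without it
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name with the same FQDN
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
"@

Set-Content -Path .\ias.inf -Value $inf -Encoding ASCII

# 1. Create the key pair in the machine store and the PKCS#10 request to send to the CA
certreq -new .\ias.inf .\ias.req

# 2. After the CA returns ias.cer, bind it to the pending key so it appears in IAS's certificate list
#    certreq -accept .\ias.cer

# 3. Confirm the chain builds to a root the clients trust before selecting it in IAS
#    certutil -verify .\ias.cer
```

Once accepted, the certificate appears in the Local Computer store and can be selected in the IAS PEAP settings; the guest clients still need the issuing CA present (and, on a configured profile, checked) in their trusted root list.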
Shmoid:

Gotcha. Makes sense.

You said after you switched to the GoDaddy cert the Win 7 would get prompted, cert error, then connect. But XP wouldn't connect at all. You didn't mention if the XP would get prompted. Did XP get prompted?

Let me know if the Thawte cert makes a difference. Don't see why it would.
robw24 (ASKER):
To answer your question, the XP machines were not being prompted.

Ok, well it doesn't seem like the Thawte cert made a difference. I did find out that the XP computer was not connecting because the connection profile needs to be manually configured, as it seems to default to using a certificate or smartcard, which cannot be found. I need to either edit or create a connection profile that specifies PEAP, and also not to automatically provide the logged-in name and password for authentication.

So, how can I get the visitor XP laptops to connect to the wifi without any manual intervention, other than a guest name and password? Not possible?

Shmoid:

Well, since you already have an IAS server you could take a look at Microsoft's Wireless Provisioning Services (WPS). Here's a link: http://technet.microsoft.com/en-us/library/cc727956(WS.10).aspx

It will allow you to push a configuration to your guest computers without them having to join the domain. Not sure it's worth that much trouble to you, but if you have lots of guest computers running XP then maybe it would be. At least it would be transparent to the user.