Connecting to a WPA2 Enterprise WLan, using computer certificates on non-domain members
Hi Experts,
I have the need to connect a few mobile medical devices to my network, for the purpose of backing up critical data. After some investigation, the easiest solution for this requires setting up and connecting to a wireless network. I am most of the way down the track with this, having the wireless network setup, and connected to a VLAN.
These devices run Windows XP, and I need to be able to have these devices connect using computer certificates. I do not want to use PEAP for the connection. I have been able to get Windows XP SP3 domain members to successfully connect to the wireless using requested computer certificates, however I cannot obtain the correct certificate for the non-domain members to be able to connect.
Here are the details of what I am using:
Windows 2003 Enterprise Domain Enrolled CA
- Certificate issued to 2003 IAS Server (DC)
- Computer (Machine) certificate issued to domain members
Windows 2003 IAS
- Setup for EAP auth, using the DC cert. Policy condition set to the IP of the AP
WPA2-AES setup on the AP
- Setup with the IP of the IAS, and shared secret according to the RADIUS Client setup
Windows XP Client
- Configured to use Computer Authentication as per http://support.microsoft.com/kb/929847
- Wlan profile configured to use simple certificate selection
I have been using a test PC for this. As I mentioned, when the client is a domain member, I can request a computer cert, and then the Wlan profile uses this cert to connect, and the computer connects to the Wlan at boot up time, without a logon required. However when I remove the client from the domain, and request a cert from the CA, it fails to connect. I have created duplicate of the Computer template (ComputerWlan), and created a new certificate to issue based on this template. I set this template to supply the subject name in the request, and then used certreq from the client to create a request, using an inf file. This is what the inf file contained:
[Version]
Signature = "$Windows NT$"
[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
Subject="CN=evo"
UseExistingKeySet = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "ComputerWlan"
SAN = "dns=evo"
I was able to submit this request to the CA, and then install the subsequent certificate on the client, however the client is unable to connect to the Wlan using this certificate.
Does anyone know how to get a non-domain member to connect to the Wlan using computer certificate authentication?
I have the need to connect a few mobile medical devices to my network, for the purpose of backing up critical data. After some investigation, the easiest solution for this requires setting up and connecting to a wireless network. I am most of the way down the track with this, having the wireless network setup, and connected to a VLAN.
These devices run Windows XP, and I need to be able to have these devices connect using computer certificates. I do not want to use PEAP for the connection. I have been able to get Windows XP SP3 domain members to successfully connect to the wireless using requested computer certificates, however I cannot obtain the correct certificate for the non-domain members to be able to connect.
Here are the details of what I am using:
Windows 2003 Enterprise Domain Enrolled CA
- Certificate issued to 2003 IAS Server (DC)
- Computer (Machine) certificate issued to domain members
Windows 2003 IAS
- Setup for EAP auth, using the DC cert. Policy condition set to the IP of the AP
WPA2-AES setup on the AP
- Setup with the IP of the IAS, and shared secret according to the RADIUS Client setup
Windows XP Client
- Configured to use Computer Authentication as per http://support.microsoft.com/kb/929847
- Wlan profile configured to use simple certificate selection
I have been using a test PC for this. As I mentioned, when the client is a domain member, I can request a computer cert, and then the Wlan profile uses this cert to connect, and the computer connects to the Wlan at boot up time, without a logon required. However when I remove the client from the domain, and request a cert from the CA, it fails to connect. I have created duplicate of the Computer template (ComputerWlan), and created a new certificate to issue based on this template. I set this template to supply the subject name in the request, and then used certreq from the client to create a request, using an inf file. This is what the inf file contained:
[Version]
Signature = "$Windows NT$"
[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
Subject="CN=evo"
UseExistingKeySet = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "ComputerWlan"
SAN = "dns=evo"
I was able to submit this request to the CA, and then install the subsequent certificate on the client, however the client is unable to connect to the Wlan using this certificate.
Does anyone know how to get a non-domain member to connect to the Wlan using computer certificate authentication?
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/3fa3b0fb-ca78-4b78-af61-557cf0fc2593
How to put Machine Certs on Non-domain systems
1. Create INF file( eg., dmz14.inf)[Note: !!Important!! The inf file must be stored as UNICODE! ]
2. Copy INF file and root and issuing CA certs to device needing cert.
3. Using RDP, connect to the device
4. Add MMC for Certificates, Local Machine. Import CA certs into root and intermediate trusted CAs store respectively.
5. Open cmd prompt, cd to directory containing INF file.
6. Enter the command to create a certificate request as in this example:
Certreq -new dmz14.inf dmz14.req [where dmz14 is the name of the device]
7. This should generate a .req file. Copy that file back to the domain.
8. From a domain machine, login as domain admin, open cmd prompt and type:
certreq –submit dmz14.req dmz14.cer
A window pops up asking you to select a CA. Choose the Domain issuing CA.
This should generate a .cer file which you then copy back to the device.
9. Using certificates mmc, import into Local Machine, personal store or alternatively, use cmdline:
certreq -accept dmz14.cer
1. Create INF file( eg., dmz14.inf)[Note: !!Important!! The inf file must be stored as UNICODE! ]
2. Copy INF file and root and issuing CA certs to device needing cert.
3. Using RDP, connect to the device
4. Add MMC for Certificates, Local Machine. Import CA certs into root and intermediate trusted CAs store respectively.
5. Open cmd prompt, cd to directory containing INF file.
6. Enter the command to create a certificate request as in this example:
Certreq -new dmz14.inf dmz14.req [where dmz14 is the name of the device]
7. This should generate a .req file. Copy that file back to the domain.
8. From a domain machine, login as domain admin, open cmd prompt and type:
certreq –submit dmz14.req dmz14.cer
A window pops up asking you to select a CA. Choose the Domain issuing CA.
This should generate a .cer file which you then copy back to the device.
9. Using certificates mmc, import into Local Machine, personal store or alternatively, use cmdline:
certreq -accept dmz14.cer
ASKER
Hi Experts,
Sorry for the delayed response, I have been concentrating on other tasks.
Boilermaker85, thanks for your input. THis is the same process I used to generate the request, approve and install the certificate, except for saving the file in unicode. I have since tried this again, using unicode format for th inf, whith no success.
Tomago, I have viewed this article, and tried assigning a certificate to a user (using web enrollment, authenticating as the user), and imported this certificate into the client. I have also change the registry to allow use of user certificates (and also tried the windows default setting), and then set the WLan connection to use certificate authentication. The message that I get at this point is 'Windows was unable to find a certificate to log you onto the network [wireless_network_name]'. I have tried changing a few of the connection options, with no success.
Does anyone have any further ideas?
Sorry for the delayed response, I have been concentrating on other tasks.
Boilermaker85, thanks for your input. THis is the same process I used to generate the request, approve and install the certificate, except for saving the file in unicode. I have since tried this again, using unicode format for th inf, whith no success.
Tomago, I have viewed this article, and tried assigning a certificate to a user (using web enrollment, authenticating as the user), and imported this certificate into the client. I have also change the registry to allow use of user certificates (and also tried the windows default setting), and then set the WLan connection to use certificate authentication. The message that I get at this point is 'Windows was unable to find a certificate to log you onto the network [wireless_network_name]'. I have tried changing a few of the connection options, with no success.
Does anyone have any further ideas?
ASKER
Hi Experts,
Is someone able to give some advice on this subject, how to successfully connect to a WPA2 Enterprise WLan, using computer certificates on non-domain members. There must be something that is not quite right that is stopping this from working.
Any ideas please.
Is someone able to give some advice on this subject, how to successfully connect to a WPA2 Enterprise WLan, using computer certificates on non-domain members. There must be something that is not quite right that is stopping this from working.
Any ideas please.
ASKER
Hi,
I would like this question to remain so that I can obtain an answer to this. There has to be some way of achieving this.
I would like this question to remain so that I can obtain an answer to this. There has to be some way of achieving this.
Could you please post screen shots of your remote access policies?
There's no problem getting non-domain members connected to wireless. i have 200 iPhone and iPads connected with certificates.
Also - i could be helpful to look in System log for warnings or errors with source IAS. Please post here
There's no problem getting non-domain members connected to wireless. i have 200 iPhone and iPads connected with certificates.
Also - i could be helpful to look in System log for warnings or errors with source IAS. Please post here
ASKER
Sure thing. I will post some screenshots of my IAS policies when I am in at work tomorrow. 200 iPads & iPhones connected with certs; looks promising :-).
ASKER
Thanks for expanding the zones admin, and for asking some experts to review this :-)
Here are some screenshots of the Remote Access Policy (domain names have been modified).
The Dial-in Constraints tab has no settings and the Multilink tab has the default options set.
Let me know your thoughts.
TestWlan-Policy-Img1.gif
TestWlan-Policy-Img2.gif
TestWlan-Policy-Img3.gif
TestWlan-Policy-Img4.gif
TestWlan-Policy-Img5.gif
TestWlan-Policy-Img6.gif
TestWlan-Policy-Img7.gif
TestWlan-Policy-Img8.gif
Here are some screenshots of the Remote Access Policy (domain names have been modified).
The Dial-in Constraints tab has no settings and the Multilink tab has the default options set.
Let me know your thoughts.
TestWlan-Policy-Img1.gif
TestWlan-Policy-Img2.gif
TestWlan-Policy-Img3.gif
TestWlan-Policy-Img4.gif
TestWlan-Policy-Img5.gif
TestWlan-Policy-Img6.gif
TestWlan-Policy-Img7.gif
TestWlan-Policy-Img8.gif
if you look in event viewer, are there any errors in Ssytem log - Source IAS?
ASKER
This is one of the errors I see when I try to connect using Computer Certificates. This is using the cert that I created using certreq.
(Note, the name of my domain has been changed to MyDomain)
User 37831b9a-d293-4c0c-a96a-6e
Fully-Qualified-User-Name = MyDomain\37831b9a-d293-4c0
NAS-IP-Address = 10.3.7.10
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier
Client-Friendly-Name = Test Wireless AP
Client-IP-Address = 10.3.7.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
When I tried to use a certificate assigned to a user (as per post by tomago), this is what I get (username is 'Mobile Imaging'.
User host/Mobile Imaging was denied access.
Fully-Qualified-User-Name = MyDomain\host/Mobile Imaging
NAS-IP-Address = 10.3.7.10
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier
Client-Friendly-Name = Test Wireless AP
Client-IP-Address = 10.3.7.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
(Note, the name of my domain has been changed to MyDomain)
User 37831b9a-d293-4c0c-a96a-6e
Fully-Qualified-User-Name = MyDomain\37831b9a-d293-4c0
NAS-IP-Address = 10.3.7.10
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier
Client-Friendly-Name = Test Wireless AP
Client-IP-Address = 10.3.7.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
When I tried to use a certificate assigned to a user (as per post by tomago), this is what I get (username is 'Mobile Imaging'.
User host/Mobile Imaging was denied access.
Fully-Qualified-User-Name = MyDomain\host/Mobile Imaging
NAS-IP-Address = 10.3.7.10
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier
Client-Friendly-Name = Test Wireless AP
Client-IP-Address = 10.3.7.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
as it says, no user account exists for that certificate.
Create a "dummy" user account for tablets - and request a certificate using that account - export that certificate and enroll onto tablets
Create a "dummy" user account for tablets - and request a certificate using that account - export that certificate and enroll onto tablets
ASKER
I had already created this one. This was the 'Mobile Imaging' one you saw above. I have exported the certificate for this user via ADUC (as a cer file).
I have placed this certificate, as well as the CA certificate into a profile, and installed this on my iPhone. I can see the 2 certificates when I go into the profile details.
When I try to create a wireless connection to the visible Wlan, I select EAP-TLS mode, but the identty section does not show me any of the certificates I installed via the profile. Does the cert need to be p7b?
One of the requirements of this wireless is to have some systems that run Windows XP connect to this, but I am unable to make these domain members, as they are propietary systems (however I can install USB wireless adapters on them).
I have a Windows XP SP3 machine that I am using to try to connect to the wireless. I have installed the 'Mobile Imaging' certificate onto this, and I have added a Wlan profile using the following:
Type: WPA2
Encryption: AES
EAP Type: Protected EAP
Authentication Method: Smart Card or other Certificate
Certificate Properties: Use Certificate on this computer and Use simple certificate selection
Fastconnect: disabled
When I try to connect with this computer, it tells me it was 'Unable to find a certificate to lof me onto TestWLAN'. What store should the cert be in? Nothing shows in IAS when trying to connect either.
Also, when I connect to the WLan using a domain member laptop (Windows 7 though), it connects properly.
Is there something I am missing?
I have placed this certificate, as well as the CA certificate into a profile, and installed this on my iPhone. I can see the 2 certificates when I go into the profile details.
When I try to create a wireless connection to the visible Wlan, I select EAP-TLS mode, but the identty section does not show me any of the certificates I installed via the profile. Does the cert need to be p7b?
One of the requirements of this wireless is to have some systems that run Windows XP connect to this, but I am unable to make these domain members, as they are propietary systems (however I can install USB wireless adapters on them).
I have a Windows XP SP3 machine that I am using to try to connect to the wireless. I have installed the 'Mobile Imaging' certificate onto this, and I have added a Wlan profile using the following:
Type: WPA2
Encryption: AES
EAP Type: Protected EAP
Authentication Method: Smart Card or other Certificate
Certificate Properties: Use Certificate on this computer and Use simple certificate selection
Fastconnect: disabled
When I try to connect with this computer, it tells me it was 'Unable to find a certificate to lof me onto TestWLAN'. What store should the cert be in? Nothing shows in IAS when trying to connect either.
Also, when I connect to the WLan using a domain member laptop (Windows 7 though), it connects properly.
Is there something I am missing?
You probably have the wrong usage on your certificate. see more here.
http://technet.microsoft.com/en-us/library/cc731363.aspx
Open certificate - look at properties and make sure it has at least this object identifier: 1.3.6.1.5.5.7.3.2
You can create a new template that has only client authentication as intended purpose
http://technet.microsoft.com/en-us/library/cc731363.aspx
Open certificate - look at properties and make sure it has at least this object identifier: 1.3.6.1.5.5.7.3.2
You can create a new template that has only client authentication as intended purpose
ASKER
I have tried to create and submit a certreq using the following inf:
[Version]
Signature = "$Windows NT$"
[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = FALSE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
Subject="CN=mobileimaging"
UseExistingKeySet = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "Computer Wlan"
However I get the error "The requested certificate template is not supported by this CA.... Denied policy module 0x80094800. The request was for a certificate template that is not supported by the certificate services policy: Computer Wlan/Computer Wlan.
I am getting a bit lost here. It has been almost a month since I last did any work on this, and I have only just started creating certificates and using CAs (so typically I end up using google a lot). Are you able to let me know how to create a certificate that I can use to connect devices. Initially this will be to connect computers running Windows XP, and connecting prior to a user logging onto the device.
[Version]
Signature = "$Windows NT$"
[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = FALSE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
Subject="CN=mobileimaging"
UseExistingKeySet = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "Computer Wlan"
However I get the error "The requested certificate template is not supported by this CA.... Denied policy module 0x80094800. The request was for a certificate template that is not supported by the certificate services policy: Computer Wlan/Computer Wlan.
I am getting a bit lost here. It has been almost a month since I last did any work on this, and I have only just started creating certificates and using CAs (so typically I end up using google a lot). Are you able to let me know how to create a certificate that I can use to connect devices. Initially this will be to connect computers running Windows XP, and connecting prior to a user logging onto the device.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks. I have followed that. I now have a cert that states that its enhanced key usage is Client Auth (1.3.6.1.5.5.7.3.2). When I put this onto my iPhone, it is still not available for use.
When I add this cert to the XP machine, I still come up with the same issue, 'Unable to find a certificate to log me onto TestWLAN'. I have placed the certificate into the user store, under Personal, trusted people, and then the trusted root CA store, with the same result.
Is there something on IAS that is wrong?
When I add this cert to the XP machine, I still come up with the same issue, 'Unable to find a certificate to log me onto TestWLAN'. I have placed the certificate into the user store, under Personal, trusted people, and then the trusted root CA store, with the same result.
Is there something on IAS that is wrong?
could be --- what do the IAS event viewer say this time ... Those logs are your most valuable troubleshooting tools in IAS world !
ASKER
The PC trying to connect does not show in the System log for some reason. I have removed the preffered network prifile on the PC and had it try to reconnect, but no luck. When I try to connect using my iPhone (with a cert that is not correct) then I see an event ID2 relating to this. It can talk to IAS though, because if I add EAP-MSCHAP v2 to the IAS profile, I can connect to the wireless network from the XP pc using the credentials for the 'mobileimaging' user.
Sorry ... I meant event viewer on IAS server. They tend to include a rather straightforward explanation for the problems
ASKER
Yes, this is where I am looking. On the IAS System log, I can see the domain member laptop I have (Windows 7) connecting successfully, I can see IAS event ID2 entries when the iPhone fails to connect, and I can see the IAS event ID1 when using EAP-MSCHAP v2, using the 'mobileimaging' user.
It looks like the XP PC is not even trying to attempt a connection, because it cannot find a certificate to use to attempt the connection.
What store should the cert be in on this PC?
Also, do you know why this cert does not show as being available on m iPhone? I have also installed the root CA cert on the phone, so that the cert is trusted.
It looks like the XP PC is not even trying to attempt a connection, because it cannot find a certificate to use to attempt the connection.
What store should the cert be in on this PC?
Also, do you know why this cert does not show as being available on m iPhone? I have also installed the root CA cert on the phone, so that the cert is trusted.
you must also configure wireless settings on PC to PEAP - with inner method EAP-TLS (ONLY) to force certificate authentication
The exported certificate is not available on iPhone? Can you see it in settings - profiles?
The exported certificate is not available on iPhone? Can you see it in settings - profiles?
ASKER
The wireless settings on the PC are: PEAP --> Smart Card or Other Certificate --> Use Certificate on this computer --> Use Simple Certificate selection (I have included some screenshots
On the iPhone, when I go into settings - general - profiles, I can see the cert there (along with the root CA cert). The mobileimaging cert properties on the iPhone shows its purpose is for Client Auth.
PC-Settings1.gif
PC-Settings2.gif
PC-Settings3.gif
PC-Settings4.gif
On the iPhone, when I go into settings - general - profiles, I can see the cert there (along with the root CA cert). The mobileimaging cert properties on the iPhone shows its purpose is for Client Auth.
PC-Settings1.gif
PC-Settings2.gif
PC-Settings3.gif
PC-Settings4.gif
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ah ... of course. Forgot to tell you to check certificate validity. You always need to
import certificate to computer where you created request, and export with private key to use with other units ---
Excellent ! Good Work
import certificate to computer where you created request, and export with private key to use with other units ---
Excellent ! Good Work
ASKER
Thanks Jakob,
I will award points on Monday when I am back at work, and I will also post a full description of what I have done.
When I created the template 'Computer Wlan', based on the computer template, I set it to allow the private key to be exportable. I found that this was the cause of the error I was getting "The requested certificate template is not supported by this CA.... Denied policy module 0x80094800. The request was for a certificate template that is not supported by the certificate services policy: Computer Wlan/Computer Wlan."
Do you know how to set a new computer template so that the private key can be exported?
I will award points on Monday when I am back at work, and I will also post a full description of what I have done.
When I created the template 'Computer Wlan', based on the computer template, I set it to allow the private key to be exportable. I found that this was the cause of the error I was getting "The requested certificate template is not supported by this CA.... Denied policy module 0x80094800. The request was for a certificate template that is not supported by the certificate services policy: Computer Wlan/Computer Wlan."
Do you know how to set a new computer template so that the private key can be exported?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
The solution by jakob pointed me in the right direction for using user certificates. Following this I was able to work out how to connect a non-domain computer using computer certificates.