Connecting to a WPA2 Enterprise WLan, using computer certificates on non-domain members

Hi Experts,

I have the need to connect a few mobile medical devices to my network, for the purpose of backing up critical data. After some investigation, the easiest solution for this requires setting up and connecting to a wireless network. I am most of the way down the track with this, having the wireless network set up and connected to a VLAN.

These devices run Windows XP, and I need to be able to have these devices connect using computer certificates. I do not want to use PEAP for the connection. I have been able to get Windows XP SP3 domain members to successfully connect to the wireless using requested computer certificates, however I cannot obtain the correct certificate for the non-domain members to be able to connect.

Here are the details of what I am using:

Windows 2003 Enterprise Domain Enrolled CA
- Certificate issued to 2003 IAS Server (DC)
- Computer (Machine) certificate issued to domain members

Windows 2003 IAS
- Setup for EAP auth, using the DC cert. Policy condition set to the IP of the AP

WPA2-AES setup on the AP
- Setup with the IP of the IAS, and shared secret according to the RADIUS Client setup

Windows XP Client
- Configured to use Computer Authentication as per http://support.microsoft.com/kb/929847
- Wlan profile configured to use simple certificate selection

I have been using a test PC for this. As I mentioned, when the client is a domain member, I can request a computer cert, and then the Wlan profile uses this cert to connect, and the computer connects to the Wlan at boot-up time, without a logon required. However, when I remove the client from the domain and request a cert from the CA, it fails to connect. I have created a duplicate of the Computer template (ComputerWlan), and created a new certificate to issue based on this template. I set this template to supply the subject name in the request, and then used certreq from the client to create a request, using an inf file. This is what the inf file contained:

[Version]
Signature = "$Windows NT$"
[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
Subject="CN=evo"
UseExistingKeySet = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "ComputerWlan"
SAN = "dns=evo"

I was able to submit this request to the CA, and then install the subsequent certificate on the client, however the client is unable to connect to the Wlan using this certificate.

Does anyone know how to get a non-domain member to connect to the Wlan using computer certificate authentication?
Terry-CrossinAsked:

Boilermaker85Commented:
How to put Machine Certs on Non-domain systems

1. Create INF file (e.g., dmz14.inf) [Note: !!Important!! The inf file must be stored as UNICODE!]
2. Copy INF file and root and issuing CA certs to device needing cert.
3. Using RDP, connect to the device.
4. Add MMC for Certificates, Local Machine. Import CA certs into root and intermediate trusted CAs store respectively.
5. Open cmd prompt, cd to directory containing INF file.
6. Enter the command to create a certificate request as in this example:
   certreq -new dmz14.inf dmz14.req   [where dmz14 is the name of the device]
7. This should generate a .req file. Copy that file back to the domain.
8. From a domain machine, login as domain admin, open cmd prompt and type:
   certreq -submit dmz14.req dmz14.cer
   A window pops up asking you to select a CA. Choose the Domain issuing CA.
   This should generate a .cer file which you then copy back to the device.
9. Using certificates mmc, import into Local Machine, personal store or alternatively, use cmdline:
   certreq -accept dmz14.cer

Terry-CrossinAuthor Commented:
Hi Experts,

Sorry for the delayed response, I have been concentrating on other tasks.

Boilermaker85, thanks for your input. This is the same process I used to generate the request, approve and install the certificate, except for saving the file in unicode. I have since tried this again, using unicode format for the inf, with no success.

Tomago, I have viewed this article, and tried assigning a certificate to a user (using web enrollment, authenticating as the user), and imported this certificate into the client. I have also changed the registry to allow use of user certificates (and also tried the Windows default setting), and then set the WLan connection to use certificate authentication. The message that I get at this point is 'Windows was unable to find a certificate to log you onto the network [wireless_network_name]'. I have tried changing a few of the connection options, with no success.

Does anyone have any further ideas?

Terry-CrossinAuthor Commented:
Hi Experts,

Is someone able to give some advice on this subject, how to successfully connect to a WPA2 Enterprise WLan, using computer certificates on non-domain members. There must be something that is not quite right that is stopping this from working.

Any ideas please.
Terry-CrossinAuthor Commented:
Hi,

I would like this question to remain so that I can obtain an answer to this. There has to be some way of achieving this.
Jakob DigranesSenior ConsultantCommented:
Could you please post screen shots of your remote access policies?
There's no problem getting non-domain members connected to wireless. I have 200 iPhones and iPads connected with certificates.

Also - it could be helpful to look in the System log for warnings or errors with source IAS. Please post them here.
Terry-CrossinAuthor Commented:
Sure thing. I will post some screenshots of my IAS policies when I am in at work tomorrow. 200 iPads & iPhones connected with certs; looks promising :-).
Terry-CrossinAuthor Commented:
Thanks for expanding the zones admin, and for asking some experts to review this :-)

Here are some screenshots of the Remote Access Policy (domain names have been modified).

The Dial-in Constraints tab has no settings and the Multilink tab has the default options set.

Let me know your thoughts.
Attachments: TestWlan-Policy-Img1.gif, TestWlan-Policy-Img2.gif, TestWlan-Policy-Img3.gif, TestWlan-Policy-Img4.gif, TestWlan-Policy-Img5.gif, TestWlan-Policy-Img6.gif, TestWlan-Policy-Img7.gif, TestWlan-Policy-Img8.gif
Jakob DigranesSenior ConsultantCommented:
If you look in event viewer, are there any errors in the System log - Source IAS?
Terry-CrossinAuthor Commented:
This is one of the errors I see when I try to connect using Computer Certificates. This is using the cert that I created using certreq.
(Note, the name of my domain has been changed to MyDomain)

User 37831b9a-d293-4c0c-a96a-6eb1a1923335 was denied access.
 Fully-Qualified-User-Name = MyDomain\37831b9a-d293-4c0c-a96a-6eb1a1923335
 NAS-IP-Address = 10.3.7.10
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = Test Wireless AP
 Client-IP-Address = 10.3.7.10
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = <not present>
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 8
 Reason = The specified user account does not exist.

When I tried to use a certificate assigned to a user (as per post by tomago), this is what I get (username is 'Mobile Imaging').

User host/Mobile Imaging was denied access.
 Fully-Qualified-User-Name = MyDomain\host/Mobile Imaging
 NAS-IP-Address = 10.3.7.10
 NAS-Identifier = <not present>
 Called-Station-Identifier = <not present>
 Calling-Station-Identifier = <not present>
 Client-Friendly-Name = Test Wireless AP
 Client-IP-Address = 10.3.7.10
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = <not present>
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 8
 Reason = The specified user account does not exist.
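Added example, not from the thread: a small parser for IAS System-log events of the shape posted above, with triage hints. The sample event is reconstructed from the post; the hint wording is this example's own reading of Reason-Code 8 (the page's "specified user account does not exist"), and the host/ to servicePrincipalName mapping follows the final solution post in the thread.

```python
import re

# Constructed sample, modelled on the second event in the post (abridged to the
# fields the triage uses; the real event carries the NAS/Called-Station fields too).
SAMPLE_EVENT = """User host/Mobile Imaging was denied access.
 Fully-Qualified-User-Name = MyDomain\\host/Mobile Imaging
 NAS-IP-Address = 10.3.7.10
 Client-Friendly-Name = Test Wireless AP
 NAS-Port-Type = Wireless - IEEE 802.11
 Proxy-Policy-Name = Use Windows authentication for all users
 Policy-Name = <undetermined>
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 8
 Reason = The specified user account does not exist.
"""

HEADER = re.compile(r"^User (?P<identity>.+?) was (?P<verdict>denied|granted) access\.$")


def parse_ias_event(text):
    """Split one IAS event into its identity, verdict and the 'Key = Value' fields."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    head = HEADER.match(lines[0]) if lines else None
    if not head:
        raise ValueError("not an IAS access event: " + (lines[0] if lines else ""))
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(" = ")
        if sep:                      # skip anything that is not a 'Key = Value' line
            fields[key.strip()] = value.strip()
    return {"identity": head["identity"], "verdict": head["verdict"], "fields": fields}


def triage(event):
    """Checks suggested by a denied event, most specific first (interpretation, not IAS output)."""
    hints = []
    if event["verdict"] != "denied":
        return hints
    f, identity = event["fields"], event["identity"]
    if f.get("Reason-Code") == "8":
        # Code 8: IAS could not map the identity taken from the certificate to an AD account.
        if identity.lower().startswith("host/"):
            name = identity[len("host/"):]
            hints.append("machine identity: create a computer account whose "
                         f"servicePrincipalName contains HOST/{name}")
        else:
            hints.append(f"user identity: no AD user named {identity!r}; issue the "
                         "certificate to an existing (or dummy) user account")
    if f.get("Policy-Name") == "<undetermined>":
        hints.append("denied before any remote access policy matched, so look at "
                     "identity mapping and the certificate, not policy conditions")
    if "802.11" not in f.get("NAS-Port-Type", ""):
        hints.append("NAS-Port-Type is not IEEE 802.11; a wireless-only connection "
                     "request policy will not match this client")
    return hints
```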
Jakob DigranesSenior ConsultantCommented:
as it says, no user account exists for that certificate.
Create a "dummy" user account for tablets - and request a certificate using that account - export that certificate and enroll onto tablets
Terry-CrossinAuthor Commented:
I had already created this one. This was the 'Mobile Imaging' one you saw above. I have exported the certificate for this user via ADUC (as a cer file).

I have placed this certificate, as well as the CA certificate into a profile, and installed this on my iPhone. I can see the 2 certificates when I go into the profile details.

When I try to create a wireless connection to the visible Wlan, I select EAP-TLS mode, but the identity section does not show me any of the certificates I installed via the profile. Does the cert need to be p7b?

One of the requirements of this wireless is to have some systems that run Windows XP connect to this, but I am unable to make these domain members, as they are proprietary systems (however I can install USB wireless adapters on them).

I have a Windows XP SP3 machine that I am using to try to connect to the wireless. I have installed the 'Mobile Imaging' certificate onto this, and I have added a Wlan profile using the following:

Type: WPA2
Encryption: AES
EAP Type: Protected EAP
Authentication Method: Smart Card or other Certificate
Certificate Properties: Use Certificate on this computer and Use simple certificate selection
Fastconnect: disabled

When I try to connect with this computer, it tells me it was 'Unable to find a certificate to log me onto TestWLAN'. What store should the cert be in? Nothing shows in IAS when trying to connect either.

Also, when I connect to the WLan using a domain member laptop (Windows 7 though), it connects properly.

Is there something I am missing?
Jakob DigranesSenior ConsultantCommented:
You probably have the wrong usage on your certificate. see more here.
http://technet.microsoft.com/en-us/library/cc731363.aspx

Open certificate - look at properties and make sure it has at least this object identifier: 1.3.6.1.5.5.7.3.2

You can create a new template that has only client authentication as intended purpose
Terry-CrossinAuthor Commented:
I have tried to create and submit a certreq using the following inf:

[Version]
Signature = "$Windows NT$"
[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = FALSE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
Subject="CN=mobileimaging"
UseExistingKeySet = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "Computer Wlan"

However I get the error "The requested certificate template is not supported by this CA.... Denied policy module 0x80094800. The request was for a certificate template that is not supported by the certificate services policy: Computer Wlan/Computer Wlan.

I am getting a bit lost here. It has been almost a month since I last did any work on this, and I have only just started creating certificates and using CAs (so typically I end up using google a lot). Are you able to let me know how to create a certificate that I can use to connect devices. Initially this will be to connect computers running Windows XP, and connecting prior to a user logging onto the device.
Jakob DigranesSenior ConsultantCommented:
try the following (short version)

on CA - start MMC and add Certificates Snap-in, Certification Authority Snap-in and Certificate Templates Snap-in.
Go to Certificate Templates - find User template (I think it's called) - Right Click and choose COPY - rename certificate template to UserCertWireless (or similar) and make sure intended purpose is only client authentication (extensions - application ......), and make sure that you choose security and at least allow administrators to enroll.
Then - back in Authority Snap-in - choose certificate templates - choose new template to deploy (publish...) and choose the template you just created.
Then your template is enrollable.

Then log on to a client computer with the actual user account - start mmc - add certificate snap-in - personal user store. Go to Personal and choose new task - and choose request new certificate from online.... there your new template should be ready to be enrolled.
Terry-CrossinAuthor Commented:
Thanks. I have followed that. I now have a cert that states that its enhanced key usage is Client Auth (1.3.6.1.5.5.7.3.2). When I put this onto my iPhone, it is still not available for use.

When I add this cert to the XP machine, I still come up with the same issue, 'Unable to find a certificate to log me onto TestWLAN'. I have placed the certificate into the user store, under Personal, trusted people, and then the trusted root CA store, with the same result.

Is there something on IAS that is wrong?
Jakob DigranesSenior ConsultantCommented:
could be --- what do the IAS event viewer say this time ... Those logs are your most valuable troubleshooting tools in IAS world !
Terry-CrossinAuthor Commented:
The PC trying to connect does not show in the System log for some reason. I have removed the preferred network profile on the PC and had it try to reconnect, but no luck. When I try to connect using my iPhone (with a cert that is not correct) then I see an event ID 2 relating to this. It can talk to IAS though, because if I add EAP-MSCHAP v2 to the IAS profile, I can connect to the wireless network from the XP PC using the credentials for the 'mobileimaging' user.
Jakob DigranesSenior ConsultantCommented:
Sorry ... I meant event viewer on IAS server. They tend to include a rather straightforward explanation for the problems
Terry-CrossinAuthor Commented:
Yes, this is where I am looking. On the IAS System log, I can see the domain member laptop I have (Windows 7) connecting successfully, I can see IAS event ID2 entries when the iPhone fails to connect, and I can see the IAS event ID1 when using EAP-MSCHAP v2, using the 'mobileimaging' user.

It looks like the XP PC is not even trying to attempt a connection, because it cannot find a certificate to use to attempt the connection.

What store should the cert be in on this PC?

Also, do you know why this cert does not show as being available on my iPhone? I have also installed the root CA cert on the phone, so that the cert is trusted.
Jakob DigranesSenior ConsultantCommented:
you must also configure wireless settings on PC to PEAP - with inner method EAP-TLS (ONLY) to force certificate authentication

The exported certificate is not available on iPhone? Can you see it in settings - profiles?
Terry-CrossinAuthor Commented:
The wireless settings on the PC are: PEAP --> Smart Card or Other Certificate --> Use Certificate on this computer --> Use Simple Certificate selection (I have included some screenshots).

On the iPhone, when I go into settings - general - profiles, I can see the cert there (along with the root CA cert). The mobileimaging cert properties on the iPhone shows its purpose is for Client Auth.
Attachments: PC-Settings1.gif, PC-Settings2.gif, PC-Settings3.gif, PC-Settings4.gif
Terry-CrossinAuthor Commented:
I found what the issue was. I was exporting the certificate from the wrong interface. I needed to export the certificate including the private key. The only place to do this is from the client. Saving the cert to file from ADUC does not allow you to export the private key as well.

With this information, plus some of the information you provided, I was also able to setup computer certificate authentication. I will post more information so that others can use this. This will be in the next couple of days, when I get back to work.
Jakob DigranesSenior ConsultantCommented:
ah ... of course. Forgot to tell you to check certificate validity. You always need to
import certificate to computer where you created request, and export with private key to use with other units ---

Excellent ! Good Work
Terry-CrossinAuthor Commented:
Thanks Jakob,

I will award points on Monday when I am back at work, and I will also post a full description of what I have done.

When I created the template 'Computer Wlan', based on the computer template, I set it to allow the private key to be exportable. I found that this was the cause of the error I was getting "The requested certificate template is not supported by this CA.... Denied policy module 0x80094800. The request was for a certificate template that is not supported by the certificate services policy: Computer Wlan/Computer Wlan."

Do you know how to set a new computer template so that the private key can be exported?
Terry-CrossinAuthor Commented:
To get a non-domain computer to connect using certificates, I have done the following (note this is using an enterprise CA on 2003 Enterprise, MS IAS and AD):

In IAS, add the following:

Add a new RADIUS Client using the following settings:
Name: Give a name
Address: Address of your AP
Client-Vendor: RADIUS Standard
Request must contain Authenticator: No
Shared Secret: Note your shared secret. You will need this for your AP.

Add a new Remote Access Policy, using the following settings:
Name: Give a name
Policy Conditions - NAS-IP-Address: Address of your AP
Action: Grant Access
Profile - Dial-in constraints: Leave all unchecked
Profile - IP - IP Assignment: Server settings determine IP
Profile - Multilink: Leave as default
Profile - Authentication: Leave all unchecked, use 'EAP Methods'
Profile - EAP Type: Smart Card or other Certificate
Profile - Proof of identity certificate: Uses the certificate of your server (Note: your IAS server needs to have a 'RAS and IAS Server' certificate from your CA.)
Profile - Encryption: Strongest encryption (128 bit)
Profile - Advanced: Leave as default

Add a new Connection Request Policy, using the following settings:
Name: Give a name
Policy Conditions - NAS-Port-Type: Wireless - IEEE 802.11
Profile: Leave as default

Setup your AP to use:
WPA2 Enterprise – AES
Enter the IP of your Radius (IAS)
Enter the shared secret as you entered into IAS.

On the CA, open CA management, right click certificate templates, and manage.  Right click the 'Computer' template and duplicate. In the new template, use the following settings (leave all other settings as default):

- General tab
  Name: ComputerCertWireless
  Publish in AD: No

- Request tab
  Minimum key size: 2048
  Allow private key to be exported: No

- Subject name tab
  Supply in the request

- Extensions tab
  Application policies: Client Authentication only

Back in CA management, right click 'Certificate templates' and select new - certificate template to issue. Choose the template you just created (ComputerCertWireless)

In AD, create a computer account for your Client (IAS will look for this later), and replicate. Now, using ADSI Edit, find the computer account you just created, and open its properties. Find the servicePrincipalName field, edit this and create an entry of 'HOST/replace_me_with_computer_name' (e.g. HOST/ITLAPTOP). Close the properties & replicate.

Now create a cert request on the non-domain member (Client) by doing the following:

On the Client, create a ClientName.inf file containing the following (place the computer name in the 2 fields marked replace_me_with_computer_name; the lines starting with ';' are comments):

[Version]
Signature = "$Windows NT$"
[NewRequest]
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
; the client's computer name, e.g. Subject="CN=itlaptop"
Subject="CN=replace_me_with_computer_name"
UseExistingKeySet = FALSE
UserProtected = FALSE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
[RequestAttributes]
CertificateTemplate = "ComputerCertWireless"
; the same computer name again, e.g. SAN = "dns=itlaptop"
SAN = "dns=replace_me_with_computer_name"

At the Client, run:
CERTREQ -new "ClientName.inf" "ClientName.req" (you might have to copy certreq.exe from a server to the client)

At CA Server, run:
CERTREQ -submit -config "CAHostName\CA Name" "ClientName.req"
- Make a note of the request ID, e.g. "117"

If you are prompted to save the cer file, save the file as ClientName.cer

If you are not prompted, do the following:
At CA Server, accept the certificate request
then run:
CERTREQ -retrieve -config "CAHostName\CA Name" 117 "ClientName.cer"

At CA Server, retrieve the CA Signing Certificate and Chain. Run:
CERTUTIL -ca.chain -v "CA_Chain.p7b"

Copy the cer and p7b files to the client.
At Client, run:
CERTREQ -accept "ClientName.cer"

Now install the p7b certificate.

You can verify the computer certificate is installed by opening mmc, adding the certificates snap-in, and selecting 'Computer Account'. The certificate will be in the Personal store. The certification path should also list the CA.

You can now setup a wireless connection, with the SSID of your AP. For authentication, select WPA2-AES. For EAP, use ‘Smart Card or other certificate authentication’. In settings (or properties), select ‘Use cert on this computer’ and ‘use simple cert selection’. Untick ‘Validate server certificate’, as I have found that with this ticked, I get a ‘Signature was not verified’ error in IAS when trying to connect. The article http://support.microsoft.com/kb/838502, method 1, deals with this (method 2 had no effect)

On Windows 7, click ‘Advanced settings’, and set ‘specify authentication mode’ to ‘computer authentication’.

On Windows XP, change the following registry settings to set computer authentication (http://support.microsoft.com/kb/929847/no)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
Change AuthMode value to 2 (if not there, add this as a new DWORD value)
(You need to reboot Windows XP after making this change)

Your non-domain client should now connect to your AP, and authenticate.

If you still have any issues, review the IAS System logs, looking at IAS Event ID2.

Hope this helps someone.
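Added example, not part of the post above: a Python helper that renders the certreq INF from this procedure for a given computer name, checks a candidate INF for the mistakes that came up in the thread (a space inside the template name, MachineKeySet = FALSE, an EKU that is not only Client Authentication, a Subject CN that differs from the SAN dns name), and encodes it as Unicode as the earlier answer requires. The NetBIOS-style name rule and the default template name are this example's assumptions.

```python
import re

CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"          # Client Authentication, the only EKU the post keeps
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,15}$")  # NetBIOS-style host name (assumption of this example)

def build_inf(computer_name, template="ComputerCertWireless", key_length=2048):
    """Render the post's INF for one client; Subject CN and SAN dns are always the same name."""
    name = computer_name.strip().lower()
    if not NAME_RE.match(name):
        raise ValueError(f"unusable computer name: {computer_name!r}")
    template = template.strip()  # '" ComputerCertWireless"' asks the CA for a template that does not exist
    lines = [
        "[Version]",
        'Signature = "$Windows NT$"',
        "[NewRequest]",
        "EncipherOnly = FALSE",
        "Exportable = FALSE",
        f"KeyLength = {key_length}",
        "KeySpec = 1",
        "MachineKeySet = TRUE",       # computer certificate: the key lives in the machine store
        "PrivateKeyArchive = FALSE",
        'ProviderName = "Microsoft RSA SChannel Cryptographic Provider"',
        "ProviderType = 12",
        "RequestType = CMC",
        "Silent = TRUE",
        f'Subject = "CN={name}"',
        "UseExistingKeySet = FALSE",
        "UserProtected = FALSE",
        "[EnhancedKeyUsageExtension]",
        f"OID = {CLIENT_AUTH_OID}",
        "[RequestAttributes]",
        f'CertificateTemplate = "{template}"',
        f'SAN = "dns={name}"',
    ]
    return "\r\n".join(lines) + "\r\n"

def parse_inf(text):
    """Minimal INF reader: {section: [(key, value), ...]} with surrounding quotes removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current].append((key.strip(), value.strip().strip('"')))
    return sections

def check_inf(text):
    """Problems the thread ran into, as strings; an empty list means the INF follows the post."""
    s = parse_inf(text)
    new, attrs = dict(s.get("NewRequest", [])), dict(s.get("RequestAttributes", []))
    ekus = [v for k, v in s.get("EnhancedKeyUsageExtension", []) if k.upper() == "OID"]
    problems = []
    if new.get("MachineKeySet", "").upper() != "TRUE":
        problems.append("MachineKeySet must be TRUE for a computer certificate")
    if CLIENT_AUTH_OID not in ekus or len(ekus) != 1:
        problems.append(f"EKU must be exactly Client Authentication ({CLIENT_AUTH_OID})")
    tpl = attrs.get("CertificateTemplate", "")
    if not tpl or tpl != tpl.strip():
        problems.append(f"CertificateTemplate {tpl!r} is empty or has whitespace inside the quotes")
    cn = re.search(r"CN=([^,]+)", new.get("Subject", ""), re.I)
    san = re.search(r"dns=([^,&]+)", attrs.get("SAN", ""), re.I)
    if not (cn and san and cn.group(1).strip().lower() == san.group(1).strip().lower()):
        problems.append("Subject CN and SAN dns must name the same computer")
    return problems

def encode_inf(text):
    """certreq wants the INF stored as Unicode (per the earlier answer): UTF-16 LE with a BOM."""
    return b"\xff\xfe" + text.encode("utf-16-le")
```

Write the bytes from encode_inf to ClientName.inf and feed that to CERTREQ -new as in the steps above.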
Terry-CrossinAuthor Commented:
The solution by jakob pointed me in the right direction for using user certificates. Following this I was able to work out how to connect a non-domain computer using computer certificates.