I have the need to connect a few mobile medical devices to my network, for the purpose of backing up critical data. After some investigation, the easiest solution for this requires setting up and connecting to a wireless network. I am most of the way down the track with this, having the wireless network setup, and connected to a VLAN.
These devices run Windows XP, and I need to be able to have these devices connect using computer certificates. I do not want to use PEAP for the connection. I have been able to get Windows XP SP3 domain members to successfully connect to the wireless using requested computer certificates, however I cannot obtain the correct certificate for the non-domain members to be able to connect.
Here are the details of what I am using:
Windows 2003 Enterprise Domain Enrolled CA
- Certificate issued to 2003 IAS Server (DC)
- Computer (Machine) certificate issued to domain members
Windows 2003 IAS
- Setup for EAP auth, using the DC cert. Policy condition set to the IP of the AP
WPA2-AES setup on the AP
- Setup with the IP of the IAS, and shared secret according to the RADIUS Client setup
Windows XP Client
- Configured to use Computer Authentication as per http://support.microsoft.com/kb/929847
- Wlan profile configured to use simple certificate selection
I have been using a test PC for this. As I mentioned, when the client is a domain member, I can request a computer cert, and then the Wlan profile uses this cert to connect, and the computer connects to the Wlan at boot up time, without a logon required. However when I remove the client from the domain, and request a cert from the CA, it fails to connect. I have created duplicate of the Computer template (ComputerWlan), and created a new certificate to issue based on this template. I set this template to supply the subject name in the request, and then used certreq from the client to create a request, using an inf file. This is what the inf file contained:
Signature = "$Windows NT$"
EncipherOnly = FALSE
Exportable = FALSE
KeyLength = 1024
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
Silent = TRUE
UseExistingKeySet = FALSE
UserProtected = FALSE
OID = 18.104.22.168.22.214.171.124.1
OID = 126.96.36.199.188.8.131.52.2
CertificateTemplate = "ComputerWlan"
SAN = "dns=evo"
I was able to submit this request to the CA, and then install the subsequent certificate on the client, however the client is unable to connect to the Wlan using this certificate.
Does anyone know how to get a non-domain member to connect to the Wlan using computer certificate authentication?