Vista clients and EAP-TLS authentication - problem with certificates - Wireless


Thread: Vista clients and EAP-TLS authentication - problem with certificates

  1. Vista clients and EAP-TLS authentication - problem with certificates

    We have half a dozen Cisco 1240AG wireless access points that are set up to
    use 802.1x EAP-TLS for authentication and TKIP encryption.
    To do the authentication we have a pair of Windows Server 2003 R2 SP2
    servers running IAS and also acting as an MS certificate authority (AD
    Integrated root and subordinate).

    This works perfectly for all sorts of laptops running Windows XP; however, we
    have recently bought a few Dell laptops running Vista and they don't want to
    connect.

    The problem is that when we try and request a new digital certificate for
    the user from the CA we get warnings about it not being compatible with this
    version of Windows, so we can't request a certificate directly. I have read
    the instructions on how to amend the CA's web interface with code from
    Longhorn Server but haven't yet done this (no Longhorn machines for a start),
    and as a workaround we thought we could just request the cert using an XP
    machine, then export it and import it into Vista.

    I don't think the wireless connection setup is as good on Vista as on XP (it
    seems to be overly simplified and the advanced settings are too well hidden),
    but I have configured a client with the same settings as XP and when I try
    and connect it informs me that I don't have a certificate, yet it's sat
    there in my personal certificate store.

    If I switch the client and RADIUS server to use PEAP instead of EAP-TLS then
    I can connect OK, as you'd expect.

    So, is there any workaround for this, or something that I could be doing
    wrong when I try and export the certificates from an XP to a Vista machine?

    Any suggestions gratefully appreciated.

    --
    Alex

    New laptop - Sig missing


  2. RE: Vista clients and EAP-TLS authentication - problem with certificat

    Do you have EAP-TLS set up to authenticate both the computer and the user?
    That would explain why you are failing the authentication. You don't have a
    computer cert. That also means that you cannot work around the problem by
    exporting certs from an XP machine unless that XP machine has the same name
    as the Vista machine you are putting the certs on.

    The enrollment problem likely stems from the new security infrastructure in
    Internet Explorer. You need an updated web enrollment tool to acquire
    certificates using IE7 on Vista. It blocks the common ways to do it on XP.

    The better solution is to use an autoenrollment solution though. It is
    completely automatic and obviates the need for the web enrollment altogether.
    It works just fine on Vista against a Server 2003 CA. This doc tells you how
    to configure it: http://www.microsoft.com/technet/net...i/ed80211.mspx

    ---
    Your question may already be answered in Windows Vista Security:
    http://www.amazon.com/gp/product/047...otectyourwi-20


    "Dr Zoidberg" wrote:

    > We have half a dozen Cisco 1240AG wireless access points that are set up to
    > use 802.1x EAP-TLS for authentication and TKIP encryption.
    > To do the authentication we have a pair of Windows Server 2003 R2 SP2
    > servers running IAS and also acting as an MS certificate authority (AD
    > Integrated root and subordinate).
    >
    > This works perfectly for all sorts of laptops running Windows XP; however, we
    > have recently bought a few Dell laptops running Vista and they don't want to
    > connect.
    >
    > The problem is that when we try and request a new digital certificate for
    > the user from the CA we get warnings about it not being compatible with this
    > version of Windows, so we can't request a certificate directly. I have read
    > the instructions on how to amend the CA's web interface with code from
    > Longhorn Server but haven't yet done this (no Longhorn machines for a start),
    > and as a workaround we thought we could just request the cert using an XP
    > machine, then export it and import it into Vista.
    >
    > I don't think the wireless connection setup is as good on Vista as on XP (it
    > seems to be overly simplified and the advanced settings are too well hidden),
    > but I have configured a client with the same settings as XP and when I try
    > and connect it informs me that I don't have a certificate, yet it's sat
    > there in my personal certificate store.
    >
    > If I switch the client and RADIUS server to use PEAP instead of EAP-TLS then
    > I can connect OK, as you'd expect.
    >
    > So, is there any workaround for this, or something that I could be doing
    > wrong when I try and export the certificates from an XP to a Vista machine?
    >
    > Any suggestions gratefully appreciated.
    >
    > --
    > Alex
    >
    > New laptop - Sig missing
    >
    >
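Jesper's diagnosis above (no computer certificate, and an exported cert only helps if it matches the machine) is something you can verify on the client before touching the RADIUS side. The following PowerShell script is an added example, not code from the thread or from Microsoft: it inventories CurrentUser\My and LocalMachine\My and reports, for each certificate, whether it carries the Client Authentication EKU, whether the private key is actually present (a cert exported from XP without its key shows up in the store but cannot be used for EAP-TLS), what identity is in the Subject Alternative Name, and whether it is unexpired. It assumes PowerShell 3 or later and that the IAS policy requires the standard Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), which is the default for the User and Computer templates.

```powershell
# Added example (not from the thread): list the certificates an EAP-TLS
# supplicant on this Windows client could present, from both the user store
# (CurrentUser\My) and the computer store (LocalMachine\My).
# Assumptions: PowerShell 3+; the RADIUS server requires the Client
# Authentication EKU; user certs carry the UPN and computer certs the DNS
# name in the Subject Alternative Name.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuOid        = '2.5.29.37'           # extKeyUsage extension
$SanOid        = '2.5.29.17'           # subjectAltName extension

function Get-EapTlsCandidate {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$StoreLocation
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
            # .NET exposes extKeyUsage as X509EnhancedKeyUsageExtension, so the
            # individual purpose OIDs can be enumerated directly.
            $hasClientAuth = $false
            if ($ekuExt) {
                $hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
            }
            $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
            [pscustomobject]@{
                Store         = $StoreLocation
                Subject       = $cert.Subject
                SAN           = $san
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # exported without the key = unusable for EAP-TLS
                ClientAuthEku = $hasClientAuth
                Usable        = ($cert.HasPrivateKey -and $hasClientAuth -and ($cert.NotAfter -gt (Get-Date)))
            }
        }
    }
    finally {
        $store.Close()
    }
}

$userCerts    = @(Get-EapTlsCandidate -StoreLocation CurrentUser)
$machineCerts = @(Get-EapTlsCandidate -StoreLocation LocalMachine)

$userCerts + $machineCerts |
    Format-Table Store, Subject, SAN, HasPrivateKey, ClientAuthEku, NotAfter, Usable -AutoSize

if (-not ($userCerts | Where-Object { $_.Usable })) {
    Write-Warning 'No usable user certificate in CurrentUser\My: user authentication will fail.'
}
if (-not ($machineCerts | Where-Object { $_.Usable })) {
    Write-Warning 'No usable computer certificate in LocalMachine\My: computer (or "user or computer") authentication will fail.'
}
```

Run it as the user who is trying to connect (reading LocalMachine\My does not need elevation). A certificate that shows HasPrivateKey as False is the classic symptom of an export done without "Yes, export the private key" on the XP side; a computer cert whose SAN names a different host than the one it sits on is the case Jesper describes, where the name on the cert and the machine name have to agree.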


  3. Re: Vista clients and EAP-TLS authentication - problem with certificat

    "Jesper" wrote in message
    news:6E79207A-62E1-4719-A1DC-388E6C56BEA3@microsoft.com...
    > Do you have EAP-TLS set up to authenticate both the computer and the user?


    No, just user accounts.

    > That would explain why you are failing the authentication. You don't have a
    > computer cert. That also means that you cannot work around the problem by
    > exporting certs from an XP machine unless that XP machine has the same name
    > as the Vista machine you are putting the certs on.
    >
    > The enrollment problem likely stems from the new security infrastructure in
    > Internet Explorer. You need an updated web enrollment tool to acquire
    > certificates using IE7 on Vista. It blocks the common ways to do it on XP.
    >
    > The better solution is to use an autoenrollment solution though. It is
    > completely automatic and obviates the need for the web enrollment altogether.
    > It works just fine on Vista against a Server 2003 CA. This doc tells you how
    > to configure it: http://www.microsoft.com/technet/net...i/ed80211.mspx
    >

    Thanks, I'll try setting that up tomorrow.
    --
    Alex

    New laptop - Sig missing


  4. Re: Vista clients and EAP-TLS authentication - problem with certificat

    "Dr Zoidberg" wrote in message
    news:5lagjlF7anp2U1@mid.individual.net...
    > "Jesper" wrote in message
    > news:6E79207A-62E1-4719-A1DC-388E6C56BEA3@microsoft.com...
    >> Do you have EAP-TLS set up to authenticate both the computer and the user?
    >
    > No, just user accounts.
    >
    >> That would explain why you are failing the authentication. You don't have a
    >> computer cert. That also means that you cannot work around the problem by
    >> exporting certs from an XP machine unless that XP machine has the same name
    >> as the Vista machine you are putting the certs on.
    >>
    >> The enrollment problem likely stems from the new security infrastructure in
    >> Internet Explorer. You need an updated web enrollment tool to acquire
    >> certificates using IE7 on Vista. It blocks the common ways to do it on XP.
    >>
    >> The better solution is to use an autoenrollment solution though. It is
    >> completely automatic and obviates the need for the web enrollment altogether.
    >> It works just fine on Vista against a Server 2003 CA. This doc tells you how
    >> to configure it: http://www.microsoft.com/technet/net...i/ed80211.mspx
    >>
    >
    > Thanks, I'll try setting that up tomorrow.



    Just tried to work through this, and though I can create a new template with
    the appropriate settings, when I go to step 14,

    "On the Action menu, point to New, and then click Certificate to Issue."

    it's not there in the list to select, just the other unused predefined ones.

    Any suggestions?

    --
    Alex

    New laptop - Sig missing


  5. Re: Vista clients and EAP-TLS authentication - problem with certificat

    On Wed, 19 Sep 2007 11:06:57 +0100, Dr Zoidberg wrote:

    > Just tried to work through this, and though I can create a new template with
    > the appropriate settings, when I go to step 14,
    >
    > "On the Action menu, point to New, and then click Certificate to Issue."
    >
    > it's not there in the list to select, just the other unused predefined ones.
    >
    > Any suggestions?


    That means that your CA is running the Standard Edition SKU and can only
    issue v1 templates. When you modify an existing template the new template
    is a v2 and only a CA running Enterprise or Datacenter can issue
    certificates based on v2 templates.

    --
    Paul Adare
    MVP - Virtual Machines
    http://www.identit.ca
    Downtime: Coffee breaks, lunch, or Friday mentality in the office.
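Paul's point is that the template Alex created by duplicating a built-in one is a v2 template, and a Server 2003 Standard Edition CA can only issue v1 templates, which is why it never appears under "Certificate to Issue". The schema version of every template is published in Active Directory, so you can confirm this from any domain-joined machine without logging on to the CA. The script below is an added example, not code from the thread or from Microsoft; it assumes PowerShell 3 or later and a domain-joined machine (the Configuration partition is readable by authenticated users by default). The CA common name passed to the second function is a placeholder you replace with your own issuing CA's name.

```powershell
# Added example (not from the thread): list the certificate templates published
# in Active Directory with their schema version, so that v2+ templates, which a
# Windows Server 2003 Standard Edition CA cannot issue, stand out.
# Assumptions: PowerShell 3+, domain-joined machine, default read access to the
# Configuration naming context.

function Get-CertTemplateVersion {
    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNC  = $rootDse.Properties['configurationNamingContext'].Value
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($template in $container.Children) {
        # msPKI-Template-Schema-Version is 1 for the built-in v1 templates;
        # a template created by duplicating one is v2 (or v3 on later CAs).
        $version = [int]$template.Properties['msPKI-Template-Schema-Version'].Value
        [pscustomobject]@{
            Name              = [string]$template.Properties['cn'].Value
            DisplayName       = [string]$template.Properties['displayName'].Value
            SchemaVersion     = $version
            NeedsEnterpriseCA = ($version -ge 2)   # only Enterprise/Datacenter CAs issue v2+
        }
    }
}

# The templates a particular CA is configured to issue are stored on its
# Enrollment Services object; compare that list with the versions above.
function Get-CaIssuedTemplate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CaName   # the CA's common name (placeholder, supply your own)
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'].Value
    $ca = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $ca.Properties['certificateTemplates'] | ForEach-Object { [string]$_ }
}

Get-CertTemplateVersion | Sort-Object SchemaVersion, Name | Format-Table -AutoSize

# Replace ISSUING-CA-NAME with the CN of your issuing CA (placeholder value).
Get-CaIssuedTemplate -CaName 'ISSUING-CA-NAME'
```

If the new template shows SchemaVersion 2 while the CA's issued-template list contains only version 1 names, that is exactly the situation Paul describes: the template exists in AD but the Standard Edition CA will not offer it. On the CA itself, `certutil -CATemplates` prints the same issued-template list.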

  6. Re: Vista clients and EAP-TLS authentication - problem with certificat

    "Paul Adare" wrote in message
    news:chl2767dlf1x.210ellnumuj5.dlg@40tude.net...
    > On Wed, 19 Sep 2007 11:06:57 +0100, Dr Zoidberg wrote:
    >
    >> Just tried to work through this, and though I can create a new template with
    >> the appropriate settings, when I go to step 14,
    >>
    >> "On the Action menu, point to New, and then click Certificate to Issue."
    >>
    >> it's not there in the list to select, just the other unused predefined ones.
    >>
    >> Any suggestions?
    >
    > That means that your CA is running the Standard Edition SKU and can only
    > issue v1 templates. When you modify an existing template the new template
    > is a v2 and only a CA running Enterprise or Datacenter can issue
    > certificates based on v2 templates.
    >


    Thanks, that'll be it.

    --
    Alex

    New laptop - Sig missing

