Home > IT Answers > Microsoft Windows > eap-tls failing with domain certificates and ...
Help

Question

Asked:
Asked By:
May 17 2007   5:51 PM GMT
astronomer   0 pts.

eap-tls failing with domain certificates and 1200 APs


Active Directory, Wireless

Using WPA TKIP with windows domain controller as certificate server. The IAS server is also a domain controller. Native 2003 domain configured to give out certificates automatically.
This worked in my lab environment using a single 2003 box built to do all server functions. Cisco debug shows "server response: FAIL" Later, "failed: EAP reason 1"
Logs on IAS server show:
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 5/17/2007
Time: 2:06:33 PM
User: N/A
Computer: IAS-server
Description:
Access request for user myaccount@our.domain was discarded.
Fully-Qualified-User-Name = my/fully/qualified/name
NAS-IP-Address = xxx.yyy.209.231
NAS-Identifier = SoAcad_40447
Called-Station-Identifier = 0019.a979.1a30
Calling-Station-Identifier = 0016.6f36.28dd
Client-Friendly-Name = south 231
Client-IP-Address = xxx.yyy.209.231
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 299
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 20168
Date: 5/17/2007
Time: 2:06:33 PM
User: N/A
Computer: IAS-server
Description:
Could not retrieve the Remote Access Server's certificate due to the following error: Cannot find object or property.

I checked and the IAS server has a certificate, (I had to add domain controllers to CERTSVC_DCOM_ACCESS for this to work). The laptop has certificates for computer and user. One interesting thing is the NAS-IP-Address = xxx.yyy.209.231 is a different AP from the one I am trying to associate with.
Any suggestions?
Thanks.
rt

Subscribe to Alerts! Get questions and answers delivered to your Inbox.


E-mail me updates on this question



   SUBSCRIBE

hidden modal window
Help

Answer Wiki (Improve, edit or add to this answer)

IMPROVE THIS ANSWER
View History
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
Last Answered: May 17 2007  6:37 PM GMT  by astronomer   0 pts.




Additional information.
Under IAS/remote access policies/"properties of the policy I am using"/edit dial-in profile/authentication tab/EAP methods I find smart card or other certificates. When I click edit, the message is: certificate could not be found that can be used with extensible authentication protocol
I experienced this during my lab tests, rebuilt the server from scratch, and the problem went away. Unfortunately, this is a much less acceptable option for the existing college domain.
Suggestions?
rt
  • AddThis Social Bookmark Button

Browse more Questions and Answers on Microsoft Windows and Networking.

Looking for relevant Microsoft Windows Whitepapers? Visit the SearchEnterpriseDesktop.com Research Library.


RSS - Discussions Help

Discuss This Answer


You must be logged-in to discuss a question. Log-in/Register

astronomer   0 pts.  |   May 22 2007  7:34PM GMT

I used mmc to request another certificate. Now I have two certificates listed for authentication. Still have the same error in IAS.
I’m starting to think I may have to use the same method that worked in my lab tests. In the lab, IAS had this problem and I tried removing and re-installing this service. It didn’t help.
Finally, I blew the DC, (and the domain), away. After installing the OS from scratch, I created the domain, installed IIS, installed CA, then installed IAS.
At this point it worked. I believe the issue is IAS was installed before the certificate server and knew nothing about certificates. When the certificate server was installed later, IAS didn’t know how to bind to it. When I installed IAS after the certificate server, It seamlessly incorporated the certificate which was already there.
The problem with this method is we already have IAS installed on our main domain controllers so pix VPNs can be authenticated.
I really don’t want to rebuild my domain controllers so if anyone knows how to get IAS to see the certificate, I would appreciate hearing about it.

 

astronomer   0 pts.  |   May 25 2007  11:43AM GMT

After three and a half hours with microsoft support, here is the answer:
Go to the web site on the certificate server with the browser of the IAS server, click request certificate, click advanced certificate request, click create and submit a request for this ca. On the next page under certificate template: select “web server”. Type in something for identifying information. In the “key options” section click the check box for “store certificate in the local computer certificate store”. Click submit and then install the certificate.
Once the certificate is installed, restart the IAS service and it will see the new certificate.
After doing this, I was able to use the certificate based SSID without errors.
rt