eap-tls failing with domain certificates and 1200 APs

Tags:
Active Directory
Wireless
Using WPA TKIP with a Windows domain controller as certificate server. The IAS server is also a domain controller. Native 2003 domain configured to give out certificates automatically. This worked in my lab environment using a single 2003 box built to do all server functions.

Cisco debug shows "server response: FAIL" and later "failed: EAP reason 1".

Logs on the IAS server show:

    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 3
    Date: 5/17/2007
    Time: 2:06:33 PM
    User: N/A
    Computer: IAS-server
    Description: Access request for user myaccount@our.domain was discarded.
    Fully-Qualified-User-Name = my/fully/qualified/name
    NAS-IP-Address = xxx.yyy.209.231
    NAS-Identifier = SoAcad_40447
    Called-Station-Identifier = 0019.a979.1a30
    Calling-Station-Identifier = 0016.6f36.28dd
    Client-Friendly-Name = south 231
    Client-IP-Address = xxx.yyy.209.231
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 299
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Reason-Code = 23
    Reason = Unexpected error. Possible error in server or client configuration.

    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 20168
    Date: 5/17/2007
    Time: 2:06:33 PM
    User: N/A
    Computer: IAS-server
    Description: Could not retrieve the Remote Access Server's certificate due to the following error: Cannot find object or property.

I checked, and the IAS server has a certificate (I had to add domain controllers to CERTSVC_DCOM_ACCESS for this to work). The laptop has certificates for computer and user.

One interesting thing is that the NAS-IP-Address = xxx.yyy.209.231 is a different AP from the one I am trying to associate with.

Any suggestions? Thanks.

rt
ASKED: May 17, 2007  5:51 PM
UPDATED: May 25, 2007  11:43 AM


Additional information:
Under IAS / Remote Access Policies / "properties of the policy I am using" / Edit dial-in profile / Authentication tab / EAP methods, I find "Smart card or other certificate". When I click Edit, the message is: "A certificate could not be found that can be used with the Extensible Authentication Protocol."
I experienced this during my lab tests, rebuilt the server from scratch, and the problem went away. Unfortunately, this is a much less acceptable option for the existing college domain.
Suggestions?
rt

Discuss This Question: 2  Replies

  • Astronomer
    I used MMC to request another certificate. Now I have two certificates listed for authentication. Still have the same error in IAS. I'm starting to think I may have to use the same method that worked in my lab tests. In the lab, IAS had this problem and I tried removing and re-installing this service. It didn't help. Finally, I blew the DC (and the domain) away. After installing the OS from scratch, I created the domain, installed IIS, installed the CA, then installed IAS. At this point it worked. I believe the issue is that IAS was installed before the certificate server and knew nothing about certificates. When the certificate server was installed later, IAS didn't know how to bind to it. When I installed IAS after the certificate server, it seamlessly incorporated the certificate which was already there. The problem with this method is we already have IAS installed on our main domain controllers so PIX VPNs can be authenticated. I really don't want to rebuild my domain controllers, so if anyone knows how to get IAS to see the certificate, I would appreciate hearing about it.
  • Astronomer
    After three and a half hours with Microsoft support, here is the answer:
    1. Go to the web site on the certificate server with the browser of the IAS server.
    2. Click "Request a certificate", then "Advanced certificate request", then "Create and submit a request to this CA".
    3. On the next page, under Certificate Template, select "Web Server". Type in something for the identifying information.
    4. In the "Key Options" section, check the box for "Store certificate in the local computer certificate store".
    5. Click Submit and then install the certificate.
    Once the certificate is installed, restart the IAS service and it will see the new certificate. After doing this, I was able to use the certificate-based SSID without errors. rt
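The fix above works because IAS looks in the computer's personal certificate store for a certificate it can present to EAP-TLS clients, and the events in the question (Event ID 20168, Reason-Code 23) are what it logs when no usable one is there. The following PowerShell script is an added check, not code from the thread or from Microsoft: run on the IAS/NPS server, it lists every certificate in the computer's personal store and reports why each one would or would not satisfy the EAP-TLS server requirements (private key present, Server Authentication EKU, within its validity period, chains to a trusted root). The function name Test-EapServerCertificate is the example's own; it assumes Windows PowerShell 3 or later and an elevated session so the private-key flag can be read.

```powershell
# Added example (not from the original thread): enumerate certificates in the
# computer's personal store and explain which ones IAS/NPS could use for EAP-TLS.
# Assumptions: run elevated on the IAS/NPS server; Windows PowerShell 3+.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ekuExtensionOid = '2.5.29.37'          # Extended Key Usage extension

function Test-EapServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $problems = @()
    $now = Get-Date

    # EAP-TLS needs the private key on the server; a cert enrolled into the
    # user store or imported without its key shows up here but is unusable.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ($Cert.NotAfter -lt $now)  { $problems += 'expired' }
    if ($Cert.NotBefore -gt $now) { $problems += 'not yet valid' }

    # Walk the EKU extension(s) looking for Server Authentication.
    $hasServerAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -ne $ekuExtensionOid) { continue }
        foreach ($usage in $ext.EnhancedKeyUsages) {
            if ($usage.Value -eq $serverAuthOid) { $hasServerAuth = $true }
        }
    }
    if (-not $hasServerAuth) { $problems += 'no Server Authentication EKU' }

    # Verify() builds and validates the chain against the machine's trusted
    # roots, the same trust the server relies on when presenting the cert.
    if (-not $Cert.Verify()) { $problems += 'chain does not validate' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Report on the computer's personal store, usable certificates first.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-EapServerCertificate -Cert $_ } |
    Sort-Object -Property Usable -Descending |
    Format-Table -AutoSize
```

If the table shows no row with Usable = True, enrolling a certificate as described in the reply above (or from a template that carries the Server Authentication purpose) and restarting the service is the expected remedy; if a usable row is present but the 20168 event persists, the remaining suspects are the policy's selected EAP certificate and the service's ability to read the private key.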
