Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

PEAP with MSChapV2

Status
Not open for further replies.

Larsdemo

Technical User
Sep 6, 2003
291
NL
Good morning tech's

My question today is about wireless security.
I have installed a test domain and a test access point.
Testdomain: test.com dc and certificate server. global group named ggwirelesscomputers and ggwirelessusers. testuser: wirelessuser member of ggwirelessusers computer member of wirelesscomputers. Made a policy on the ias server and granted the user access based on the groupmemberships. Did a autoenrole for the sertivicate and when member trys to access the wirless accesspoint the accesspoint gets to the radius (ias) server and looks if the computer has a sertvicate. All works fine so far.
problem: user from other office (domain) comes working at my office computer is no member of the domain and has no access to this access point but needs access to my local network resourses. How can i connect this computer? I cant enrole a sertivicate and even if i install it manualy it has no computer account in ad that i can make member of the ggwirelesscomputers group.

Hope someone can help me out here.

best regards lars
Network admin for worldwide freight forwarders company.
mcp mcsa\: Messaging mcse -2003



Network admin for worldwide freight forwarders company.
mcp mcsa\: Messaging mcse -2003
 
Lars,

The old "Catch 22"..You've got your wireless security setup properly so no one without a domain computer account can connect. If you want outside users to have access you'll have to remove your PEAP authentication ( defeating the whole purpose) or setup a seperate WAP with different authentication methods. I'd give them a network cable myself.

John
 
I have this configured at home and I use an XP Pro Laptop from work. The workstation can connect to the Wireless network and Authenticate. I have tested both EAP-TLS and PEAP - EAP-TLS requires a Client Certificate, PEAP doesn't. For EAP-TLS I have manually requested a certificate from the CA and used a user account from my home domain. You also need to add the Root certificate to the list of Trusted CA's on the Client.
If the workstation attempts to access a server it is prompted to provide user credentials.

HTH

Andy

 
Ok, sounds good can you please tell me in detail how i need to do this. I want to use PEAP in the first place. What i have tried so far is export the root certivicate from the ca to the client and imported it on the client. I still cant connect it keeps saying "validating identity"

regards Lars

Network admin for worldwide freight forwarders company.
mcp mcsa\: Messaging mcse -2003
 
OK now i have done this:

if you also using MS-CHAP v2 try this on you clients

Under the wireless properties

Go to the Authentication Tab

Set the EAP Type to Protected EAP(PEAP)

Clicking the properties button

Uncheck Validate server certificate

At the bottom make sure Secured password (EAP_MSCAP v2 is selected)

Click the configure button and uncheck “Automaticcaly use my Windows log

on name and password………….. click ok

Click OK to all this

Try to connect to the network, a notice should pop up say if you wish to

use a different login click on the pop up and a login box with appear.

Just have you users type in the login info

also make sure that the IAS has the correct groups applied to the access

policy

When i now try to connect i get prompted for user credentials. I still can not connect but i am almost there.
I need to edit the policy on the ias server and make a user that is member of the right groups to get access.

Be back to tell you what happend soon.

regards lars


Network admin for worldwide freight forwarders company.
mcp mcsa\: Messaging mcse -2003
 
Guys thanxs for the help, all workes fine now the computer certivicate is exported to the client and and the guest wireless user is added to the right Global Groups witch has the right access policy's on the ias server. When i connect now the computers gets prompted for credentials and wheb i type them i am connected.
Realy great stuff, now i need to figure out how to secure the enterprise root CA and how to get a certivicate that only can be used to access the accesspoint.

Any tips are welcome !

regards lars

Network admin for worldwide freight forwarders company.
mcp mcsa\: Messaging mcse -2003
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top