Welcome to Vista Banter. You are currently viewing our boards as a guest which gives you limited access to view most discussions, articles and access our other FREE features. By joining our free community you will have access to ask questions and reply to others posts, upload your own photos and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact support. |
|
Security and Windows Vista A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security) |
|
LinkBack | Thread Tools | Display Modes |
|
|||
Vista clients and EAP-TLS authentication - problem with certificates
We have half a dozen Cisco 1240AG wireless access points that are set up to
use 802.1x EAP-TLS for authentication and TKIP encryption. To do the authentication we have a pair of Windows Server 2003 R2 SP2 servers running IAS and also as an MS certificate authority (AD Integrated root and subordinate). This works perfectly for all sorts of laptops running windows XP however we have recently bought a few Dell Laptops running Vista and they don't want to connect. The problem is that when we try and request a new digital certificate for the user from the CA we get warnings about it not being compatible with this version of windows so we can't request a certificate directly. I have read the instructions on how to amend the CA's web interface with code from Longhorn Server but haven't yet done this (No longhorn machines for a start) , and as a work round we thought we can just request the cert using an XP machine then export it and import into vista. I don't think the wireless connection setup is as good on Vista as XP (it seems to be overly simplified and the advanced settings are too well hidden) but I have configured a client with the same settings as XP and when I try and connect it informs me that I don't have a certificate , yet it's sat there in my personal certificates store. If I switch the client and RADIUS server to use PEAP instead of EAP-TLS then I can connect OK as you'd expect. So , is there any workround for this or something that I could be doing wrong when I try and export the certificates from an XP to Vista machine? Any suggestions gratefully appreciated. -- Alex New laptop - Sig missing |
|
|||
Vista clients and EAP-TLS authentication - problem with certificat
Do you have EAP-TLS set up to authenticate both the computer and the user?
That would explain why you are failing the authentication. You don't have a computer cert. That also means that you cannot work around the problem by exporting certs from an XP machine unless that XP machine has the same name as the Vista machine you are putting the certs on. The enrollment problem likely stems from the new security infrastructure in Internet Explorer. You need an updated web enrollment tool to acquire certificates using IE7 on Vista. It blocks the common ways to do it on XP. The better solution is to use an autoenrollment solution though. It is completely automatic and obviates the need for the web enrollment altogether. It works just fine on Vista against a Server 2003 CA. This doc tells you how to configure it: http://www.microsoft.com/technet/net...i/ed80211.mspx --- Your question may already be answered in Windows Vista Security: http://www.amazon.com/gp/product/047...otectyourwi-20 "Dr Zoidberg" wrote: We have half a dozen Cisco 1240AG wireless access points that are set up to use 802.1x EAP-TLS for authentication and TKIP encryption. To do the authentication we have a pair of Windows Server 2003 R2 SP2 servers running IAS and also as an MS certificate authority (AD Integrated root and subordinate). This works perfectly for all sorts of laptops running windows XP however we have recently bought a few Dell Laptops running Vista and they don't want to connect. The problem is that when we try and request a new digital certificate for the user from the CA we get warnings about it not being compatible with this version of windows so we can't request a certificate directly. I have read the instructions on how to amend the CA's web interface with code from Longhorn Server but haven't yet done this (No longhorn machines for a start) , and as a work round we thought we can just request the cert using an XP machine then export it and import into vista. I don't think the wireless connection setup is as good on Vista as XP (it seems to be overly simplified and the advanced settings are too well hidden) but I have configured a client with the same settings as XP and when I try and connect it informs me that I don't have a certificate , yet it's sat there in my personal certificates store. If I switch the client and RADIUS server to use PEAP instead of EAP-TLS then I can connect OK as you'd expect. So , is there any workround for this or something that I could be doing wrong when I try and export the certificates from an XP to Vista machine? Any suggestions gratefully appreciated. -- Alex New laptop - Sig missing |
|
|||
Vista clients and EAP-TLS authentication - problem with certificat
"Jesper" wrote in message
... Do you have EAP-TLS set up to authenticate both the computer and the user? No , just user accounts. That would explain why you are failing the authentication. You don't have a computer cert. That also means that you cannot work around the problem by exporting certs from an XP machine unless that XP machine has the same name as the Vista machine you are putting the certs on. The enrollment problem likely stems from the new security infrastructure in Internet Explorer. You need an updated web enrollment tool to acquire certificates using IE7 on Vista. It blocks the common ways to do it on XP. The better solution is to use an autoenrollment solution though. It is completely automatic and obviates the need for the web enrollment altogether. It works just fine on Vista against a Server 2003 CA. This doc tells you how to configure it: http://www.microsoft.com/technet/net...i/ed80211.mspx Thanks , I'll try setting that up tomorrow -- Alex New laptop - Sig missing |
|
|||
Vista clients and EAP-TLS authentication - problem with certificat
"Dr Zoidberg" wrote in message
... "Jesper" wrote in message ... Do you have EAP-TLS set up to authenticate both the computer and the user? No , just user accounts. That would explain why you are failing the authentication. You don't have a computer cert. That also means that you cannot work around the problem by exporting certs from an XP machine unless that XP machine has the same name as the Vista machine you are putting the certs on. The enrollment problem likely stems from the new security infrastructure in Internet Explorer. You need an updated web enrollment tool to acquire certificates using IE7 on Vista. It blocks the common ways to do it on XP. The better solution is to use an autoenrollment solution though. It is completely automatic and obviates the need for the web enrollment altogether. It works just fine on Vista against a Server 2003 CA. This doc tells you how to configure it: http://www.microsoft.com/technet/net...i/ed80211.mspx Thanks , I'll try setting that up tomorrow Just tried to work through this and though I can create a new template with the appropriate settings , when I go to step 14. "On the Action menu, point to New, and then click Certificate to Issue. " it's not there in the list to select - just the other unused predefined ones. Any suggestions? -- Alex New laptop - Sig missing |
|
|||
Vista clients and EAP-TLS authentication - problem with certificat
On Wed, 19 Sep 2007 11:06:57 +0100, Dr Zoidberg wrote:
Just tried to work through this and though I can create a new template with the appropriate settings , when I go to step 14. "On the Action menu, point to New, and then click Certificate to Issue. " it's not there in the list to select - just the other unused predefined ones. Any suggestions? That means that your CA is running the Standard Edition SKU and can only issue v1 templates. When you modify an existing template the new template is a v2 and only a CA running Enterprise or Datacenter can issue certificates based on v2 templates. -- Paul Adare MVP - Virtual Machines http://www.identit.ca Downtime: Coffee breaks, lunch, or Friday mentality in the office. |
|
|||
Vista clients and EAP-TLS authentication - problem with certificat
"Paul Adare" wrote in message
... On Wed, 19 Sep 2007 11:06:57 +0100, Dr Zoidberg wrote: Just tried to work through this and though I can create a new template with the appropriate settings , when I go to step 14. "On the Action menu, point to New, and then click Certificate to Issue. " it's not there in the list to select - just the other unused predefined ones. Any suggestions? That means that your CA is running the Standard Edition SKU and can only issue v1 templates. When you modify an existing template the new template is a v2 and only a CA running Enterprise or Datacenter can issue certificates based on v2 templates. Thanks , that'll be it -- Alex New laptop - Sig missing |