A Windows Vista forum. Vista Banter


Vista clients and EAP-TLS authentication - problem with certificates
#1
September 18th 07, 02:12 PM, posted to microsoft.public.windows.networking.wireless,microsoft.public.windows.vista.security
Dr Zoidberg

We have half a dozen Cisco 1240AG wireless access points that are set up to
use 802.1x EAP-TLS for authentication and TKIP encryption.
To do the authentication we have a pair of Windows Server 2003 R2 SP2
servers running IAS and also acting as an MS certificate authority (AD integrated
root and subordinate).

This works perfectly for all sorts of laptops running Windows XP, however we
have recently bought a few Dell laptops running Vista and they don't want to
connect.

The problem is that when we try and request a new digital certificate for
the user from the CA we get warnings about it not being compatible with this
version of Windows, so we can't request a certificate directly. I have read
the instructions on how to amend the CA's web interface with code from
Longhorn Server but haven't yet done this (no Longhorn machines for a start),
and as a workaround we thought we could just request the cert using an XP
machine, then export it and import it into Vista.

I don't think the wireless connection setup is as good on Vista as on XP (it
seems to be overly simplified and the advanced settings are too well hidden),
but I have configured a client with the same settings as XP and when I try
and connect it informs me that I don't have a certificate, yet it's sat
there in my personal certificates store.

If I switch the client and RADIUS server to use PEAP instead of EAP-TLS then
I can connect OK, as you'd expect.

So, is there any workaround for this, or something that I could be doing
wrong when I try and export the certificates from an XP to a Vista machine?

Any suggestions gratefully appreciated.

--
Alex

New laptop - Sig missing

#2
September 18th 07, 04:10 PM, posted to microsoft.public.windows.networking.wireless,microsoft.public.windows.vista.security
Jesper

Do you have EAP-TLS set up to authenticate both the computer and the user?
That would explain why you are failing the authentication. You don't have a
computer cert. That also means that you cannot work around the problem by
exporting certs from an XP machine unless that XP machine has the same name
as the Vista machine you are putting the certs on.

The enrollment problem likely stems from the new security infrastructure in
Internet Explorer. You need an updated web enrollment tool to acquire
certificates using IE7 on Vista. It blocks the common ways to do it on XP.

The better solution is to use an autoenrollment solution though. It is
completely automatic and obviates the need for the web enrollment altogether.
It works just fine on Vista against a Server 2003 CA. This doc tells you how
to configure it: http://www.microsoft.com/technet/net...i/ed80211.mspx

---
Your question may already be answered in Windows Vista Security:
http://www.amazon.com/gp/product/047...otectyourwi-20

#3
September 18th 07, 05:35 PM, posted to microsoft.public.windows.networking.wireless,microsoft.public.windows.vista.security
Dr Zoidberg

"Jesper" wrote in message
...
> Do you have EAP-TLS set up to authenticate both the computer and the user?

No, just user accounts.

> That would explain why you are failing the authentication. You don't have a
> computer cert. That also means that you cannot work around the problem by
> exporting certs from an XP machine unless that XP machine has the same name
> as the Vista machine you are putting the certs on.
>
> The enrollment problem likely stems from the new security infrastructure in
> Internet Explorer. You need an updated web enrollment tool to acquire
> certificates using IE7 on Vista. It blocks the common ways to do it on XP.
>
> The better solution is to use an autoenrollment solution though. It is
> completely automatic and obviates the need for the web enrollment altogether.
> It works just fine on Vista against a Server 2003 CA. This doc tells you how
> to configure it:
> http://www.microsoft.com/technet/net...i/ed80211.mspx

Thanks, I'll try setting that up tomorrow
--
Alex

New laptop - Sig missing

#4
September 19th 07, 10:06 AM, posted to microsoft.public.windows.networking.wireless,microsoft.public.windows.vista.security
Dr Zoidberg

Just tried to work through this and though I can create a new template with
the appropriate settings, when I go to step 14:

"On the Action menu, point to New, and then click Certificate to Issue."
it's not there in the list to select - just the other unused predefined
ones.

Any suggestions?

--
Alex

New laptop - Sig missing

#5
September 19th 07, 11:17 AM, posted to microsoft.public.windows.networking.wireless,microsoft.public.windows.vista.security
Paul Adare

On Wed, 19 Sep 2007 11:06:57 +0100, Dr Zoidberg wrote:

> Just tried to work through this and though I can create a new template with
> the appropriate settings, when I go to step 14.
>
> "On the Action menu, point to New, and then click Certificate to Issue."
> it's not there in the list to select - just the other unused predefined
> ones.
>
> Any suggestions?


That means that your CA is running the Standard Edition SKU and can only
issue v1 templates. When you modify an existing template the new template
is a v2 and only a CA running Enterprise or Datacenter can issue
certificates based on v2 templates.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Downtime: Coffee breaks, lunch, or Friday mentality in the office.
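An added example, not code from the thread or from Microsoft: a PowerShell script that lists the certificate templates published in Active Directory with their schema version and flags the v2 ones a Standard Edition CA cannot issue, which is the check Paul's answer implies. It assumes it runs on a domain-joined machine as a user who can read the Configuration partition, and that the admin states the CA edition via the hypothetical -CaIsStandardEdition switch, since the script does not detect the CA SKU itself.

```powershell
# Added example (not from the thread). Lists AD certificate templates with their
# schema version so an admin can see which ones a Standard Edition CA, which can
# only issue v1 templates, will not show under "Certificate to Issue".
# Assumptions: domain-joined machine, read access to the Configuration partition,
# CA edition supplied by the admin via -CaIsStandardEdition (not auto-detected).
param(
    [switch]$CaIsStandardEdition,
    [string[]]$TemplateName          # optional: only report these template names
)

$rootDse   = [ADSI]"LDAP://RootDSE"
$configNc  = [string]$rootDse.Properties["configurationNamingContext"].Value
$tplPath   = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$container = [ADSI]$tplPath

$report = foreach ($tpl in $container.Children) {
    $name = [string]$tpl.Properties["cn"].Value
    if ($TemplateName -and ($TemplateName -notcontains $name)) { continue }

    # msPKI-Template-Schema-Version: 1 = predefined v1 template;
    # 2 or higher = a template created by duplicating/modifying one, which on
    # Server 2003 needs an Enterprise or Datacenter CA to be issued.
    $version = [int]$tpl.Properties["msPKI-Template-Schema-Version"].Value

    New-Object PSObject -Property @{
        Template        = $name
        SchemaVersion   = $version
        IssuableByStdCA = ($version -eq 1)
    }
}

$report | Sort-Object SchemaVersion, Template |
    Format-Table Template, SchemaVersion, IssuableByStdCA -AutoSize

if ($CaIsStandardEdition) {
    $blocked = @($report | Where-Object { -not $_.IssuableByStdCA })
    if ($blocked.Count -gt 0) {
        $names = ($blocked | ForEach-Object { $_.Template }) -join ', '
        Write-Warning ("These v2+ templates will not appear under 'Certificate to Issue' " +
                       "on a Standard Edition CA: $names")
    }
}
```

Run it with a template name such as the duplicated user template you created to confirm its schema version is 2, which explains why it is missing from the Standard Edition CA's list.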
#6
September 19th 07, 05:31 PM, posted to microsoft.public.windows.networking.wireless,microsoft.public.windows.vista.security
Dr Zoidberg

Thanks, that'll be it

--
Alex

New laptop - Sig missing
