05-18-2010 05:26 AM - edited 03-10-2019 05:08 PM
Hi.
I have set up a Windows 2003 Certificate Server to use in AutoEnrollment for machine and user 802.1x authentication, but have run into a few problems.
The steps are something like this:
I configured the CA Server.
I requested a certificate from the CA server inside the ACS 5.1, and installed it.
I downloaded the root certificate from the CA server, and installed it on the client (WinXP SP3).
So far so good, and the web authentication part (when I log in to the ACS itself) works fine.
But when I try to authenticate a client, both on wireless and wired, this message pops up:
If I click OK, it seems to work fine, but the point was to have no user interaction at all.
The certificate and the chains seem to be ok:
Why does this pop up?
Is there a way to avoid this?
Are there some flags missing in the certificate?
Can we configure everything about 802.1x authentication in clients from, say, Active Directory Group Policies?
First I tried to set this up by buying a Certificate from Godaddy.com, since they are certified.
I installed it under System Administration > Configuration > Local Server Certificates > Local Certificates.
But exactly the same popup and result there.
Is it this way it is supposed to be?
Isn't the point with buying Certificates and / or Autoenrollment to have no user interaction at all?
What could be wrong?
Thanks.
05-24-2010 02:39 PM
I assume from the screenshots you're using the XP native .1x supplicant.
Have you defined the Trusted Root Certification Authorities on the client device's interface? The client needs to know which CAs to trust when validating the server certificate.
Note also the following from http://support.microsoft.com/kb/814394
You can configure clients to validate server certificates by using the Validate server certificate option on the Authentication tab in the Network Connection properties. When a client uses PEAP-EAP-MS-Challenge Handshake Authentication Protocol (CHAP) version 2 authentication, PEAP with EAP-TLS authentication, or EAP-TLS authentication, the client accepts the server's certificate when the certificate meets the following requirements:
Hope that helps
Andy