Certificate Authority - RADIUS / WPA


We have a problem with our Certificate Authority: it deletes its own Computer Certificate on a daily basis. I implement WPA wireless security through the RADIUS standard using this computer, so every day I have to renew the computer certificate. When I check the Event Viewer, three records are shown, as follows:

Source : IAS Event ID : 3

Access request for user User1 was discarded. Fully-Qualified-User-Name = domain.com/Users/User1 NAS-IP-Address = 192.168.0.66 NAS-Identifier = Wireless Called-Station-Identifier = 001d.45d3.4190 Calling-Station-Identifier = 0023.df15.1483 Client-Friendly-Name = Wireless Client-IP-Address = 192.168.0.66 NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = 5113 Proxy-Policy-Name = Use Windows authentication for all users Authentication-Provider = Windows
Authentication-Server = Reason-Code = 23 Reason = Unexpected error. Possible error in server or client configuration.

Source : IAS Event ID : 20168

Could not retrieve the Remote Access Server's certificate due to the following error: Cannot find object or property.

Source : IAS Event ID : 20168

Because no certificate has been configured for clients dialing in with EAP-TLS, a default certificate is being sent to user Domain\User1. Please go to the user's Remote Access Policy and configure the Extensible Authentication Protocol (EAP).

What could be causing the problem?

by Serdar Karahanoglu 22.02.2010 / 11:16

2 answers


Here is the actual solution.

To describe the process of duplicating the template and issuing the certificate more clearly, I would like to provide a more precise action plan, as follows.

  1. On CA, create a duplicate of the "RAS and IAS Server certificate template". Type RAS and IAS Server Authentication into the Template display name field on the General tab of the new template's properties.

  2. On the Extensions tab, ensure that the application policies only include Server Authentication (OID 1.3.6.1.5.5.7.3.1).

  3. Also on the Extensions tab, edit the Issuance policies and add the Medium Assurance policy.

  4. On the Subject Name tab, select Build from this Active Directory information. Also, ensure that Subject name format is set to Common name and that only DNS name is selected under Include this information in subject alternative name.

  5. On the Request Handling tab, click the CSPs button, ensure that Request must use one of the following CSPs is selected, and that only the Microsoft RSA SChannel Cryptographic Provider is selected.

  6. On the Security tab, add the AutoEnroll RAS and IAS Server Authentication Certificate security group with Read, Enroll, and Autoenroll permissions.

  7. Add certificate templates to the CA.

  8. From the Certification Authority MMC snap-in, right-click the Certificate Templates folder, select New and then Certificate Template to Issue. Select the following certificate, and then click OK.

"RAS and IAS Server Authentication"

  1. Log on to the IAS server as a member of the local Administrators group.

  2. Open the MMC, and then add the Certificates snap-in. When prompted, select the Computer account option, and then select Local Computer.

  3. Select Certificates (Local Computer) from the console tree, select All Tasks from the Action menu, and then click Automatically Enroll Certificates.

by 26.02.2010 / 10:45

It works. Any argument?

Most likely the certificate is deleted by some application. Sometimes the certificate is not deleted, but rather archived. To verify, please run certmgr.msc and open the certificate snap-in. Then click Certificates -> View -> Options and select Archive Certificates. The certificates show up again.

It could be the Live Sync program that deletes/archives the certificate. To verify, please try not to use the program on the machine and monitor whether the certificate gets deleted/archived. I also found that the software FolderShare can also cause this kind of problem. If you have this software installed, please remove or disable it. Thank you.

To troubleshoot it, I recommend we perform a clean boot on the problematic machine and check it again.

To perform a clean boot, please follow these steps.

  1. Type MSCONFIG to open the System Configuration console.

  2. Go to the Services tab, click the option to hide all Microsoft services, and then click the Disable All button.

  3. Go to the Startup tab and click the Disable All button.

  4. Restart the computer.

by 23.02.2010 / 14:06
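As an added example that is not part of either answer, the following PowerShell script audits the IAS server's computer certificate store the way both answers suggest: it looks for a certificate carrying the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1, step 2 of the first answer), includes archived certificates so that an "archived rather than deleted" certificate (second answer) is visible, and triggers an autoenrollment pulse when no usable certificate remains. It assumes it is run elevated on the IAS server and that the template display name is the one created in the first answer.

```powershell
# Added example (not from the original post): audit LocalMachine\My on the
# IAS server for a usable EAP-TLS server certificate; request autoenrollment
# if none is usable. Assumes: elevated session, template name from the answer.
param(
    [string]$TemplateName = 'RAS and IAS Server Authentication'  # from the first answer
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # Server Authentication EKU
$ekuExtOid     = '2.5.29.37'                # Enhanced Key Usage extension
$templateOid   = '1.3.6.1.4.1.311.21.7'     # Certificate Template Information (v2 templates)

# Open the computer's Personal store including archived certificates: the
# second answer notes the certificate is sometimes archived, not deleted.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
         [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open($flags)

$now = Get-Date
$report = foreach ($cert in $store.Certificates) {
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    $hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))
    $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $tmplText = if ($tmpl) { $tmpl.Format($false) } else { '' }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Archived   = $cert.Archived
        HasPrivKey = $cert.HasPrivateKey
        ServerAuth = $hasServerAuth
        FromTemplate = $tmplText -like "*$TemplateName*"
        # Usable for EAP-TLS: right EKU, private key present, in validity period, not archived
        Usable     = ($hasServerAuth -and $cert.HasPrivateKey -and -not $cert.Archived -and
                      $cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
    }
}
$store.Close()

$report | Format-Table Subject, Archived, HasPrivKey, ServerAuth, FromTemplate, NotAfter, Usable -AutoSize

if (-not ($report | Where-Object Usable)) {
    Write-Warning 'No usable EAP-TLS server certificate in LocalMachine\My; requesting autoenrollment.'
    # certutil -pulse runs the autoenrollment task, which enrolls templates
    # granted Autoenroll to this computer's group (first answer, step 6).
    certutil -pulse
}
```

Running it daily as a scheduled task and keeping the output gives a timeline of when the certificate disappears or is archived, which helps correlate the loss with the sync software the second answer suspects.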
