WLAN - Smartcard Creds with PEAP and IAS


dogmeat
02-21-2006, 12:25 PM
Greetings Wi-Fi Planet,

First, here's what I have:

A Gemplus smart card with logon credentials on it.
A Windows 2003 server running IAS, with its own cert from the same CA as the smart card.
A client running Windows 2000.
The protocol: PEAP
Active Directory is on a different server than the IAS one.

What I want to eventually have happen:

1. Client doesn't matter at this point, but I want the client to see the AP.
2. I want the client to then trigger the middleware (Gemplus) and ask for a PIN to unlock the card (so it can send the certs off of the card).
3. I want the client to send the required information from the card to the IAS server using PEAP with EAP-TLS (not MSCHAPv2).
4. I need to have the CRL checked to make sure the cert isn't revoked.
5. I want the cert information to be checked in AD and either authenticate or deny the request.
6. Once authentication happens, grab an IP via DHCP and be on its merry little way.

Right now what I have going:

I've set up my server so that it can authenticate via PEAP + MSCHAPv2 by manually typing in the credential information that will be checked against AD, and I have successfully gotten an IP, authenticated, etc. All I have left to do is get my certs to authenticate.

At this point in time, the only real problem I have is that when configuring IAS policies, EAP-TLS doesn't show up under PEAP, only MSCHAPv2 and "Smart card or other certificate". I've read on the internet something about setting up a sub CA on the IAS server so that EAP-TLS shows up, but I'm sure there's a way to do it that doesn't involve setting up an unnecessary component on my server.

I'm waiting on new certs due to a technicality, but I was trying to find other people on this site that have accomplished what I'm trying to accomplish, even if it's with SBR, ACS, or some other radius solution.

I would like to know:

What clients people have gotten to work with this kind of setup.
What servers people have gotten to work with this kind of setup.
Any config secrets for IAS, or other radius servers/clients.
Any other information you think could help me.

Thanks for any future responses,

Kevin Collins