Authenticating Non domain machines on a RADIUS wireless system using IAS.

[maniac]

I've got RADIUS authentication successfully working on our domain now, and it's been happily managing our wireless system for the last 3 months now. However, one of the things I've been unable to do is to get non-domain devices to authenticate to the wireless system using certificates or simelar, because quite honestly I have no idea how to get this to work!

At the moment our RADIUS system is using IAS on windows 2000 to provide it's authentication and the clients are set up to use WPA/TKIP and PEAP for authentication. It works flawlessly as it is, but obviously that type of authentication is no good if the devices aren't part of the domain.

Is there a guide anywhere that someone could point me to that will tell me to also use a certificate authentication using IAS so I can authenticate non-domain machines to allow me to add a few items to the wireless system that I need to? I've tried googling, but I can't find the right information, I'm assuming of course that this is possible, if it isn't then so be it, but I'm sure it is.

Many thanks,

Mike.

P.S I don't want to turn on user authentication on IAS as it would then allow kids with wi-fi enabled devices to connect to our system without us knowing. I want to find a way of using certificates if possible so we can control who has access.

[Boon72]

i have a Radius setup at the school im in now, it has a WPA key which i just add to anything not on the domain when i need it to access the network as you would normally.

my laptop in used in all my schools to i enter the WPA key for each school so i can use the network etc, it's no different in the Radius school, it just see's the wireless network and ask's for the key(for new devices).

[jsnetman]

We have just setup WPA/IAS Radius with certificates My techie was a bit miffed that he couldn't access the network from his phone/pda to retrieve emails. A bit of digging around for that particular phone and how to import certs to it solved the problem. Basially each device needs to be able to import the cert and normally this will have to be done manually.

[maestromasada]

ey guys, I know this post is 3 years old, but I've got exactly the same problem as described by maniac: my non-domain laptops cant' authenticate to our WPA-TPKI wireless network, how do you fix it? I have manually imported the certificate from the trusted CA into the machine, but the IAS still gives access denied to the non-domain laptops saying that the specified user account does not exist (I'm using machines authentication only)

Any help you could provide will be greatly appreciated, this thing is driving me mad!!

[tadavis]

In order to join non-domain devices to your network, you have to achieve one of the following:

1. Supply the certificate used for authentication and install it in the "trusted root certification authorities" store if it's a windows device.

2. Uncheck the box that says "Validate Server Certificate" in the PEAP settings... Make sure you're using Microsoft: Protected EAP(PEAP) and not "smartcard or other certificate".

Thanks,
Tony

[maniac]

I gave up with this in the end, and created a new user group for 'guest wireless users' and setup a new rule in IAS to auththenticate this group without the use of certificates. Not quite a high security, but it works.

We only have a few users requesting this access so it was the easiest option in the end.

Thanks for your reply thou @tadavis.

Mike.