Wireless Access Authentication using PKCS#12 certificate
This one has me scratching my head, and that's not a good thing as it's rubbing off what little hair I have left!
We have a HP MSM-750 Wireless Access controller (formerly a Colubris MSC-5500). As part of its functionality you can get it to authenticate by Active Directory Username and Password to issue a wireless connection.
Steps as follows:
1. User boots laptop
2. Logon screen displayed
3. User enters AD username/password combo
4. Laptop pre-authenticates to wireless using AD username/password combo
5. If AD username/password correct then issue IP address and then pass logon request over to AD to perform logon on the machine as normal.
However, the machine has to have two certificates on it to accomplish this. One is the Trusted Root Authority Certificate; this has been put on.
The second one is a PKCS#12 certificate which it asks for in the name of the controller and to be issued by the Trusted Root Authority. My root authority is my MS Enterprise CA. Can I get this beast to issue a PKCS#12 certificate - in your (or my) dreams!
I have tried creating a template and issuing it to the Certification Authority and then generating a custom certificate request in the name of my controller (wireless.school.local for argument's sake) but the CA responds with the following error:
The DNS name is unavailable and cannot be added to the Subject Alternate Name. 0x8009480f (-2146875377) Denied by policy module.
This is a lot of hours work and the sum total is at present a fairly irritating error message!
So, what I'm asking is:
1. Anyone got one of these beasts and made it work successfully in this mode rather than giving up and using a RADIUS server?
2. Anyone know how to generate a PKCS#12 certificate using MS Enterprise CA and not get annoying error messages?
3. Anyone want to buy a lightly used Wireless Controller???
4. Anyone got a walkthrough they found out on the great unwashed web that explains things more clearly than the HP MSM-750 manual which is translated from the Serbo-Croat by a goat?
5. Anyone here able to say - "You dummy - don't do that - do this!"
Scratch number three but any help on any of the others would be gratefully received.
I don't even have machines connecting at the moment, never mind lack of GPOs. Without getting this certificate sorted I can't even make a wireless connection...
Can you please elaborate on how this is all set up at the moment? Are you using a RADIUS server? What kind of authentication and encryption have you got set for 802.1x authentication? i.e. PEAP with MSCHAP v2? Or TLS?
No, not using a RADIUS server at the moment. The MSM-750 can be joined as a member server to the domain so effectively it can perform an AD login for wireless authentication purposes.
What I can't do is generate the appropriate machine certificate for the MSM-750....
When you create a VSC (Virtual Service Controller) under the wireless protection settings you can specify local or remote authentication - under the remote tab you have the option of RADIUS or Active Directory but the access controller is failing to be trusted by the DC because it doesn't have an appropriate machine certificate generated for it.
What I can't do is get my CA to generate this certificate. Hope that makes sense.
The option to do authentication this way isn't one I have come across before; I have only ever used RADIUS before.