RADIUS \ EAP-TLS \ Ruckus
This is beginning to drive me nuts, so I'm hoping someone can help shed some light on the matter :p
I'm trying to set up wireless laptops via RADIUS so we can have effectively the same look and feel as a desktop machine, i.e. automatic logon to the domain, applying GPOs, profiles etc. I have been trying to get my head around the numerous ways of defining PEAP etc. and seem to see two methods...
EAP-TLS... machine certificate used for authentication; the cert is auto-enrolled via Group Policy
PEAP-MSCHAPv2... uses the user credentials to connect (although there seems to be a Computer Account option as well)
There also seems to be PEAP-EAP-TLS, which as far as I understand is a slightly more secure version of EAP-TLS?
I have been trying the EAP-TLS method but not having much joy :(
- created an Enterprise CA
- set up auto-enrolment for clients and the NPS server as per "NPS Server Certificate: Configure the Template and Autoenrollment" and "Deploy Client Computer Certificates"
- created a GPO for the wireless settings, used "Microsoft: Smart Card or other Certificate" as the authentication method (I believe this is EAP-TLS?)
- set up the NPS server using the wizard, matched the Network Policy to use the same "Microsoft: Smart Card or other Certificate" authentication method
- set up the Ruckus AAA server as "RADIUS" and configured NPS with the ZoneDirector IP address and shared secret
Logged in as Local Admin on one laptop and tried to connect to the wireless, the logic being it should connect as it's authenticating as the machine doing the auth... it just sits there saying "Attempting to Authenticate". On the XP SP3 laptop packets go back and forth, but on the Win7 one it's 0 sent \ 0 received.
Checking the certificate store on both laptops shows the machine certificate in Machine\Personal and the CA cert in Machine\Trusted Root Certification Authorities.
Annoyingly I'm seeing very little in the log files on the NPS server or on the client; it seems like you have to dig quite deep to get anything of use... time for Wireshark? Also noticed this when using machine authentication, do I really need to make these changes just to get EAP-TLS to connect? http://support.microsoft.com/kb/929847
Any ideas for where I'm going wrong as I can't see it at the moment?
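The two places where a machine-certificate EAP-TLS setup like the one above usually fails silently are the client's certificate (no private key, no Client Authentication EKU, or a chain that does not build to the Trusted Root store) and the NPS side rejecting the request for a reason that only shows up in the Security log. The following PowerShell diagnostic is an added example, not from the original post or from Microsoft/Ruckus; it assumes a Windows 7-era PowerShell 2.0 or later and that NPS auditing is enabled (the default), and the event IDs 6272/6273 and the Client Authentication EKU OID are the standard Windows values.

```powershell
# Added diagnostic for the EAP-TLS setup described above (not from the original post).
# Run in an elevated PowerShell: Test-EapTlsMachineCert on the client,
# Get-NpsAuthEvents on the NPS server.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, required on the machine cert

function Test-EapTlsMachineCert {
    $results = @()
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Collect the EKU OIDs present on the certificate
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        # Build the chain against the machine stores, as the EAP supplicant does at connect time
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain trust only; revocation is a separate question
        $chainOk = $chain.Build($cert)
        $now = Get-Date
        $results += New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -lt $now) -and ($cert.NotAfter -gt $now)
            ClientAuthEku = ($ekus -contains $clientAuthOid)
            ChainTrusted  = $chainOk
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
    $results
}

function Get-NpsAuthEvents {
    param([int]$Last = 20)
    # 6272 = NPS granted access, 6273 = NPS denied access. The denied event's message carries
    # a "Reason Code" and "Reason" field that names the failing step (certificate chain,
    # EKU, policy mismatch, shared secret) far more precisely than the client UI does.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $Last |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } },
            @{ n = 'Reason';  e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Reason' }) -join ' ' } }
}

# Client: every row should show HasPrivateKey, InValidity, ClientAuthEku and ChainTrusted = True
Test-EapTlsMachineCert | Format-List
# NPS server: no 6272/6273 events at all means the RADIUS request never arrived (secret, IP, firewall)
Get-NpsAuthEvents | Format-Table -AutoSize -Wrap
```

If the client shows all four checks as True and the NPS server logs nothing, the problem is between the ZoneDirector and NPS (client IP, shared secret, UDP 1812 reachability) rather than in the certificate setup.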