Certificate Authentificatoin won't run on IAS

Certificate Authentificatoin won't run on IAS

Post by Bjoern And » Thu, 11 Aug 2005 16:16:36


I have a problem with Certificate Logins on my Radius Server.

Radius Server:
Windows 2003
Service Pack 1

Windows 2003
Mail-Server (Exchange)

Winodws XP
Service Pack 1
Authentificates with computer, or user certificate

The CA is in all certificate-stores of the Client and the Server, except
the untrusted store.

If I turn on the Client, with an valid computer certificate, I get the
following error message on the IAS-System Log:

User XXXX@XXXXX.COM was denied access.
Fully-Qualified-User-Name = fhe.intern/Users/Benutzer
NAS-IP-Address =
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-0C-6E-6D-66-5A
Client-Friendly-Name = FH07D3
Client-IP-Address =
NAS-Port-Type = Ethernet
NAS-Port = 313
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Cert-login
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.

But the funny thing is, when I turn on the PEAP-Authentification, I
don't get any problem.

I also tried to re-request a new certificate for the client and the
Server and it did'nt help.

I use Certificates to authentificate, because Microsoft is unable to
make a Group Policy for the 802.1x Authentification, i would like to use
PEAP for all my clients but I don't like doing the same thing around 500

Thanks for your help

Bjoern A. Hoefer

Certificate Authentificatoin won't run on IAS

Post by Mark Gamac » Fri, 12 Aug 2005 02:17:41

It sounds like your user certificate is the problem, seeing how PEAP works.
Are the AIA and CRL that are listed in the user cert available to the IAS
server? Is your NAS an access point or a switch?

Mark Gamache
Certified Security Solutions


Certificate Authentificatoin won't run on IAS

Post by Bjoern And » Fri, 12 Aug 2005 16:13:27

Mark Gamache schrieb:

It works now!

I have installed a sub-CA on the IAS-Server and now it works... I almost
don't know why, but it works now and its good...

The AIA and CRL looked good, befor I installed it.

My NAS is a switch (3Com Superstack 3 4400 - Firmware 6.00s)