EAP-TLS CA Authentication issue

Post by TWF0dC1TbW » Fri, 27 Apr 2007 00:16:03

We are trying to develop a pilot EAP-TLS authenticated 802.11 network. I
have a 2003 IAS server running on a system with a 2003 standalone CA
installed. I have installed certificates on both the IAS server and a client
using the same standalone CA. I have checked the client CA snap-in and see
the cert in the local machine personal certs store, and I also see the user
cert in the user cert store as well. When I try to authenticate, the IAS
server reports the following error:

4/24/2007 3:12:36 PM IAS Warning None 2 N/A MDTARADIUS1 User
XXXX@XXXXX.COM was denied access.
Fully-Qualified-User-Name = MDTA\arcserve
NAS-IP-Address =
NAS-Identifier =
Called-Station-Identifier = 000B8641BBE0
Calling-Station-Identifier = 0012F08D4497
Client-Friendly-Name = mdta-fskpol-wswt1
Client-IP-Address =
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = MdTA-TLS
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 295
Reason = A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider.

How can the IAS server not trust a Cert issued by the same CA that issued
its own installed server cert?

EAP-TLS CA Authentication issue

Post by gstrible » Sat, 28 Apr 2007 03:17:35

Is the root CA certificate installed in the Trusted Root Certificate
Authorities store on both the server and the client? Each side will
need this in order to trust the other's certificate and to mutually


EAP-TLS CA Authentication issue

Post by TWF0dC1TbW » Wed, 02 May 2007 02:14:06

Yes. I have verified that the Root CA is on both the client and the IAS
server and shows up in the trusted root store for the local machines. What
is odd is that the error appears to me that the IAS server sees that the
certificate for the client is valid, however it still does not trust it due to
"policy". I am wondering if this is some kind of 2003 AD policy issue with
respect to AD-based trusted roots.

EAP-TLS CA Authentication issue

Post by FenderAx » Fri, 04 May 2007 09:39:57

Sounds like the certificate templates are not configured correctly -- they
have to meet the minimum cert requirements described in the IAS Help.


EAP-TLS CA Authentication issue

Post by TWF0dC1TbW » Fri, 04 May 2007 20:15:00

I checked all the EKUs in the certs and they have all the proper OIDs, so the
templates were OK. We ended up opening a case with support and found out
that since the CA we were using was a standalone root CA and not an
enterprise CA, you need to register it with the AD domain as a trusted root
server even though the IAS server had the root CA in its local machine
trusted store. We followed the following procedures to post this change:

http://www.yqcomputer.com/ ;EN-US;Q295663

We had tried this fix before opening the case, but apparently we did not wait
long enough for the change to replicate throughout our AD forest, because the
clients were still not authenticating 2 hours later. In frustration we
de-installed CA services and re-installed it to start from scratch, so all the
original certs were no longer valid (we removed the old certs from the IAS
server). At any rate we appear to be working now, and the lesson learned from
our point of view is that sometimes you have to wait a while for a "fix" to work ;-) Also
it would appear that 2003 changes the way IAS servers verify Root CA trust.
Simply placing the root CA into the trusted root machine store is not enough
if the server is part of an AD domain.
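A check for the diagnosis in the last post, added here as an example and not code from the thread: it reports whether a root CA certificate is present in the local machine Trusted Root store and in the two Active Directory locations a domain-joined IAS server also consults (the Certification Authorities container and NTAuthCertificates). It assumes PowerShell on a domain-joined host with read access to the configuration partition; the thumbprint value is a placeholder you replace with your own root CA's SHA-1 thumbprint.

```powershell
# Added example, not from the original thread. Assumes a domain-joined host.
param([string]$Thumbprint = 'PLACEHOLDER-ROOT-CA-THUMBPRINT')   # placeholder
$Thumbprint = ($Thumbprint.ToUpperInvariant() -replace '[^0-9A-F]', '')

# 1. Local machine Trusted Root store: necessary, but per the thread not
#    sufficient for a domain member running IAS.
$inLocalRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                      Where-Object { $_.Thumbprint -eq $Thumbprint })

# 2. AD publication points under the configuration partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNc"

# Read every DER blob in the cACertificate attribute of one object and
# return the SHA-1 thumbprints so they can be compared with $Thumbprint.
function Get-DsCertThumbprints([string]$Path) {
    $obj = [ADSI]$Path
    foreach ($der in @($obj.Properties['cACertificate'])) {
        if ($der -is [byte[]]) {
            $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                               -ArgumentList (,$der)
            $cert.Thumbprint
        }
    }
}

# Certification Authorities container: one child object per published root CA
# (this is where a published standalone root becomes a domain-wide trusted root).
$caContainer    = [ADSI]"LDAP://CN=Certification Authorities,$pks"
$publishedRoots = @(foreach ($child in $caContainer.Children) {
    Get-DsCertThumbprints -Path $child.Path
})

# NTAuthCertificates: CAs the domain accepts for logon/EAP client certificates.
$ntAuth = @(Get-DsCertThumbprints -Path "LDAP://CN=NTAuthCertificates,$pks")

# All three should be $true before expecting EAP-TLS to pass the policy check;
# a $false in either AD column points at publication or replication lag.
[pscustomobject]@{
    Thumbprint             = $Thumbprint
    InLocalMachineRoot     = $inLocalRoot
    InADCertificationAuths = ($publishedRoots -contains $Thumbprint)
    InNTAuthCertificates   = ($ntAuth -contains $Thumbprint)
}
```

Run it on the IAS server and on a second domain controller to see whether the AD entries have replicated everywhere yet.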