IAS: Only validate certificate, not AD account!

Post by gbrau » Sat, 01 Dec 2007 01:45:20


Hello,

I would like to use IAS & EAP/TLS to authenticate COMPUTERS (not
users!) connecting to my wireless network. These computers are not in
my AD domain. They have computer certificates generated by my
standalone CA.
These computers do NOT have AD accounts; they are like "hotspot"
computers.

IAS will only be used to validate the revocation state of the computer
certificate trying to connect to the network.
If the certificate is revoked, the client cannot connect to the
network. If the certificate is valid, access is granted.

But IAS is not so friendly with me... I have just set an EAP / "Wireless
connection type" access policy rule in IAS, nothing relating to domain
users/groups.

The problem is that IAS is still trying to authenticate the
certificate name as a user through Active Directory (IAS is on a
domain controller).
And the username is quite strange: host/CertificateName (the "host/"
is part of the username; it is not a domain prefix. It seems to
indicate that it is a computer authentication)... And as I don't have a
user like this (and in any case, I cannot create a user with a "/" in
the username), IAS denies the connection request.

Do you know how to get rid of this Windows authentication and only
validate the certificate revocation state?

Thanks to all,

Guillaume
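The decision the post asks IAS to make, written out as an added example (this is not code from the post and not IAS code): a constructed standalone CA issues computer certificates to machines that have no account anywhere, publishes a CRL, and a connecting computer is accepted or denied on the certificate alone: issuer, signature, validity period, client-authentication EKU, and revocation state against a fresh CRL. It is Python using the `cryptography` package (assumed to be installed); the CA name, hostnames, serial numbers and CRL are all constructed in the script, and the `host/<CN>` string is only echoed as a log label in the form the post reports, on the assumption that it is taken from the subject CN.

```python
# Added example, not from the post and not IAS code: the decision the post
# asks for, made on the certificate alone. Assumes the 'cryptography' package;
# the CA, computer certificates, hostnames and CRL are all constructed here.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc
DAY = datetime.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _utc_attr(obj, name):
    """tz-aware *_utc property (cryptography >= 42) or the older naive UTC one."""
    dt = getattr(obj, name + "_utc", None)
    return dt if dt else getattr(obj, name).replace(tzinfo=UTC)

def _issue(subject_cn, signer_key, issuer_name, is_ca, days):
    """New RSA key and a certificate for it; self-signed when signer_key is None."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(UTC)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn)).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - DAY).not_valid_after(now + days * DAY)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if not is_ca:  # computer certificates carry the client-authentication EKU
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
    return key, b.sign(signer_key or key, hashes.SHA256())

def make_ca(cn="Standalone CA"):
    """Self-signed CA standing in for the poster's standalone CA."""
    return _issue(cn, None, _name(cn), True, 365)

def issue_computer_cert(ca_key, ca_cert, hostname):
    """Certificate for a machine with no AD account; its private key stays on
    that machine and is not needed by the check, so only the cert is returned."""
    return _issue(hostname, ca_key, ca_cert.subject, False, 30)[1]

def build_crl(ca_key, ca_cert, revoked_serials, valid_for=DAY):
    """CRL signed by the CA: the only place the revocation state lives."""
    now = datetime.datetime.now(UTC)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + valid_for))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())

def eap_identity(cert):
    """'host/<CN>' as the post reports IAS deriving it (assumption: from the
    subject CN). Only a label for logging here; nothing is looked up with it."""
    return "host/" + cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def check_computer_cert(cert, ca_cert, crl, at=None):
    """Return (accepted, reason) from the certificate and CRL alone: no account lookup."""
    at = at or datetime.datetime.now(UTC)
    ca_pub = ca_cert.public_key()
    if cert.issuer != ca_cert.subject:
        return False, "issuer is not the standalone CA"
    try:
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature was not made with the CA key"
    if not _utc_attr(cert, "not_valid_before") <= at <= _utc_attr(cert, "not_valid_after"):
        return False, "outside the certificate validity period"
    eku = next((e.value for e in cert.extensions if isinstance(e.value, x509.ExtendedKeyUsage)), None)
    if eku is None or ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
        return False, "certificate is not enabled for client authentication"
    # Revocation state: a CRL that is not ours, or that has expired, fails closed.
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_pub):
        return False, "CRL is not signed by the standalone CA"
    if at > _utc_attr(crl, "next_update"):
        return False, "CRL is stale; refusing to decide without fresh revocation data"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return False, "certificate is revoked"
    return True, "accepted as " + eap_identity(cert)

def demo():
    """Two hotspot machines; hotspot-02's certificate has been revoked."""
    ca_key, ca_cert = make_ca()
    good = issue_computer_cert(ca_key, ca_cert, "hotspot-01")
    lost = issue_computer_cert(ca_key, ca_cert, "hotspot-02")
    crl = build_crl(ca_key, ca_cert, [lost.serial_number])
    later = datetime.datetime.now(UTC) + 3 * DAY  # past the CRL's next_update
    return {
        "good": check_computer_cert(good, ca_cert, crl),
        "revoked": check_computer_cert(lost, ca_cert, crl),
        "stale_crl": check_computer_cert(good, ca_cert, crl, at=later),
    }

if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:10} {'ACCEPT' if ok else 'DENY'}   {why}")
```

In EAP-TLS the client certificate arrives inside the TLS handshake and the client proves possession of the private key there, so a check like this one is the authorization step that runs after that proof. Two choices are deliberate: a CRL that is past its next_update denies everyone rather than letting revoked certificates back in, and a certificate from the same CA without the client-authentication EKU (a server certificate, say) is refused even though its signature and revocation state are fine.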