Enabling the check server cert has been very hit and miss for me. It has depended mostly on the client drivers. Some wouldn't auth until it was checked.

For domain computers, I created a group that we add all wireless computer objects to, and that group is then in the IAS policy. The less secure way is to add the group "Domain Computers". By default all domain computers are added to this group.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Bennett
Sent: Friday, April 11, 2008 2:43 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Where is your publicly recognized certificate? On your IAS server? AD server? I have our certificate servers set up and IAS servers but can't enable the option to check the server's certificate. If I uncheck that option in the wireless configuration settings it works.

Also, how does everyone handle domain computers? I issued all computers certificates and told the system to authenticate as the computer if possible so they could hit Active Directory to authenticate.

Thanks,

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Lee Weers
Sent: Tuesday, April 08, 2008 2:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I don't run redundant certificate authorities. I also only have 1 IAS server because we are in the beginning stages of our deployment (so far a high of about 90 clients). I am planning to expand to a 2nd IAS server this fall.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Bennett
Sent: Tuesday, April 08, 2008 1:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Do you run redundant Certificate Authorities? Or if your certificate authority goes down, is your wireless out until you rebuild and restore?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Lee Weers
Sent: Thursday, April 03, 2008 1:50 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

I have IAS working with Cisco 4404 controllers, an Aruba 2400, and an HP WESM. We are using PEAP and MS-CHAPv2 with a WLAN certificate from Verisign. The documents I used to set up the IAS server are here:
http://support.microsoft.com/kb/325725/en-us
http://www.microsoft.com/technet/security/guidance/cryptographyetc/peap_1.mspx

Our wireless setup document is here:
http://www.central.edu/itservices/Wireless%20Network%20Setup.PDF

CAVEATS I have found. You do need to authenticate the computer accounts for domain-joined computers' login scripts to run. That was a big gotcha I found. Then on personally owned computers you need to turn off "use computer credentials". Also PDAs I have yet to get working. They say they work with PEAP-MS-CHAP-v2, but they still want a personal certificate. I don't know why they still want a personal cert. So if someone wants to help me with that problem or help me dig up the info to enable EAP-TLS on an IAS server, I'd be glad to hear from you.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Bennett
Sent: Wednesday, April 02, 2008 7:30 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WiSM, Radius, WPA & WPA2

Does anyone have experience setting up a Cisco WiSM with IAS RADIUS and encryption? Basically I want to have our WiSM authenticate wireless users to our Active Directory, which we can do directly. I also want the wireless secured through WPA and/or WPA2 encryption without having to email the key to everyone. I know it can be done but can't find out how to do this.

The process I want:
1. Computer connects to AP
2. Encryption key is passed to computer and transmission is now secured
3. Internet browser redirected to login page
4. AD credentials are entered
5. Authenticate
6. Internal IP issued and good to go

We have 1, 3, 4, 5, 6 done. Step 2 we have working by putting the key into the computers, but that is a pain. Any suggestions?

Daniel R. Bennett
CompTIA Security+
Information Technology Security Analyst
Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701
(P) 570.329.4989

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.