Hey Alvin,

If you have installed IIS along with the CA on your Microsoft server, then clients can apply for a client certificate on the http://ca/certsrv web page on the CA. They use their Windows credentials to log on and apply for a certificate.
I did some extended testing on CSSC and EAP-TLS authentication some weeks ago. First, this YouTube link is pretty good: http://www.youtube.com/watch?v=UBE5s6qY5xY&feature=related It is a Microsoft client, but the process of applying for a client certificate is the same.

What I realised in the process for CSSC is that the template does indeed make a difference, and also to check whether the cert is supposed to be machine or user. When I did the user cert I could make this work, and CSSC popped up prompting the user to select the certificate. For the computer cert I check the correct box when applying for a cert to use. I also use the mmc certificate snap-in on the client to verify whether the certificate is going into the user cert folder or the local computer account when I want computer authentication for EAP-TLS.

You have to tell the certificate what user is authenticating even though you are not authenticating as a user, but by a PKI certificate of course. The user has to exist on the ACS in order for this to work (even though it is connected to AD and sending unknown user requests to the AD), so in CSSC somewhere you need to say that the identity is [email protected] or whatever your domain is. This exact user has to exist in ACS.

Just my 5 cents, but ping again if you need greater detail, I have some notes. But I am not gonna spoil the fun for you just yet, I had a lot of fun doing this at the time :D

regards,
Kristjan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: 7. apríl 2011 16:00
To: [email protected]
Subject: CCIE_Wireless Digest, Vol 25, Issue 5

Send CCIE_Wireless mailing list submissions to [email protected]
To subscribe or unsubscribe via the World Wide Web, visit http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless

Today's Topics:
1. Generating machine/computer certificates ([email protected])

----------------------------------------------------------------------

Message: 1
Date: Thu, 07 Apr 2011 14:21:59 +0800
From: [email protected]
To: [email protected]
Cc: [email protected]
Subject: [CCIE Wireless] Generating machine/computer certificates
Message-ID: <[email protected]>

Hi,

I've tried looking for information on this, but most led me to use the auto cert enrollment policy in the GPO for Active Directory. This means that when a new machine joins the AD, it will receive a certificate stored in the local computer certificate store. But what about computers already joined to the AD that did not receive any cert because the policy was not enabled then? How does one generate a machine cert? What type of cert are we requesting from the CA? Also, what is the user credential we use to access the CA when we want to request a new cert from web cert enrolment (http://ca/certsrv)?

I tried generating a user cert and importing it into the Personal store of the "local computer" cert store, but when I tried to use CSSC to perform a machine (EAP-TLS) and user login (any EAP methods), I never see the machine trying authentication with the ACS. If I enable MAR with "no-access" for failed machine authentication, naturally I will not be able to pass authentication. But I also don't see any failed attempts from my machine in the ACS logs. I've tried user authentication only with EAP-TLS/PEAP/FAST and all worked flawlessly. I've also configured all the necessary ACS settings in the external database (Windows database) configuration which allows EAP-TLS for machine authentication. I suspect my cert in concern for machine authentication is not correct, hence machine authentication does not even take place. Any directions on that are appreciated.

Alvin B

------------------------------

_______________________________________________
CCIE_Wireless mailing list
[email protected]
http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless

End of CCIE_Wireless Digest, Vol 25, Issue 5
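The procedure Kristjan describes (request a certificate from the enterprise CA as the computer rather than the user, then check with the certificates snap-in that it landed in the Local Computer store) can be done from the command line instead of the certsrv web page. The script below is an added example and is not part of the thread or of any Cisco/Microsoft documentation; it uses certreq.exe with an INF request file, which is what the web enrolment page builds behind the scenes. The CA configuration string ca.example.local\Example-CA, the template name Machine, the client name host1.example.local and the working directory C:\Temp\eaptls are all assumptions to be replaced with your own values.

```powershell
# Added example (not from the thread): request a machine certificate for EAP-TLS with
# certreq and then confirm it sits in Cert:\LocalMachine\My with a machine-owned private
# key and the Client Authentication EKU. Run from an elevated PowerShell on the
# domain-joined client. Assumed values: CA config "ca.example.local\Example-CA",
# template "Machine", working directory C:\Temp\eaptls.

$WorkDir  = 'C:\Temp\eaptls'
$CaConfig = 'ca.example.local\Example-CA'   # assumed; enumerate real CAs with: certutil -config - -ping
$Template = 'Machine'                       # assumed; this is the internal name of the default Computer template
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# MachineKeySet = TRUE is the detail that decides machine vs. user: the key pair is created
# under the computer account, so the issued cert lands in the Local Computer Personal store.
# A *user* cert copied into that store (Alvin's experiment) has no machine-owned key and
# the supplicant will not present it for machine authentication.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.2 = Client Authentication, which EAP-TLS requires on the supplicant cert
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@
Set-Content -Path "$WorkDir\machine.inf" -Value $Inf -Encoding ASCII

# 1) build the CSR and key, 2) submit it to the enterprise CA (authenticated as the
# computer account, so the template must grant Enroll to Domain Computers),
# 3) install the issued cert against the waiting key.
& certreq.exe -new    "$WorkDir\machine.inf" "$WorkDir\machine.req"
& certreq.exe -submit -config $CaConfig "$WorkDir\machine.req" "$WorkDir\machine.cer"
& certreq.exe -accept "$WorkDir\machine.cer"

# Scripted version of the mmc check: right store, private key present, Client Auth EKU,
# and a chain that builds to a root the client trusts.
function Get-EapTlsMachineCert {
    param([string]$Subject)
    $ClientAuthOid = '1.3.6.1.5.5.7.3.2'
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey } |
        Where-Object {
            $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            $eku -and (([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$eku).EnhancedKeyUsages |
                       Where-Object { $_.Value -eq $ClientAuthOid })
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$cert = Get-EapTlsMachineCert -Subject $Fqdn
if (-not $cert)          { throw "No machine cert with Client Authentication EKU for $Fqdn in Cert:\LocalMachine\My" }
if (-not $cert.Verify()) { throw "Cert $($cert.Thumbprint) does not chain to a trusted root on this client" }
"OK: $($cert.Subject) thumbprint $($cert.Thumbprint) valid until $($cert.NotAfter)"
```

If the submit step reports that the request is pending, the CA is set to hold requests for manager approval; issue it in the Certification Authority console and re-run the accept step. On the RADIUS side, the identity the machine presents is assumed here to be of the form host/host1.example.local (confirm against your own ACS passed/failed authentication log rather than this note), which is the computer-account identity Kristjan says must be resolvable by ACS for the attempt to show up at all.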
