Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: PEAP based 802.1x LAN authentication

from [Rodrigo Blanco] Network Security [Permanent Link]
Subject: Re: PEAP based 802.1x LAN authentication
Date: Thu, 7 Apr 2005 11:30:08 +0200 
Hello again,

I have checked: 

- that the RSA key is 1024 bits long : OK 
- that the usage "Server auth" : OK
- the server certificate is now stored in "Personal (Local Computer)"
(it has a corresponding private key) and the CA certificate is
installed on "Trusted Root CAs (Local Computer)". : OK

It still does give the same error message. :-/

In 
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx?pf=true,
I have read that server certificates from a non-MS CA must accomplish:

- "They must contain the fully qualified domain name (FQDN) of the
computer account of the IAS server computer in the Subject Alternative
Name property.".

I have created the certificate so that this property is DNS:<FQDN of
the server> this is correctly interpreted on Windows cert. repository.

- "The cryptographic service provider for the certificates supports SChannel." 

I have no idea what this means (it is something related to the
schannel.dll) and how it affects to the certificate creation. Any
clues on this? I really see no other errors in the configuration.

Thanks again and best regards,

Rodrigo.

On Apr 7, 2005 1:27 AM, Menicucci, Dan <dan0@pitt.edu> wrote:

Hi Rob,

We do it wih a Verisign certificate.  The trusted root needs to be on
the client machines and the certificate needs to be installed under the
Personal folder of the Computer section of the certificate snapin.

Thanks,
Dan

-----Original Message-----
From: Won, Henry # PHX [mailto:henry.won@ndchealth.com]
Sent: Wednesday, April 06, 2005 3:13 PM
To: Rodrigo Blanco; focus-ms@securityfocus.com
Cc: rodrigob@myway.com
Subject: RE: PEAP based 802.1x LAN authentication

We are using MS CA with IAS and only enhanced key usage listed is server
authentication. If I remember correctly the RSA key size had to be 1024
bits long. If it is bigger, try generating a new certificate with 1024
bits instead.

-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Wednesday, April 06, 2005 8:42 AM
To: focus-ms@securityfocus.com
Cc: rodrigob@myway.com
Subject: PEAP based 802.1x LAN authentication

Hello list,

I am currently trying to configure an Active Directory (w2K server) both
for windows auth and also as RADIUS server (IAS) for LAN 802.1x
authentication. I have successfully tried 802.1x with auth methods such
as PAP, CHAP... and now am trying to move to PEAP so I can have joint
AD/802.1x auth. with a single logon.

According to
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/S
erverHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx
I should install MS CA and generate a certificate for the win2K server
acting as AD/IAS.

I do not want to use this CA, but openssl instead (XCA, in fact). With
this, I have created a certificate with key usage = Server auth and
installed both the CA certificate and this certificate through the
browser.

When I try to configure PEAP in the IAS Dial-in profile, I get an error
message stating: "A certificate could not be found that can be used with
this Extensible Authentication Protocol". I think some key usage or
extended key usage attributes must be missing, or that I have created /
installed the certificate wrong, but did not find the problem.

Any help or ideas would be more than welcome.

Thanks in advance,
Rodrigo.

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

This E-mail message is for the sole use of the intended recipient(s) and
may contain confidential and privileged information.  Any unauthorized
review, use, disclosure or distribution is prohibited.  If you are not
the intended recipient, please contact the sender by reply E-mail, and
destroy all copies of the original message.

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: PEAP based 802.1x LAN authentication, Rui Francisco
Next by Date:  RE: PEAP based 802.1x LAN authentication, Neal
Previous by Thread:  RE: PEAP based 802.1x LAN authentication, Menicucci, Dan
Next by Thread:  Re: PEAP based 802.1x LAN authentication, Rodrigo Blanco
Indexes:  [Date] [Thread] [Top] [All Lists]