This is killing me, need help badly

vage
Ok so no joke, I have been trying to get this to work for 2 weeks now, with absolutely NO progress. I am trying to create a Windows 2003 RADIUS server.

Installed AD, DNS, Enterprise CA root authority, IIS, and IAS on a Windows 2003 Server machine. Configured IAS for PEAP authentication with wireless clients. Configured the wireless AP to use WPA encryption with said RADIUS server.

Everything is working as it should but for the life of me certificates are just kicking my ass all day long. I need an IN DEPTH guide of what to do because nothing I can find on the internet is helpful in the least.

What do I request from my CA for my IAS server and how do I do it? What do I request from my wireless clients and how do I do it? What certificates do I need total and how do I do it?

Seriously I have been having trouble with these certificates for so long now, I guess I completely fail to understand the concept or something because nothing I've tried has worked. Please I am begging the [H] networking community to just help me with this and get it out of my fricken way.
 
Create a group policy that auto-pulls certs from your CA, which also needs to become a trusted root authority.

Use the web interface for the CA to install the cert as a trusted root, then you also need to make sure the server template supports 'server auth'. I actually found that 2000 AS is easier to setup for RADIUS, then I upgraded to 2003 Svr and the first time you start the CA, it asks if you want to upgrade the templates. Say yes, and away you go with a 2003 CA and 2003 Radius server. 2008 is totally different again! :)

I got this working some time ago, but it's been awhile. If I can find my notes, I'll pass them along. :)
 
Man, I feel your pain. I farted around with this for at least a week solid a couple of years ago, and I spent tons of time reading all kinds of documentation from MS on the correct way to configure certificates for authenticating wired and wireless users.

And I got it working. Sort of......

There are user certificates, and computer certificates. I was able to get authentication working using user certificates, by logging into the website of the certificate server, and downloading one. This worked just fine and let me authenticate to my AP and switches using PEAP and 802.1X, but this isn't what I wanted. I was also able to get LEAP w/MS-CHAP working, but that also was not what I wanted.

I wanted authentication using computer certificates. Since I was running in a domain environment, I needed my computers to authenticate themselves to the network BEFORE user login, so that all of my group policies would still run.

I was able to get this working as well...... sort of. On a workstation, I could run the local MMC snap-in for certificates, and make a request for a certificate to the server, and it would give me one, and everything would work just fine! Oddly, I would have to be logged in locally instead of to the domain for this to work, because if I was logged into the domain as a user, it would only let me request a user certificate through the local MMC snap-in.

So I guess my problem came down to not being able to automatically enroll computer certificates through the domain. Since I couldn't do this, I left off on the project altogether. I was not about to go to over 1000 workstations and make a local certificate request. This would not be manageable.

So that's my story. Hope it helps in some way, if not technically then at least morally.
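Both replies above come down to the same two questions: does the IAS server (or the workstation) hold a certificate with the right enhanced key usage and a private key, and does its issuing root sit in the machine's trusted root store so the chain builds for LocalSystem, plus, for the computer-certificate case, whether the autoenrollment policy ever reached the box. The script below is an added example, not code from either poster; it only reads the certificate stores and the policy registry key and changes nothing. The EKU OIDs, the Cert: store paths and the AutoEnrollment registry key are standard Windows values; the reading of the AEPolicy bits (0x8000 meaning disabled) is an assumption to check against your own policy documentation.

```powershell
# Audit PEAP certificate prerequisites on a domain member (added example).
# Run elevated: on the IAS/NPS server with -Role Server, on a workstation
# with -Role Client. Read-only.
param(
    [ValidateSet('Server', 'Client')]
    [string]$Role = 'Server'
)

# Server Authentication for the RADIUS side, Client Authentication for a
# computer certificate used by the 802.1X supplicant.
$requiredEku = @{
    Server = '1.3.6.1.5.5.7.3.1'
    Client = '1.3.6.1.5.5.7.3.2'
}[$Role]

function Test-PeapCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # Without an accessible private key the TLS handshake inside PEAP cannot complete.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # A missing EKU is the usual reason a cert never appears in the PEAP certificate list.
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    if ($ekus -notcontains $requiredEku) { $problems += "missing EKU $requiredEku" }

    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }

    # Build the chain the way the service would at runtime.
    # Revocation is left out here; it is a separate check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build ($status)"
    }

    # IAS and the supplicant run as LocalSystem, so the root must be trusted
    # in LocalMachine\Root, not just in the logged-on user's store.
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $trusted = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint }
        if (-not $trusted) { $problems += "root '$($root.Subject)' not in LocalMachine\Root" }
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Write-Host "Certificates in LocalMachine\My evaluated for the PEAP $Role role:"
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-PeapCertificate $_ } | Format-List

# Autoenrollment state delivered by group policy. No key means the policy never
# applied here (check gpupdate /force and gpresult). The 0x8000 = disabled
# interpretation is an assumption; confirm it against your policy reference.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) {
    Write-Host 'Autoenrollment policy: not applied to this machine'
} elseif ($ae.AEPolicy -band 0x8000) {
    Write-Host 'Autoenrollment policy: disabled'
} else {
    Write-Host ('Autoenrollment policy: enabled (AEPolicy=0x{0:X})' -f $ae.AEPolicy)
}
```

If every certificate in LocalMachine\My reports a missing EKU, the template the request came from is the problem, not the CA or IAS. If the chain does not build or the root is absent, that is the trusted-root step the second reply describes. If the autoenrollment key is absent on a workstation that is supposed to pick up computer certificates, the group policy is not reaching the computer, which matches the symptom in the third reply where only manual requests through the MMC worked.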
 