Radius Server - 802.1x for 3com 3870 switches just not working :(

DrSpook

2006-01-13, 10:26 pm

We have some new 3com 3870 switches that support 802.1x network access
authentication.

* I've set up 2 w2k3SP1Enterprise DCs with an enterprise root CA on DC1 &
IAS on both. I also entered their IPs in the 3870's radius settings & did
shared secret etc.
* I've auto-enrolled the default IAS & RAS Server certificate on both DCs
* I've set up IAS as per the "deploying IAS for wired 802.1x" MS guide.
* I've set a GPO to add the rootCA to the trusted roots on client pcs
(imported the c:\rootca.crt file into the policy for this).
* I've set up an xpsp2 client to require 802.1x with MS-PEAP_CHAPv2, verify
server cert & supply windows user & pw. I also verified that the rootCA was
in the trusted roots on the client.

Here's what happens when logging onto the xpsp2 client as "domain\fred"
where fred is a valid user:
1. If I set a remote access policy to deny access to (valid) user fred then
fred is denied access & an IAS "access denied" event is generated on the IAS
server's event log.
2. If I grant fred remote access then no events are generated in the event
log & fred can't access the network
3. If I change the default connection policy to allow all connections rather
than "authenticate on this server" then fred can access the network & an "IAS
access granted" event is generated on the IAS server.
4. In the above scenario, but with "send windows user & pw" unticked on the
client, I can supply any password at all & fred gets network access.

I've reinstalled my test environment twice & am now far too close to see the
wood for the trees. Any help would be gratefully received.

Thanks in advance & hoping I've not done something daft....

Andy Booth, Senior Network Support Officer, Royal National Institute of the
Blind (UK)

DrSpook

2006-01-25, 8:37 am

Problem solved - use v3.0 firmware on the 3870s! Confirmed by reinitialising
the switch & reconfiguring.

No reference to this problem in the release notes for v2.03, v2.5 OR v3.0....