Re: [SPAM POSSIBILITY] Re: VPN PPTP clients using EAP certificates

• From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Wed, 16 Feb 2005 08:50:48 -0800

If a stand-alone CA, then you'll have to manually enroll and establish root trust of the certs. I'm assuming your stand-alone ca allows you to export the private keys, but it has been a very long time since I've messed around with stand-alone ca configurations. Enterprise CA is the way to go for a number of reasons-- That way you can copy and edit cert templates to ensure the certificate properties meet with your goals. You can also use Group Policy to automatically create machine certificates which are automatically trusted by the domain.

t

----- Original Message ----- From: Mark Wrightson
To: [ISAserver.org Discussion List]
Sent: Wednesday, February 16, 2005 7:27 AM
Subject: [isalist] [SPAM POSSIBILITY] Re: VPN PPTP clients using EAP certificates

http://www.ISAserver.org

Yes the 2004 box is a member of the domain. For test purposes I've used a stand alone CA to generate the certificates. Is this allowed or does it have to be an enterprise CA and thus linked to Active Directory and Active Directory Users

thor@xxxxxxxxxxxxxxx 2/16/2005 3:15:49 PM >>>

http://www.ISAserver.org

The 2004 box is a member of the domain and thus trusts the root cert, right?

----- Original Message ----- From: "MW" <mark.wrightson@xxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, February 16, 2005 4:49 AM
Subject: [isalist] VPN PPTP clients using EAP certificates

http://www.ISAserver.org

Trying to get certifiace based Eap authentication working for PPTP VPN
client
on ISA 2004 from a windows 2000 professional PC. Have followed
instructions
in Toms books. Seems very straightforward. Have used a stand alone CA on a
win 2000 server.

Have put machine cert on ISa 2004
Configures ISA 2004 for Eap
Done Eap user mapping
Issued Cert to remote VPN win 2000 client

All certs look OK but I get the following error messages in the isa2004
event
log when I try and connect. The first message appears the first time I try
and
connect after a re-boot. Subsequent connection attempts always generate
the second
message.

Message 1

Because no certificate has been configured for clients dialing in with
EAP-TLS,
a default certificate is being sent to user
northgatevhnet\mark_wrightson_nmh.
Please go to the user's Remote Access Policy and configure the Extensible
Authentication Protocol (EAP).

For more information, see Help and Support Center
at http://go.microsoft.com/fwlink/events.asp.

Message 2

The user mark_wrightson_nmh connected from 195.171.160.45 but failed an
authentication attempt due to the following reason: A certification chain
processed
correctly, but one of the CA certificates is not trusted by the policy
provider.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Any ideas

MW

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: mark.wrightson@xxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

**********************************************************************************
This e-mail and its attachments are intended for the above named only and may be confidential. They are intended to be used by the addressee solely for the purpose of conducting business with Northgate Plc and its associated companies. If they have come to you in error you must delete them, take no action based on them, nor must you copy or show them to anyone.

Security Warning:

Please note that this e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. You acknowledge that you understand and take account of this lack of security when e-mailing us.

Viruses:

Although we have taken steps to ensure that this e-mail and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free and Northgate Plc accepts no liability for such viruses.

Data Protection

From time to time we may wish to send you information relating to our products and services by email. Your email address will be for sole use by our company and companies within the Northgate plc group of companies and will not be passed out to any third parties. If you do not wish to receive information by email then please reply to this email with the word 'remove' in the subject line. Please include your exact email address and company name. We will remove you immediately from our mailing list.

Northgate Plc
Norflex House
Allington Way
Darlington
Co Durham
DL1 4DY
Registered in England No. 53171
**********************************************************************************
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

• » RE: [SPAM POSSIBILITY] Re: VPN PPTP clients using EAP certificates
• » Re: [SPAM POSSIBILITY] Re: VPN PPTP clients using EAP certificates

1. Home
2. isalist
3. Archive
4. 02-2005

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---