NPS Radius PEAP using 3rd Party Certificate

    Question

  • Hello all, I hope someone can help.

    We have just implemented Wifi and are in the process of setting up 2008 NPS as our Radius server using PEAP.

    Firstly - We do not have a PKI or internal CA and this is not an option. 

    So far I have it working well using a self-signed cert to test it. I have now purchased a 3rd party cert and again, this works fine for XP SP3 clients. However, when Windows 7 clients try to connect it pops up an alert that states:

    The server "blah" presented a valid certificate issued by "AddTrust External CA Root", but "AddTrust External CA Root" is not configured as a valid trust anchor for this profile.

    I have researched this at great length and seem to simply end up going round in circles with no definitive answer.

    I have added the AddTrust External CA Root certificate to the Enterprise NTAuth Store as per http://support.microsoft.com/kb/295663 using certutil, but this has made no difference.

    I should point out that all machines belong to the same domain and this is purely for internal use.

    Where am I going wrong?

    Thanks

    Friday, May 18, 2012 1:41 PM

Answer

  • Ok, so I've reviewed everything and it turns out I was importing the wrong certificate into the enterprise NTAuth store on the root of the forest!

    I followed the Enterprise PKI instructions on KB 295663 logged in as our enterprise admin and added the COMODO High-Assurance Secure Server CA certificate to the NTAuthCertificates tab. The link to the Microsoft KB is here: http://support.microsoft.com/kb/295663

    This resolved the 'not configured as a valid trust anchor for this profile' error for all Windows 7 machines once they had been rebooted whilst connected to the domain to pick up the change.



    • Edited by Malco Thursday, May 24, 2012 3:40 PM
    • Marked as answer by Malco Thursday, May 24, 2012 3:40 PM
    Thursday, May 24, 2012 3:39 PM
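    An added check in PowerShell (example code, not from the thread; the server CN and the .cer file name are placeholders) that shows the condition the accepted answer fixed: it walks the NPS server certificate's chain and reports whether each CA above the leaf, in particular the issuing CA rather than only the root, is present in the enterprise NTAuth store. It assumes a domain-joined NPS server and a server certificate with its private key in the machine store.

```powershell
# Added example, not from the thread. Run on the domain-joined NPS server to
# confirm that the CA which ISSUED the PEAP server certificate (not only the
# root) is in the enterprise NTAuth store. The subject CN is a placeholder.
param([string]$ServerCn = 'nps.example.local')   # hypothetical name

# 1. The server-authentication certificate NPS presents during PEAP.
$serverCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$ServerCn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $serverCert) { throw "No certificate with a private key for CN=$ServerCn" }

# 2. Build the chain to find the issuing (intermediate) CA and the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'    # trust question only, not CRLs
if (-not $chain.Build($serverCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
$elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
if ($elements.Count -lt 2) { throw 'Certificate is self-signed or the chain did not build' }
$issuer = $elements[1]                   # element 0 is the leaf itself
$root   = $elements[$elements.Count - 1]

# 3. SHA-1 thumbprints cached locally from the enterprise NTAuth store.
$ntauth = certutil -enterprise -store NTAuth | ForEach-Object {
    if ($_ -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') {
        ($Matches[1] -replace ' ', '').ToUpper()
    }
}

# 4. Report every CA in the chain and whether NTAuth knows it.
foreach ($ca in $elements[1..($elements.Count - 1)]) {
    $label = if ($ca.Thumbprint -eq $root.Thumbprint) { 'root  ' } else { 'issuer' }
    '{0} {1} in NTAuth: {2}' -f $label, $ca.Subject, ($ntauth -contains $ca.Thumbprint)
}
if ($ntauth -notcontains $issuer.Thumbprint) {
    $msg = "Issuing CA '{0}' is not in NTAuth; this is the case behind the 'not configured " +
           "as a valid trust anchor' prompt. Publish it forest-wide with: " +
           "certutil -dspublish -f <issuing-ca.cer> NTAuthCA"
    Write-Warning ($msg -f $issuer.Subject)
}
```

    Clients pick up the change from Active Directory on their next policy refresh or reboot, which matches the reboot step the accepted answer describes.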

All replies

  • Hi,

    Firstly, please verify that the AddTrust External CA Root is trusted on all clients. On the problematic computer, run gpupdate /force to apply the domain policy. If the error still persists, run the following command to manually import the CA as a trusted root certification authority.

    certutil -enterprise -addstore NTAuth CA_CertFilename.cer

    For more detailed information, please check the following KB article:

    Windows Security Alert appears when connecting to a wireless network on a workgroup machine

    http://support.microsoft.com/kb/2518158

    In addition, you may also use group policy to distribute the certificate to all clients in the domain.

    Use Policy to Distribute Certificates

    http://technet.microsoft.com/en-us/library/cc772491.aspx

    Best Regards,

    Aiden


    Aiden Cao

    TechNet Community Support

    Monday, May 21, 2012 9:06 AM
  • Thanks for the info Aiden but as per my original post:

    All the machines are internal and on the same domain.

    I have added the certificate to the Trusted Root Certificate store.

    I have already imported the CA as a trusted root certification authority using certutil -enterprise -addstore NTAuth CA_CertFilename.cer on the machine

    I still get the "...not configured as a valid trust anchor for this profile" prompt.

    I haven't distributed the certificate through GP as I want to get it working on a test machine first.

    The only way I have found to stop the prompt on connect is to create a manual profile in Manage Wireless Networks and in Protected EAP Properties tick AddTrust External CA Root from the list of Trusted Root Certification Authorities.

    My dilemma is that we do not want to push the wifi config through group policy as we only want certain people to have it based on AD security group.

    The goal is that we simply want the users to be able to click on the wifi network when it becomes available and connect as seamlessly as possible.

    Is there a better way of doing this?

    Tuesday, May 22, 2012 7:28 AM
  • Hi all,

    I am looking to build a WLAN with a similar layout.

    Don't I need certificates for Win7 workstations if I do not have an internal CA and only have a commercial CA certificate?

    In other words, would a certificate bought from VeriSign be enough to roll out an NPS/RADIUS WLAN with PEAP v2 encryption?

    Regards, Ilkin

    P.S.

    Please ignore my question, as I've just noticed that the PEAP-MS-CHAP v2 authentication method does not require the deployment of user and client computer certificates.
    • Edited by Ilkin Jamalli Monday, September 24, 2012 11:01 AM
    Monday, September 24, 2012 10:54 AM