This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

Configure NAP Enforcement for 802.1X Wired with NPS VeriSign Certificate

Question
0

Sign in to vote

I’m trying to deploy wired NAP with 802.1X enforcement with Windows 2008 NPS and VeriSign Certificate. I can't find document Obtaining and Installing a VeriSign WLAN Server Certificate for PEAP-MS-CHAP v2 Wired Authentication. I found document about wirless http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en but i'm not sure will this cert work with wired.

Any help will be appreciated

Tuesday, June 1, 2010 5:18 PM

All replies

0

Sign in to vote

To refrase:

I’m trying to deploy wired NAP with 802.1X enforcement and Windows 2008 NPS and VeriSign server certificate for PEAP-MS-CHAP v2 Wired Authentication. I’ve found document about how to obtain VeriSign certificate for wireless authentication http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en. I’ve bought and install this certificate and it comes with Intermediate CA name “ VeriSign Class 3WLAN Secure Server CA” I don't have this VeriSign Root CA in the certificates store on the Windows XP clients and I’m getting error on NPS server

“Network Policy Server denied access to a user. Reason Code: 262 Reason: The supplied message is incomplete. The signature was not verified.”

This tells me that The Trusted Root CA certificate is not installed on the client computer and I have to install it. I have thousands of clients and reason I bought VeriSign cert is to not to install Root CA on client machines otherwise I could install self signed certificate for free. Some clients do not belong to domain and I can't install cert using GPO

Is there anyone who deployed Wired NAP with 802.1x enforcement and Windows 2008 NPS service with VeriSign server certificate? Is this right things to do or there is better solution?

Any help will be greatly appreciated

Tuesday, June 1, 2010 9:27 PM
0

Sign in to vote

Hi,

Try this KB article.

http://support.microsoft.com/kb/838502/en-us

You could setup a IIS server for the non-domain clients to download CA certificate.

Wednesday, June 2, 2010 9:59 AM
0

Sign in to vote

NPS runs on Windows 2008 and I don't have IIS installed. According to MS article root cert should be already installed but for some reason I got it under different name "VeriSign Class 3WLAN Secure Server CA"

"The root CA certificate of the issuing CA of the VeriSign WLAN Server Certificate is already installed on computers running Windows XP, Windows Server 2003, and Windows 2000 SP4. The root CA certificate for VeriSign WLAN Server Certificate can be viewed in the Trusted Root Certificate Authorities\Certificates folder of the Certificates snap-in. It has the friendly name of VeriSign Class 3 Primary CA (as listed in the Friendly Name column) and the expiration date of 8/1/2028."

Wednesday, June 2, 2010 3:01 PM