Configure NAP Enforcement for 802.1X Wired with NPS VeriSign Certificate

All replies

  • To rephrase:

     

    I’m trying to deploy wired NAP with 802.1X enforcement and Windows 2008 NPS and a VeriSign server certificate for PEAP-MS-CHAP v2 wired authentication. I’ve found a document about how to obtain a VeriSign certificate for wireless authentication http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en. I’ve bought and installed this certificate, and it comes with the Intermediate CA name “VeriSign Class 3WLAN Secure Server CA”. I don't have this VeriSign Root CA in the certificate store on the Windows XP clients, and I’m getting an error on the NPS server:

    “Network Policy Server denied access to a user. Reason Code: 262 Reason: The supplied message is incomplete.  The signature was not verified.”

     

    This tells me that the Trusted Root CA certificate is not installed on the client computer and I have to install it. I have thousands of clients, and the reason I bought the VeriSign cert is to not have to install a Root CA on client machines; otherwise I could install a self-signed certificate for free. Some clients do not belong to the domain and I can't install the cert using GPO.

     

    Is there anyone who has deployed wired NAP with 802.1X enforcement and the Windows 2008 NPS service with a VeriSign server certificate? Is this the right thing to do, or is there a better solution?

     

    Any help will be greatly appreciated.

    Tuesday, June 1, 2010 9:27 PM
  • Hi,

    Try this KB article.

    http://support.microsoft.com/kb/838502/en-us

    You could set up an IIS server for the non-domain clients to download the CA certificate.

     

    Wednesday, June 2, 2010 9:59 AM
  • NPS runs on Windows 2008 and I don't have IIS installed. According to the MS article, the root cert should already be installed, but for some reason I got it under a different name, "VeriSign Class 3WLAN Secure Server CA".

    "The root CA certificate of the issuing CA of the VeriSign WLAN Server Certificate is already installed on computers running Windows XP, Windows Server 2003, and Windows 2000 SP4. The root CA certificate for VeriSign WLAN Server Certificate can be viewed in the Trusted Root Certificate Authorities\Certificates folder of the Certificates snap-in. It has the friendly name of VeriSign Class 3 Primary CA (as listed in the Friendly Name column) and the expiration date of 8/1/2028."

    Wednesday, June 2, 2010 3:01 PM
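
A chain check for the situation discussed in this thread, as an added example that is not part of any poster's reply: it builds the chain for an exported copy of the NPS server certificate and reports, for each element, whether it is an intermediate or a self-signed root and whether that root is in the local Trusted Root store. The file path is a hypothetical placeholder, and it assumes PowerShell is available on the machine being checked.

```powershell
# Added example (not from the thread). $CertPath is a hypothetical placeholder
# for a .cer export of the server certificate that NPS presents for PEAP.
param(
    [string]$CertPath = 'C:\temp\nps-server.cer'
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CertPath

$chain = New-Object "$x509.X509Chain"
# Skip revocation lookups so the check only exercises chain building and trust.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

$trusted = $chain.Build($cert)

# Thumbprints of every certificate in the machine's Trusted Root store.
$rootThumbprints = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })

$index = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    # A root CA certificate is self-signed: subject and issuer are identical.
    if ($c.Subject -eq $c.Issuer) {
        $role = 'root'
    } elseif ($index -eq 0) {
        $role = 'server certificate'
    } else {
        $role = 'intermediate'
    }
    $inRootStore = $rootThumbprints -contains $c.Thumbprint

    Write-Output ('[{0}] {1}' -f $index, $role)
    Write-Output ('    Subject : {0}' -f $c.Subject)
    Write-Output ('    Issuer  : {0}' -f $c.Issuer)
    Write-Output ('    Expires : {0}' -f $c.NotAfter)
    Write-Output ('    In LocalMachine\Root : {0}' -f $inRootStore)
    $index++
}

# Build() returns $false when the chain is incomplete or ends in an untrusted root;
# ChainStatus names the reason (for example PartialChain or UntrustedRoot).
Write-Output ('Chain trusted: {0}' -f $trusted)
foreach ($status in $chain.ChainStatus) {
    Write-Output ('    {0}: {1}' -f $status.Status, $status.StatusInformation.Trim())
}
```

If the last element listed is not self-signed, the chain stopped at an intermediate the machine could not link to a root, which is a different failure from a root that is present in the chain but absent from the Trusted Root store.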