IAS 802.1x Certificate verification failing


  • Hi

    I am having a problem with 802.1x authentication. The old CA structure is just 1 Enterprise CA on Windows 2003 (SHA1, 1024).

    I have a new CA structure: offline standalone root, subordinate Enterprise CA. Root cert is SHA256RSA and 2048. SubCA is the same (patched to enable them to handle SHA2). The server has 2 certificates on it: 1 from the old CA server, which the IAS policies are currently using, and I have implemented one from the new SubCA (duplicated the "RAS and IAS Certificate", Windows 2003 Enterprise, key length 2048, SHA256RSA). I published the new Root Certificate and the CRL (valid for 12 months) into AD. Group Policy has deployed the new Root and Subordinate certs to the workstations.

    The workstations are Windows XP SP3.

    I have validated from the IAS server and the workstations using both certutil -verify {cert file} and PKIView.msc that both the CRLs and AIA's for the server cert, Subordinate Cert and the Root Cert are valid and passing.

    However, when I change the Wireless IAS policy to use the new certificate (restart IAS service) and set the workstation wireless to "Verify Server Certificate", authentication fails.

    1. The workstations have the authmode=2

    I have enabled logging (netsh ras set tracing * enable) on both server and workstation, and in the svchost_RASTLS.log file the below error occurs:

    "CertVerifyCertificationChangePolicy succeeded but returned 0x800b0112.Continuing with root has matching". From my research this is -2146762478 and means CERT_E_UNTRUSTEDCA: a certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

    I only have 2 CAs, the root and the subordinate, and in testing they are both valid and verified. The Root CA is installed in the computer's "Trusted Root CA" container and the subordinate is in the "Intermediate CA" container. The physical stores are "Enterprise Stores". Which certificate is failing? How do I find out?

    I have tried manually installing both certificates into the computer's appropriate containers, but this hasn't made a difference. I think I am on the right track, but need a little extra light.

    Thanks for any and all assistance.

    Wednesday, 21 March 2012 21:00
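An added diagnostic script, not part of the original post, that answers the "which certificate is failing?" question from the defender's side: it builds the IAS server certificate's chain through the Windows chain engine on the local machine and reports, per chain element (leaf, subordinate, root), any status flags raised, and decodes the 0x800b0112 HRESULT to its signed decimal form. The subject-name fragment used to pick the certificate is a placeholder; it assumes PowerShell 2.0 or later.

```powershell
# Added example (not the original poster's code). Builds the server
# certificate's chain from LocalMachine\My and prints which element
# the chain engine objects to, so the untrusted CA can be identified.
param(
    # Placeholder: fragment of the IAS server certificate's subject name.
    [string]$SubjectMatch = 'ias-server.example.local'
)

# Convert the unsigned HRESULT from the RASTLS log into the signed
# decimal form shown elsewhere (0x800b0112 -> -2146762478).
function ConvertTo-SignedHResult([uint32]$HResult) {
    [BitConverter]::ToInt32([BitConverter]::GetBytes($HResult), 0)
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Check revocation for every element in the chain, fetching CRLs online,
# so a stale or unreachable CRL shows up as a status on the element.
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$chain.ChainPolicy.RevocationMode = 'Online'

$built = $chain.Build($cert)
"Chain builds without errors: $built"
"0x800b0112 as signed decimal: {0}" -f (ConvertTo-SignedHResult 0x800b0112)

# Walk the chain from the leaf up; an element with no status entries is
# accepted, anything else names the certificate the engine rejects.
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "[{0}] subject: {1}" -f $i, $c.Subject
    "     issuer:  {0}" -f $c.Issuer
    "     sigalg:  {0}" -f $c.SignatureAlgorithm.FriendlyName
    if ($element.ChainElementStatus.Count -eq 0) {
        "     status:  OK"
    } else {
        foreach ($s in $element.ChainElementStatus) {
            "     status:  {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
        }
    }
    $i++
}
```

Run it in an elevated session on the IAS server to see the server-side view, and on a workstation (against an exported copy of the server certificate placed in its LocalMachine\My store) to see whether the client's store resolves the same chain.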

All Replies