Troubleshooting Password-Based Validation


Troubleshooting password validation with PEAP-MS-CHAP v2 authentication consists of verifying the wireless client's username and password credentials and the computer certificates of the IAS servers.

Validating the Wireless Client's Credentials

When you are using PEAP-MS-CHAP v2 for authentication, the name and password as sent by the wireless client must match the credentials of a valid account. The successful validation of the MS-CHAP v2 credentials by the IAS server depends on the following:

  • The domain portion of the name corresponds to a domain that is either the domain of the IAS server or a domain that has a two-way trust with the domain of the IAS server.

  • The account portion of the name corresponds to a valid account in the domain.

  • The password is the correct password for the account.

To verify user account credentials, have the user of the wireless client log on to their domain using a computer that is already connected to the network, such as with an Ethernet connection (if possible). This process demonstrates whether the problem is with the user's credentials or with the configuration of the authentication infrastructure.

Validating the IAS Server's Certificate

In order for the wireless client to validate the certificate of the IAS server for PEAP-MS-CHAP v2 authentication, the following must be true for each certificate in the certificate chain sent by the IAS server:

  • The current date must be within the validity dates of the certificate.

    When certificates are issued, they are issued with a range of valid dates, before which they cannot be used and after which they are considered expired.

  • The certificate has a valid digital signature.

    CAs digitally sign certificates they issue. The wireless client verifies the digital signature of each certificate in the chain, with the exception of the root CA certificate, by obtaining the public key from the certificate's issuing CA and mathematically validating the digital signature.

Additionally, the IAS server computer certificate must have the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). To view the EKU for a certificate in the Certificates snap-in, double-click the certificate in the contents pane, click the Details tab, and then click the Enhanced Key Usage field.

Finally, to trust the certificate chain offered by the IAS server, the wireless client must have the root CA certificate of the issuing CA of the IAS server certificate installed in its Trusted Root Certification Authorities Local Computer store.
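
The conditions above can be checked in one pass with the .NET X509Chain class from PowerShell. This is an added example, not code from the book; the function name Test-IasServerCertificate and the file path in the usage comment are hypothetical, and revocation checking is switched off so the result reflects only the conditions listed in this section.

```powershell
# Added example: run on the wireless client against an exported copy of the
# IAS server certificate, so that trust is evaluated with the client's stores.
function Test-IasServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

    # Collect the OIDs listed in the Enhanced Key Usage extension, if any.
    $ekuOids = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # $true = machine context, so the root is looked up in the Local Computer
    # Trusted Root Certification Authorities store.
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: revocation is out of scope here
    $chainBuilt = $chain.Build($Certificate)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Per-certificate view of the chain, leaf first, with validity dates.
    $elements = foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject   = $element.Certificate.Subject
            NotBefore = $element.Certificate.NotBefore
            NotAfter  = $element.Certificate.NotAfter
            Status    = @($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        HasServerAuthEku = ($ekuOids -contains $serverAuthOid)
        DatesValid       = ($flags -notcontains 'NotTimeValid')       # validity dates, whole chain
        SignaturesValid  = ($flags -notcontains 'NotSignatureValid')  # digital signatures
        RootTrusted      = ($flags -notcontains 'UntrustedRoot')      # root CA in trusted store
        ChainBuilt       = $chainBuilt
        ChainStatus      = $flags -join ', '
        Chain            = $elements
    }
}

# Usage (hypothetical path to the exported server certificate):
# $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Temp\ias-server.cer'
# Test-IasServerCertificate -Certificate $cert | Format-List
```

If ChainBuilt is false while the three per-condition fields are true, read ChainStatus for the remaining flag, for example PartialChain when an intermediate CA certificate is not available on the client.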



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
EAN: 2147483647
Year: 2000
Pages: 123
Authors: Joseph Davies
