Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS Authorization

  • 1.  EAP-TLS Authorization

    Posted Apr 13, 2012 08:15 AM

    In my setup the controller terminates the authentication and sends the username (obtained from the user certificate) to my RADIUS server (IAS 2003). However, the user is not able to connect and the following error appears on the RADIUS server.

    -----------------------------------------

    Event Type:    Warning
    Event Source:    IAS
    Event Category:    None
    Event ID:    2
    Date:        4/13/2012
    Time:        3:14:18 PM
    User:        N/A
    Computer:    IDBE1-BCK-LT2P
    Description:
    User testuser was denied access.
     Fully-Qualified-User-Name = dir.random.com/blah blah blah
     NAS-IP-Address = 10.13.31.10
     NAS-Identifier = <not present>
     Called-Station-Identifier = 000B866DCC84
     Calling-Station-Identifier = 183DA28613EC
     Client-Friendly-Name = 10.13.31.10
     Client-IP-Address = 10.13.31.10
     NAS-Port-Type = Wireless - IEEE 802.11
     NAS-Port = 0
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Policy-Name = WPOLICY_NET
     Authentication-Type = Unauthenticated
     EAP-Type = <undetermined>
     Reason-Code = 66
     Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 00 00 00 00               ....    
    -------------------------------------------------



  • 2.  RE: EAP-TLS Authorization

    EMPLOYEE
    Posted Apr 13, 2012 08:19 AM

    In your remote access policy on the server, do you have "smartcard or other certificate" selected/enabled?



  • 3.  RE: EAP-TLS Authorization

    Posted Apr 13, 2012 08:33 AM

    Yes, the "smartcard or other certificate" option is selected.

    Please see the attached screenshot.



  • 4.  RE: EAP-TLS Authorization

    EMPLOYEE
    Posted Apr 13, 2012 08:48 AM

    Are those machine or user certificates?  Do they exist in that group specified in your remote access policy?



  • 5.  RE: EAP-TLS Authorization

    Posted Apr 13, 2012 09:10 AM

    Those are user certificates. The user is part of the group in AD as specified in the remote access policy. I am stuck at the part where the controller is supposed to send the authorization to the RADIUS server.

    The 6.1 user guide says that:

    "The client certificate is verified on the controller (the client certificate must be signed by a known CA) before the user name is
    checked on the authentication server."

    What is going on between the controller and the RADIUS server? If controller termination is not used, the authentication happens between the supplicant and the authentication server without any problem.



  • 6.  RE: EAP-TLS Authorization

    EMPLOYEE
    Posted Apr 13, 2012 09:15 AM

    Ok.  You are using Termination on the Controller.  Did you turn on TLS guest Access and set your Guest TLS role in the 802.1x profile to see if termination will work without Authorization first?  If not, you should try that.



  • 7.  RE: EAP-TLS Authorization

    Posted Apr 13, 2012 11:46 AM

    I believe the controller will initiate a RADIUS Authorize-Only request (given there is no password associated with this request) when trying to verify the authorization of the username contained in the certificate CN. There is a strong possibility that this is why the IAS is complaining about the authentication method being used.

    Hope this helps


    Cam.



  • 8.  RE: EAP-TLS Authorization

    Posted Apr 16, 2012 08:56 AM

    Found a way for authorization:

    EAP-TLS supports one-way authorization. Hence, enabling "Unauthenticated Access" under the Authentication tab works. By default the guest account under Windows is used (this can be changed using registry edits). This feature is primarily used in the Microsoft implementation for issuing user/CA certificates to the client.

    Can someone confirm whether there is a security concern with using this method?

    thanks

    RF
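The thread's fix (enable "Unauthenticated Access" so the authorize-only request from the terminating controller is accepted) means IAS will grant access for any username a trusted NAS asserts, without checking a credential itself. The policy's protection then rests on the RADIUS client list and shared secret, so the grants it produces are worth auditing. The following is an added example, not code from the thread or from HPE Aruba/Microsoft: it parses IAS event text in the format posted above, explains the Reason-Code 66 denial, and flags unauthenticated grants coming from a NAS address that is not the expected controller. The denied event mirrors the posted log; the granted events and the NAS address 192.0.2.50 are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample events in the IAS (Windows 2003) event text format.
# Event ID 2 is a denial (modelled on the log in the thread); Event ID 1 is a
# hypothetical grant of the kind produced once "Unauthenticated Access" is enabled.
DENIED_EVENT = """Event Type:    Warning
Event Source:    IAS
Event ID:    2
Description:
User testuser was denied access.
 Fully-Qualified-User-Name = dir.random.com/blah blah blah
 NAS-IP-Address = 10.13.31.10
 Calling-Station-Identifier = 183DA28613EC
 NAS-Port-Type = Wireless - IEEE 802.11
 Policy-Name = WPOLICY_NET
 Authentication-Type = Unauthenticated
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

# Constructed grant from a NAS address (192.0.2.50) that is not the controller.
GRANTED_UNEXPECTED_NAS = """Event Type:    Information
Event Source:    IAS
Event ID:    1
Description:
User testuser was granted access.
 Fully-Qualified-User-Name = dir.random.com/Users/testuser
 NAS-IP-Address = 192.0.2.50
 Calling-Station-Identifier = 183DA28613EC
 NAS-Port-Type = Wireless - IEEE 802.11
 Policy-Name = WPOLICY_NET
 Authentication-Type = Unauthenticated
 EAP-Type = <undetermined>
"""

# Same grant, but from the controller address seen in the thread.
GRANTED_EXPECTED_NAS = GRANTED_UNEXPECTED_NAS.replace("192.0.2.50", "10.13.31.10")

EVENT_ID_RE = re.compile(r"^Event ID:\s*(\d+)", re.MULTILINE)
OUTCOME_RE = re.compile(r"^User (.+?) was (granted|denied) access\.", re.MULTILINE)
ATTR_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z0-9\-]*) = (.*)$", re.MULTILINE)


def parse_ias_event(text: str) -> Dict[str, str]:
    """Flatten one IAS event body into a dict of its header and attribute fields."""
    event: Dict[str, str] = {}
    m = EVENT_ID_RE.search(text)
    if m:
        event["Event-ID"] = m.group(1)
    m = OUTCOME_RE.search(text)
    if m:
        event["User"], event["Outcome"] = m.group(1), m.group(2)
    for key, value in ATTR_RE.findall(text):
        event[key] = value.strip()
    return event


def explain_denial(event: Dict[str, str]) -> str:
    """Relate the denial in the thread to the policy setting that clears it."""
    if event.get("Outcome") != "denied":
        return "not a denial"
    if event.get("Reason-Code") == "66" and event.get("Authentication-Type") == "Unauthenticated":
        return (
            "authorize-only request (no EAP, no password) matched policy "
            f"{event.get('Policy-Name')}, which only permits EAP methods; "
            "the thread's fix is to enable 'Unauthenticated Access' on that policy"
        )
    return f"denied with Reason-Code {event.get('Reason-Code', '<none>')}"


def audit_unauthenticated_grants(events: List[Dict[str, str]], trusted_nas: Set[str]) -> List[str]:
    """Flag grants made without credential verification from an unexpected NAS.

    Once 'Unauthenticated Access' is on, IAS trusts the username asserted by the
    RADIUS client, so a grant from a NAS-IP-Address outside the known controller
    set indicates either a misconfigured client list or a client that should not
    be able to use this policy.
    """
    findings: List[str] = []
    for ev in events:
        if ev.get("Outcome") != "granted" or ev.get("Authentication-Type") != "Unauthenticated":
            continue
        nas = ev.get("NAS-IP-Address", "<missing>")
        if nas not in trusted_nas:
            findings.append(f"unauthenticated grant for {ev.get('User')} from untrusted NAS {nas}")
    return findings


if __name__ == "__main__":
    parsed = [parse_ias_event(t) for t in (DENIED_EVENT, GRANTED_EXPECTED_NAS, GRANTED_UNEXPECTED_NAS)]
    print(explain_denial(parsed[0]))
    for finding in audit_unauthenticated_grants(parsed, trusted_nas={"10.13.31.10"}):
        print("ALERT:", finding)
```

In practice the event bodies would come from the Security/System event log export rather than string constants; the parser only depends on the `Name = value` layout IAS uses, and the trusted NAS set should mirror the RADIUS client list configured on the IAS server.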