07-17-2012 02:38 AM
I want to use IAS and AD for authentication without using anycertificate or CA, is it possible please share help or configuration with me.
I read different articles but they all include CA for authentication.
07-17-2012 08:35 AM
If you want to to 802.1x authentication (whether with client certificates or just username/password), you'll still need a certificate on the RADIUS/IAS side. This can be a cert purchased from a public trusted authority, one issued from an internal PKI (for example a Microsoft PKI), or a self-signed certificate. Either way, you'll want to either make sure your clients trust the certificate (can be pushed through AD if you use a self-signed certificate) or tell the clients not to validate the server certificate (typically not recommended).
I usually use makecert.exe to do self-signed certificates. You just need to ensure it has the Server Authentication purpose. A sample is:
makecert.exe -n "CN=dc.mydomain.local" -sr LocalMachine -ss my -r -pe -eku 126.96.36.199.188.8.131.52.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 -e 01/01/2025
This will create the certificate and iinstall it to the Local Machine's certificate store; you can then reference it in your IAS policies.
Other options for makecert:
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX