Need for NPS server certificate with PEAP-MS-CHAPv2

Hi,
I have a question about a small setup I'm currently testing. In a wireless access with 802.1X authentication based on PEAP/MS-CHAPv2 and an NPS server (MS Server 2012 R2), I've noted, reading the TechNet documentation, that the NPS server or other RADIUS server does have a certificate (issued by a 3rd-party CA or by an AD CS environment).
However, there remains a point I would like to clarify (sorry, I surely have a bad understanding of the documentation). If my client is configured not to "validate server certificate", do I still need to have a certificate on the NPS server?
Well, I know it is not secure, but this would let me test without configuring AD CS and without buying a certificate.
Many thanks in advance for your answer.
Regards,
Fabrice

You also need a server certificate in this case, as the protection in Protected EAP comes from the encryption of the TLS session.
Not validating the server certificate just means that no additional check of the name is done, so the client would be able to connect to any RADIUS server, given that its certificate chain is valid. But the certificate chain as such is checked as in every SSL handshake.
You don't need a certificate issued by a commercial CA though; you could use an in-house PKI. For tests you could use a self-signed certificate as well.
Edit: If you want to test self-signed certificates the easiest way is probably to install the web server role and use its built-in option to create a self-signed certificate.
Elke
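The checks behind Elke's answer can be scripted. The following PowerShell is an added example, not code from the thread or from Microsoft: it walks the NPS host's Personal store and reports, for each certificate, whether it meets the documented PEAP server certificate requirements (private key present, Server Authentication EKU, subject name set, validity period, and a chain that builds to a trusted root). The function name Test-NpsServerCertificate and the NoCheck revocation setting are this example's own choices, not anything NPS itself exposes.

```powershell
# Added example, not from the thread: inspect the local machine's Personal store
# and report which certificates NPS could present for PEAP.
# Assumption: run in an elevated session on the NPS host.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU NPS requires

function Test-NpsServerCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Extended Key Usage: NPS only offers certificates carrying Server Authentication
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($ekuExt) {
        $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages
        $hasServerAuth = [bool]($ekus | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # Chain validation is the check the client performs in the TLS handshake.
    # A self-signed test certificate only passes once it is also in the
    # Trusted Root store of the machine running this check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline test; use Online in production
    $chainOk = $chain.Build($Cert)

    $now = Get-Date
    $inValidity = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        SubjectSet    = -not [string]::IsNullOrEmpty($Cert.Subject)
        InValidity    = $inValidity
        ChainTrusted  = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        UsableForPeap = $Cert.HasPrivateKey -and $hasServerAuth -and $inValidity -and $chainOk -and
                        -not [string]::IsNullOrEmpty($Cert.Subject)
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-NpsServerCertificate -Cert $_ } |
    Format-Table Subject, HasPrivateKey, ServerAuthEku, InValidity, ChainTrusted, ChainStatus, UsableForPeap -AutoSize
```

For a self-signed test certificate the ChainStatus column shows UntrustedRoot until the same certificate is imported into Trusted Root Certification Authorities; the clients need the issuing root (or the self-signed certificate itself) in their Trusted Root store for the same reason, otherwise the handshake fails as soon as validation is switched on.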

Similar Messages

  • JNDI Lookup for multiple server instances with multiple cluster nodes

    Hi Experts,
    I need help with retrieving log files for multiple server instances with multiple cluster nodes. The system is NetWeaver 7.01.
    There are 3 server instances, all instances with 3 cluster nodes.
    There are EJB session beans deployed on them to retrieve the log information for each server node.
    In the session bean there is a method:
    public List getServers() {
      List servers = new ArrayList();
      ClassLoader saveLoader = Thread.currentThread().getContextClassLoader();
      try {
        Properties prop = new Properties();
        prop.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sap.engine.services.jndi.InitialContextFactoryImpl");
        prop.put(Context.SECURITY_AUTHENTICATION, "none");
        // the admin adapter classes must be visible to the JNDI lookup, so the context class loader is swapped for the duration of the call
        Thread.currentThread().setContextClassLoader((com.sap.engine.services.adminadapter.interfaces.RemoteAdminInterface.class).getClassLoader());
        InitialContext mInitialContext = new InitialContext(prop);
        RemoteAdminInterface rai = (RemoteAdminInterface) mInitialContext.lookup("adminadapter");
        ClusterAdministrator cadm = rai.getClusterAdministrator();
        ConvenienceEngineAdministrator cea = rai.getConvenienceEngineAdministrator();
        int nodeId[] = cea.getClusterNodeIds();
        int dispatcherId = 0;
        String dispatcherIP = null;
        String p4Port = null;
        for (int i = 0; i < nodeId.length; i++) {
          // only nodes of type 1 are collected; the variable names treat these as dispatchers
          if (cea.getClusterNodeType(nodeId[i]) != 1)
            continue;
          Properties dispatcherProp = cadm.getNodeInfo(nodeId[i]);
          dispatcherIP = dispatcherProp.getProperty("Host", "localhost");
          p4Port = cea.getServiceProperty(nodeId[i], "p4", "port");
          String[] loc = new String[3];   // { host, P4 port, record count filled in later by run() }
          loc[0] = dispatcherIP;
          loc[1] = p4Port;
          loc[2] = null;
          servers.add(loc);
        }
        mInitialContext.close();
      } catch (NamingException e) {
        // swallowed: the caller only sees an empty or partial list
      } catch (RemoteException e) {
        // swallowed as above
      } finally {
        Thread.currentThread().setContextClassLoader(saveLoader);
      }
      return servers;
    }
    and the retrieved server information is used here in another class:
    public void run() {
      ReadLogsSession readLogsSession;
      int total = servers.size();
      for (Iterator iter = servers.iterator(); iter.hasNext();) {
        // note: iter.next() is only reached while keepAlive is true; if it is false the loop never advances
        if (keepAlive) {
          try {
            Thread.sleep(500);
          } catch (InterruptedException e) {
            status = status + e.getMessage();
            System.err.println("LogReader Thread Exception" + e.toString());
            e.printStackTrace();
          }
          String[] serverLocs = (String[]) iter.next();
          searchFilter.setDetails("[" + serverLocs[1] + "]");
          Properties prop = new Properties();
          prop.put(Context.INITIAL_CONTEXT_FACTORY, "com.sap.engine.services.jndi.InitialContextFactoryImpl");
          prop.put(Context.PROVIDER_URL, serverLocs[0] + ":" + serverLocs[1]);
          System.err.println("LogReader run [" + serverLocs[0] + ":" + serverLocs[1] + "]");
          status = " Reading :[" + serverLocs[0] + ":" + serverLocs[1] + "] servers :[" + currentIndex + "/" + total + " ] ";
          prop.put("force_remote", "true");
          prop.put(Context.SECURITY_AUTHENTICATION, "none");
          try {
            // one remote JNDI context per dispatcher host:port collected by getServers()
            Context ctx = new InitialContext(prop);
            Object ob = ctx.lookup("com.xom.sia.ReadLogsSession");
            ReadLogsSessionHome readLogsSessionHome = (ReadLogsSessionHome) PortableRemoteObject.narrow(ob, ReadLogsSessionHome.class);
            status = status + "Found ReadLogsSessionHome [" + readLogsSessionHome + "]";
            readLogsSession = readLogsSessionHome.create();
            if (readLogsSession != null) {
              status = status + " Created  [" + readLogsSession + "]";
              List l = readLogsSession.getAuditLogs(searchFilter);
              serverLocs[2] = String.valueOf(l.size());
              status = status + serverLocs[2];
              allRecords.addAll(l);
            } else {
              status = status + " unable to create  readLogsSession ";
            }
            ctx.close();
          } catch (NamingException e) {
            status = status + e.getMessage();
            System.err.println(e.getMessage());
            e.printStackTrace();
          } catch (CreateException e) {
            status = status + e.getMessage();
            System.err.println(e.getMessage());
            e.printStackTrace();
          } catch (IOException e) {
            status = status + e.getMessage();
            System.err.println(e.getMessage());
            e.printStackTrace();
          } catch (Exception e) {
            status = status + e.getMessage();
            System.err.println(e.getMessage());
            e.printStackTrace();
          }
          currentIndex++;
        }
      }
      jobComplete = true;
    }
    The application is working for multiple server instances with a single cluster node but not in a multiple clustered environment.
    Anybody knows what should be changed to handle more cluster nodes?
    Thanks,
    Gergely

    Thanks for the response.
    I was afraid that it would be something like that, although I was hoping for something closer to the application pools we use with IIS to isolate sites and limit the impact one badly behaving one can have on another.
    mmr
    "Ian Skinner" <[email protected]> wrote in message news:fe5u5v$pue$[email protected]..
    > Run CF with one instance. Look at your processes and see how much memory the "JRun" process is using, multiply this by number of other CF instances.
    >
    > You are most likely going to end up on implementing a "handful" of instances versus "dozens" of instances on all but the beefiest of servers.
    >
    > This can be affected by how much memory each instance uses. An application that puts major amounts of data into persistent scopes such as application and|or session will have a larger footprint than a leaner application that does not put much data into memory and|or leave it there for a very long time.
    >
    > I know the first time we made use of CF in its multi-home flavor, we went a bit overboard and created way too many. After nearly bringing a moderate server to its knees, we consolidated until we had three or four or so IIRC. A couple dedicated to each of our largest and most critical applications and a couple general instances that ran many smaller applications each.

  • API for setting Access points with PEAP programmatically

    Dear Godly developers,
    Would like to find out if there is any APIs for setting Access points with PEAP programmatically?
    Regards
    hAoZ

    Thanks for your response. We don't have the Wireless LAN Controller installed and have only configured directly through the APs, which don't seem to have any configuration changes regarding Aironet IEs. Is there a config change that needs to be made just on the APs? Or is the Wireless LAN Controller software necessary to make this change?
    Thanks again.

  • BAdI needed for transfer order split with the maxi.of 5 item level

    Hi,
    BAdI needed for transfer order split with a maximum of 5 item levels.
    If a transfer order contains 12 item levels, three separate transfer orders should be created with 5, 5 and 2 item levels.
    This transfer order is for material which is bound to flow to production from the warehouse.
    Can anyone explain the step-by-step procedure to implement this BAdI?
    It would be great if the procedure is for the new BAdI.
    Thanks.

    http://www.esnips.com/doc/e06e4171-29df-462f-b857-54fac19a9d8e/ppt-on-badis.ppt
    http://www.esnips.com/doc/10016c34-55a7-4b13-8f5f-bf720422d265/BADIs.pdf
    http://www.esnips.com/doc/43a58f51-5d92-4213-913a-de05e9faac0d/Business-Addin.doc
    http://www.esnips.com/doc/1e10392e-64d8-4181-b2a5-5f04d8f87839/badi.doc
    http://www.esnips.com/doc/3b7bbc09-c095-45a0-9e89-91f2f86ee8e9/BADI-Introduction.ppt
    www.sapgenie.com/publications/saptips/022006%20-%20Zaidi%20BADI.pdf
    http://www.sapdevelopment.co.uk/enhance/enhance_badi.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/04/f3683c05ea4464e10000000a114084/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/e6/d54d3c596f0b26e10000000a11402f/content.htm
    http://help.sap.com/saphelp_nw2004s/helpdata/en/c2/eab541c5b63031e10000000a155106/frameset.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/e6/63ee7f486cc143a560799d8803ce29/content.htm
    https://www.sdn.sap.com/irj/sdn/wiki?path=/display/srm/badi-general+information&
    http://help.sap.com/saphelp_erp2005/helpdata/en/73/7e7941601b1d09e10000000a155106/frameset.htm
    http://support.sas.com/rnd/papers/sugi30/SAP.ppt
    http://www.sts.tu-harburg.de/teaching/sap_r3/ABAP4/abapindx.htm
    http://members.aol.com/_ht_a/skarkada/sap/
    http://www.ct-software.com/reportpool_frame.htm
    http://www.saphelp.com/SAP_Technical.htm
    http://www.kabai.com/abaps/q.htm
    http://www.guidancetech.com/people/holland/sap/abap/
    http://www.planetsap.com/download_abap_programs.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/c8/1975cc43b111d1896f0000e8322d00/content.htm
    http://www.allsaplinks.com/badi.html
    https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3430
    /people/alwin.vandeput2/blog/2006/04/13/how-to-search-for-badis-trace-it
    /people/thomas.weiss/blog/2006/04/18/how-to-implement-a-badi-and-how-to-use-a-filter--part-4-of-the-series-on-the-new-enhancement-framework
    /people/thomas.weiss/blog/2006/05/03/source-code-enhancements--part-5-of-the-series-on-the-new-enhancement-framework

  • What version of iphoto do i need for my 2004 powermac with 10.5.8 and where do i get it

    what version of iphoto do i need for my 2004 powermac with 10.5.8 and where do i get it

    iLife 04 through 09, which are available from places such as eBay or Amazon.
    (79729)

  • SP2 for SQL Server 2012 with SP1 is failed with Error result: -2067529723

    SP2 for SQL Server 2012 with SP1 fails when starting the installation from the command prompt and throws the errors below on the passive node of the cluster. No other errors are logged in Event Viewer or the temp folder, and no log files are created in the bootstrap folder. An error occurred during the SQL Server 2012 Setup operation.
    Error result: -2067529723
    Result facility code: 1220
    Result error code: 5
    For more information, review SQL Server 2012 Setup logs in your temp folder.
    It is not allowing me to run the SQL core setup to uninstall the cluster node and gives the same error. Has anyone run into the same issue? Please help.
    Thanks
    Petchikumar

    Hi,
    Can you post summary.txt? The link below will help you locate it:
    https://msdn.microsoft.com/en-us/library/ms143702%28v=sql.110%29.aspx
    Please mark this reply as answer if it solved your issue or vote as helpful if it helped so that other forum members can benefit from it
    My Technet Wiki Article
    MVP

  • HT5012 Why should I click the accept button for a server certificate at every initial time although it is listed as a trusted root CA on iOS6?

    I'm now using a root CA which was listed above.
    But when I try to connect WLAN via EAP with RADIUS initially, I should click the accept button for the certificate of the RADIUS Server.
    Why should it work?

    Hi,
    I'm still looking for the reason.
    Isn't there any way to avoid the verification of the public certificate of the authentication server when using EAP-TLS?
    Why should I click the accept button in initial step for authenticating with RADIUS server using EAP-TLS although the root CA of the server certificate is listed in the default trusted CA on iOS?

  • Need for administration server in a cluster

    Hello everybody,
    I'm working on a project where we intend on having a WebLogic cluster with an undetermined number of nodes. When deploying to the production environment, all WebLogic domain configuration is handled using templates and homemade scripts. The WebLogic instances are running on different servers and each of them has all the domain configuration installed, including applications to deploy. Now on the initial startup of the system, it seems that none of the cluster nodes will start up the first time without the administration server running, even though the msi-config.xml file exists for each node. I get an error indicating that it cannot perform authentication using boot.properties (non-encrypted username/password at this point). If I start the admin server, then all nodes can start and will then subsequently start without the admin server running. Is there no way to configure a WebLogic cluster so it is able to start up the first time without the admin server running?
    In this project, monitoring of each WebLogic server instance is performed by an in-house product. The need for the administration server at the first startup complicates things for us. I should mention that the domain configuration works fine when not running in a cluster.
    We are using WebLogic 8.1.4.
    Best regards,
    Anders

    The API is not public.
    This non-RMI object that is living in JNDI sounds like out-of-band data.
    If this object doesn't contain any state you can bind it from all the servers but don't replicate the bindings.
    Hope this helps.
    --- Prasad
    Mario Briggs wrote:
    > Hi,
    > Looks like this question was asked indirectly earlier.
    >
    > I see that when 1 server in a cluster goes down, the other servers get a 'weblogic.rjvm.PeerGoneException'.
    > Is there a way by which I can subscribe to the 'weblogic.rjvm.PeerGoneEvent' using 'EventRegistrationDef'?
    >
    > I am using 5.1 and looking for a way at solving the issue of WebLogic removing my non-RMI object from all other servers (JNDI tree) when the host server goes down.
    >
    > Thanks
    > Mario

  • Schannel Returns "SEC_E_CERT_UNKNOWN" for Valid Server Certificate

    Hello,
    I'm implementing an 802.1x security solution and everything works except that when I enable "verify server certificate" on the client I get
     Reason-Code = 23
     Reason = Unexpected error. Possible error in server or client configuration.
    in event viewer.
    From RASTLS.LOG I got:
    [408] 15:42:10:002: EapTlsMakeMessage(test\pbr)
    [408] 15:42:10:002: >> Received Response (Code: 2) packet: Id: 192, Length: 17, Type: 13, TLS blob length: 7. Flags: L
    [408] 15:42:10:002: EapTlsSMakeMessage
    [408] 15:42:10:002: MakeReplyMessage
    [408] 15:42:10:002: SecurityContextFunction
    [408] 15:42:10:002: AcceptSecurityContext returned 0x80090327
    [408] 15:42:10:002: State change to SentFinished. Error: 0x80090327
    And then from kb:
    http://support.microsoft.com/kb/288100/en-us
    I almost sure it's the same problem, but there is only hotfix for win2000.
    Any ideas??
    Regards,
    Piotr Bratkowski

    Hi there, i have the same problem with an Windows CE 5 Handheld.
    NPS Error 23
    Network Policy Server denied access to a user. Reason Code 23. Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).
    [3024] 04-01 11:16:28:791: AcceptSecurityContext returned 0x80090327
    [3024] 04-01 11:16:28:791: State change to SentFinished. Error: 0x80090327
    [3024] 04-01 11:16:28:791: Negotiation unsuccessful
    The private key is in the client cert, also the root cert is in trusted authorities. When I disable the checkbox "verify server cert" it works!
    On the NPS server, CRL checking is disabled. You recommend "CERTUTIL -urlfetch -verify your-server-certificate.cer" but I can't do this on my Psion CE 5 handheld.
    any ideas? :-)
    thx

  • Which airport card do i need for a imac g3 with mac os x 10.1?

    I have a imac g3 with mac os x 10.1.What airport card will i need?

    Hello puckey12345. Welcome to the Apple Discussions!
    I have a imac g3 with mac os x 10.1.What airport card will i need?
    The iMac G3s with a clock speed of 400 MHz or faster have an internal slot for the original AirPort card. The AirPort card adapter is also required to use the card in an iMac G3. The AirPort Extreme card is NOT compatible.
    (ref: Apple Support - Specifications)

  • Permissions needed for sql server job to execute stored procedure on linked server?

    Hi all
    I have a job step which attempts to call a stored procedure on a linked server.
    This step is failing with a permission denied error. How can I debug or resolve this?
    The job owner is sysadmin on both servers so should have execute permission to the database/proc I'm calling, right?
    The error is:
    The EXECUTE permission was denied on the object 'myProc', database 'myDatabase', schema 'dbo'. [SQLSTATE 42000] (Error 229).  The step failed.
    My code is:
    EXEC [LinkedServer].myDatabase.dbo.myProc
    Also tried:
    SELECT * FROM OPENQUERY([LinkedServer], 'SET FMTONLY OFF EXEC myDatabase.dbo.myProc')
    With the same result.
    Any help appreciated.

    The job owner may be sysadmin on the remote server. The service account for SQL Server Agent may not be. And it is the latter that counts, since it is the service account that logs in and impersonates the job owner. But the impersonation inside SQL Server does not count much in Windows, and it is through Windows that the connection is made to the other site.
    One way to resolve this is to set up a login mapping for the job owner. The login mapping must be for an SQL login on the remote server.
    You can verify the theory by running this query from the job:
       SELECT * FROM OPENQUERY([LinkedServer], 'SELECT SYSTEM_USER')
    By the way, putting SET FMTONLY OFF in OPENQUERY is a terrible idea. This has the effect that the procedure is executed twice. (Unless both servers are SQL 2012 or higher in which case FMTONLY has no effect at all.)
    Erland Sommarskog, SQL Server MVP, [email protected]

  • JDBC driver for SQL Server 2000 with windows authentication

    Does anyone know of a JDBC driver for SQL Server 2000 that supports Windows Authentication, that is, one where a username and password do not need to be supplied when connecting to the database?

    You can use the JDBC-ODBC-Bridge.
    ODBC provides windows-authentication.
    Hope it helps.
    Freddy

  • Is it possible to use single ssl certificate for multiple server farm with different FQDN?

    Hi
    We generated the CSR request for a VeriSign Secure Site Pro certificate
    SSL Certificate for cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the VeriSign certificate and configured the ACE-20 accordingly for ssl-proxy, and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we try to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service but we get this message in the certificate status: "you are connected to abc.com which is run by unknown"
    And the same message when trying to access https://www.abc.com from Google Chrome.
    "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
    So I know, as this certificate is for cn=abc.com, that is why we get such errors/status in the SSL certificate.
    Now my question is
    1. Is it possible to remove the above errors by doing some SSL configuration on the ACE?
    2. Or do we have to go for a VeriSign Wildcard Secure Site Pro Certificate, for a CSR generated using cn=abc.com, to be installed on the ACE and used for all servers like www.abc.com, a.abc.com etc.?
    Thanks
    Waliullah

    If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate. Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate. And right now it won't, because your certificate is for abc.com. You need a wildcard cert that will be for something like *.abc.com.
    Hope this helps,
    Sean
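    Sean's point about what the browser expects can be shown with a small name-matching function. The PowerShell below is an added example, not code from the thread or from Cisco: Test-CertNameMatch applies the host-name rule browsers use (exact match, or a wildcard that is the whole left-most label and stands for exactly one label) and runs it over constructed host names against the thread's cn=abc.com, a *.abc.com wildcard, and a list holding both names, as a certificate carrying Subject Alternative Names would. The function name and the sample host names are this example's own.

```powershell
# Added example, not from the thread: emulate the browser's host-name match
# against the names a certificate carries (CN plus any SAN dNSName entries).
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$CertNames
    )
    $h = $HostName.ToLowerInvariant()
    foreach ($n in $CertNames) {
        $name = $n.ToLowerInvariant()
        if ($name -eq $h) { return $true }
        # Wildcard rule: '*' must be the entire left-most label and matches
        # exactly one label, so *.abc.com covers www.abc.com and a.abc.com
        # but neither abc.com itself nor x.y.abc.com.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)               # ".abc.com"
            if ($h.EndsWith($suffix)) {
                $prefix = $h.Substring(0, $h.Length - $suffix.Length)
                if ($prefix.Length -gt 0 -and -not $prefix.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed sample host names: the thread's servers plus two edge cases.
$sampleHosts = 'abc.com', 'www.abc.com', 'a.abc.com', 'b.abc.com', 'x.y.abc.com'

$sampleHosts | ForEach-Object {
    [pscustomobject]@{
        Host         = $_
        'cn=abc.com' = Test-CertNameMatch -HostName $_ -CertNames 'abc.com'      # what the thread installed
        '*.abc.com'  = Test-CertNameMatch -HostName $_ -CertNames '*.abc.com'    # the wildcard Sean suggests
        'both names' = Test-CertNameMatch -HostName $_ -CertNames 'abc.com', '*.abc.com'
    }
} | Format-Table -AutoSize
```

    The table makes the trade-off visible: cn=abc.com matches only the bare domain, the wildcard matches every one-label host under it but not abc.com itself, and only a certificate that lists both names (or one SAN entry per host) satisfies every URL the thread wants to serve from one VIP.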

  • Licensing help needed for datacenter server with vm running windows server 2012 essentials and ten virtual desktops for remote access

    NPO wants to get windows server 2012 r2 datacenter as the main operating system and then windows server 2012 r2 essentials plus 10 windows 8.1 as virtual desktops.  Each desktop for one remote user running office 2013.  Is there a better configuration?
     In either case what licenses does the NPO need to purchase?
    Bob

    Hi,
    For license related questions we recommend you contact Microsoft licensing specialist.
    http://support.microsoft.com/kb/141850/en-us
    Regards.
    Vivian Wang

  • SSL Server socket: controlling the alias for the server certificate ?

    Hi,
    Could anyone please clear up the following ?
    When you create an SSL server socket, it needs a certificate (to prove its identity), and for this it relies on a keystore:
    System.setProperty("javax.net.ssl.keyStore", "c:/mystore");
    My question is, what if the keystore contains several certificates ?
    Eg:
    keytool -import -alias AAA -file cert1.cer -keystore mystore
    keytool -import -alias BBB -file cert2.cer -keystore mystore
    Which certificate would the server use ?
    And is there a way to control the alias it would use ?
    Thanks :)

    This is a very good question and one that should be described in the Guide to Features. See javax.net.ssl.X509KeyManager.chooseServerAlias(). It does a search looking for aliases of a given key type, i.e. one of the ones the peer understands, and which are trusted by the peer. Any alias which the peer can accept will do.
