Wireless clients not trusting well-known Certificate Authorities by default??
I'm using PEAP-MSCHAPv2 for wireless authentication. The radius server is a Windows 2008 server running NPS. The clients consist of a bunch of laptops (mostly running Windows). Not all of these laptops are members of Active Directory. So, pushing any type of policy out to all clients isn't feasible (ie. using a private PKI and using AD to push the server cert and wireless config to all domain members). So we decided to use a public PKI and obtained a certificate for our radius server through a well known CA. So far, so good.
When clients go to connect, they still get a nasty warning saying:
--START--
The credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to security risk by a possible rogue server.
Details
Radius Server: $radius
Root CA: $ca
The server "$radius" presented a valid certificate issued by "$ca", but "$ca" is not configured as a valid trust anchor for this profile. Further, the server "$radius" is not configured as a valid NPS server to connect to for this profile.
--STOP--
(I replaced the actual radius server name with $radius and the CA with $ca).
Doing a little digging, it appears this is just the expected behavior of the Windows wireless client??? What's the point of getting a signed cert by a well-known CA if the client is still going to get a nasty warning like this?
Web browsers certainly don't behave like this. The only difference between a web browser and the wireless client is with a browser, you're always going after a URL (ie, you can match what the browser wants to connect to versus what the CN on the server's cert comes back with) whereas on the wireless client, you generally won't know the radius server you're going to authenticate against. But, in either scenario, the server's cert is signed by a well known CA.
I found a nice post that mentions this, but no solution:
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/26886f09-e424-48da-9ecc-cf7efd9dccc0
Well, I suppose a solution is to manually configure the client to trust certs issued by the CA and/or configure my radius server in the connection profile. But that requires configuring each client. And there's no way we can use AD to push a policy/cert to all clients.
So my questions are:
-is this really the expected behavior?
-so browsers generally trust the default CAs whose certs are stored on the OS by default but the wireless adapters don't?
This is a limitation of the Windows wireless client.
http://support.microsoft.com/kb/2518158
Somewhere there was an article that described that the Microsoft wireless client does not trust public root CAs by default. Using a 3rd party utility like Intel Pro Set trusts all the 3rd party root CAs by default so you don't get this message.
Please respond to Microsoft and voice your problem; maybe they will fix their wireless client to trust public root CAs.
Justin.
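Added example, not part of the original thread and not Microsoft tooling: a small Python audit of the PEAP section of a WLAN profile exported with `netsh wlan export profile`, flagging the two gaps the warning above names (no trust anchor for the profile, no RADIUS server name for the profile). It assumes the usual PEAP profile element names (ServerValidation, TrustedRootCA, ServerNames, DisableUserPromptForServerValidation); the profile name, server name, thumbprint and finding codes are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample profile skeleton (not taken from the thread).
_TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-wifi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig>
        <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
          <Config>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
              <Type>25</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                <ServerValidation>
                  SERVER_VALIDATION
                </ServerValidation>
              </EapType>
            </Eap>
          </Config>
        </EapHostConfig>
      </EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""

# Placeholder SHA-1 thumbprint (20 bytes, space separated), constructed.
THUMB = "0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d"

# Profile as Windows creates it when nothing is preconfigured: no anchor,
# no server name, user is asked to decide.
UNPINNED = _TEMPLATE.replace(
    "SERVER_VALIDATION",
    "<DisableUserPromptForServerValidation>false"
    "</DisableUserPromptForServerValidation>"
    "<ServerNames></ServerNames>",
)

# Profile with the CA and the RADIUS server name pinned.
PINNED = _TEMPLATE.replace(
    "SERVER_VALIDATION",
    "<DisableUserPromptForServerValidation>true"
    "</DisableUserPromptForServerValidation>"
    "<ServerNames>radius.example.com</ServerNames>"
    "<TrustedRootCA>" + THUMB + "</TrustedRootCA>",
)

MESSAGES = {
    "NO_SERVER_VALIDATION": "profile has no ServerValidation element",
    "NO_TRUST_ANCHOR": "no TrustedRootCA pinned for this profile",
    "BAD_THUMBPRINT": "TrustedRootCA is not a 20-byte hex thumbprint",
    "NO_SERVER_NAME": "no ServerNames: RADIUS server identity is not pinned",
    "USER_PROMPT_ALLOWED": "user may be prompted to accept an unknown server",
}

_THUMB_RE = re.compile(r"[0-9a-fA-F]{40}")


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_peap_profile(xml_text):
    """Return a list of finding codes for the profile's PEAP server validation."""
    root = ET.fromstring(xml_text)
    blocks = [e for e in root.iter() if _local(e.tag) == "ServerValidation"]
    if not blocks:
        return ["NO_SERVER_VALIDATION"]

    # Collect child values by local name; TrustedRootCA may repeat.
    values = {}
    for child in blocks[0]:
        values.setdefault(_local(child.tag), []).append((child.text or "").strip())

    anchors = [v for v in values.get("TrustedRootCA", []) if v]
    names = [v for v in values.get("ServerNames", []) if v]
    prompt = values.get("DisableUserPromptForServerValidation", ["false"])[0]

    findings = []
    if not anchors:
        findings.append("NO_TRUST_ANCHOR")
    elif any(not _THUMB_RE.fullmatch(a.replace(" ", "")) for a in anchors):
        findings.append("BAD_THUMBPRINT")
    if not names:
        findings.append("NO_SERVER_NAME")
    if prompt.lower() != "true":
        findings.append("USER_PROMPT_ALLOWED")
    return findings


if __name__ == "__main__":
    for label, profile in (("unpinned", UNPINNED), ("pinned", PINNED)):
        codes = audit_peap_profile(profile)
        print(label, "->", [MESSAGES[c] for c in codes] or "ok")
```
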
Similar Messages
-
Airport wireless clients not seeing airport ethernet clients.
I have a problem with airport wireless clients not being able to see airport ethernet clients on the same base station - bonjour does not work for this, appletalk does not work for this, and Remote Desktop does not work for this either. Is there a way around this? Is this normal or a bug? I can change the last surviving ethernet machine to wireless but if I can avoid the cost that would be good.
Miklos.
It's ok, I got it working. I just reset the second airport, went through the "easy" set up, reset, went into manual config, changed the network to a WDS (to match the main base station) and changed the setting that allows further distribution of the network, and it's working perfectly now!!
Hooray!!
I have to say, of all my Apple experiences, the base station set up was the least "Apple", it was confusing, complex, and somewhat erratic, but now that I have the config perfect, it seems to be working without a hitch. I just hope they can include network templates in the next software (for other people since I'm good to go now anyway) - that would be more Apple - so that people can just go bang I have this config, and perhaps for the more obscure set ups a fine tune would work off a template to get people set up faster and easier and with less confusion.
Miklos. -
Enterprise subordinate CA does not show up in certificate authorities list
After much discussion I decided the best approach was to clean everything up and start over. I went through the KB on decommissioning an enterprise CA and Subordinate CA, install a new standalone root, and a new enterprise subordinate CA. Everything appeared
to be working with one exception. The new Enterprise Subordinate does not show up in the Certificate Authorities section of Public key services in AD Sites&Services. It does show up in AIA, CDP and Enrollment services. The standalone root is trusted and
I set up group policy with the certificate of the Enterprise Subordinate as a trusted intermediate. The templates were configured also as well as autoenrollment for computers but so far only the DCs and my workstation have received certificates. I am sure I
am missing something but after 100s of pages and article after article I don't see it. I ran the certutil -viewstore query and it doesn't see it either and it doesn't tell me how to fix it. Also, what is the deal with case; it seems no matter how careful I
was with upper and lower case letters AD did what it wanted and my published CA name looks like I can't figure out how caps lock works.
Thanks in advance
[email protected]
Yes, it is possible. However, you will need to make some modifications on root CA:
certutil -setreg ca\dsconfig "AD Configuration naming context"
certutil -setreg ca\dsconfigdn "AD Configuration naming context"
certutil -setreg ca\dsdomaindn "AD Forest root domain DN"
AD configuration naming context is (usually) CN=Configuration, DC=rootdomainname, DC=domainsuffix.
To extend Root CA CRL validity, in the Certification Authority MMC, select properties of Revoked Certificates folder and specify validity period (something about 6-12 months). Make sure that Delta CRLs are NOT enabled. Save settings and restart certificate
services.
Then you should republish all CRLs and publish CRL to Active Directory:
certutil -dspublish -f path\RootCAcrl.crl
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference:
on TechNet wiki -
Make client to trust server's certificate?
hi,
I am new to SSL, and I ran into this problem:
I have a simple https server (written in java) which gives out certificate to its https client (written
in C++, Win Inet API). Server certificate is generated using java keytool command:
"keytool -genkey -keystore certs -keyalg rsa -alias jamie -storepass serverkspw -keypass serverpw"
Each time the client gets a certificate, a "security alert" window pops up saying "The certificate issuer
for this site is untrusted or unknown. Do you wish to proceed?" with "YES", "NO", ... choices.
Is there a way to get rid of this pop up window? So the client can "trust" the https server??
Any ideas/comments welcome.
Thanks .
jk
Yes - you need to get your certificate signed by one of the Certificate Authorities (CAs) whose root certs are in your client's "trusted certificate" storage. The general approach is to ask a CA (like, say, Verisign or Thawte) to sign your server-cert. You do this by generating your cert, and then generating a CSR (Cert Signing Request) and sending the CSR to the CA. The CA sends your cert back with their root-cert at the top of the cert-chain. The client will then trust your cert, because it trusts the CA.
The other way to achieve this is to arrange for your client to store your cert in their "trusted store". Specific steps depend on the client. I don't recall where the Inet API looks for its trusted-cert storage.
Grant -
All devices listed as wireless clients not showing up.
I have an airport extreme (newest version) I have my apple tv, computer and ipad showing up listed as wireless clients, however my iphone does not show up. It is connected to my network. I have tested with another iphone (same version 4S and same iOS) it shows up but not Mine.
Do u know why it is not showing up?
remove power cord from the PSU and >>Clear CMOS Guide<<
if the wifi card is removable, try to reseat it
also install latest killer drivers from:
http://www.msi.com/support/mb/X99S-GAMING-9-ACK.html#down-driver&Win8.1 64
[try older version as well if needs] -
We're trying to get a silverlight app up and running in a Lync 2013 CWE. We have a Lync 2010 server on its own domain, which is not the same domain as the 2013 client machine. Clients on the different domains communicate perfectly.
The silverlight app is hosted on our own webserver, which is in the same domain as the 2013 client machine. We tried hosting it on the other domain, with the same result.
YES, we've added the domain to our trusted sites in registry, but still we get the exception.
The line that fails:
_conversation = (Conversation)LyncClient.GetHostingConversation();
How to get the app to work in our client?
Please check “How to: Install a CWE application in Lync SDK” at
http://msdn.microsoft.com/en-us/library/office/jj933101.aspx
As the problem is related with Lync client development, please post your question in the following forum:
http://social.msdn.microsoft.com/Forums/lync/en-US/home?forum=communicatorsdk
Lisa Zheng
TechNet Community Support -
[INFO] Not so well known things about LR keyboard shortcuts
Hi,
There are a few things that you should know about keyboard shortcuts in LR.
I already posted information about this last year for non english speaking
users but I had to be more accurate because this is of interest for english
speaking users as well.
This information can help solve some problems encountered if
- you are using an english version of LR with a non-english keyboard layout
- you are using a non english version of LR
- you want to change some keyboard shortcuts even when using the english
version
- you want to fix some bugs in the localized keyboard shortcuts
Here we go...
1. When using a non english version of LR, the translations are read from a
file named \Program Files\Adobe\Adobe Photoshop Lightroom
2\Resources\fr\TranslatedStrings.txt. The localized keyboard shortcuts are
also described in this file.
2. For the english version \Program Files\Adobe\Adobe Photoshop Lightroom
2\Resources\en\TranslatedStrings.txt doesn't exist by default because the
default values for texts and keyboard shortcuts are hard-coded.
3. Any change in TranslatedStrings.txt, including changes related to
keyboard shortcuts, will be taken into account after reloading LR. These
changes will also be reflected in the Help Panel that is displayed when you
use the Help | Shortcuts command.
4. So if you are using a localized version or the english version of LR (see
next point), you'll be able to change the default keyboard shortcuts.
5. Some keyboard shortcuts of the english version are unreachable when using
a keyboard with a foreign layout. You're not stuck, however. Nothing
prevents you from creating a TranslatedStrings.txt file in \Program
Files\Adobe\Adobe Photoshop Lightroom 2\Resources\en. This file doesn't need
to be the full translation file. It just has to include all the lines ending
with Key=xxxxx + a few additional ones (or just the lines related to the
shortcuts that you want to change). You can download a full sample with
french shortcuts from http://www.mainsoft.fr/Files/LR/TranslatedStrings.txt
. Just create the file, edit the shortcuts as you want and reload LR. I
don't know how you can add comments to this file.
6. Attn french users: there's a bug described in the thread titled "Missing
shortcut in Lightroom 2.2 french". You'll be able to fix it by using the
information above (this is also described in the thread itself).
So that's it. LR doesn't offer you a keyboard shortcut editor - something
unexpected for a software at that price level - but you can edit them
anyway.
Enjoy!
Patrick
Hi,
This post is still valid for LR3. It's a pity that this new version
still doesn't have a built-in keyboard customization feature.
I should add a few additional details, though.
- You have to create the \en subfolder yourself. Once created and once you have also created the TranslatedStrings.txt file, it will be taken into account.
- It appears that the TranslatedStrings.txt files corresponding to each supported language do not contain the same commands. For some languages, some commands do not have any shortcut (or the translator was not concentrating on his job and the quality assurance dpt. just missed the point). So if you don't find the line(s) related to the shortcut that you want to customize in the file corresponding to your language, look for it in the other files.
- Some characters can't be used for customizing a shortcut, even if they are not already used for another shortcut. It depends on each local keyboard. I guess this is due to the very same problem that exists since LR 1.0: the program uses its own keyboard handler and fails to adapt to keyboards that are not corresponding to the selected language. From the beginning, many of us European users have told Adobe that a user can select in LR a working language that is not corresponding to the keyboard and country settings used on the system. This is a common situation. They are just ignoring the problem. -
Guest Wireless client not getting IP addresses
WLC 5508 as anchor running 7.0.116.0, locally configured DHCP scope. Scope has been enabled. There are 2 Foreign controllers in different locations. Mobility groups have been configured and there is communication between them; I am able to ping, mping and eping. I have gone through my configuration but can't find what is missing.
I am pasting the debug and show wlan info below the first is for the foreign controller
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.09.23 07:51:16 =~=~=~=~=~=~=~=~=~=~=~=
*apfReceiveTask: Sep 22 23:30:29.265: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
*apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
*apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*osapiBsnTimer: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Disassociated
*apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
*osapiBsnTimer: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
*apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsAssoStateDec
*apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Disassociated to Idle
*apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [08:17:35:31:1c:90]
*apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Adding mobile on LWAPP AP 08:17:35:31:1c:90(0)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Association received from mobile on AP 08:17:35:31:1c:90
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying site-specific IPv6 override for station 00:21:5d:a9:2b:a4 - vapId 1, site 'default-group', interface 'management'
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying IPv6 Interface Policy for station 00:21:5d:a9:2b:a4 - vlan 30, interface id 0, interface 'management'
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 08:17:35:31:1c:90 vapId 1 apVapId 1for this client
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Not Using WMM Compliance code qosCap 00
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 08:17:35:31:1c:90 vapId 1 apVapId 1
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfMsAssoStateInc
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Idle to Associated
*apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
*apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 Sending Assoc Response to station on BSSID 08:17:35:31:1c:90 (status 0) ApVapId 1 Slot 0
*apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Associated
*DHCP Socket Task: Sep 23 12:51:30.920: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
*DHCP Socket Task: Sep 23 12:51:30.921: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
*DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
*DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
*DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
*DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
*DHCP Socket Task: Sep 23 12:51:58.456: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
WLAN Identifier.................................. 1
Profile Name..................................... calguest
Network Name (SSID).............................. calguest
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 2
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Bronze (background)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID IP Address Status
1 10.12.130.114 Up
Next is for the anchor
E1200 Wireless Client List will not display and causes web UI to temporarily stop responding
I picked up an E1200 and set it up successfully. I am using wireless MAC filtering, and decided to pull up the list of connected wireless clients (Wireless >> Wireless MAC Filter >> push "Wireless Client List" button).
When I do so, it immediately throws this back:
Immediately after this the Web UI of the E1200 becomes inaccessible. It still routes traffic, and the router remains pingable, but it will not allow access to the Web UI for several minutes. The error that appears upon attempt to access the Web UI during this time window is similar to the above, but reads "Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection."
I have tried this in Google Chrome, Firefox 4, and MSIE on two separate computers. Each browser displays the error a bit differently (MSIE, for example, just says it can't display the page and gives no further detail) but the net results are always the same. I have tried resetting the device to factory defaults in addition to re-downloading the firmware from the Cisco/Linksys website and installing it. No improvement.
I have also noted that the Log (Administration >> Log; and yes, I have it enabled) doesn't appear to be picking up anything at all. In fact, the Security log, which supposedly (according to the Help) "displays the login information for the Router’s browser-based utility," is also blank.
Is this a bug, or should I head back to the retailer and swap this device?
Ok - I nailed this down, I think, and it looks like a firmware bug.
Short version is that a factory reset cleared the issue, but during stepwise reconfiguration the problem came back. Through a bunch of iteration I figured out that if I have the E1200's DHCP server disabled *and* have wireless clients connected to it, the problem I described appears.
Turn the DHCP server back on and the problem goes away. Turn it off and the problem comes back. Turn it back on and it goes away. You get the idea.
If I had to pose a theory here, it's that the initial display of the Wireless Client List, which uses "IP Address" as the default sort, somehow implodes if the E1200 isn't actually assigning those IP addresses to the clients.
When this happens it appears to crash the Web UI wholesale. Just for grins, while the Web UI was unresponsive, I pinged the router as before - still pingable - then ran nmap against it - no open ports found on the router. When the Web UI is functional, though, nmap detects port 80 quite easily. I have not timed how long it takes for the Web UI to come back up, but it is longer than 5 minutes, and I presume some sort of watchdog process has to detect that it has gone kaput and start it up again.
Final test was to restore my saved configuration from before the factory reset (note that the saved config was done under the same firmware version, and in this config, the DHCP server is disabled). Boom, problem. Wait for the Web UI to come back, turn on the DHCP server. Problem goes away. Turn the DHCP server off. Boom, problem comes back.
So, there you go.
Would be interesting if someone could verify this via a test against another E1200. It may be worth noting that in my baseline test I was also using Manual wireless setup (vs. Wi-Fi Protected Setup), and WPA2. Didn't make any other setting changes from the factory defaults. I did not actually have to turn the Wireless MAC Filter on to do the test. All one needs to do is click Enable on the Wireless MAC Filter tab, and then do *not* click Save Settings - just clicking Enable will light up the Wireless Client List button, which you can then push to get the list. That is how I handled testing to ensure that neither specific entries, nor the Prevent/Permit setting, nor having the filter enabled in saved configuration were involved in the problem.
Separately, no explanation for the lack of entries in the security log, but that pretty much looks like a firmware bug to me as well. -
Verisign certificate not trusted by Nokia phones..
Hi there,
I have an E71 and an E72 with the latest firmware, but when I go to a web site using HTTPS, I get a certificate warning (not trusted) if the certificate is signed by:
"verisign class 3 international server ca - g3"
How can this happen?
I also got this with my old WM6.5 device.
A few Nokia devices, such as the X-Series and Asha series, have the VeriSign Class 3 certificate expired or not present, so when an application tries to access a secure server where the VeriSign Class 3 International Server CA - G3 certificate is present, the application fails to make a secure connection and the message displayed is "verification failed Certificate Type: X.509 type 3".
So how can the user use any secure application launched in the year 2012 on these devices? -
Can I use ASA to be a DHCP Server use in WLC wireless Client
I want to use the ASA as a DHCP server for wireless clients, but it can't.
I checked the debug log on the WLC and confirmed that the WLC has sent the request to the ASA.
On the ASA, the rule doesn't get any hits when the WLC sends the DHCP relay request.
I have tried not using DHCP relay on the WLC, but without success. Has anybody had the same case as me? And is it that the ASA can't support a DHCP relay agent requesting an IP address?
P.S. Because of a network design limitation, I can't use the WLC as the DHCP server.
Equipment:
ASA5510
WLC4402
How can I fix it?
Thank you very much
The issue is that the ASA doesn't accept DHCP requests from a relay agent, only broadcast DHCP requests. In the 4.2 version for the controllers there is now an option so you can change the way the controller forwards DHCP requests so that it is sent as a broadcast and not from a relay agent.
-
WRT600N Doesn't show any entries in the Wireless Client List
Hi, my WRT600N is on firmware 1.01.35 build 3. When I check the wireless client list from the Wireless MAC Filter page, it is empty, even though I know I have 3 clients connected. They are all using 802.11g, as I don't have any N devices yet. When I go to the Status page and check the DHCP Client Table, both of my wired clients are there, but only 1 wireless client appears. The DHCP Client Log file is useless, as it only appears to log the ip address it receives from my isp. There are no entries of the ip addresses it has given out. Is my WRT600N defective, or is there firmware in the works to correct this?
Another thing I've noticed is that the DHCP client table is showing the 2.4 wireless devices as LAN interfaces. Shouldn't it show the frequency, like it does for my one 5GHz device? Things have changed, because the Wii is now showing in both the Wireless Client List and the DHCP Client table. It shows as a LAN interface though, which is wrong; it should be 2.4GHz. My one PC that is a 5GHz N device is also showing in both the Wireless Client List and the DHCP Client table. Neither the wireless 2.4 gaming adapter nor the HR20 connected to it shows up in either list. Neither does a laptop which is 2.4GHz. This is really a concern, because I've caught 2 neighbors stealing my bandwidth in the past, and I can't stop them if I can't see them.
-
Dear Experts,
I have tried mutual authentication with sample website as per below link:
http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/#comment-19427
1. Created a Root certificate, client and server certificate based on this root certificate by using Makecert command as per below link:
2. Import these certificates in Trusted Root Certification authority of both the stores (Local and Current user)
3. Created a sample website with HTML page
4. Hosted this website in IIS with HTTPS binding and selected the above server certificate
5. Enabled "Require SSL" and selected "Require" under SSL settings of website
6. Exported the client certificate in base64 format --> Edited in notepad --> made the key into single line
7. Placed the above key under Configuration editor --> system.webServer/security/authentication/iisClientCertificateMappingAuthentication --> one to one mapping with user credentials.
8. I tried to access the website
But, I ended with below error :(
HTTP Error 403.16 - Forbidden
Your client certificate is either not trusted or is invalid.
Detailed Error Information:
Module IIS Web Core
Notification BeginRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x800b0109
Requested URL https://localhost:443/
Physical Path E:\SampleRoot
Logon Method Not yet determined
Logon User Not yet determined
Could you please let me know what I missed here.
Note:
I am using windows8, IIS8.0.
Thanks in advance.
Regards,
M. Prasad Reddy.
Hi Prasad,
For this case, I have shared the corresponding details below.
1. First of all, make sure that you import the certificate, whether it belongs to Trusted Root Certification or not.
If that is the case, go to Microsoft Management Console (MMC) and open the Certificates snap-in.
For instance, in the certificate store that WCF is configured to retrieve X.509 certificates from, select the Trusted Root Certification Authorities folder. Under the Trusted Root Certification Authorities folder, right-click the Certificates folder, point to All Tasks, and then click Import.
2. You configured the server certificate as well, but check whether the client certificate has the root certificate or not, using the following command:
makecert -pe -n "CN=SSLClientAuthClient"
-eku 1.3.6.1.5.5.7.3.2 -is root -ir localmachine -in WebSSLTestRoot
-ss my -sr currentuser -len 2048
3. Also check whether the service certificate is configured on the WCF service side.
4. Make sure that all the steps from the link you referred to below were followed correctly:
http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/#comment-19427
5. Besides, please try to set Require SSL to Ignore to see if you can access the website.
If the above details do not resolve this issue, please post your config file here. -
ISE Certificate Chain Not Trusted By WLAN Clients
We are running ISE 1.1.3 using Entrust cert signed by Entrust sub CA L1C, which is signed by Entrust.net 2048, which is in all major OS stores as trusted (Windows, Android, iOS).
We have installed a concatenated PEM file with all of the certificates from the chain, as described in the ISE User Guides. The ISE GUI shows all of the certs in the chain individually after the import (i.e. the chain works and is good). However, we are not sure if the ISE is sending the entire chain to the WLAN clients during EAP authentication or just the ISE cert, because of the error message we get on ALL client types which states that the certificate is not trusted.
So the question is if the ISE is really sending the whole chain or just its own cert with out the rest of the certs in the chain (which would explain why the WLAN clients complain about the certificate trust.)
Anyone out there know if the ISE code is not up to sending the cert chain in version 1.1.3 yet or if there is some other explanation? Screenshot attached of iPhone prompting for cert verification.
Thanks hardiklodhia, your post confirms what we are seeing - the Windows clients have no issue as long as they are set to either NOT validate the EAP server cert or they are set to trust the signing CA cert from the local store by specifically selecting the signing CA (i.e. tick next to "Validate Server Certificate" and then another tick next to the signing CA cert in the box below.)
The iOS clients ALWAYS prompt for verification (thanks Apple.)
Note: we are using 1.1.3 and the cert chain import using a concatenated PEM file with ALL of the certs in the chain works fine. We are seeing the whole chain on the clients and the ISE extracts each PEM file into its local store.
The PEM file format is not adequately described in the user guides; rather, a vague description of cert order is provided.
The file should look like this:
-------------------------Top of page-----------------------------
Root CA PEM FILE
Intermediate CA 1 PEM FILE
Intermediate CA 2 PEM FILE
ETC
ISE CERT PEM FILE
------------------------Bottom of page-------------------------
By "PEM FILE" I mean the actual base64 encoded PEM output from openssl when you convert a .crt or .der file to PEM, including the words "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for each PEM FILE above,
The last PEM output (the one directly above) is the ISE cert in PEM format. The first PEM output (the one at the top) is the Root CA cert in PEM format. The ones in the middle are intermediate signing CAs in order (from root to leaf). -
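The root-first ordering described in the post above can be checked before a bundle is imported. The following is an added example, not part of the original post and not Cisco tooling: it splits a concatenated PEM file and checks that each certificate's issuer name equals the subject name of the block before it. It compares names only and does not verify signatures; the sample bundles and their names are constructed skeletons, not real certificates.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.+?)" + re.escape(END), re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der_bytes):
    """Return the raw (issuer, subject) Name contents of one certificate."""
    _, cert, _ = read_tlv(der_bytes, 0)     # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate SEQUENCE
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0         # skip the optional [0] version
    _, _, pos = read_tlv(tbs, pos)          # serialNumber
    _, _, pos = read_tlv(tbs, pos)          # signature algorithm
    _, issuer, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)          # validity
    _, subject, _ = read_tlv(tbs, pos)
    return issuer, subject

def check_bundle_order(pem_text):
    """List ordering problems in a root-first bundle; an empty list means OK."""
    blocks = PEM_RE.findall(pem_text)
    if not blocks or pem_text.count(BEGIN) != pem_text.count(END):
        return ["missing or unbalanced BEGIN/END CERTIFICATE markers"]
    names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    problems = [f"block {i + 1} was not issued by block {i}"
                for i in range(1, len(names)) if names[i][0] != names[i - 1][1]]
    if names[0][0] != names[0][1]:
        problems.insert(0, "block 1 is not self-issued, so it is not a root CA")
    return problems

def der(tag, body):  # short-form DER element (< 128 bytes), enough for the samples
    return bytes([tag, len(body)]) + body

def skeleton_cert(issuer, subject):
    """Constructed, unsigned skeleton with only the fields parsed above."""
    def name(cn):
        atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
        return der(0x30, der(0x31, atv))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject))
    body = base64.encodebytes(der(0x30, tbs)).decode()
    return f"{BEGIN}\n{body}{END}\n"

# Constructed sample bundles (hypothetical names, not real certificates).
ROOT = skeleton_cert("Example Root CA", "Example Root CA")
SUB = skeleton_cert("Example Root CA", "Example Issuing CA")
LEAF = skeleton_cert("Example Issuing CA", "ise.example.net")
GOOD_BUNDLE = ROOT + SUB + LEAF          # root, intermediate, server cert
LEAF_FIRST_BUNDLE = LEAF + SUB + ROOT    # same certificates, reversed
```

`check_bundle_order(GOOD_BUNDLE)` returns an empty list, while the reversed bundle reports every block as out of place.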
Error code 265: The certificate chain was issued by an authority that is not trusted.
We are in the process of trying to set up a wireless network that uses NPS servers to authenticate domain users with computers that are not on our domain (BYOD).
We are using a valid, wildcard SSL (with intermediate certificates) to authenticate via PEAP. The certificate was issued by Godaddy.
When trying to connect, we are getting the authentication request.
The result of a connection attempt is no connection with an event log error code of - “265: The certificate chain was issued by an authority that is not trusted.”
We have tried ensuring that the certificates are in the correct containers on the respective NPS servers: “Certificates\Personal\Certificates” With the intermediate certificates located: “Certificates/Intermediate Certification Authorities”
All these attempts have proven fruitless. Any assistance or direction would be very much appreciated.
Hi,
Did you import the intermediate certificate into the right account? It should be imported into the Computer Account.
Have you imported the intermediate certificate on your client? The client needs it to validate the certificate of your NPS server.
Here is a similar thread in which Greg has explained this issue in detail.
http://social.technet.microsoft.com/Forums/en-US/b770fcf6-d1e9-4aac-9005-62cb5ff6d485/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted?forum=winserverNAP
Hope this helps.
Steven Lee
TechNet Community Support