Certificates On Wireless Client Computers; Configuring Proxy Server Settings - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

Creating the Windows Security Infrastructure
Additionally, the root CA certificates of the CAs that issued the wireless client computer and user
certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification
Authorities\Certificates folder.

Certificates on Wireless Client Computers

For the user and computer certificates installed on wireless client computers, the following must be
true:
- They must have a corresponding private key.
- They must contain the Client Authentication EKU (OID "1.3.6.1.5.5.7.3.2").
- Computer certificates must be installed in the Local Computer certificate store.
- Computer certificates must contain the FQDN of the wireless client computer account in the Subject Alternative Name property.
- User certificates must be installed in the Current User certificate store.
- User certificates must contain the universal principal name (UPN) of the user account in the Subject Alternative Name property.
Additionally, the root CA certificates of the CAs that issued the IAS server computer certificates must be
installed in the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates or
Certificates (Current User)\Trusted Root Certification Authorities\Certificates folder.
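
The following PowerShell sketch audits the certificates in a store against the requirements listed above. It is an added example, not part of the manual; the function name Test-WirelessClientCert is hypothetical, and the usage lines assume a domain-joined computer and a domain user so that the FQDN and UPN can be looked up.

```powershell
# Added example: audit certificates in a store against the client requirements above.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU (OID from the page)
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-WirelessClientCert {     # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        # FQDN (computer certificate) or UPN (user certificate) expected in the SAN
        [Parameter(Mandatory)] [string] $ExpectedName
    )
    # Find the EKU extension, if any, and look for the Client Authentication OID in it.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $false
    if ($ekuExt) {
        $hits = @($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        $hasClientAuth = $hits.Count -gt 0
    }
    # Format($true) prints one "Label=value" SAN entry per line; compare the value only.
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $pattern = '(?im)=\s*' + [regex]::Escape($ExpectedName) + '\s*$'

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        SanMatches    = [bool]($sanText -match $pattern)
    }
}

# Computer certificates: Local Computer store, SAN must carry the machine FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry('').HostName   # assumption: resolves to the FQDN
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-WirelessClientCert -Cert $_ -ExpectedName $fqdn }

# User certificates: Current User store, SAN must carry the logged-on user's UPN.
$upn = whoami /upn                                    # assumption: domain user account
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-WirelessClientCert -Cert $_ -ExpectedName $upn }
```

A certificate is a candidate for EAP-TLS client authentication only when HasPrivateKey, ClientAuthEku and SanMatches are all True for the store it was found in.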

Configuring Proxy Server Settings

Certificates issued from third-party CAs, such as VeriSign, Inc., can contain a certificate revocation list
(CRL) uniform resource locator (URL) that points to an Internet Web site. If the IAS server cannot reach
the Internet Web site to perform certificate revocation checking, it cannot validate the certificates of
wireless clients for EAP-TLS authentication.

Many enterprise networks use a proxy server, such as Microsoft Internet Security and Acceleration
Server (ISA), to access Internet services. Configuration of proxy server settings is normally done
through Dynamic Host Configuration Protocol (DHCP) options. However, many IAS servers have a
static IP address configuration and therefore might not be properly configured with the appropriate
proxy server settings to access the Internet. The result is that IAS servers cannot perform certificate
revocation checking for their own local computer certificates or for wireless client certificates, and
authentication can fail for all wireless connections.

To configure an IAS server with the appropriate proxy server settings so that it can access Internet
services, do the following:
1 On the IAS server, log in using an account that has local administrator permissions.
2 Open a command prompt.
3 At the command prompt, type time and press ENTER.
4 At the Enter the new time: prompt, press ENTER.
5 At the command prompt, type at [time+1 minute] /interactive "cmd.exe" and press ENTER. For
example, if the current time from step 4 is 13:31, the command is at 13:32 /interactive "cmd.exe".
6 After a minute, a new command prompt opens. Commands run from this command prompt execute
in the local system security context. IAS also runs in the local system security context. Therefore, you
must configure proxy server settings from the local system security context so that they apply to IAS.
Summit WM Technical Reference Guide, Software Version 5.1
