NPS authentication passes when the certificate check is skipped

  • Question

  • I recently ran into an NPS problem and would like to discuss it with everyone.

    On a computer that has no certificate installed, with "Network authentication service" enabled, once the "Validate server certificate" checkbox is cleared the server passes the authentication, assigns the correct VLAN ID and hands out an address via DHCP. The Cisco 2950 switch configuration is attached; please help, thank you!

    -----------------------------------------

    BGLNan-1F2960G-24-01#sh run
    Building configuration...

    Current configuration : 9040 bytes
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname BGLNan-1F2960G-24-01
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$h0H0$MSNVKj0Ena1tjuDNf/ePK/
    !
    username sw password 0 cisco
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication login no_radis none
    aaa authentication login xxx group xxx local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    !
    !
    !
    aaa session-id common
    system mtu routing 1500
    ip subnet-zero
    !
    !
    no ip domain-lookup
    !
    !
    crypto pki trustpoint TP-self-signed-2878807808
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2878807808
     revocation-check none
     rsakeypair TP-self-signed-2878807808
    !
    !        
    crypto pki certificate chain TP-self-signed-2878807808
     certificate self-signed 01
      3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32383738 38303738 3038301E 170D3933 30333031 30303033
      31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38373838
      30373830 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100A864 9F47C327 D5B5CCE3 C6898652 F75EB112 D63BDCDC CAF694F8 3489454B
      A3051392 068E6F4D 169130AF 063CB2C9 D276774D 5624DA44 3F9EBB06 EF86B0B7
      28F39789 D615EC48 0B1D43F4 F6DDF1C5 F0AE7159 29A15E6D 9DFE6C5A A34A9B7C
      D5F26859 87EC898A DF00A270 4B4A39F0 10AB0D47 8C7B427E BAC44BFE C909E3C1
      9EA30203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
      551D1104 19301782 1542474C 4E616E2D 31463239 3630472D 32342D30 312E301F
      0603551D 23041830 168014B0 ABEDD36E 166956B2 281F3D4E 35B62BCA 89F3AD30
      1D060355 1D0E0416 0414B0AB EDD36E16 6956B228 1F3D4E35 B62BCA89 F3AD300D
      06092A86 4886F70D 01010405 00038181 0043C5FA 7B31160F B60841B6 2102BEC5
      679D71EE E2D739FC 598BDCD6 4B1DF199 24D6585B 58E56DED 41543B93 6AE5CBAA
      1ABE7C3B 2557DAC6 54EA08E9 D2956C98 6AA0022F 9FDB2F0E A82E5E4D E1948ABC
      61D4315C 1CD5A232 DF645DE4 80BD3536 BFC3589A 4688CACE 31F367A0 A728013A
      65512CEB 17758F76 8FDCDE98 DD3C6FD2 13
      quit
    !
    !
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    !
    !
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    !
    !
    interface GigabitEthernet0/1
     switchport mode access
     authentication event no-response action authorize vlan 500
     authentication port-control auto
     authentication periodic
     dot1x pae authenticator
     dot1x timeout quiet-period 10
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 10
     spanning-tree portfast
    !
    interface GigabitEthernet0/2
     switchport mode access
     authentication event no-response action authorize vlan 500
     authentication port-control auto
     authentication periodic
     dot1x pae authenticator
     dot1x timeout quiet-period 10
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 10
     spanning-tree portfast
    !
    interface GigabitEthernet0/17
     switchport mode access
     authentication event no-response action authorize vlan 500
     authentication port-control auto
     authentication periodic
     dot1x pae authenticator
     dot1x timeout quiet-period 10
     dot1x timeout tx-period 5
     dot1x timeout supp-timeout 10
     spanning-tree portfast
    ip default-gateway 192.168.10.254
    ip http server
    ip http secure-server
    snmp-server community privacy RW
    snmp-server community public RO
    radius-server host 192.168.1.77 auth-port 1645 acct-port 1646 key xxx.com
    !
    control-plane
    !

     

    May 2, 2013 3:03

Answer

  • What exactly is your question?

    Are you saying that when the "Validate server certificate" checkbox is checked, authentication fails?

    If so, export your server certificate as a .cer file, open it on the client machine and see whether it is trusted.

    If it is a self-signed certificate and it has not been imported into the client's Trusted Root store, then of course it will fail.
    May 2, 2013 6:55

All replies

  • Microsoft's NAP passes authentication with just an AD account, no certificate needed; that is my test result.
    June 9, 2013 0:09
  • What exactly is your question?

    Are you saying that when the "Validate server certificate" checkbox is checked, authentication fails?

    If so, export your server certificate as a .cer file, open it on the client machine and see whether it is trusted.

    If it is a self-signed certificate and it has not been imported into the client's Trusted Root store, then of course it will fail.

    On a computer without the enterprise root certificate:

    1. With the "Validate server certificate" checkbox checked, using an AD account, authentication fails;

    2. With the "Validate server certificate" checkbox unchecked, using an AD account, authentication succeeds.

    June 9, 2013 0:10
  • Certificate Requirements for PEAP and EAP
    http://technet.microsoft.com/en-us/library/cc731363.aspx

    Client computers can be configured to validate server certificates by using the Validate server certificate option on the client computer or in Group Policy.

    The client computer accepts the authentication attempt of the server when the server certificate meets the following requirements:

    • The Subject name contains a value.

    • The computer certificate on the server chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy.

    • The computer certificate for the NPS server or VPN server is configured with the Server Authentication purpose in Extended Key Usage (EKU) extensions. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.)

    • The server certificate is configured with a required algorithm value of RSA.

    • The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server.


    Technical problem is never a problem.

    June 9, 2013 12:30
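The five requirements quoted above are exactly what the Windows supplicant applies to the RADIUS server's certificate while "Validate server certificate" is ticked; clearing the box removes that check, so a client will then complete PEAP against any server that answers, which is why the thread's test only succeeds with the box cleared. The script below is an added example, not code from this thread or from Microsoft: run it on a client against a .cer exported from the NPS server to see which requirement fails before touching the checkbox. The .cer path and the server's DNS name are placeholders you must replace; it uses only .NET X509 classes and the client's own certificate stores.

```powershell
# Added example (not part of the original thread): check an exported NPS server
# certificate against the PEAP/EAP server-certificate requirements listed above.
param(
    [string]$CerPath    = 'C:\temp\nps-server.cer',   # placeholder: exported .cer from the NPS server
    [string]$NpsDnsName = 'nps01.corp.example'        # placeholder: DNS name the NPS server presents
)

$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$results = [ordered]@{}

# 1. The Subject name contains a value.
$results['Subject present'] = -not [string]::IsNullOrWhiteSpace($cert.Subject)

# 2. Chains to a trusted root CA in this client's stores. A self-signed NPS
#    certificate fails here until it is imported into Trusted Root Certification
#    Authorities. Revocation is skipped because an exported .cer is checked offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$results['Chains to trusted root'] = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# 3. Server Authentication purpose (OID 1.3.6.1.5.5.7.3.1) in the EKU extension.
$ekuOids = @()
foreach ($ext in $cert.Extensions) {
    if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
        $ekuOids += ($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
}
$results['Server Authentication EKU'] = $ekuOids -contains '1.3.6.1.5.5.7.3.1'

# 4. RSA public key (rsaEncryption OID 1.2.840.113549.1.1.1).
$results['RSA key'] = $cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'

# 5. If a SubjectAltName extension (OID 2.5.29.17) is present it must carry the server's DNS name.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $sanText = $sanExt.Format($false)   # Windows renders entries as "DNS Name=host, DNS Name=host2"
    $results['SAN has DNS name'] = $sanText -match ('DNS Name=' + [regex]::Escape($NpsDnsName) + '(,|$)')
} else {
    $results['SAN has DNS name'] = $true   # extension absent: the requirement does not apply
}

foreach ($name in $results.Keys) {
    $verdict = if ($results[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-28} {1}' -f $name, $verdict
}
if (-not $results['Chains to trusted root']) { "Chain status: $chainStatus" }
```

If "Chains to trusted root" is the only FAIL, the fix is to distribute the issuing root (or the self-signed NPS certificate itself) to the clients' Trusted Root store, for example by Group Policy, and then leave "Validate server certificate" ticked; the guest VLAN and AD-account checks in the thread never depended on the certificate, so they cannot substitute for it.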