Problem: NPS authentication succeeds while the certificate check is skipped

Question
-
I recently ran into an NPS problem and would like to discuss it with everyone.
On a computer that does not have the certificate installed, when the "network authentication service" is enabled and the "Validate server certificate" checkbox is cleared, the server passes the authentication, assigns the correct VLAN ID and hands out an address via DHCP. The configuration of the Cisco 2950 switch is attached; please help, thanks!
-----------------------------------------
BGLNan-1F2960G-24-01#sh run
Building configuration...

Current configuration : 9040 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BGLNan-1F2960G-24-01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$h0H0$MSNVKj0Ena1tjuDNf/ePK/
!
username sw password 0 cisco
aaa new-model
!
aaa authentication login default local
aaa authentication login no_radis none
aaa authentication login xxx group xxx local
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
!
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
!
no ip domain-lookup
!
!
crypto pki trustpoint TP-self-signed-2878807808
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2878807808
revocation-check none
rsakeypair TP-self-signed-2878807808
!
!
crypto pki certificate chain TP-self-signed-2878807808
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383738 38303738 3038301E 170D3933 30333031 30303033
31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38373838
30373830 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A864 9F47C327 D5B5CCE3 C6898652 F75EB112 D63BDCDC CAF694F8 3489454B
A3051392 068E6F4D 169130AF 063CB2C9 D276774D 5624DA44 3F9EBB06 EF86B0B7
28F39789 D615EC48 0B1D43F4 F6DDF1C5 F0AE7159 29A15E6D 9DFE6C5A A34A9B7C
D5F26859 87EC898A DF00A270 4B4A39F0 10AB0D47 8C7B427E BAC44BFE C909E3C1
9EA30203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 1542474C 4E616E2D 31463239 3630472D 32342D30 312E301F
0603551D 23041830 168014B0 ABEDD36E 166956B2 281F3D4E 35B62BCA 89F3AD30
1D060355 1D0E0416 0414B0AB EDD36E16 6956B228 1F3D4E35 B62BCA89 F3AD300D
06092A86 4886F70D 01010405 00038181 0043C5FA 7B31160F B60841B6 2102BEC5
679D71EE E2D739FC 598BDCD6 4B1DF199 24D6585B 58E56DED 41543B93 6AE5CBAA
1ABE7C3B 2557DAC6 54EA08E9 D2956C98 6AA0022F 9FDB2F0E A82E5E4D E1948ABC
61D4315C 1CD5A232 DF645DE4 80BD3536 BFC3589A 4688CACE 31F367A0 A728013A
65512CEB 17758F76 8FDCDE98 DD3C6FD2 13
quit
!
!
dot1x system-auth-control
dot1x guest-vlan supplicant
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
switchport mode access
authentication event no-response action authorize vlan 500
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x timeout supp-timeout 10
spanning-tree portfast
!
interface GigabitEthernet0/2
switchport mode access
authentication event no-response action authorize vlan 500
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x timeout supp-timeout 10
spanning-tree portfast
!
interface GigabitEthernet0/17
switchport mode access
authentication event no-response action authorize vlan 500
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 5
dot1x timeout supp-timeout 10
spanning-tree portfast
ip default-gateway 192.168.10.254
ip http server
ip http secure-server
snmp-server community privacy RW
snmp-server community public RO
radius-server host 192.168.1.77 auth-port 1645 acct-port 1646 key xxx.com
!
control-plane
!
Answer
All replies
-
Certificate Requirements for PEAP and EAP
http://technet.microsoft.com/en-us/library/cc731363.aspx

Client computers can be configured to validate server certificates by using the Validate server certificate option on the client computer or in Group Policy.
The client computer accepts the authentication attempt of the server when the server certificate meets the following requirements:
• The Subject name contains a value.
• The computer certificate on the server chains to a trusted root certification authority (CA) and does not fail any of the checks that are performed by CryptoAPI and that are specified in the remote access policy or network policy.
• The computer certificate for the NPS server or VPN server is configured with the Server Authentication purpose in Extended Key Usage (EKU) extensions. (The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.)
• The server certificate is configured with a required algorithm value of RSA.
• The Subject Alternative Name (SubjectAltName) extension, if used, must contain the DNS name of the server.
Technical problem is never a problem.
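The requirements quoted in the reply are exactly what the client enforces only when "Validate server certificate" is ticked; with the box cleared, as in the question, none of them are evaluated and any server that speaks PEAP is accepted. The following is an added example, not code from the thread or from Microsoft: a small pure-stdlib DER parser that pulls the relevant fields out of an X.509 certificate and reports which of the listed requirements it meets. It assumes single-byte DER tags (true for ordinary certificates) and does not attempt the chain-to-trusted-root check, which needs the client's root store. As constructed sample input it reuses the switch's own self-signed certificate from the "show run" dump above (the hex block under "crypto pki certificate chain"); that certificate is the switch's HTTPS certificate, not the NPS server certificate, and is used here purely as real DER to parse.

```python
# Added example (not from the original thread): a minimal pure-stdlib DER walker
# that extracts the fields the TechNet requirements refer to and reports which
# ones a PEAP/EAP server certificate meets. The chain-to-trusted-root check is
# deliberately not done here (it needs the client's root store). Sample input:
# the switch's self-signed certificate from the "show run" hex dump on this page.
SERVER_AUTH_EKU = "1.3.6.1.5.5.7.3.1"    # id-kp-serverAuth, as cited in the reply
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption
OID_CN, OID_SAN, OID_EKU = "2.5.4.3", "2.5.29.17", "2.5.29.37"

IOS_CERT_HEX = """
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D
53656C66 2D536967 6E65642D 43657274 69666963 6174652D 32383738 38303738 3038301E 170D3933 30333031 30303033
31355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43
65727469 66696361 74652D32 38373838 30373830 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A864 9F47C327 D5B5CCE3 C6898652 F75EB112 D63BDCDC CAF694F8 3489454B A3051392 068E6F4D 169130AF 063CB2C9
D276774D 5624DA44 3F9EBB06 EF86B0B7 28F39789 D615EC48 0B1D43F4 F6DDF1C5 F0AE7159 29A15E6D 9DFE6C5A A34A9B7C
D5F26859 87EC898A DF00A270 4B4A39F0 10AB0D47 8C7B427E BAC44BFE C909E3C1 9EA30203 010001A3 75307330 0F060355
1D130101 FF040530 030101FF 30200603 551D1104 19301782 1542474C 4E616E2D 31463239 3630472D 32342D30 312E301F
0603551D 23041830 168014B0 ABEDD36E 166956B2 281F3D4E 35B62BCA 89F3AD30 1D060355 1D0E0416 0414B0AB EDD36E16
6956B228 1F3D4E35 B62BCA89 F3AD300D 06092A86 4886F70D 01010405 00038181 0043C5FA 7B31160F B60841B6 2102BEC5
679D71EE E2D739FC 598BDCD6 4B1DF199 24D6585B 58E56DED 41543B93 6AE5CBAA 1ABE7C3B 2557DAC6 54EA08E9 D2956C98
6AA0022F 9FDB2F0E A82E5E4D E1948ABC 61D4315C 1CD5A232 DF645DE4 80BD3536 BFC3589A 4688CACE 31F367A0 A728013A
65512CEB 17758F76 8FDCDE98 DD3C6FD2 13
"""
IOS_CERT_DER = bytes.fromhex("".join(IOS_CERT_HEX.split()))

def read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):                  # elements of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        out.append((tag, body))
    return out

def decode_oid(body):                 # OBJECT IDENTIFIER contents -> dotted string
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def subject_cn(name):
    # Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF {type, value})
    for _, rdn in children(name):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if decode_oid(oid[1]) == OID_CN:
                return value[1].decode("latin-1")
    return None

def ext_items(exts, oid):             # elements of the SEQUENCE inside an extension
    return children(read_tlv(exts[oid], 0)[1]) if oid in exts else []

def parse_certificate(der):
    fields = children(children(read_tlv(der, 0)[1])[0][1])  # tbsCertificate
    idx = 1 if fields[0][0] == 0xA0 else 0                   # explicit [0] version
    subject, spki = fields[idx + 4][1], fields[idx + 5][1]
    key_alg = decode_oid(children(children(spki)[0][1])[0][1])
    exts = {}
    for tag, body in fields[idx + 6:]:
        if tag == 0xA3:                                      # [3] Extensions
            for _, ext in children(children(body)[0][1]):
                parts = children(ext)                        # extnID, [critical], extnValue
                exts[decode_oid(parts[0][1])] = parts[-1][1]
    return {
        "subject_cn": subject_cn(subject),
        "key_algorithm": key_alg,
        "eku": [decode_oid(b) for t, b in ext_items(exts, OID_EKU) if t == 0x06],
        "has_san": OID_SAN in exts,
        "san_dns": [b.decode("ascii") for t, b in ext_items(exts, OID_SAN) if t == 0x82],
    }

def check_peap_server_cert(der, expected_dns=None):
    c = parse_certificate(der)
    if c["has_san"]:   # SAN is optional, but when present it must name the server
        san_ok = expected_dns in c["san_dns"] if expected_dns else bool(c["san_dns"])
    else:
        san_ok = True
    return {
        "subject_has_cn": bool(c["subject_cn"]),
        "rsa_key": c["key_algorithm"] == RSA_ENCRYPTION,
        "server_auth_eku": SERVER_AUTH_EKU in c["eku"],
        "san_dns_ok": san_ok,
    }

if __name__ == "__main__":
    for name, ok in check_peap_server_cert(IOS_CERT_DER).items():
        print(f"{name:16s} {'PASS' if ok else 'FAIL'}")
```

Run against the switch's certificate, the checker passes the subject-name, RSA and SubjectAltName requirements but fails the Server Authentication EKU requirement, because the IOS self-signed certificate carries no EKU extension at all. That is the kind of certificate a client with "Validate server certificate" enabled would refuse to authenticate against, and it illustrates why the requirement list matters: with the checkbox cleared, the client never looks at any of these fields.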