Setting up an 802.1x test network for Windows CE
A little while back I had to set up a RADIUS server to perform 802.1x testing over Wi-Fi for Windows CE. I wish to share the simple setup steps and the troubleshooting I had to do to make it work, especially for CE clients.
[Network diagram: RADIUS server (with DHCP server, Active Directory, domain controller); 802.1x AP; non-802.1x AP; other APs; test CE Wi-Fi device]
To set up a RADIUS server, I did not want to add another machine in my office, so I installed Windows 2003 on a Virtual PC. I had 2 network adapters on my host machine: one connected to the corporate network and one on a local subnet. During the installation of all components on the virtual machine, I had the Corpnet available to it. Once all components were installed, I had just the local subnet available to the virtual machine. (To select which network adapters are available to the virtual machine, use the Virtual PC console settings.)
To set up a RADIUS server on Windows 2003 I used a very concise online tutorial: http://www.windowsnetworking.com/articles_tutorials/Wireless-Networking-Windows-2003.html
• Make sure you create a new domain controller, and that it is not part of the corporate domain, when you install the CA and Active Directory. Otherwise you will have to uninstall and reinstall those components.
As a first step to verify the 802.1x setup using an independent method, I used an XP laptop to verify authentication.
Step 1: Get a user certificate on XP
1. Connect to the RADIUS server via a non-802.1x AP, such as one using WEP, to get onto the AP network.
2. Log in to http://<ip address of the RADIUS server>/certsrv.asp using the user credentials for the wireless users created in the Active Directory on the RADIUS server, and request a user certificate.
3. Use the same page as step 2 and download
Step 2: Associate using the WPA EAP AP.
• Check the event viewer for problems in authenticating to the RADIUS server. The usual problem is failing to give dial-in rights to the user account used to authenticate to the RADIUS server.
• XP can request certificates, but the enroll sample for CE fails. The event viewer shows the following error:
Certificate Services denied request 16 because The requested certificate template is not supported by this CA. 0x80094800 (-2146875392). The request was for CN=SubjectName-Should Be OverWritten by CA. Additional information: Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Certificate Services policy: ClientAuth.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
You need to add some certificate templates in the CA plugin in the MMC console. The templates enabled by default do not work with the CE enroll sample (the sample is available in public\common\sdk\samples\enroll). This is the list of templates that I have, which work for the CE enroll tool:
Administrator, Authenticated Session, Basic EFS, Computer, Domain Controller, EFS Recovery agent, Smartcard Logon, Subordinate Certification Authority, User, User Certificate Only, Web Server.
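A small triage helper for the denial event quoted above, added here as an example (it is not part of the original post or of the CE enroll sample). It parses the event text, splits the HRESULT into its fields, and checks the requested template against the list above; the pairing of the internal name ClientAuth with the display name Authenticated Session is an assumption to confirm on your CA.

```python
import re

# Event text quoted in the post, embedded here as sample input.
SAMPLE_EVENT = (
    "Certificate Services denied request 16 because The requested certificate "
    "template is not supported by this CA. 0x80094800 (-2146875392). The request "
    "was for CN=SubjectName-Should Be OverWritten by CA. Additional information: "
    "Denied by Policy Module 0x80094800, The request was for a certificate "
    "template that is not supported by the Certificate Services policy: ClientAuth."
)

# Template display names the post lists as enabled on the working CA.
ENABLED = {
    "Administrator", "Authenticated Session", "Basic EFS", "Computer",
    "Domain Controller", "EFS Recovery agent", "Smartcard Logon",
    "Subordinate Certification Authority", "User", "User Certificate Only",
    "Web Server",
}

# Assumption (not stated in the post): the event names the template by its
# internal name, while the MMC console lists display names.
DISPLAY_NAME = {"ClientAuth": "Authenticated Session"}

DENIAL_RE = re.compile(
    r"denied request (?P<req>\d+) because .*?"
    r"(?P<hex>0x[0-9A-Fa-f]{8}) \((?P<dec>-?\d+)\).*?"
    r"Certificate Services policy:\s*(?P<tmpl>[\w-]+)", re.S)

def parse_denial(text):
    """Extract request id, HRESULT fields and template from a denial event."""
    m = DENIAL_RE.search(text)
    if m is None:
        return None  # not a template-policy denial
    hresult = int(m["hex"], 16)
    # The event prints one 32-bit value as hex and as signed decimal; they must agree.
    if hresult != int(m["dec"]) & 0xFFFFFFFF:
        raise ValueError("hex and decimal error codes disagree")
    return {
        "request_id": int(m["req"]),
        "hresult": hresult,
        "failure": bool(hresult >> 31),       # severity bit
        "facility": (hresult >> 16) & 0x7FF,  # 11-bit facility field
        "code": hresult & 0xFFFF,
        "template": m["tmpl"],
    }

def template_enabled(template, enabled=ENABLED):
    """True if the event's template, under either name, is in the enabled list."""
    return template in enabled or DISPLAY_NAME.get(template) in enabled
```

Run `parse_denial` over exported Application log text from the CA; any template for which `template_enabled` returns False is one still to be added in the CA console.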