EAP-TLS Non-Domain Machine Certs.
Last Post: March 17, 2011
-
Hi all,
I have a requirement to get some non-domain laptops to authenticate to a WLAN using machine certificates. The environment has an existing Microsoft enterprise root CA and RADIUS via IAS (also a domain member).
My understanding is that I can't issue a certificate to the non-domain workstations from an enterprise CA (at least not a 2003 CA). So I'm thinking that firing up a stand-alone CA might be able to do this, but I keep falling short in my attempts.
Does anyone have thoughts on how to issue machine certs to non-domain Windows laptops and get them to authenticate to a WLAN via EAP-TLS?
-
You should be able to use these instructions for creating a cert request using certreq.exe.
http://technet.microsoft.com/en-us/library/ff625722%28WS.10%29.aspx#BKMK_CertreqNew
Since your machines are not members of the domain, you may not be able to connect to the <ServerNameCAName> share, unless you provide domain credentials.
If you are unable, you should access the Enterprise CA mmc snap-in (CA Admin console) and submit your cert request file into the CA this way. Alternatively, you probably thought about this already, but you can just add the machine to the domain to obtain a machine cert and then remove it afterwards.
Hope this helps.
-
@juanq - Thanks for the reply.
Update for anyone else trying this: I managed to get this working by creating a stand-alone CA and using it to issue a cert to my non-domain machine. I then imported my stand-alone CA certificate into my WLAN controller and generated a server certificate for the controller as well. From there it was just a matter of getting the controller to do EAP termination.
The issue I was having wasn't really about getting a certificate onto the client, it was a problem getting IAS to accept the certificate from a non-domain machine. Removing IAS from the equation seems to have done the trick.
- 1
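The two replies above describe the same client-side step in outline: build a certificate request with certreq.exe, have a stand-alone CA issue it, and install the result on a non-domain laptop. The script below is an added example, not code from the thread or from Microsoft's documentation, showing that step end to end plus the checks worth making before trying EAP-TLS. The CA host `ca01.example.local` and CA name `Example-Standalone-CA` are placeholders, and the INF values (key length, EKU, provider) are my assumptions about a sensible machine certificate; adjust them to your environment.

```powershell
# Added example (not from the thread): request and install a machine
# certificate for a non-domain Windows laptop from a stand-alone CA with
# certreq.exe, then check that the installed cert is usable for EAP-TLS.
# Run in an elevated PowerShell on the laptop. The CA host and CA name
# below are placeholders; replace them with your own.
$CaConfig = "ca01.example.local\Example-Standalone-CA"   # placeholder "<host>\<CA name>"
$WorkDir  = Join-Path $env:TEMP "machinecert"
$InfPath  = Join-Path $WorkDir "request.inf"
$ReqPath  = Join-Path $WorkDir "request.req"
$CerPath  = Join-Path $WorkDir "issued.cer"
$Fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# certreq INF: the key lives in the machine store, is not exportable, and the
# certificate carries the Client Authentication EKU that EAP-TLS requires.
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2
"@ | Set-Content -Path $InfPath -Encoding ASCII

certreq.exe -new $InfPath $ReqPath
# A stand-alone CA marks requests "pending" by default; if the submit does
# not return a certificate, issue it in the CA console and then run:
#   certreq.exe -retrieve -config $CaConfig <RequestId> $CerPath
certreq.exe -submit -config $CaConfig $ReqPath $CerPath
if (Test-Path $CerPath) {
    certreq.exe -accept -machine $CerPath   # binds the cert to the pending key
}

# Verification: the cert must be in LocalMachine\My, have a private key, and
# list Client Authentication among its EKUs. Also confirm the stand-alone CA
# certificate is trusted by the machine, or the supplicant will not present it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No machine certificate with a private key found for CN=$Fqdn" }
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2')) {
    throw "Certificate lacks the Client Authentication EKU (1.3.6.1.5.5.7.3.2)"
}
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer }
if (-not $trusted) {
    Write-Warning "Issuing CA '$($cert.Issuer)' is not in LocalMachine\Root; import the CA certificate there."
}
"OK: $($cert.Thumbprint) valid until $($cert.NotAfter)"
```

The same CA certificate that goes into LocalMachine\Root on the laptop is the one the original poster imported into the WLAN controller, so both ends of the EAP-TLS exchange trust the same issuer; the client-side check here catches the common failure where the machine cert installs fine but the client silently declines to use it because its issuer is untrusted or the EKU is missing.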