Install Ssl On Microsoft Ias Radius Server Ssl Help Cent.Html

5 days ago
Admin
4 minutes

This solution will detail the process of installing an SSL certificate for use with Microsoft IAS Radius Server.

a)  Make backup copies of your old and new SSL certificates:

  1. Create a Microsoft Management Console (MMC) Snap-in for managing certificates, as described in solution SO1849.
  2. Backup the certificate for Microsoft IIS 6, as described in solution SO1707.

b)  Delete the old and new SSL certificates from your server.

This step is required in order for the new SSL Certificate to be picked up by IAS, you MUST clear the personal certificate store, reboot the server and then re-import the new certificate from a backup. If you dont complete this step your new certificate will not work.

  1. With the MMC still open, locate each SSL certificates in Personal > Certificates and delete each one by right-clicking on the certificate in the list and clicking on Delete.
  2. Restart the server.

c)  Reinstall your new SSL certificate on the server.

  1. Create a Microsoft Management Console (MMC) Snap-in again as you did previously in step a)
  2. On the right pane, right-Navigate to and click Certificates and select All Tasks > Import (this opens the Certificate Import Wizard.
  3. Navigate to and click Next
  4. Browse to the certificate file you saved earlier with the PFX extension
  5. Navigate to and click Next
  6. Provide the password used to secure the certificate
  7. Navigate to and click OK (To export the certificate again from this computer, select Mark the key as exportable)
  8. Select the option Automatically select the certificate store based on the type of certificate. (This ensures all the certificates in the certification path (Root, Intermediate, and Server) are stored in the proper place).
  9. Navigate to and click Next
  10. Navigate to and click Finish
  11. A message confirms successful import. Navigate to and click OK

If you only have the one certificate imported then your new SSL certificate should now work immediately. Skip down to step g) to test the certificate.

d) Assigning the certificate in Microsoft IAS

If you require multiple certificates installed on the server then you will need to reference the correct SSL certificate in IAS.

  1. Select Start
  2. Select Internet Authentication Service

  3. On the Left pane, Select Remote Access Policies

  4. On the right pane, Right Navigate to and click the group policy the certificate will be applied to and Navigate to and click Properties

  5. Select the Edit Profile button

  6. Select Authentication tab

  7. Select EAP Methods button

  8. Select EAP Providor and Navigate to and click Edit

  9. Select the correct certificate from the drop down list

  10. Navigate to and click OK

e) Restarting the IAS service

  1. Run the windows Services console from Start -> Control Panel -> Administrative tools -> Services

  2. Locate and restart the Internet Authentication Service

f) Testing the new certificate is working

  1. To check if the service is working with the newly installed certificate, check the Event Viewer logs for successful or failed connections

  2. Run the windows Event Viewer console from Start -> Control Panel -> Administrative tools -> Event Viewer

  3. The four event Information from source type Service Control Manager represent a successful restart of the IAS service. After the service restart, you want to look out for successful client connection events and these will typically come through from the source type IAS. Double Select the highlighted event to view the successful connection information:

You have now successfully installed the new SSL certificate and confirmed connections are accepted by the Radius Server.

Further Troubleshooting

In event viewer, for the IAS source, if you are still seeing connections denied access, open the event and scroll to the bottom of the description to find the reason code.

Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.
Check for any policy that may be restricting access during certain hours of the day or night.

  1. Load up IAS Service
  2. Select Remote Access Policies
  3. Right Navigate to and click the policy and select properties
  4. Check the policy condition i.e. Day-And-Time-Restrictions

Reason-Code = 262
Reason = The supplied message is incomplete. The signature was not verified.
Check that the SSL certificate installed is chaining correctly.

  1. Ensure Thawte Intermediate CA for your SSL certificate are installed correctly on all domain controllers. The Intermediate CA for your SSL certificate can be located in this solution INFO1384