Summit WM20 Technical Reference Guide, Software Version 4.2
● Step 9: Configuring Wireless Clients for EAP-TLS
● Step 10: Configuring Wireless Client Computers for PEAP-MS-CHAP v2
Step 1: Configuring the Certificate Infrastructure
Table 4 summarizes the certificates needed for the different types of authentication.
● Regardless of which authentication method you use for wireless connections, EAP-TLS or PEAP-MS-CHAP v2,
you must install computer certificates on the IAS servers.
● For PEAP-MS-CHAP v2, you do not have to deploy a certificate infrastructure to issue computer and
user certificates for each wireless client computer. Instead, you can obtain individual certificates for
each IAS server in your enterprise from a commercial certification authority and install them on the
IAS servers.
● For more information, see “Step 3: Configuring the Primary IAS Server” and “Step 4: Configuring
the Secondary IAS Server” in this article. Windows wireless clients include a number of root CA
certificates for well-known and trusted commercial CAs. If you obtain computer certificates from
a commercial CA for which there is already an installed root CA certificate, there are no
additional certificates to install on the Windows wireless clients.
● If you obtain computer certificates from a commercial CA for which there is not already an
installed root CA certificate, you must install the root CA certificates for the issuers of the
computer certificates installed on the IAS servers on each Windows wireless client. For more
information, see “Step 10: Configuring Wireless Client Computers for PEAP-MS-CHAP v2” in
this article.
● For computer authentication with EAP-TLS, you must install a computer certificate, also known as a
machine certificate, on the wireless client computer. A computer certificate installed on the wireless
client computer is used to authenticate the wireless client computer so that the computer can obtain
network connectivity to the enterprise intranet and computer configuration Group Policy updates
prior to user login. For user authentication with EAP-TLS after a network connection is made and
the user logs in, you must use a user certificate on the wireless client computer.
● The computer certificate is installed on the IAS server computer so that during EAP-TLS
authentication, the IAS server has a certificate to send to the wireless client computer for mutual
authentication, regardless of whether the wireless client computer authenticates with a computer
certificate or a user certificate. The computer and user certificates submitted by the wireless client
and IAS server during EAP-TLS authentication must conform to the requirements specified in
“Using a Third-Party CA” in this article.
● In Windows Server 2003, Windows XP, and Windows 2000, you can view the certificate chain from
the Certification Path tab in the properties of a certificate in the Certificates snap-in. You can view
the installed root CA certificates in the Trusted Root Certification Authorities\Certificates folder and
Table 4: Authentication types and certificates

| Authentication Type | Certificates on Wireless Client | Certificates on IAS Server |
|---|---|---|
| EAP-TLS | • Computer certificates • User certificates • Root CA certificates for issuers of IAS server computer certificates | • Computer certificates • Root CA certificates for issuers of wireless client computer and user certificates |
| PEAP-MS-CHAP v2 | Root CA certificates for issuers of IAS server computer certificates | Computer certificates |
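
The bullets above turn on one question per wireless client: is the root CA that issued the IAS server's computer certificate already installed? The following PowerShell script is an added example, not part of the guide, that answers it on a Windows client. It assumes PowerShell is available and that the IAS server certificate has been exported to a .cer file; the parameter name ServerCertPath is this example's own.

```powershell
# Added example, not from the guide. Run on a Windows wireless client.
# Assumption: -ServerCertPath is the IAS server's computer certificate,
# exported without its private key to a .cer file.
param(
    [Parameter(Mandatory = $true)]
    [string] $ServerCertPath
)

$path = (Resolve-Path -LiteralPath $ServerCertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Machine context ($true): computer authentication runs before any user logs
# in, so only roots trusted by the local machine count.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
# Judge the trust path only; revocation checking needs network access that the
# client may not have before it authenticates.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

# The last chain element is the highest certificate Windows could reach.
$top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
$F     = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]

if ($trusted) {
    Write-Output "OK: chain ends at installed root '$($top.Subject)'. No root CA certificate to add."
}
elseif ($flags -contains $F::UntrustedRoot) {
    # A root was reached, but it is not in Trusted Root Certification Authorities.
    Write-Output "MISSING: root '$($top.Subject)' (thumbprint $($top.Thumbprint)) is not trusted by this computer. Install it on this client."
}
elseif ($flags -contains $F::PartialChain) {
    # The issuer of the highest certificate found is not on this client at all.
    Write-Output "INCOMPLETE: issuer '$($top.Issuer)' was not found, so no root was reached. Install the root CA certificate for that issuer."
}
else {
    # The trust path exists, but the certificate fails for another reason (for example, expiry).
    Write-Output "FAILED: $($flags -join ', ')"
}
```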