  • By (Deleted User)

    http://www.microsoft.com/technet/network/wifi/wifitrbl.mspx

    Validating the IAS Server's Certificate
    In order for the wireless client to validate the certificate of the IAS server for either EAP-TLS or PEAP-MS-CHAP v2 authentication, the following must be true for each certificate in the certificate chain sent by the IAS server:

    • The current date must be within the validity dates of the certificate.

    • The certificate has a valid digital signature.


    Additionally, the IAS server computer certificate must have the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1). To view the EKU for a certificate in the Certificates snap-in, double-click the certificate in the contents pane, click the Details tab, and then click the Enhanced Key Usage field.

    Finally, to trust the certificate chain offered by the IAS server, the wireless client must have the root CA certificate of the issuing CA of the IAS server certificate installed in its Trusted Root Certification Authorities store.

    Notice that the wireless client (SUPPLICANT) does not perform certificate revocation checking for the certificates in the certificate chain of the IAS server's computer certificate. The assumption is that the wireless client does not yet have a physical connection to the network, and therefore cannot access a Web page or other resource in order to check for certificate revocation.
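
The checks listed in the post can be reproduced against an exported copy of the IAS server certificate. This is an added PowerShell example, not part of the original post or the quoted Microsoft article; the file path and variable names are assumptions, and the LocalMachine root store is assumed to be the one the client uses.

```powershell
# Added example. $CertPath is an assumed location of the IAS server
# certificate exported to a .cer file; adjust it for your environment.
param([string]$CertPath = 'C:\temp\ias-server.cer')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, from the post
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Build the chain the way the supplicant does: no revocation checking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($cert)   # checks validity dates, signatures and trust

# Per-certificate view: validity window plus any chain errors
# (expired, bad signature, untrusted root) reported for that element.
$now = Get-Date
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    [pscustomobject]@{
        Subject   = $c.Subject
        NotBefore = $c.NotBefore
        NotAfter  = $c.NotAfter
        InDate    = ($now -ge $c.NotBefore -and $now -le $c.NotAfter)
        Errors    = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# The EKU requirement applies to the server (leaf) certificate only.
$ekuOids = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    ForEach-Object { $_.Value }
$hasServerAuth = $ekuOids -contains $serverAuthOid

# The last chain element is the root; it must be in the Trusted Root store.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootTrusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"

[pscustomobject]@{
    ChainBuilds        = $chainOk
    ServerAuthEku      = $hasServerAuth
    RootInTrustedStore = $rootTrusted
    RootSubject        = $root.Subject
}
```

Run it on the wireless client itself, since the result depends on that machine's clock and trusted root store.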
