Forum

  • I like to know if there is anyway to configure the WLAN security by using only the computer cert and domain user acct credential and not requiring the user cert?

    I know one can configure EAPPEAP-MSCHAPv2 to use domain user acct credential and EAP-TLS which require both user and computer cert, but I am looking for something in between and not require user cert at all.

    We are using Cisco Aironet 1232 and 1252 Wireless AP and Windows 2003 IAS server. we can possibly deploy Cisco ACS in place of Windows IAS if that will help.

    thanks in advance,

  • I wouldn't get caught up in the user/computer cert. What you want to do is put a cert on your IAS box that is issued from a known cert authority. You can either pay for one via Verisign et al, do your own CA if all of your machines are part of a MS Domain you'll be auth'ing with or generate a machine cert manually.

    The latter is the least desirable because you have to then put that on each client as part of the trusted root authorities. Rolling your own CA is added overhead and you'll have to benchmark this against the cost/time involved in just purchasing a new cert from a known trusted root authority.

    Think about it like this. When you're web browsing and you come across a site and the certificate is invalid a message occurs. This is obviously very typical when you doing an HTTPS to a network device from most manufacturers. 802.1X no likely likely trusting it. Windows has some nice features using their CA and IAS together part of a domain. You can autodeploy certificates to domain clients, which is pretty cool. ...good luck getting good documentation on it though.

    After the TLS tunnel is established then go ahead with MS-CHAPv2 or whatever you want for the inner auth. Make sure you enable the client side setting to validate the server cert. Without that you can have man-in-the-middle attacks.

    BTW, don't go with ACS just for 802.11 security. IAS works just fine for that, but you might want ACS for the TACACS+ features or even NAC. I just saw a preso on ACS 5.0 and it looks pretty cool and they are doing some cool new things.

    Does that make sense?

  • Thanks for your replied.

    I think I understood where you coming from.

    Basically, here is what we done and the issue that we are dealing with:

    We already set up our WLAN with EAPPEAP-MSCHAPv2 and it works great with WinXP clients. We got our own CA in place and IAS has a Cert from the root and again it works just fine.

    The issue is that now we got some user starting to use the Apple PC with OS10.4 or newer. And because these OSs has 802.1x build-in, they can connect to our WLAN with their active domain credential even though their Apple PC is not part of our domain and we cannot allow that.

    We already push computer cert to our domain computers for other reason but not user cert at this time. It also appears to be almost impossible to deploy user cert at this time as well.

    The solution that we are looking for is to try use the combination of domain credential and computer cert (both already in place) to prevent non-domain computer to connect to the WLAN even with an active domain credential.

    We are talking to Microsoft about adjusting IAS policy to enforce both domain user and domain computer and we were told that IAS cannot enforce both by design.

    So the question is: is there a way to configure WLAN using IAS or ACS to enforce both domain credential and computer cert on the WLAN users?

    PS: the only reason I mentioned ACS is because we got ACS in place for other reason already and I was thinking maybe ACS can do what we looking for if we implement the EAPFAST or something.

    Again, thanks for all your helps.

  • I had to do something similar to this and found that only the Juniper (Funk) Steel Belted RADIUS sever was capable of doing this. It was a while back, so others may have added similar ability in later releases.

    Basically, we validate that the certificate credentials are not revoked and then perform a secondary validation that there is a corresponding AD account that exists and not locked out. We did EAP-TLS instead of PEAP, but I think you are looking for a similar function.

  • But doesn't EAP-TLS requires both user and computer cert? or can one set up EAP-TLS with just computer cert only?

    unfortunately, different RADIUS server is out of the question too.

    Thanks,

  • EAP-TLS requires a client certificate. This is both its +ve and -ve point. (EAP-TLS & PEAP-TLS have the same requirements - duh !!)

    -ve - because of the overhead that is going to be involved with client certificates.

    +ve - because an unauthorized person will need more than just a password to gain unauthorized access. The person will need the client side certificate too ..

  • Thanks, just want to clarify it.

    Any way, back to my original question, is there way (any way) to set up WLAN with some version of EAP or not that will allow me to use domain user credential and computer cert only----[b]no user cert involve[/b].. :(

    Thanks,

Page 1 of 1
  • 1