Re: IEEE 802.1x & dynamic vlan assignment
From: Rodrigo Blanco (rodrigo.blanco.r_at_gmail.com)
Date: 08/17/05
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #252"
- Next in thread: Kim, Cameron: "RE: IEEE 802.1x & dynamic vlan assignment"
Date: Wed, 17 Aug 2005 19:53:29 +0200
To: "Devanathan.Balaji@datacraft-asia.com" <Devanathan.Balaji@datacraft-asia.com>
Yes. That happened to me too...
The solution I took was to force the 802.1x switch to re-authenticate
quite often. What kind of switches are you using?
Regards,
Rodrigo.
On 8/17/05, Devanathan.Balaji@datacraft-asia.com
<Devanathan.Balaji@datacraft-asia.com> wrote:
> Hi,
>
> Has anyone tested dynamic VLAN assignment through dot1x? I am trying to
> implement this with PEAP authentication with Windows Active Directory. When
> I reboot the Windows PC the VLAN assignment is happening properly. But when
> I log off from the domain and log in as a different user the VLAN is not
> getting assigned immediately, but works after the re-authentication timeout.
> I feel that the Windows XP client is not sending the EAPOL-Logoff message. Can
> anyone help with this?
>
> Regards
> Devanathan.B
>
> -----Original Message-----
> From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
> Sent: Tuesday, August 09, 2005 12:00 PM
> To: offtopic
> Cc: focus-ms@securityfocus.com
> Subject: Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server
>
> In fact, I was thinking of just using user certificates (no need for
> personal computers to be on-line while no one is logged on), and
> storing them in the profile of each user, on their computer.
>
> And, unfortunately, PEAP is not an option either.
>
> Surfing through MS doc., I had read that through CAPICOM scripts or
> batches using certreq.exe against the MS Certificate Services 2003, it
> is possible to "emulate" (by programming...) the Active Directory 2003
> - Certificate Services 2003 integrated auto-enrollment and
> auto-installation of the users' certificates.
>
> However, I have no idea if this is applicable to Certificate Services
> 2000, if it is a pragmatic solution, and whether it is reasonably easy
> to set up.
>
> Any experience using these tools? Would it be crazy to focus the
> project in this direction?
>
> Thanks again and best regards,
> Rodrigo.
>
> On 8/9/05, offtopic <offtopic@mail.ru> wrote:
> > > - Although the MS Certificate Services are in standalone mode, can I
> > > still configure some auto-enrollment based on the users' AD logon? If
> > > not, what is the best option in order to minimize administrative
> > > effort?
> >
> > No. AFAIK, only an Enterprise CA can be used for auto-enrollment. You can
> > choose PEAP MSCHAPv2 for client authentication instead. In this case you
> > don't need to manage client-side certificates and revocation.
> > If you need to use client certificates, create a new Enterprise Subordinate
> > CA to issue client certificates.
> >
> > > - Since MS Certificate Services are in standalone mode, is it possible
> > > to have the IAS server map certificates to AD users
> >
> > You can bind user-to-certificate manually in AD, but I think this is not the
> > best solution.
> >
> > > If you could point me to any paper or step-by-step guide that can
> >
> >
> > http://www.altavista.com/web/results?itag=ody&q=site%3Amicrosoft.com+802.1x+step-by-step&kgs=0&kls=0 ????
> >
> >
> > PS. You want to use client certificates; where will you store them? In a local
> > profile, or on a smartcard?
> > Will you authenticate computer or user or both?
> >
> >
> > (c)oded by offtopic@mail.ru
> >
> >
>
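The failure mode Devanathan describes (the port keeps the previous user's VLAN until the re-authentication timer fires) and the mitigation Rodrigo suggests (a short re-authentication period) can be made concrete with a small model. This is an added illustration, not code from the thread; the user-to-VLAN map, the timings and the simplified authenticator behaviour are all constructed assumptions.

```python
# Added illustration, not code from the thread: a toy model of an 802.1X
# authenticator port whose VLAN comes from the RADIUS reply for the
# authenticated user (Tunnel-Private-Group-ID). Constructed user -> VLAN map.
RADIUS_VLAN = {"alice": 10, "bob": 20}


class AuthenticatorPort:
    def __init__(self, reauth_period):
        self.reauth_period = reauth_period  # switch-side reAuthPeriod, seconds
        self.vlan = None          # VLAN applied to the port; None = unauthorized
        self.next_reauth = None   # time of the next forced re-authentication

    def eap_success(self, user, now):
        # RADIUS Access-Accept for `user`: apply that user's VLAN, arm the timer.
        self.vlan = RADIUS_VLAN[user]
        self.next_reauth = now + self.reauth_period

    def eapol_logoff(self):
        # EAPOL-Logoff: port returns to unauthorized and the VLAN is removed.
        self.vlan = None
        self.next_reauth = None

    def tick(self, now, supplicant_user):
        # When the timer fires the switch re-runs EAP with whoever is at the
        # keyboard now; this is how the new user's VLAN eventually gets applied.
        if self.next_reauth is not None and now >= self.next_reauth:
            self.eap_success(supplicant_user, now)


def seconds_in_wrong_vlan(reauth_period, xp_sends_logoff, switch_at=100, horizon=1000):
    """alice authenticates at t=0; at t=switch_at she logs off and bob logs on.
    Returns how many seconds bob's traffic sat in alice's VLAN (constructed)."""
    port = AuthenticatorPort(reauth_period)
    port.eap_success("alice", 0)
    wrong = 0
    for now in range(1, horizon):
        user = "alice" if now < switch_at else "bob"
        if now == switch_at:
            if xp_sends_logoff:
                port.eapol_logoff()
            # In this model a supplicant only starts a fresh EAP exchange on an
            # unauthorized port; if the old session was never torn down, nothing
            # happens and bob inherits alice's VLAN until the timer fires.
            if port.vlan is None:
                port.eap_success("bob", now)
        port.tick(now, user)
        if port.vlan is not None and port.vlan != RADIUS_VLAN[user]:
            wrong += 1
    return wrong
```

With no EAPOL-Logoff and the common 3600 s re-authentication interval bob stays in alice's VLAN for the rest of the simulated window (900 s); with a 60 s interval the exposure shrinks to 20 s, and with a proper EAPOL-Logoff it is 0. On a real switch the equivalent knob is the port's re-authentication timer, or a Session-Timeout attribute returned by the RADIUS server.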