802.1x, IAS and SecurID

From: Batkin, Seva (Seva_Batkin_at_canaccord.com)
Date: 09/26/03

    To: security-basics@securityfocus.com
    Date: Thu, 25 Sep 2003 19:54:11 -0700


    Hi All,

    I apologize in advance if this has been previously discussed. However, here
    are the questions I have.

    I have just completed setting up an 802.1x system to secure our wireless
    communications. Specifically, I have installed Microsoft IAS, enabled PEAP
    and integrated it with our existing Domain Controller. I am currently using
    Windows XP SP1 clients but plan to test this on W2k as well.

    I have noticed strange behavior on the client, specifically persistent
    caching of the login credentials. I have disabled the "use windows logon
    credentials" checkbox in the PEAP configuration and was once asked for username,
    password and domain. However, it seems that once authenticated, XP requires
    no more intervention. Even if I log off or reboot the machine, the password
    is still stored. I am wondering if there is any way that this behavior could
    be changed; ideally I would like the user to enter the password much more
    often, at least after a reboot.
     
    The second issue I found is while integrating with RSA's SecurID system. I
    successfully installed the agent on the IAS server and it seems that the RSA
    module is now enabled. All the connections to the server are fine. The
    problem came when I changed the authentication method for PEAP from MSCHAPv2
    to RSA. XP consistently tried to log in using the same old credentials
    and would completely refuse to ask for new login information. On the AP I
    could easily see that the IAS server (through EAP) would reply that the previous
    credentials are no longer valid... something that the client appeared to
    ignore. Am I missing something here?
     
    Thanx for all your help

    Seva Batkin
    Sr. Network Engineer
    Canaccord Capital
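The behaviour described in the post, a supplicant that keeps re-sending credentials the RADIUS server has already rejected, is visible on the server side as a tight run of rejects for one client with no accept in between. The script below is an added example, not code from the original post or from Microsoft IAS: it scans authentication log lines and flags clients whose rejects exceed a threshold inside a time window. The log line format (timestamp, client MAC, user, result) and the sample lines are constructed for this example and are not the real IAS log format; `parse_line()` is the only part that needs adapting to whatever your RADIUS server actually writes. The same check surfaces any other source of repeated failures against the server, not only a stuck supplicant.

```python
"""Flag supplicants that keep re-presenting credentials the RADIUS
server has already rejected.

Added example, not part of the original post. The log format below is
constructed for this example and is NOT the real IAS log format; adapt
parse_line() to the format your server writes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <client-mac> <user> <result>".
# Client ...01 loops on stale credentials; ...02 succeeds; ...03 fails once,
# then succeeds after re-entering a password.
SAMPLE_LOG = """\
2003-09-25T19:40:01 00-0c-29-aa-bb-01 DOMAIN\\alice ACCESS-REJECT
2003-09-25T19:40:03 00-0c-29-aa-bb-01 DOMAIN\\alice ACCESS-REJECT
2003-09-25T19:40:05 00-0c-29-aa-bb-01 DOMAIN\\alice ACCESS-REJECT
2003-09-25T19:40:07 00-0c-29-aa-bb-01 DOMAIN\\alice ACCESS-REJECT
2003-09-25T19:41:10 00-0c-29-aa-bb-02 DOMAIN\\bob ACCESS-ACCEPT
2003-09-25T19:42:00 00-0c-29-aa-bb-03 DOMAIN\\carol ACCESS-REJECT
2003-09-25T19:52:30 00-0c-29-aa-bb-03 DOMAIN\\carol ACCESS-ACCEPT
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, mac, user, result)."""
    ts, mac, user, result = line.split()
    return datetime.fromisoformat(ts), mac, user, result


def find_stuck_clients(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {mac: (user, reject_count)} for clients rejected at least
    `threshold` times within `window` with no ACCESS-ACCEPT in between.

    An ACCEPT resets the client's streak, so a user who fails once and then
    types the right password is not reported.
    """
    streaks = defaultdict(list)  # mac -> timestamps of the current reject streak
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mac, user, result = parse_line(line)
        if result == "ACCESS-ACCEPT":
            streaks[mac].clear()
            continue
        # Keep only rejects that fall inside the sliding window.
        streaks[mac] = [t for t in streaks[mac] if ts - t <= window]
        streaks[mac].append(ts)
        if len(streaks[mac]) >= threshold:
            flagged[mac] = (user, len(streaks[mac]))
    return flagged


if __name__ == "__main__":
    for mac, (user, count) in find_stuck_clients(SAMPLE_LOG).items():
        print(f"{mac} ({user}): {count} rejects without an accept")
```

Tune `threshold` and `window` to how often your access points retry EAP; a supplicant stuck on cached credentials typically produces rejects seconds apart, which is what the default window is sized for.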

    "Canaccord Capital Corporation <canaccord.com>" made the following
     annotations on 09/25/2003 07:54:15 PM
    ------------------------------------------------------------------------------
    This message may contain confidential or privileged material. Any use of this
    information by anyone other than the intended recipient is prohibited. If you
    have received this message in error, please immediately reply to the sender
    and delete this information from your computer. Thank you.
    ==============================================================================

