Re: wireless lan & computer certificates

From: Dave Taylor (Dave.Taylor_at_work.com)
Date: 11/17/03


Date: Mon, 17 Nov 2003 08:59:45 +0100

Hi David,

Again, thanks for your reply.

I had looked at certificate mapping - but I assumed it was referring to user
certificates (ie a direct user cert to user account map) rather than
computer certificates. Can you definitely do this with computer certs ?
And if so, (bearing in mind the SSL server is in our DMZ - and not a member
of our Active Directory) how/where would these certs get 'married' ?

I also have looked at IPSec for the same project - with certificate
authentication (rather than Kerberos), but I'm having real difficulty making
this work (and it's not helped by the fact that practically nothing is going
into the event logs :-( ).

OK, I'll keep plodding ...

Thanks again for your suggestions

Dave

"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:eiS3YVrqDHA.1880@TK2MSFTNGP09.phx.gbl...
> yes, you could require that the IAS or IIS server require client
> authentication certs ... that way only clients with certs from your CA can
> access it.
>
> one example: Step by Step Guide to Certificate Mapping:
>
> http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp
>
> this can also be done with wireless, RAS, VPN server, etc.
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> http://support.microsoft.com
>
> "Dave Taylor" <Dave.Taylor@work.com> wrote in message
> news:3fb39865$1@eumel.hag.hilti.com...
> > Thanks for the links, David.
> >
> > Moving the goalpost slightly ... If we had a publicly accessible SSL
> > server - but we want to restrict its access to only computers that have
> > a computer certificate given from our CA ... would there be a recommended
> > 'best practice' for this ?
> >
> > eg if I am using my company laptop (with a computer cert), I should be
> > able to access https://company.domain.com (from any valid internet IP
> > address)
> >
> > but if I went to an internet cafe, and typed the same https address, I
> > shouldn't be allowed to connect.
> >
> > Any info much appreciated.
> >
> > Dave
> >
> > "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> > news:u5OYq$RqDHA.708@TK2MSFTNGP10.phx.gbl...
> > > yes, it is called PEAP and there are several docs available that
> > > discuss this:
> > >
> > > http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
> > >
> > > http://www.microsoft.com/downloads/details.aspx?FamilyID=cdb639b3-010b-47e7-b234-a27cda291dad&DisplayLang=en
> > >
> > > --
> > >
> > > David B. Cross [MS]
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties, and confers no
> > > rights.
> > >
> > > http://support.microsoft.com
> > >
> > > "Dave Taylor" <Dave.Taylor@work.com> wrote in message
> > > news:3fb1e970$1@eumel.hag.hilti.com...
> > > > Hi all,
> > > >
> > > > We are looking at wireless technology at the moment. Obviously,
> > > > security is the big concern.
> > > >
> > > > Does anyone know of a method for us to set up a wireless technology
> > > > that makes use of our internal m/s PKI - but NOT by using the user
> > > > certificates (ie smartcards), but computer certificates ?
> > > >
> > > > What we want is to only allow computers that have a valid company
> > > > computer certificate to be allowed to 'get a login prompt' to our
> > > > wireless network.
> > > >
> > > > Is this do-able ?
> > > >
> > > > Thanks for any help,
> > > >
> > > > Dave

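The policy the thread circles around (a DMZ web server that admits only machines holding a computer certificate from the company CA, with the certificate then "married" to a known computer account) as an added, runnable example. This is not code from the thread, from Microsoft, or from IIS/IAS: Go's crypto/tls stands in for the web server and for the laptop, the CA and certificates are generated on the fly, and the handshake runs over loopback TCP so it works offline. Only https://company.domain.com comes from the thread; the CA name "Company Enterprise CA", the host "laptop01.company.domain.com", ECDSA P-256 keys, and the in-memory `known` table that plays the part of the certificate mapping store are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// newCert builds and signs a certificate for name; with parent == nil it becomes a
// self-signed CA. All keys and certificates are generated on the fly for this example.
func newCert(name string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, ExtKeyUsage: eku, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil { // self-signed CA: no SAN, CertSign key usage
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.DNSNames = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return cert, key
}

// issue signs an end-entity certificate from the CA and wraps it for crypto/tls: ClientAuth
// EKU for a computer certificate (what a domain-joined laptop gets by auto-enrolment).
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, eku x509.ExtKeyUsage) tls.Certificate {
	leaf, key := newCert(host, []x509.ExtKeyUsage{eku}, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: key, Leaf: leaf}
}

// serverConfig is the DMZ web server's policy: the client must present a certificate that
// chains to the company CA with the ClientAuth EKU, and its subject must map to a known
// computer. The DMZ host is not a domain member, so the mapping is a local table here
// (an assumption of this example; the thread does not settle where it would live).
func serverConfig(ca *x509.Certificate, caKey *ecdsa.PrivateKey, site string, known map[string]bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates: []tls.Certificate{issue(ca, caKey, site, x509.ExtKeyUsageServerAuth)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // chain and EKU checked against ClientCAs
		ClientCAs:    pool,
		// Runs only after chain verification succeeded, so chains[0][0] is a trusted leaf.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if cn := chains[0][0].Subject.CommonName; !known[cn] {
				return fmt.Errorf("subject %q does not map to a company computer", cn)
			}
			return nil
		},
	}
}

// clientConfig is the laptop or the cafe PC: it trusts the company CA for the server and
// offers zero (cafe) or one (company laptop) computer certificate.
func clientConfig(ca *x509.Certificate, site string, certs ...tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, ServerName: site, Certificates: certs}
}

// handshake runs one TLS handshake over loopback TCP and returns the server's verdict;
// nil means the client was admitted.
func handshake(server, client *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", server)
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		s, err := ln.Accept()
		must(err)
		err = s.(*tls.Conn).Handshake()
		s.Close()
		verdict <- err
	}()
	c, cerr := tls.Dial("tcp", ln.Addr().String(), client) // under TLS 1.3 this can return before the server has judged the client
	err = <-verdict
	if cerr == nil { c.Close() }
	return err
}

func main() {
	const site = "company.domain.com" // the address from the thread
	ca, caKey := newCert("Company Enterprise CA", nil, nil, nil)
	server := serverConfig(ca, caKey, site, map[string]bool{"laptop01.company.domain.com": true})
	laptop := clientConfig(ca, site, issue(ca, caKey, "laptop01.company.domain.com", x509.ExtKeyUsageClientAuth))
	fmt.Println("company laptop:", handshake(server, laptop))                 // <nil>: admitted
	fmt.Println("internet cafe: ", handshake(server, clientConfig(ca, site))) // error: no certificate offered
}
```

The two halves correspond to the two things the thread's replies name: requiring client certificates on the server (here `RequireAndVerifyClientCert` against a pool holding only the company CA, which also rejects a certificate from any other CA or one lacking the Client Authentication EKU before the mapping step ever runs) and the certificate mapping itself (`VerifyPeerCertificate`, which only sees chains that already verified). Two caveats a practitioner would want: the check is only as strong as the laptop's hold on its private key, so a computer certificate whose key can be exported can be carried to the cafe PC; and a mapping keyed on the subject CN is only sound because the CA that issues those subjects is the sole trusted issuer, so no other CA in `ClientCAs` may be able to mint the same name.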

