Re: Using Certificates for 802.1x and VPN access
From: Mark Gamache (mark.gamache_at_css-security.com.nospam)
Date: 06/29/05
- Next message: Mark Gamache: "Re: Remove Certificate services"
- Previous message: Sandy Wood: "Re: Windows Update v6 on 2003 server going nowhere"
- In reply to: Dan: "Using Certificates for 802.1x and VPN access"
- Next in thread: Dan: "Re: Using Certificates for 802.1x and VPN access"
- Reply: Dan: "Re: Using Certificates for 802.1x and VPN access"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 29 Jun 2005 14:13:39 -0700
The cert on the IAS server must contain the server authentication EKU and
the DNS name on it must match the machine's DNS name. The clients all need
the client auth. EKU and must contain the subject alt name in the format of
the user principal name.
http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
The machine (computer) certificates can be provisioned using auto-enrollment.
Because you are using a Win2000 CA, there is no auto-enrollment for users. If
the users are connected to your network (wired) regularly, you can write a
login script that will provision the certs. You could do some scripting and
request the certs in the user's context and then export the cert and private
key in a P12. I'd recommend SSL-protecting the web enrollment interface and
publishing it with your ISA server and having the users provision
themselves. This is easy in your dev environment, but not as useful on an
enterprise scale.
How many user certs will you be issuing? How often will you renew? When
the project goes from dev to production, will you have the budget for a 2003
CA? MS has made the technology pretty easy to set up and administer, but you
really have to make sure that it is usable from the operational side. Forcing
1000s of users to self-provision will likely generate a lot of calls. One
really needs to plan a PKI well before implementing.
Hope this helps.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:5AB9F1D9-EF37-4ACF-833A-FF201758ECD4@microsoft.com...
> Hi, I have posted questions regarding 802.1x before but have more questions
> which I hope someone can help out. Trying to use WPA-RADIUS on my Dlink
> DWL-2100AP wireless AP using EAP-TLS authentication.
>
> In my test environment:
> Win2k /SP4 running DHCP, DNS, WINS, IAS and CA as a domain controller. 2nd
> Win2k Server running Microsoft ISA Server2000 acting as firewall and RRAS
> and a VPN server.
>
> My question is:
> 1. What certificate should be installed on which server and computer?
> 2. How do I distribute the certificate to my clients? As far as I
> understand, I need to distribute computer and user certificates to my
> clients. My preference would be to export it to a diskette and then ship
> them to my clients.
>
> TIA, Daniel
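The two certificate requirements Mark states (IAS server cert: Server Authentication EKU plus a DNS name matching the IAS host; client certs: Client Authentication EKU plus a UPN in the subject alternative name) are exactly the things that fail silently in an EAP-TLS rollout when a template is wrong. The following is an added example, not code from this thread or from Microsoft: it builds throwaway self-signed certificates with the pyca/cryptography library and checks them for those properties, so a template can be verified before thousands of users enrol against it. The host name `ias01.corp.example` and the UPN `daniel@corp.example` are constructed sample values; the UPN otherName OID 1.3.6.1.4.1.311.20.2.3 is the real Microsoft identifier.

```python
"""Check certificates for the EAP-TLS properties Mark describes.

Added example (not from the thread). Requires the pyca/cryptography
library. Host names and UPNs below are constructed sample values.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft's otherName OID for a User Principal Name inside the SAN.
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def upn_othername(upn: str) -> x509.OtherName:
    """Encode a UPN as the DER UTF8String that the Microsoft otherName carries."""
    raw = upn.encode("utf-8")
    if len(raw) >= 128:
        raise ValueError("short-form DER length only; UPN too long for this demo")
    return x509.OtherName(UPN_OID, b"\x0c" + bytes([len(raw)]) + raw)


def decode_upn(other: x509.OtherName) -> str:
    """Reverse of upn_othername: strip the UTF8String tag and length byte."""
    if other.value[0] != 0x0C:
        raise ValueError("UPN otherName is not a UTF8String")
    return other.value[2:2 + other.value[1]].decode("utf-8")


def _self_signed(cn, ekus=None, sans=None):
    """Throwaway self-signed cert (good or deliberately incomplete) for the checks."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
    )
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    return builder.sign(key, hashes.SHA256())


def make_server_cert(dns_name, with_server_eku=True, dns_in_san=True):
    """IAS server cert; flags let you produce the common misconfigurations."""
    eku = ExtendedKeyUsageOID.SERVER_AUTH if with_server_eku else ExtendedKeyUsageOID.CLIENT_AUTH
    return _self_signed(dns_name if dns_in_san else "ias", [eku],
                        [x509.DNSName(dns_name)] if dns_in_san else None)


def make_client_cert(cn, upn=None):
    """User cert with Client Authentication EKU; UPN in the SAN only if given."""
    return _self_signed(cn, [ExtendedKeyUsageOID.CLIENT_AUTH],
                        [upn_othername(upn)] if upn else None)


def _ekus(cert):
    try:
        return list(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        return []


def _san(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None


def check_ias_server_cert(cert, expected_dns):
    """Server Authentication EKU present and the IAS host's DNS name in CN or SAN."""
    problems = []
    if ExtendedKeyUsageOID.SERVER_AUTH not in _ekus(cert):
        problems.append("missing Server Authentication EKU")
    names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    san = _san(cert)
    if san is not None:
        names += san.get_values_for_type(x509.DNSName)
    if expected_dns.lower() not in [n.lower() for n in names]:
        problems.append(f"DNS name {expected_dns!r} not in CN/SAN {names}")
    return problems


def check_client_cert(cert):
    """Client Authentication EKU and a UPN otherName in the SAN; returns (problems, upn)."""
    problems, upn = [], None
    if ExtendedKeyUsageOID.CLIENT_AUTH not in _ekus(cert):
        problems.append("missing Client Authentication EKU")
    san = _san(cert)
    upns = [] if san is None else [decode_upn(o) for o in san.get_values_for_type(x509.OtherName)
                                   if o.type_id == UPN_OID]
    if upns:
        upn = upns[0]
    else:
        problems.append("no UPN in subjectAltName")
    return problems, upn


if __name__ == "__main__":
    print(check_ias_server_cert(make_server_cert("ias01.corp.example"), "ias01.corp.example"))
    print(check_ias_server_cert(make_server_cert("ias01.corp.example", False, False), "ias01.corp.example"))
    print(check_client_cert(make_client_cert("Daniel", "daniel@corp.example")))
    print(check_client_cert(make_client_cert("Daniel")))
```

To run the same checks against a certificate exported from a real CA, load it with `x509.load_pem_x509_certificate()` or `x509.load_der_x509_certificate()` and pass the result to `check_ias_server_cert` or `check_client_cert`; the DNS comparison is case-insensitive because the IAS host name and the name in the cert are often typed in different case.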