Re: Using Certificates for 802.1x and VPN access

From: Dan (Dan_at_discussions.microsoft.com)
Date: 06/30/05


Date: Thu, 30 Jun 2005 06:15:02 -0700

Thanks Mark. Not really the answer I'm expecting ;-)
What is EKU? This is going to be for a small number of people. For the
wireless access, we are only going to use 1 wireless AP in our conference
room. For VPN, there will be about 20 clients. Even if we go
full-fledged, it will be less than 100 clients, wireless and VPN combined.
Just need to know what certificate to issue to what computer. Don't think I
will publish the certificate enrolment via the web using ISA Server but would
prefer exporting the cert to a diskette or CD-R, and then mailing it to them.

"Mark Gamache" wrote:

> The cert on the IAS server must contain the Server Authentication EKU, and
> the DNS name on it must match the machine's DNS name. The clients all need
> the Client Authentication EKU and must contain a subject alternative name in
> the format of the user principal name.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
>
> The machine (computer) certificates can be provisioned using auto-enrollment.
> Because you are using a Win2000 CA, there is no auto-enrollment for users. If
> the users are connected to your network (wired) regularly, you can write a
> login script that will provision the certs. You could do some scripting and
> request the certs in the user's context and then export the cert and private
> key in a P12. I'd recommend SSL-protecting the web enrollment interface,
> publishing it with your ISA server and having the users provision
> themselves. This is easy in your dev environment, but not as useful on an
> enterprise scale.
>
> How many user certs will you be issuing? How often will you renew? When
> the project goes from dev to production, will you have the budget for a 2003
> CA? MS has made the technology pretty easy to set up and administer, but you
> really have to make sure that it is usable from the operational side. Forcing
> 1000s of users to self-provision will likely generate a lot of calls. One
> really needs to plan a PKI well before implementing.
>
> Hope this helps.
>
> Cheers,
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com
>
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:5AB9F1D9-EF37-4ACF-833A-FF201758ECD4@microsoft.com...
> > Hi, I have posted questions regarding 802.1x before but have more questions
> > which I hope someone can help out with. Trying to use WPA-RADIUS on my D-Link
> > DWL-2100AP wireless AP using EAP-TLS authentication.
> >
> > In my test environment:
> > Win2k/SP4 running DHCP, DNS, WINS, IAS and CA as a domain controller. 2nd
> > Win2k Server running Microsoft ISA Server 2000 acting as firewall, RRAS and
> > a VPN server.
> >
> > My question is:
> > 1. What certificate should be installed on which server and computer?
> > 2. How do I distribute the certificate to my clients? As far as I
> > understand, I need to distribute computer and user certificates to my
> > clients. My preference would be to export it to a diskette and then ship
> > them to my clients.
> >
> > TIA, Daniel
>
>
>
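To make the two certificate profiles Mark describes concrete, here is an added example (not code from the thread, and not the Windows CA itself): a throwaway OpenSSL lab that issues an IAS/RADIUS server certificate (Server Authentication EKU, DNS name in the SAN) and a user certificate (Client Authentication EKU, UPN in the SAN as the Microsoft otherName), checks each one against its role the way `openssl verify -purpose` does, and bundles the user's key and certificate into a P12 for the diskette/CD-R hand-off Dan has in mind. The hostname `ias.example.local`, the UPN `dan@example.local`, the P12 passphrase and the working directory are all assumptions; on a Windows CA the equivalent is the Computer/Web Server template for the IAS box and the User template for people.

```shell
#!/bin/sh
# Added example, not code from the thread: an OpenSSL lab that issues the two
# EAP-TLS certificate profiles Mark describes and checks them against their
# roles. Hostname, UPN, P12 password and the work directory are assumptions.
set -eu

WORK=${WORK:-$(mktemp -d)}
SERVER_FQDN=${SERVER_FQDN:-ias.example.local}   # must equal the IAS box's DNS name
USER_UPN=${USER_UPN:-dan@example.local}         # must equal the AD userPrincipalName
P12_PASS=${P12_PASS:-changeit}                  # lab only; use a real passphrase
UPN_OID=1.3.6.1.4.1.311.20.2.3                  # Microsoft UPN otherName in the SAN

# Lab root CA. A private config keeps this independent of the system openssl.cnf.
make_ca() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
prompt=no
distinguished_name=dn
x509_extensions=ca_ext
[dn]
CN=EAP-TLS Lab CA
[ca_ext]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue an end-entity cert: $1 = file stem, $2 = subject, $3 = EKU, $4 = SAN.
issue_cert() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=%s\n' \
      "$3" "$4" > "$WORK/$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Print a certificate's EKU names (e.g. "TLS Web Server Authentication").
cert_eku() { openssl x509 -in "$1" -noout -ext extendedKeyUsage | sed '1d; s/^ *//'; }

# Print a certificate's SAN entries (e.g. "DNS:ias.example.local").
cert_san() { openssl x509 -in "$1" -noout -ext subjectAltName | sed '1d; s/^ *//'; }

# True if the UPN string is embedded in the cert's DER. The raw-DER check is
# deliberate: OpenSSL 1.1.1 prints the UPN otherName only as "<unsupported>".
cert_has_upn() { openssl x509 -in "$1" -outform DER | grep -a -q "$2"; }

# True if the cert chains to the lab CA and its KU/EKU fit the role
# ("sslserver" for the IAS cert, "sslclient" for the user cert).
verify_for_purpose() { openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1; }

build_lab_pki() {
  make_ca
  issue_cert server "/CN=$SERVER_FQDN" serverAuth "DNS:$SERVER_FQDN"
  issue_cert user "/CN=Dan" clientAuth "otherName:$UPN_OID;UTF8:$USER_UPN"
  # Key + cert + CA in one P12 for the diskette/CD-R hand-off. The SHA1/3DES
  # PBE options keep the file importable on older Windows; drop them if the
  # target accepts the OpenSSL 3 default (PBES2/AES).
  openssl pkcs12 -export -in "$WORK/user.crt" -inkey "$WORK/user.key" -certfile "$WORK/ca.crt" \
      -name "$USER_UPN" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
      -passout "pass:$P12_PASS" -out "$WORK/user.p12"
}

build_lab_pki
echo "server EKU: $(cert_eku "$WORK/server.crt"); SAN: $(cert_san "$WORK/server.crt")"
echo "user   EKU: $(cert_eku "$WORK/user.crt");   SAN: $(cert_san "$WORK/user.crt")"
verify_for_purpose "$WORK/user.crt" sslserver && echo "BUG: user cert accepted for the server role" \
  || echo "user cert correctly rejected for the server role (wrong EKU)"
echo "P12 for the user: $WORK/user.p12"
```

The two `verify_for_purpose` calls are the point of the exercise: a certificate is only good for the role its EKU names, so a user certificate presented by the IAS box (or vice versa) fails even though it chains to the same CA. The same rule is what Mark's "server auth EKU on the IAS cert, client auth EKU on the clients" boils down to, and the DNS name and UPN are what IAS and the Windows supplicant match against the machine's name and the AD account respectively.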


