Re: 802.1x Authentication over Wireless

---

• From: Paul Adare <pkadare@xxxxxxxxx>
• Date: Fri, 16 Nov 2007 06:12:40 -0500

---

On Thu, 15 Nov 2007 11:05:36 -0800 (PST), mike.elam@xxxxxxxxx wrote:

I have implemented 802.1x with certificates in my Windows domain. I am
able to autoenroll computers and user certificates at login if they
are connected to the wire. Is it possible for the computer to push the
user certificate over the wireless link. I don't want to have my users
log on with the wire before they can connect onto the wireless. The
machine connects as a computer to the wireless and allows a domain
account to login. Once the domain account logs in, the wireless
disconnects with "Windows was unable to find a certificate to log you
on to the network XXXXXXX".

I can't really see why if the certificate was already issued to the
user and is published in Active Directory, why it IAS server can't
provide the certifcate to the machine and connect the user to the
wireless network.

My IAS is using Server 2003. My Certificate Authority is on another
Server 2003 machine. I am using Cisco Access Points controlled by a
Cisco WLAN Controller.

You don't understand how 802.1x works nor why certificates are published to
Active Directory. If you're implementing 802.1x for WiFi then presumably
you only want authorized users and computers to access your WiFi network.
How do you supposed that your WiFi infrastructure is supposed to determine
who is allowed to access your network in order to get certificates issued
in the first place? You've got a chicken and egg situation here. You're
only allowing those with valid certificates to have access to your WiFi
network yet you seem to think that the infrastructure can magically
discriminate between those that are accessing it to get certificates and
those that simply should not have access.


--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
One person's error is another person's data.
.

---

• References:
  • 802.1x Authentication over Wireless
    • From: mike . elam

• Prev by Date: About the SELF group
• Next by Date: Folder permissions - deny users, allow administrator
• Previous by thread: 802.1x Authentication over Wireless
• Next by thread: Re: 802.1x Authentication over Wireless
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Wireless Login help please ... bypass domain user configuration Group Policy. ... wireless card, logon with cached credentials, then plug their network card ... certificates may help. ... (microsoft.public.windowsxp.security_admin) Re: IPSEC with non-domain Server ... Certificates are not the "most secure", rather, they are one of the 2 "more ... > authenticate computers and protect traffic integrity and confidentiality ... > Attacks on IPSec and Other Security Concerns ... (microsoft.public.security) Re: Unauthorized Network Access ... You may want to look into using switches that use 802.1x authentication. ... require your computers to be W2K/XP/W2003. ... You then would issue certificates to the ... computers from a CA on your network which can be done automatically to domain members ... (microsoft.public.win2000.networking) Machine Certificates for L2TP/IPSEC etc ... I'm running SBS 2003 Premium SP1 with ISA 2004 Installed. ... I am trying to get all computers on the network a machine ... Machine Certificates to domain computers via Group Policy within SBS? ... (microsoft.public.windows.server.sbs) Default Stat Up/Shut Down Menus ... I installed a piece of software and certificates to be able to use a wireless ... network in my university library but it's changed my logon screen and shut ... Prev by Date: ... (microsoft.public.windowsxp.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.security  > 2007-11