Re: Wired 802.1x Questions



Last I heard that is correct: there is no way to use Group Policy to
configure wired 802.1x. Microsoft itself uses IPsec to protect access to
domain resources, which in addition to computer authentication can also
protect traffic with encryption and integrity via ESP/AH, something 802.1x
cannot do, and I have read that Vista/Longhorn may have the capability to use
IPsec with "user" authentication as well.

See the link below for registry settings that may be able to do what you
want for CRL checking, though I have not tried them myself. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

The following registry settings in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 on
the IAS server can modify the behavior of the EAP-TLS when performing
certificate revocation:

• IgnoreNoRevocationCheck

When set to 1, IAS allows EAP-TLS clients to connect even when it does
not perform or cannot complete a revocation check of the client's
certificate chain (excluding the root certificate). Typically, revocation
checks fail because the certificate doesn't include CRL information.

IgnoreNoRevocationCheck is set to 0 (disabled) by default. An EAP-TLS
client cannot connect unless the server completes a revocation check of the
client's certificate chain (including the root certificate) and verifies
that none of the certificates have been revoked.

You can use this entry to authenticate clients when the certificate
does not include CRL distribution points, such as those from third parties.

• IgnoreRevocationOffline

When set to 1, IAS allows EAP-TLS clients to connect even when a
server that stores a CRL is not available on the network.
IgnoreRevocationOffline is set to 0 by default. IAS does not allow clients
to connect unless it can complete a revocation check of their certificate
chain and verify that none of the certificates has been revoked. When it
cannot connect to a server that stores a revocation list, EAP-TLS considers
the certificate to have failed the revocation check.

Setting IgnoreRevocationOffline to 1 prevents certificate validation from
failing because poor network conditions kept the revocation check from
completing successfully.

• NoRevocationCheck

When set to 1, IAS prevents EAP-TLS from performing a revocation check
of the wireless client's certificate. The revocation check verifies that the
wireless client's certificate and the certificates in its certificate chain
have not been revoked. NoRevocationCheck is set to 0 by default.

• NoRootRevocationCheck

When set to 1, IAS prevents EAP-TLS from performing a revocation check
of the wireless client's root CA certificate. NoRootRevocationCheck is set
to 0 by default. This entry only eliminates the revocation check of the
client's root CA certificate. A revocation check is still performed on the
remainder of the wireless client's certificate chain.

You can use this entry to authenticate clients when the certificate
does not include CRL distribution points, such as those from third parties.
Also, this entry can prevent certification-related delays that occur when a
certificate revocation list is offline or is expired.


All of these registry settings must be added as a DWORD type and have the
valid values of 0 or 1. The wireless client does not use these settings.



"Chipeater" <david.wozny@xxxxxxxxx> wrote in message
news:1146511840.823031.22870@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Could anyone help with the following two questions...
a) Is my understanding correct that there are no GPO settings that can
be used to centrally configure wired 802.1x? If so, is manual
configuration the only option?

b) Is there any way on an IAS server to temporarily disable CRL
checking via a registry entry (or otherwise)? This is clearly not a
desirable thing to do in production, but I would like to do some testing
with CRL checking disabled.

Thanking you in anticipation
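The following is an added example, not part of the original post or of the Microsoft article Steve quotes: a small PowerShell script that sets one of the four IAS overrides for a test window, shows the resulting state, and then removes the overrides again so the server falls back to full revocation checking. It assumes it is run elevated on the IAS server itself, that the Windows service name is IAS, and that the service needs a restart for the EAP-TLS module to pick up the new values; the key path and value names are the ones quoted above.

```powershell
# Added example (not from the original post). Toggle the IAS EAP-TLS
# revocation-check overrides for a test window, then restore the defaults.
# Assumptions: run elevated on the IAS server; the service name is "IAS";
# the EAP-TLS module reads these values when the service starts.

$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$RevocationValues = 'IgnoreNoRevocationCheck', 'IgnoreRevocationOffline',
                    'NoRevocationCheck', 'NoRootRevocationCheck'

function Get-EapTlsRevocationSettings {
    # Report each override. A value that is not present means "default (0)",
    # i.e. IAS performs the full revocation check on the client chain.
    foreach ($name in $RevocationValues) {
        $item = Get-ItemProperty -Path $EapTlsKey -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name  = $name
            Value = if ($null -ne $item) { $item.$name } else { 0 }
            State = if ($null -ne $item) { 'explicit' } else { 'default' }
        }
    }
}

function Set-EapTlsRevocationOverride {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('IgnoreNoRevocationCheck', 'IgnoreRevocationOffline',
                     'NoRevocationCheck', 'NoRootRevocationCheck')]
        [string]$Name,
        [Parameter(Mandatory)][ValidateRange(0, 1)][int]$Value
    )
    if (-not (Test-Path $EapTlsKey)) { New-Item -Path $EapTlsKey -Force | Out-Null }
    # The article requires a REG_DWORD holding 0 or 1; enforce the type here.
    New-ItemProperty -Path $EapTlsKey -Name $Name -Value $Value `
                     -PropertyType DWord -Force | Out-Null
}

function Reset-EapTlsRevocationOverrides {
    # Deleting the values (rather than writing 0) leaves the key as it was
    # before the test, which is the state auditors expect in production.
    foreach ($name in $RevocationValues) {
        Remove-ItemProperty -Path $EapTlsKey -Name $name -ErrorAction SilentlyContinue
    }
}

function Restart-Ias {
    # Assumption: IAS reads the EAP\13 values at start-up, so restart it.
    Restart-Service -Name IAS -Force
}

# --- Test window: pick the narrowest override that matches the failure ---
# IgnoreRevocationOffline covers "CDP unreachable"; IgnoreNoRevocationCheck
# covers "certificate has no CDP". NoRevocationCheck switches the check off
# entirely and should be the last resort even in a lab.
Set-EapTlsRevocationOverride -Name IgnoreRevocationOffline -Value 1
Restart-Ias
Get-EapTlsRevocationSettings | Format-Table -AutoSize

# --- Back to production behaviour ---
Reset-EapTlsRevocationOverrides
Restart-Ias
Get-EapTlsRevocationSettings | Format-Table -AutoSize
```

Run Get-EapTlsRevocationSettings on its own first to record the starting state; as the quoted article notes, these values are read only by the IAS server, so nothing needs to change on the wireless or wired clients.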





