Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server

from [Rasmus Rønlev] Network Security [Permanent Link]
Subject: Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server
Date: Tue, 09 Aug 2005 00:33:44 +0200 
Hi Rodrigo,

I know your e-mail doesn't mention this, so maybe it's because you've chosen not to use/deploy PEAP, but using PEAP you would need only certificated for your IAS (radius) server(s) - to authenticate themselves with the WAP et al. Then if you deploy PEAP the client computers won't need certificates, but instead use windows domain accounts to authenticate against.

Running over Microsofts own documentation you should be able to host PEAP fine with the outlined Windows 2000 infrastructure you suggest; http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

As for answering some other of your questions; No, you cannot use autoenrollment without Enterprise CAs as far as I know. When using stand alone CAs all you really get is web based enrollment for your Windows clients. From my point of view, I'd use PEAP in the spirit of 'least administrative effort'.

Regards,
r@smus

Rodrigo Blanco wrote:

Hello list,

I am currently facing an IEEE 802.1x deployment based on EAP-TLS. I
have found tons of documentation for Windows 2003 environments (and
with MS Certificate Services in Enterprise mode), but my environment
is a little older (upgrade is unfortunately not an option):

- Active Directory on Windows 2000 Server
- MS IAS on Windows 2000 Server (regitered in and reading from the
domain) as RADIUS server
- MS Cert Services - Standalone Mode - on Windows 2000 Server
- Windows XP Professional workstations as clients
- IEEE 802.1x-enabled Cisco Switches

My questions are:

- Although the MS Certificate Services are in standalone mode, can I
still configure some auto-enrollment based on the users' AD logon? If
not, what is the best option in order to minimize administrative
effort?
- Since MS Certificate Services are in standalone mode, is it possible
to have the IAS server map certificates to AD users, and based on
these AD identities, apply different IAS remote access policies?

If you could point me to any paper or step-by-step guide that can
provide me with some insight on what the design options (and
associated pros and cons) are for such an environment, I would also be
more than grateful.

Thanks in advance and best regards,
Rodrigo.

---------------------------------------------------------------------------
---------------------------------------------------------------------------





---------------------------------------------------------------------------
---------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  IEEE 802.1x & EAP-TLS design based on Windows 2000 Server, Rodrigo Blanco
Next by Date:  RE: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server, Pidgorny, Slav
Previous by Thread:  IEEE 802.1x & EAP-TLS design based on Windows 2000 Server, Rodrigo Blanco
Next by Thread:  Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server, offtopic
Indexes:  [Date] [Thread] [Top] [All Lists]