Hi,
Has anyone tested dynamic vlan assignment through dot1x . I am trying to
implement this with PEAP authentication with Windows Active directory. When
I reboot the windows pc the vlan assignment is happening properly. But when
I logoff from the domain and login as a different user the vlan is not
getting assigned immediately, but works after the re authentication timeout.
I feel that Windows XP client is not sending EAPOL-logoff message. Can
anyone help in this
Regards
Devanathan.B
-----Original Message-----
From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Tuesday, August 09, 2005 12:00 PM
To: offtopic
Cc: focus-ms@securityfocus.com
Subject: Re: IEEE 802.1x & EAP-TLS design based on Windows 2000 Server
In fact, I was thinking of just using user certificates (no need for
personal computers to be on-line while noone is logged on), and
storing them on the profile of each user, on their computer.
And, unfortunately, PEAP is not an option either.
Surfing thorugh MS doc., I had read that through CAPICOM scripts or
batches using certreq.exe against the MS Certificate Services 2003, it
is possible to "emulate" (by programming...) the Active Directory 2003
- Certificate Services 2003 integrated auto-enrollment and
auto-installation of the users' certificates.
However, I have no idea if this is applicable to Certificate Services
2000, if it is a pragmatic solution, and whether it is reasonably easy
to set up.
Any experience using this tools? Would it be crazy to focus the
project in this direction?
Thanks again and best regards,
Rodrigo.
On 8/9/05, offtopic <offtopic@mail.ru> wrote:
- Although the MS Certificate Services are in standalone mode, can I
still configure some auto-enrollment based on the users' AD logon? If
not, what is the best option in order to minimize administrative
effort?
No. AFAIK, Only Enterprise CA can be used for auto-enrollment. You can
choose PEAP MSCHAPv2 for client authentication instead. In this case you
don't need to manage client-side certificates and revocation.
If you need to use client certificates - create new Enterprise Subordinate
CA for issue client certificates.
- Since MS Certificate Services are in standalone mode, is it possible
to have the IAS server map certificates to AD users
You can bind user-to-certificate manually in AD, but I think this is not
best solution.
If you could point me to any paper or step-by-step guide that can
http://www.altavista.com/web/results?itag=ody&q=site%3Amicrosoft.com+802.1x+
step-by-step&kgs=0&kls=0 ????
PS. You want to use client certificates, where you will store it? In local
profile, or on smartcard?
Will you authenticate computer or user or both?
(c)oded by offtopic@mail.ru
---------------------------------------------------------------------------
---------------------------------------------------------------------------
****************************************************************************
This email and all contents are subject to the following disclaimer:
http://www.datacraft-asia.com/disclaimer
****************************************************************************
---------------------------------------------------------------------------
---------------------------------------------------------------------------
