lee

Archived from groups: microsoft.public.security,microsoft.public.win2000.networking,microsoft.public.windowsxp.security_admin,microsoft.public.windowsxp.wmi,microsoft.public.windows.networking.wireless

Greetings.

I have been researching this for some time and have not come up with a
solution.
Basically, I would like to configure the interface Authentication settings
across all clients to use PEAP, along with some other related adjustments.

After downloading and installing Windows 2003 SP1, it appears that Microsoft
has really missed the boat on this. WHY would they include new GPO-based
features for wireless but not wired interfaces???

Does anyone know of a tool/script that configures Authentication settings of
an interface?

Thanks

- Lee
 
Guest

We didn't miss the boat...

802.1x is not the answer here: IPsec transport mode is. IPsec works fine
*with* 802.1x, but 802.1x will not provide end to end protection of
anything.

IPsec will provide authentication, nonrepudiation, and confidentiality.

When you look at the majority of threats that these 2 technologies are
designed to protect an enterprise from, IPsec is the hands-down winner.



"Lee" <Lee@discussions.microsoft.com> wrote in message
news:BA5A5DA7-DDBC-42CE-99E9-3539DCD89663@microsoft.com...
> Greetings.
>
> I have been researching this for some time and have not come up with a
> solution.
> Basically, I would like to configure the interface Authentication settings
> across all clients to use PEAP, along with some other related adjustments.
>
> After downloading and installing Windows 2003 SP1, it appears that
> Microsoft
> has really missed the boat on this. WHY would they include new GPO-based
> features for wireless but not wired interfaces???
>
> Does anyone know of a tool/script that configures Authentication settings
> of
> an interface?
>
> Thanks
>
> - Lee
 

Pete


"Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
news:uKsnbwOIFHA.1476@TK2MSFTNGP09.phx.gbl...
> We didn't miss the boat...
>
> 802.1x is not the answer here: IPsec transport mode is. IPsec works fine
> *with* 802.1x, but 802.1x will not provide end to end protection of
> anything.
>
> IPsec will provide authentication, nonrepudiation, and confidentiality.
>
> When you look at the majority of threats that these 2 technologies are
> designed to protect an enterprise from, IPsec is the hands-down winner.
>



There you go.
So much for the customer is always right.


--
Pete
"Any color you want as long as it's black."


>
> "Lee" <Lee@discussions.microsoft.com> wrote in message
> news:BA5A5DA7-DDBC-42CE-99E9-3539DCD89663@microsoft.com...
> > Greetings.
> >
> > I have been researching this for some time and have not come up with a
> > solution.
> > Basically, I would like to configure the interface Authentication settings
> > across all clients to use PEAP, along with some other related adjustments.
> >
> > After downloading and installing Windows 2003 SP1, it appears that Microsoft
> > has really missed the boat on this. WHY would they include new GPO-based
> > features for wireless but not wired interfaces???
> >
> > Does anyone know of a tool/script that configures Authentication settings of
> > an interface?
> >
> > Thanks
> >
> > - Lee
>
>
 
Guest

Do you understand the fundamental differences between these two
technologies?

I'm not being argumentative, I'm trying to determine how best to demonstrate
where we counter threats....

Do you realize 802.1x has a fundamental problem with the way it
authenticates? When it was created years ago, it was all about wired
security. It was ported to wireless because it filled a particular gap that
exists. Now some are using it in a "wired" scenario.

What I'm saying is that IPsec is far more powerful than 802.1x ever thought
about being when it comes to protecting traffic on a per-packet basis.
802.1x is the equivalent of asking hosts to play nice on the network. IPsec
*forces* hosts to play nice on the network (if they want to talk to hosts
secured with it).




"Pete" <Pete@pete> wrote in message
news:uOFj19PIFHA.2852@TK2MSFTNGP09.phx.gbl...
>
> "Steve Clark [MSFT]" <bogus@microsoft.com> wrote in message
> news:uKsnbwOIFHA.1476@TK2MSFTNGP09.phx.gbl...
>> We didn't miss the boat...
>>
>> 802.1x is not the answer here: IPsec transport mode is. IPsec works
>> fine
>> *with* 802.1x, but 802.1x will not provide end to end protection of
>> anything.
>>
>> IPsec will provide authentication, nonrepudiation, and confidentiality.
>>
>> When you look at the majority of threats that these 2 technologies are
>> designed to protect an enterprise from, IPsec is the hands-down winner.
>>
>
>
>
> There you go.
> So much for the customer is always right.
>
>
> --
> Pete
> "Any color you want as long as it's black."
>
>
>>
>> "Lee" <Lee@discussions.microsoft.com> wrote in message
>> news:BA5A5DA7-DDBC-42CE-99E9-3539DCD89663@microsoft.com...
>> > Greetings.
>> >
>> > I have been researching this for some time and have not come up with a
>> > solution.
>> > Basically, I would like to configure the interface Authentication settings
>> > across all clients to use PEAP, along with some other related adjustments.
>> >
>> > After downloading and installing Windows 2003 SP1, it appears that Microsoft
>> > has really missed the boat on this. WHY would they include new GPO-based
>> > features for wireless but not wired interfaces???
>> >
>> > Does anyone know of a tool/script that configures Authentication settings of
>> > an interface?
>> >
>> > Thanks
>> >
>> > - Lee
>>
>>
>
>
 
Guest

Yes, Microsoft screwed this up. You cannot configure wired 802.1x properties
with group policy, or a script, or any tool. Only manually, using the GUI.

We should stay tuned for the OS feature packs, I guess.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Lee" <Lee@discussions.microsoft.com> wrote in message
news:BA5A5DA7-DDBC-42CE-99E9-3539DCD89663@microsoft.com...
> Greetings.
>
> I have been researching this for some time and have not come up with a
> solution.
> Basically, I would like to configure the interface Authentication settings
> across all clients to use PEAP, along with some other related adjustments.
>
> After downloading and installing Windows 2003 SP1, it appears that Microsoft
> has really missed the boat on this. WHY would they include new GPO-based
> features for wireless but not wired interfaces???
>
> Does anyone know of a tool/script that configures Authentication settings of
> an interface?
>
> Thanks
>
> - Lee
 

lee

Archived from groups: microsoft.public.security,microsoft.public.win2000.networking,microsoft.public.windowsxp.security_admin,microsoft.public.windowsxp.wmi

Steve -

Thanks for the post but...
I have read your mantra in many other posts.

Maybe your comments would benefit others, but I would appreciate it if you
tried to answer the question. The bottom line is that I have not seen any
high-level interfaces that automate the configuration of wired 802.1x on XP.
So if you have something to contribute in THAT regard, it would be greatly
appreciated.

Please don't presume to know what the customer wants. We are looking for
security IN DEPTH - you know, the multiple layers thing? 802.1x and IPSec
will coexist in my environment... which in this case is military.

- Lee

"Steve Clark [MSFT]" wrote:

> We didn't miss the boat...
>
> 802.1x is not the answer here: IPsec transport mode is. IPsec works fine
> *with* 802.1x, but 802.1x will not provide end to end protection of
> anything.
>
> IPsec will provide authentication, nonrepudiation, and confidentiality.
>
> When you look at the majority of threats that these 2 technologies are
> designed to protect an enterprise from, IPsec is the hands-down winner.
>
>
>
> "Lee" <Lee@discussions.microsoft.com> wrote in message
> news:BA5A5DA7-DDBC-42CE-99E9-3539DCD89663@microsoft.com...
> > Greetings.
> >
> > I have been researching this for some time and have not come up with a
> > solution.
> > Basically, I would like to configure the interface Authentication settings
> > across all clients to use PEAP, along with some other related adjustments.
> >
> > After downloading and installing Windows 2003 SP1, it appears that
> > Microsoft
> > has really missed the boat on this. WHY would they include new GPO-based
> > features for wireless but not wired interfaces???
> >
> > Does anyone know of a tool/script that configures Authentication settings
> > of
> > an interface?
> >
> > Thanks
> >
> > - Lee
>
>
>
 
Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.networking,microsoft.public.windowsxp.security_admin,microsoft.public.windowsxp.wmi

I have answered your question before: the only high-level interface that
exists is the GUI.

I disagree with your "in depth" approach. I saw an "in depth" approach
implementing HTTP over SSL over SSH over IPsec (on a private MPLS
network) - big overhead with very questionable security benefit.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Lee" <Lee@discussions.microsoft.com> wrote in message
news:58558A50-02D6-484F-8694-48A0CA211CFD@microsoft.com...
> Steve -
>
> Thanks for the post but...
> I have read your mantra in many other posts.
>
> Maybe your comments would benefit others, but I would appreciate it if you
> tried to answer the question. The bottom line is that I have not seen any
> high-level interfaces that automate the configuration of wired 802.1x on XP.
> So if you have something to contribute in THAT regard, it would be greatly
> appreciated.
>