802.1x authentication

Guest
Archived from groups: microsoft.public.windows.networking.wireless

Hi,

I'm setting up a wireless network. I have a Cisco 350 series AP and am going to
use the Windows Server 2003 IAS as the RADIUS server. I would like to
control the client based on the MAC address and the Active Directory user
logon. The IAS server is a member of the AD. I have installed a standalone
certificate server on the IAS server. On the Cisco AP, I have checked the
EAP, MAC and USER authentication for RADIUS security settings. The questions:

1) How do I control the users based on the MAC address and the logon without
using any certificates?
2) If with certificates, how do I do that?
3) In the IAS, what authentication type am I supposed to use for
questions no. (1) and (2)?

Thank you.

Rgrds,
Zul
 
Guest

It looks like you have done some interesting stuff.

1. Forget about MAC authentication. It is of no real value.
2. You need to decide whether you want users to authenticate with a
certificate or a username and password.
3. Make sure the IAS server has been authorized in AD.

If clients will use certificates, you need to:
1. Uninstall the CA and make it an Enterprise CA.
2. Issue user certs to the clients.
3. Set up a policy for EAP-TLS in IAS.

If you use passwords:
1. Make sure your IAS server has a certificate in its local machine store
that is valid for server authentication.
2. Set up a policy using PEAP with passwords in IAS.

I hope that gets you started.


Cheers

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Zul J" <mlist@istar.com.my> wrote in message
news:O7gFsG6gFHA.3436@tk2msftngp13.phx.gbl...
> Hi,
>
> I'm setting up a wireless network. I have a Cisco 350 series AP and am going
> to use the Windows Server 2003 IAS as the RADIUS server. I would like to
> control the client based on the MAC address and the Active Directory user
> logon. The IAS server is a member of the AD. I have installed a standalone
> certificate server on the IAS server. On the Cisco AP, I have checked the
> EAP, MAC and USER authentication for RADIUS security settings. The
> questions:
>
> 1) How do I control the users based on the MAC address and the logon
> without using any certificates?
> 2) If with certificates, how do I do that?
> 3) In the IAS, what authentication type am I supposed to use for
> questions no. (1) and (2)?
>
> Thank you.
>
> Rgrds,
> Zul
>
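
A check for step 1 of the password (PEAP) path in the reply above, as an added example that is not part of the thread. It assumes PowerShell is installed on the IAS server; the function name is hypothetical, and treating a certificate with no EKU extension as unusable is an assumption of this sketch.

```powershell
# Added example: report which certificates in the local machine store
# are usable for server authentication by the IAS server (PEAP).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-ServerAuthCertificate {   # hypothetical helper name
    param($Certificate)

    $now = Get-Date
    $problems = @()
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }
    if ($now -lt $Certificate.NotBefore)  { $problems += 'not yet valid' }
    if ($now -gt $Certificate.NotAfter)   { $problems += 'expired' }

    # Find the Enhanced Key Usage extension, if the certificate has one.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) {
        # Assumption: no EKU extension is reported as a problem.
        $problems += 'no EKU extension'
    } elseif (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -notcontains $ServerAuthOid) {
        $problems += 'EKU lacks Server Authentication'
    }

    # Build the chain to a trusted root; revocation is skipped so the
    # check also works on a server with no path to the CRL location.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Certificate)) { $problems += 'chain not trusted' }

    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Local machine "Personal" store, where the server certificate lives.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerAuthCertificate $_ } |
    Format-List Subject, Thumbprint, NotAfter, Usable, Problems
```

If no entry reports `Usable : True`, the PEAP policy has no certificate it can present to clients.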
 
Guest

Take a look at
ftp://symstore.longisland.com/Symstore/techpubs/manuals/wireless/pdf/142I-WPA_Win_XP_IAS_v1.pdf
to use a PEAP authentication scheme.
---
Jeffrey Randow (Windows Networking MVP)
jeffreyr-support@remotenetworktechnology.com
http://www.networkblog.net (My Networking Blog)
http://www.remotenetworktechnology.com (Support Site)

On Fri, 8 Jul 2005 17:46:59 +0800, "Zul J" <mlist@istar.com.my> wrote:

>Hi,
>
>I'm setting up a wireless network. I have a Cisco 350 series AP and am going to
>use the Windows Server 2003 IAS as the RADIUS server. I would like to
>control the client based on the MAC address and the Active Directory user
>logon. The IAS server is a member of the AD. I have installed a standalone
>certificate server on the IAS server. On the Cisco AP, I have checked the
>EAP, MAC and USER authentication for RADIUS security settings. The questions:
>
>1) How do I control the users based on the MAC address and the logon without
>using any certificates?
>2) If with certificates, how do I do that?
>3) In the IAS, what authentication type am I supposed to use for
>questions no. (1) and (2)?
>
>Thank you.
>
>Rgrds,
>Zul
>
 
Guest

Hi,

Can I have both, authenticate with a certificate and a username/password?
In other words, the client must have the certificate installed and must
log in with the username/password to have access.

Thanks.

Rgrds,
Zul

"Mark Gamache" <mark.gamache@css-security.com.nospam> wrote in message
news:OgTBsw%23gFHA.1148@TK2MSFTNGP12.phx.gbl...
> It looks like you have done some interesting stuff.
>
> 1. Forget about MAC authentication. It is of no real value.
> 2. You need to decide whether you want users to authenticate with a
> certificate or a username and password.
> 3. Make sure the IAS server has been authorized in AD.
>
> If clients will use certificates, you need to:
> 1. Uninstall the CA and make it an Enterprise CA.
> 2. Issue user certs to the clients.
> 3. Set up a policy for EAP-TLS in IAS.
>
> If you use passwords:
> 1. Make sure your IAS server has a certificate in its local machine store
> that is valid for server authentication.
> 2. Set up a policy using PEAP with passwords in IAS.
>
> I hope that gets you started.
>
>
> Cheers
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com
 
Guest

Hi,

I found one article on the Microsoft site related to using a certificate:

http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_0.mspx

but it is more for those users who are members of the AD domain (using a
group policy); most of our notebook or wireless clients are standalone
users.

Rgrds,
Zul


"Zul J" <mlist@istar.com.my> wrote in message
news:O7gFsG6gFHA.3436@tk2msftngp13.phx.gbl...
> Hi,
>
> I'm setting up a wireless network. I have a Cisco 350 series AP and am going
> to use the Windows Server 2003 IAS as the RADIUS server. I would like to
> control the client based on the MAC address and the Active Directory user
> logon. The IAS server is a member of the AD. I have installed a standalone
> certificate server on the IAS server. On the Cisco AP, I have checked the
> EAP, MAC and USER authentication for RADIUS security settings. The
> questions:
>
> 1) How do I control the users based on the MAC address and the logon
> without using any certificates?
> 2) If with certificates, how do I do that?
> 3) In the IAS, what authentication type am I supposed to use for
> questions no. (1) and (2)?
>
> Thank you.
>
> Rgrds,
> Zul
>
 
Guest

If you use L2TP/IPSec then you can use a computer cert to create the IPSec
connection and then username and password to authenticate the user.

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



"Zul J" <mlist@istar.com.my> wrote in message
news:O%23rWfEdhFHA.1372@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> Can I have both, authenticate with a certificate and a username/password?
> In other words, the client must have the certificate installed and must
> log in with the username/password to have access.
>
> Thanks.
>
> Rgrds,
> Zul
 
Guest

Thanks...

"Mark Gamache" <mark.gamache@css-security.com.nospam> wrote in message
news:OgeFvSmhFHA.1164@TK2MSFTNGP10.phx.gbl...
> If you use L2TP/IPSec then you can use a computer cert to create the IPSec
> connection and then username and password to authenticate the user.
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com