Setting up a WLAN of 250+ laptops - all Windows XP SP1.
Using 2003 Enterprise to auto-enroll certificates for machines (+ maybe
users?)
60+ Cisco 1200 APs using EAP-TLS for authentication.
We need a system that is:
a) Totally transparent to end-users
(i.e. logging onto the WLAN is the same as logging onto the wired LAN)
b) Secure and not easily hacked
(we are a high school so we don't need defense-grade security, but we do
want to take all due care and do better than static WEP)
c) Easy to administer through AD (we can't possibly manage certificates
manually)
After a bit of experimentation and a lot of swearing we have set up one AP +
IAS + two laptops to use EAP-TLS. We started off by requiring computer +
user certificate authentication, but this was a real headache - especially
getting all the users' certificates onto the laptops they *might* log on
to - and very slow (due to the re-authentication when a user logs on).
So we just found the setting in AD to require computer authentication *all*
the time.
This works much more reliably, but (here's the question)
what are we giving up?
Realistically, what downsides can anyone see in only requiring the laptop to
authenticate itself using its own certificate (and presumably then getting a
secure WEP channel established) over which the user can then authenticate
with the standard domain username & password, just like they do with a wired
logon? Isn't the level of encryption the same anyway? What would we gain for
all the hassle of requiring user certificates (2000+) as well?
Any comments? Any big holes here?
Regards
Al Blake, Canberra, Australia
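For reference, the "computer authentication all the time" choice described in the post corresponds, on Windows Vista and later, to the authMode element of a WLAN profile's OneX block. The profile below is an added example written for this page, not something from the original poster or from Microsoft's documentation; it assumes a hypothetical SSID "SchoolWLAN", EAP type 13 (EAP-TLS) with the machine certificate taken from the local certificate store, and WPA2/AES rather than the dynamic WEP the post mentions. On XP SP1 the equivalent switch is the Group Policy wireless setting "Authenticate as computer when computer information is available", which this XML format does not cover.

```xml
<?xml version="1.0"?>
<!-- Added example profile: machine-only EAP-TLS. Change authMode to
     machineOrUser to get the behaviour the poster found slow (machine
     auth at boot, then a second EAP-TLS exchange with the user cert at logon),
     or to user to require a user certificate only. -->
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SchoolWLAN</name>
  <SSIDConfig>
    <SSID>
      <name>SchoolWLAN</name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <!-- machine | machineOrUser | user -->
        <authMode>machine</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"
                         xmlns:eapCommon="http://www.microsoft.com/provisioning/EapCommon">
            <EapMethod>
              <!-- 13 = EAP-TLS -->
              <eapCommon:Type>13</eapCommon:Type>
              <eapCommon:AuthorId>0</eapCommon:AuthorId>
            </EapMethod>
            <Config xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"
                    xmlns:eapTls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
              <baseEap:Eap>
                <baseEap:Type>13</baseEap:Type>
                <eapTls:EapType>
                  <!-- Use the auto-enrolled certificate from the local store,
                       not a smart card -->
                  <eapTls:CredentialsSource>
                    <eapTls:CertificateStore />
                  </eapTls:CredentialsSource>
                </eapTls:EapType>
              </baseEap:Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
```

Load it with `netsh wlan add profile filename="SchoolWLAN.xml"` and confirm the mode that actually took effect with `netsh wlan show profile name="SchoolWLAN"`, which lists the 802.1X authentication mode. With authMode set to machine, the user's domain logon then rides over the already-established link, exactly as the post describes, and the user is never presented with a certificate prompt.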