Can we do without user authentication?


Setting up a WLAN of 250+ laptops - all Windows XP SP1.
Using 2003 Enterprise to auto-enroll certificates for machines (+ maybe users?)
60+ Cisco 1200 APs using EAP-TLS for authentication.

We need a system that is:
a) Totally transparent to end-users
(i.e. logging onto the WLAN is the same as logging onto the wired LAN)
b) Secure and not easily hacked
(we are a high school so we don't need defense-grade security, but we do
want to take all due care and do better than static WEP)
c) Easy to administer through AD (we can't possibly manage certificates
manually)

After a bit of experimentation and a lot of swearing we have set up one AP +
IAS + two laptops to use EAP-TLS. We started off by requiring computer +
user certificate authentication, but this was a real headache (especially
getting all the users' certificates on to the laptops they *might* log on
to) and very slow (due to the re-authentication when a user logs on).
So we just found the setting in AD to require computer authentication *all*
the time.
This works much more reliably, but (here's the question)

what are we giving up?

Realistically, what downsides can anyone see by only requiring the laptop to
authenticate itself using its own certificate (and presumably then getting a
secure WEP channel established) over which the user can then authenticate
with the standard domain username & password, just like they do with a wired
logon? Isn't the level of encryption the same anyway? What would we gain for
all the hassle of requiring user certificates (2000+) as well?

Any comments? Any big holes here?

Regards
Al Blake, Canberra, Australia
  1.

    I had thought about this too when setting up my environment and it sounds
    reasonable to me. Since the machine has to have a computer certificate that
    you provided, only those computers will be able to connect to the wireless
    network.

    Jeff


    "Al Blake" <al@blakes.net> wrote in message
    news:%23PF8w$qqEHA.1576@TK2MSFTNGP12.phx.gbl...
  2.

    Hey Jeff,
    Good to hear from you again.
    Seems to me that setting up a user certificate infrastructure that we don't
    need, which will be continuously issuing 1000s of certs, is an extra
    complication if we can do without it. The machine certs will be fairly
    static as we don't buy new laptops that often :(

    Do you know how the WEP encryption is established when you use EAP-TLS? I
    have got mine working and haven't had to input WEP keys (not practical on
    hundreds of machines)... but I would like to know how the AP and client
    decide what WEP key to use?
    Is it randomly generated once the certificate has been verified?

    Anyone?

    Al.


    "Jeff Durham" <jdurham.outdoor.life@cinci.rr.com> wrote in message
    news:e9IssvxqEHA.332@TK2MSFTNGP14.phx.gbl...
  3.

    Hi Al,

    Once 802.1X authentication has completed the AP will send a WEP key to the
    802.1X supplicant (i.e. the laptop). It is randomly generated by the AP. I'm
    pretty sure that the AP is not basing the WEP key generated on any
    information contained within the certificate.

    In answer to your original question concerning user authentication and
    certificates, have you considered using PEAP-MSCHAPv2 instead of EAP-TLS?
    PEAP-MSCHAPv2 should enable you to do user authentication without having to
    have all the users' certs on the laptop.

    Chris Gual [MSFT]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Al Blake" <al@blakes.net> wrote in message
    news:uiHXCdyqEHA.3712@TK2MSFTNGP15.phx.gbl...
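The key hand-off Chris describes, as an added worked example that is not from this thread or from any vendor: the AP wraps a randomly chosen WEP key in an 802.1X-2001 EAPOL-Key "RC4 Key Descriptor", and the supplicant verifies the HMAC-MD5 signature before unwrapping it. The field layout, the split of the 64-byte EAP master session key into wrapping key (MS-MPPE-Recv-Key) and signing key (MS-MPPE-Send-Key), and the 256-byte RC4 keystream discard are from my recollection of the standard and of hostapd's implementation, so treat them as assumptions; the MSK and key values are constructed.

```python
import hashlib
import hmac
import os
import struct

EAPOL_VERSION = 1      # 802.1X-2001
EAPOL_TYPE_KEY = 3     # EAPOL-Key packet type
DESCRIPTOR_RC4 = 1     # "RC4 Key Descriptor" used for dynamic WEP
UNICAST_FLAG = 0x80    # bit 7 of the key-index byte: set for a unicast key


def rc4(key: bytes, data: bytes, skip: int = 0) -> bytes:
    """Textbook RC4; `skip` discards the first N keystream bytes before use."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for n in range(skip + len(data)):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= skip:
            out.append(data[n - skip] ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_eapol_key(msk: bytes, wep_key: bytes, replay: int,
                    index: int = 0, iv: bytes = b"") -> bytes:
    """AP side: wrap `wep_key` in a signed EAPOL-Key RC4 descriptor.
    msk: the 64-byte EAP master session key both ends derive from the TLS
    handshake. Assumed split: bytes 0-31 (MPPE-Recv-Key) = RC4 wrapping key,
    bytes 32-63 (MPPE-Send-Key) = HMAC-MD5 signing key.
    """
    enc_key, sign_key = msk[:32], msk[32:64]
    iv = iv or os.urandom(16)
    # WEP key is RC4-encrypted under IV || enc_key after a 256-byte discard.
    wrapped = rc4(iv + enc_key, wep_key, skip=256)
    body = struct.pack("!BHQ16sB", DESCRIPTOR_RC4, len(wep_key), replay, iv,
                       index | UNICAST_FLAG) + b"\x00" * 16 + wrapped
    hdr = struct.pack("!BBH", EAPOL_VERSION, EAPOL_TYPE_KEY, len(body))
    sig = hmac.new(sign_key, hdr + body, hashlib.md5).digest()  # over zeroed sig
    return hdr + body[:28] + sig + body[44:]


def parse_eapol_key(msk: bytes, frame: bytes) -> tuple:
    """Supplicant side: verify the signature, then return (index, replay, key).
    Raises ValueError instead of installing a key from a frame that was not
    signed under this session's MSK (spoofed AP, other session, tampering).
    """
    enc_key, sign_key = msk[:32], msk[32:64]
    ver, typ, length = struct.unpack("!BBH", frame[:4])
    if (ver, typ) != (EAPOL_VERSION, EAPOL_TYPE_KEY) or length != len(frame) - 4:
        raise ValueError("not an EAPOL-Key frame")
    desc, key_len, replay, iv, idx = struct.unpack("!BHQ16sB", frame[4:32])
    if desc != DESCRIPTOR_RC4:
        raise ValueError("unsupported key descriptor")
    sig, wrapped = frame[32:48], frame[48:]
    expected = hmac.new(sign_key, frame[:32] + b"\x00" * 16 + wrapped,
                        hashlib.md5).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad key signature")
    wep_key = rc4(iv + enc_key, wrapped, skip=256)
    if len(wep_key) != key_len:
        raise ValueError("key length mismatch")
    return idx & 0x7F, replay, wep_key


def accepts(msk: bytes, frame: bytes) -> bool:
    """True if a supplicant holding `msk` would install the key in `frame`."""
    try:
        parse_eapol_key(msk, frame)
        return True
    except ValueError:
        return False
```

Both the wrapping key and the signing key come from the TLS session rather than from the certificate, so the WEP key carries nothing certificate-derived, and a frame signed under another session's MSK (or altered in transit) is rejected before any key is installed.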
  4.

    Thanks for the feedback Chris,
    No, we haven't considered PEAP-MSChapv2, but why would we want to?
    I mean the user has to log in using their domain username and password anyway
    (just like on the wire) and if we have already authenticated the machine
    (using PEAP-TLS) and we are encrypting the channel so that hopefully no-one
    can steal the logon info off the WLAN, then what additional benefit would we
    achieve over using PEAP-TLS just to validate the machine?

    I may be missing something here?
    Also, if we were to consider PEAP-MSChapv2, would the user have to re-logon
    for the wireless (i.e. a secondary logon)? That would be total overkill for
    some of our users who can only just about log on once ;)

    Al.


    "Chris Gual [MSFT]" <cgual@online.microsoft.com> wrote in message
    news:eCPWTPArEHA.4008@TK2MSFTNGP14.phx.gbl...
  5.

    Hi Al,

    If you use just machine authentication with 802.1X (with any EAP type),
    anyone logged into the machine can access the wireless network. This
    includes accounts which are local to the machine and are not domain
    accounts. It also means that, as a domain administrator, you will be
    able to control access to the wireless network on a machine basis rather
    than a user basis (i.e. you can deny access to the network to machine1, but
    not to user1). If this type of authentication control is sufficient, then you
    could use either EAP-TLS, PEAP-MSCHAPv2 or PEAP-TLS as EAP types. Both TLS
    types use certificates to authenticate, but MSCHAPv2 uses a
    username/password to authenticate.

    If you use user authentication with 802.1X (with any EAP type) then only
    users who are allowed remote access by the IAS / domain controller will be
    able to access the wireless network. You could conceivably allow someone to
    log in and use a machine without letting them onto the network. Using a
    certificate-based approach (EAP-TLS or PEAP-TLS) would require that each
    user have a certificate on the machine in order to access the network.
    PEAP-MSCHAPv2 would just use a username/password, and by default it is
    configured to automatically use the same username/password used to log in
    to the domain for 802.1X authentication.

    So, either method might work for you. I just wanted to let you know
    that it was possible to do user authentication without having certs on all
    the machines.

    Chris Gual [MSFT]
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Al Blake" <al@removethistext.blakes.net> wrote in message
    news:u%23whLD1rEHA.3728@TK2MSFTNGP09.phx.gbl...