Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Radius and User Certs instead of Workstation Certs

  • 1.  Radius and User Certs instead of Workstation Certs

    Posted Dec 14, 2011 11:33 AM

    Windows Server 2003 is the CA and has IAS installed with a cert.  The default domain policy has auto cert enrollment configured for BOTH users and workstations.

     

    On Windows 7, my policy looks like this.

     

    WPA2-Enterprise

    AES

    Protected EAP (PEAP)

    Validate Server Cert is CHECKED

    Authentication Method is MS-CHAPv2 - Fast Reconnect (on client and server)

    Automatically use Domain Credentials selected

     

    Under Advanced Settings I can do either User Auth or Computer Auth, or leave it blank.

     

    RADIUS policy has MS-CHAP, and PEAP as the EAP option.

    Also doing Domain Computers; Domain Users grant access.

     

    Everything here works.  

     

     

    Question 1.  This method is strictly using PEAP/MS-CHAPv2, correct?

    Question 2.  The certificates I have on the computer for the user and workstation, are they even taken into account for this process?  If so, in what fashion?  If I uncheck Validate Server Certificate, I can still authenticate just fine.  What benefit do I gain if I use Validate Server Cert?

     

    Question 3.  If I change the Authentication Method to Smart Card or Cert, and use the Simple Method for selecting certs, it does not allow me to connect.

     

    I'm trying to discern all the different RADIUS options out there.  Can anyone shed some light?

     

    I want to fully understand all of the different settings and options available.

    Thanks.



  • 2.  RE: Radius and User Certs instead of Workstation Certs

    Posted Dec 14, 2011 11:39 AM

    Follow up - If I change everything to Smart Card or Cert and choose workstation authentication, I can connect because I have a machine cert...  RADIUS reports an EAP-type connection, not PEAP.

     

    When I do user authentication it doesn't connect and says

    Policy-Name = Wireless Access
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 22
    Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

     

    ???

    Can you not connect with a User Cert that I requested from the CA?



  • 3.  RE: Radius and User Certs instead of Workstation Certs

    EMPLOYEE
    Posted Dec 14, 2011 02:28 PM

    @dtreff@yellowdognetworks.com wrote:

    Follow up - If I change everything to Smart Card or Cert and choose workstation authentication, I can connect because I have a machine cert...  RADIUS reports an EAP-type connection, not PEAP.

     

    When I do user authentication it doesn't connect and says

    Policy-Name = Wireless Access
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 22
    Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

     

    ???

    Can you not connect with a User Cert that I requested from the CA?


    User Certs are located in the user store and machine certs are located in the machine store.  From that error, it looks like you do not have a user certificate for that computer.

     



  • 4.  RE: Radius and User Certs instead of Workstation Certs

    EMPLOYEE
    Posted Dec 14, 2011 02:26 PM

    @dtreff@yellowdognetworks.com wrote:

    Windows Server 2003 is the CA and has IAS installed with a cert.  The default domain policy has auto cert enrollment configured for BOTH users and workstations.

     

    On Windows 7, my policy looks like this.

     

    WPA2-Enterprise

    AES

    Protected EAP (PEAP)

    Validate Server Cert is CHECKED

    Authentication Method is MS-CHAPv2 - Fast Reconnect (on client and server)

    Automatically use Domain Credentials selected

     

    Under Advanced Settings I can do either User Auth or Computer Auth, or leave it blank.

     

    RADIUS policy has MS-CHAP, and PEAP as the EAP option.

    Also doing Domain Computers; Domain Users grant access.

     

    Everything here works.  

     

     

    Question 1.  This method is strictly using PEAP/MS-CHAPv2, correct?

    Question 2.  The certificates I have on the computer for the user and workstation, are they even taken into account for this process?  If so, in what fashion?  If I uncheck Validate Server Certificate, I can still authenticate just fine.  What benefit do I gain if I use Validate Server Cert?

     

    Question 3.  If I change the Authentication Method to Smart Card or Cert, and use the Simple Method for selecting certs, it does not allow me to connect.

     

    I'm trying to discern all the different RADIUS options out there.  Can anyone shed some light?

     

    I want to fully understand all of the different settings and options available.

    Thanks.


    2 - If you are using Protected EAP (PEAP), the client only requires a username and password to be submitted to the RADIUS server.  The certificates on the client side that are used are the certificates of the RADIUS server's Certificate Authority.  Those certificates are ONLY used by the clients to determine whether to trust the RADIUS server (mutual authentication).  If you have Validate Server Certificate checked, the client will only allow connections to RADIUS servers that have a CA certificate in the list.  If you have individual CAs checked off, it will only allow connections to RADIUS servers that have certificates from those specific CAs.  If "Validate" is not checked, the client does not care what CA the RADIUS server's certificate comes from, even though it will still ask you to accept it.  Validate Server Certificate exists so that the client will not connect to a rogue network, but only to a network that has a server cert from a CA that it trusts.

     

    3.  Smart Card or Certificate requires a client-side certificate, which is distributed through a CA, either manually or automatically.  The RADIUS server needs a corresponding remote access policy that has the "Smartcard or Certificate" option enabled to allow that client to connect.  The client either does not have a client-side certificate, OR your RADIUS server does not have a remote access policy that has "Smartcard or Certificate" enabled.

     

    This method of connection is known as EAP-TLS (http://en.wikipedia.org/wiki/EAP-TLS#EAP-TLS).
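    One way to check the client side of point 3, and of the earlier reply that user certs live in the user store while machine certs live in the machine store, is the PowerShell below. It is an added example, not code from the thread or from HPE Aruba. It assumes the user certificate is expected in Cert:\CurrentUser\My (User authentication) and the machine certificate in Cert:\LocalMachine\My (Computer authentication), each carrying the Client Authentication EKU with a private key, and it builds each candidate's chain the way the supplicant would, so a certificate that is present but chains to an untrusted CA is reported instead of being mistaken for a missing remote access policy on the IAS side.

```powershell
# Added example (not from the thread): find certificates usable for EAP-TLS in the
# user store and the machine store, and verify that each one chains to a trusted root.
# Assumptions: a user cert is expected in Cert:\CurrentUser\My, a machine cert in
# Cert:\LocalMachine\My; both need the Client Authentication EKU and a private key.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-EapTlsCandidate {
    param([Parameter(Mandatory=$true)][string]$StorePath)

    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
        } |
        ForEach-Object {
            # Build the chain the supplicant would build. A cert that is present but
            # does not chain to a trusted root is still unusable for EAP-TLS.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($_)
            $chainError = ''
            if (-not $chainOk) {
                $chainError = ($chain.ChainStatus |
                    ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            }
            New-Object PSObject -Property @{
                Store      = $StorePath
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                Expires    = $_.NotAfter
                ChainValid = $chainOk
                ChainError = $chainError
            }
        }
}

$userCerts    = @(Get-EapTlsCandidate -StorePath 'Cert:\CurrentUser\My')
$machineCerts = @(Get-EapTlsCandidate -StorePath 'Cert:\LocalMachine\My')

$userCerts + $machineCerts |
    Format-Table Store, Subject, Issuer, ChainValid, ChainError -AutoSize

if ($userCerts.Count -eq 0) {
    # This is the state behind the Reason-Code 22 log entry quoted in the thread:
    # User authentication was selected but the user store has nothing to offer.
    Write-Warning 'No usable user certificate: EAP-TLS with User authentication will fail.'
}
if ($machineCerts.Count -eq 0) {
    Write-Warning 'No usable machine certificate: EAP-TLS with Computer authentication will fail.'
}
```

    Run it in the session of the user who will authenticate, since Cert:\CurrentUser\My is per user; inspecting private keys in the machine store is more reliable from an elevated prompt. A candidate with ChainValid false points at the CA trust on the client, while no candidate at all points at enrollment, which matches the user-versus-computer autoenrollment distinction made later in the thread.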



  • 5.  RE: Radius and User Certs instead of Workstation Certs

    Posted Dec 15, 2011 03:59 PM

    I understand that it's called EAP-TLS.  I'm only able to get that working with a workstation cert.  Is something special needed for user certs?



  • 6.  RE: Radius and User Certs instead of Workstation Certs

    EMPLOYEE
    Posted Dec 15, 2011 06:02 PM

    You can configure autoenrollment to get this pushed via group policy, but you need to do it for users, as opposed to computers.

     

    Configure Certificate Autoenrollment for computers and users via GPO:  http://technet.microsoft.com/en-us/library/cc731522.aspx



  • 7.  RE: Radius and User Certs instead of Workstation Certs

    Posted Jan 05, 2012 12:49 PM

    My apologies for reviving this thread, but I was wondering if there is a functional difference between using machine certificates or user certificates for EAP from a security perspective.  We are in the process of testing EAP-TLS auth for WLAN access for laptops and a few iPads.  The first round of testing involved using machine certificates requested from the IAS server using the MMC from the laptop (wired connection).  This appears to work well, as we can use security groups on the domain to assign the appropriate VLAN (we are heavily segmented internally).

     

    Going a bit off topic here, but do we need to be concerned about using any specific value for the common name when manually issuing certificates from IAS for use on iPads?

     

    Thanks for any and all feedback.

     

    David

     



  • 8.  RE: Radius and User Certs instead of Workstation Certs

    EMPLOYEE
    Posted Jan 06, 2012 02:02 PM

    @delonm wrote:

    My apologies for reviving this thread, but I was wondering if there is a functional difference between using machine certificates or user certificates for EAP from a security perspective.  We are in the process of testing EAP-TLS auth for WLAN access for laptops and a few iPads.  The first round of testing involved using machine certificates requested from the IAS server using the MMC from the laptop (wired connection).  This appears to work well, as we can use security groups on the domain to assign the appropriate VLAN (we are heavily segmented internally).

     

    Going a bit off topic here, but do we need to be concerned about using any specific value for the common name when manually issuing certificates from IAS for use on iPads?

     

    Thanks for any and all feedback.

     

    David

     


    You can certainly use an autoenrollment group policy to distribute certificates automatically to Windows machines that are part of the domain, and the common name will be automatically generated and will not be a problem for you.  You are doing it manually now, but autoenrollment is the way that Active Directory distributes certificates to simplify enrollment and to eliminate errors.

     

    If you are using machine certificates and not distributing user certificates, you need to configure your clients to do 802.1X with MACHINE-only authentication so that the wireless supplicant is ONLY looking for a machine certificate.  This provides good security, because only devices that received a certificate will be allowed on the network; a user is STILL required to provide valid credentials to get into the computer and to any other network resources.

     

    If you have wireless using machine AND user certificates, you could have an issue where, if a device is wireless but a user has never logged into the machine, the user does not have a certificate, so he might have to log in to the computer at least once wired to get that certificate to connect to the WLAN.

     

    Wrapping up, deploying with autoenrollment to distribute certificates is a best practice.  Deploying WLAN settings with a group policy for EAP-TLS for machine certificates only simplifies troubleshooting in that connectivity for the wireless device is only dependent on a single certificate.

     

     

    The common name is unremarkable.
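    To confirm on a client that the wireless profile really is machine-only EAP-TLS as recommended above, the PowerShell below is an added example, not code from the thread or from HPE Aruba. It assumes the profile was exported with `netsh wlan export profile` and inspects the OneX authMode and the EAP method type (13 is EAP-TLS, 25 is PEAP); the embedded profile XML is constructed to mirror that export format and deliberately leaves authMode at machineOrUser, which is the case where a user who has never logged on has no certificate to present.

```powershell
# Added example (not from the thread): check an exported Windows WLAN profile for the
# machine-only EAP-TLS settings described above. Assumption: the XML comes from
# "netsh wlan export profile name=<profile> folder=<dir>"; the sample below is
# constructed to match that layout and is not an export from a real system.

function Test-MachineOnlyEapTlsProfile {
    param([Parameter(Mandatory=$true)][xml]$Profile)

    $security = $Profile.WLANProfile.MSM.security
    $oneX     = $security.OneX
    $eapType  = $oneX.EAPConfig.EapHostConfig.EapMethod.Type

    # authMode is optional in the OneX schema; when it is absent the supplicant
    # defaults to machineOrUser, which reintroduces the "never logged on" problem.
    $authMode = if ($oneX.authMode) { $oneX.authMode } else { 'machineOrUser (default)' }

    $findings = @()
    if ($security.authEncryption.useOneX -ne 'true') {
        $findings += '802.1X is not enabled on this profile'
    }
    if ($eapType -ne '13') {
        $findings += "EAP method type is $eapType, expected 13 (EAP-TLS)"
    }
    if ($oneX.authMode -ne 'machine') {
        $findings += "authMode is '$authMode', expected 'machine'"
    }

    New-Object PSObject -Property @{
        Profile   = $Profile.WLANProfile.name
        EapType   = $eapType
        AuthMode  = $authMode
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Constructed sample: EAP-TLS (type 13) but authMode left at machineOrUser.
[xml]$sample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWLAN</name>
  <SSIDConfig><SSID><name>CorpWLAN</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </EapMethod>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
'@

# Reports Compliant = False with the authMode finding for the constructed sample.
Test-MachineOnlyEapTlsProfile -Profile $sample | Format-List Profile, EapType, AuthMode, Compliant, Findings
```

    Against a real export, load the file with `[xml](Get-Content .\Wi-Fi-CorpWLAN.xml)` and pass it in the same way. A profile pushed by the group policy mentioned above should come back with authMode machine and type 13; anything else means the supplicant may still try a user certificate the user has not yet received.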