Occasional Contributor II
Posts: 21
Registered: ‎04-13-2009

Radius and User Certs instead of Workstation Certs

Windows Server 2003 - Is the CA, has IAS installed with a Cert.    Default domain policy has auto cert enrollment configured for BOTH users and workstations.

 

On Windows 7, my policy looks like this.

 

WPA2-Enterprise

AES

Protected Peap

Validate Server Cert is CHECKED

Authentication Method is MS-CHAPv2 - Fast Reconnect (on client and server)

Automatically use Domain Credentials selected

 

Under Advanced Settings - I can do either User Auth or Computer Auth or Leave it blank.  

 

Radius Policy has MSCHAP, and Peap as the EAP Option.

Also doing Domain Computers; Domain Users grant access.

 

Everything here works.  

 

 

Question 1.  This method is strictly using PEAP/MS-CHAPv2. - Correct

Question 2.  The certificates I have on the computer for the user and workstation, are they even taken into account for this process?  If so, in what fashion?    If I uncheck Validate Server Certificate, I can still authenticate just fine.  What benefit do I gain if I use Validate Server Cert?

 

Question 3.   If I change the Authentication Method to Smart Card or Cert, and use the Simple Method for selecting Certs, it does not allow me to connect.

 

I'm trying to discern all the different radius options out there.   Can anyone shed some light?

 

I want to fully understand all of the different settings and options available.

Thanks.


Occasional Contributor II
Posts: 21
Registered: ‎04-13-2009

Re: Radius and User Certs instead of Workstation Certs

Follow up - If I change everything to Smart-Card or Cert and choose workstation authentication I can connect because I have a machine cert...  radius reports EAP type connection not PEAP.

 

When I do user authentication it doesn't connect and says

Policy-Name = Wireless Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

 

???

Can you not connect with a User Cert that I requested from the CA?

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Radius and User Certs instead of Workstation Certs


dtreff@yellowdognetworks.com wrote:

Windows Server 2003 - Is the CA, has IAS installed with a Cert.    Default domain policy has auto cert enrollment configured for BOTH users and workstations.

 

On Windows 7, my policy looks like this.

 

WPA2-Enterprise

AES

Protected Peap

Validate Server Cert is CHECKED

Authentication Method is MS-CHAPv2 - Fast Reconnect (on client and server)

Automatically use Domain Credentials selected

 

Under Advanced Settings - I can do either User Auth or Computer Auth or Leave it blank.  

 

Radius Policy has MSCHAP, and Peap as the EAP Option.

Also doing Domain Computers; Domain Users grant access.

 

Everything here works.  

 

 

Question 1.  This method is strictly using PEAP/MS-CHAPv2. - Correct

Question 2.  The certificates I have on the computer for the user and workstation, are they even taken into account for this process?  If so, in what fashion?    If I uncheck Validate Server Certificate, I can still authenticate just fine.  What benefit do I gain if I use Validate Server Cert?

 

Question 3.   If I change the Authentication Method to Smart Card or Cert, and use the Simple Method for selecting Certs, it does not allow me to connect.

 

I'm trying to discern all the different radius options out there.   Can anyone shed some light?

 

I want to fully understand all of the different settings and options available.

Thanks.


2 - If you are using Protected EAP (PEAP), the client only requires a username and password to be submitted to the radius server.  The Certificates on the client side that are used are the Certificates of the Radius server Certificate Authority.  Those certificates are ONLY used by the clients to determine if to trust the radius server (mutual authentication).  If you have Validate Server Certificate checked, that is so that the client will only allow connections to radius servers that have a CA certificate in the list.  If you have individual CAs checked off, it will only allow connections to radius servers that have certificates from those specific CAs checked off.  If "Validate" is not checked, the client does not care what CA the Radius server's certificate comes from, even though it will still ask you to accept it.  Validate Server Certificate exists so that the client will not connect to a rogue network, but only a network that has a server Cert from a CA that it trusts.

 

3.  Smart Card or Certificate requires a client-side certificate, which is distributed through a CA, either manually or automatically.  The Radius server needs a corresponding remote access policy that has the "Smartcard or Certificate" option enabled, to allow that client to connect.  The client either does not have a client-side certificate, OR your radius server does not have a remote access policy that has "Smartcard or Certificate" enabled.

 

This method of connection is known as EAP-TLS (http://en.wikipedia.org/wiki/EAP-TLS#EAP-TLS).



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Radius and User Certs instead of Workstation Certs


dtreff@yellowdognetworks.com wrote:

Follow up - If I change everything to Smart-Card or Cert and choose workstation authentication I can connect because I have a machine cert...  radius reports EAP type connection not PEAP.

 

When I do user authentication it doesn't connect and says

Policy-Name = Wireless Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

 

???

Can you not connect with a User Cert that I requested from the CA?


User Certs are located in the user store and machine certs are located in the machine store.  From that error, it looks like you do not have a user certificate for that computer.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
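The user-store versus machine-store distinction above is easy to verify from the client itself. The following PowerShell script is an added example, not from this thread or from Aruba: it lists certificates in each personal store that the Windows supplicant could present for EAP-TLS (valid, private key present, Client Authentication EKU or no EKU restriction), so a "works as machine, fails as user" result can be traced to an empty user store. Store paths and OIDs are standard; nothing else is assumed.

```powershell
# Added example (not from the thread): compare Cert:\CurrentUser\My and
# Cert:\LocalMachine\My for certificates usable as an EAP-TLS client credential.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ekuOid        = '2.5.29.37'           # Enhanced Key Usage extension
$sanOid        = '2.5.29.17'           # Subject Alternative Name (carries the UPN on user certs)

function Get-EapClientCert {
    param([Parameter(Mandatory)][string]$StorePath)   # e.g. Cert:\CurrentUser\My
    Get-ChildItem -Path $StorePath | Where-Object {
        $cert = $_
        if (-not $cert.HasPrivateKey -or $cert.NotAfter -le (Get-Date)) { return $false }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuOid }
        # No EKU extension means "any purpose"; otherwise Client Authentication must be listed
        if (-not $eku) { return $true }
        ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid
    } | ForEach-Object {
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $sanText = ''
        if ($san) { $sanText = $san.Format($false) }   # e.g. "Other Name:Principal Name=user@corp.example"
        [pscustomobject]@{
            Store      = $StorePath
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            SAN        = $sanText
        }
    }
}

$results = @()
foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    $certs = @(Get-EapClientCert -StorePath $store)
    if ($certs.Count -eq 0) {
        # Empty CurrentUser\My with a populated LocalMachine\My is the thread's symptom:
        # machine-cert EAP-TLS works, user-cert EAP-TLS fails with Reason-Code 22.
        Write-Warning "No usable client-authentication certificate in $store"
    }
    $results += $certs
}
$results | Format-Table Store, Subject, Issuer, NotAfter, SAN -AutoSize -Wrap
```

Run it as the user who will connect; private-key flags on LocalMachine certificates may only be readable from an elevated prompt. Once a user certificate template is assigned in the autoenrollment GPO, `certutil -pulse` triggers an enrollment pass without waiting for the next policy refresh.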

Occasional Contributor II
Posts: 21
Registered: ‎04-13-2009

Re: Radius and User Certs instead of Workstation Certs

I understand that it's called EAP-TLS.  I'm only able to get that working with a workstation cert.  Is something special needed for User certs?

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Radius and User Certs instead of Workstation Certs

[ Edited ]

You can configure autoenrollment to get this pushed via group policy but you need to do it for users, as opposed to computers.  

 

Configure Certificate Autoenrollment for computers and users via GPO:  http://technet.microsoft.com/en-us/library/cc731522.aspx



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎03-01-2011

Re: Radius and User Certs instead of Workstation Certs

My apologies for reviving this thread, but I was wondering if there is a functional difference between using machine certificates or users certificates for EAP from a security perspective.  We are in the process of testing EAP-TLS auth for WLAN access for laptops and a few iPads.  The first round of testing involved using machine certificates requested from the IAS server using the MMC from the laptop (wired connection).  This appears to work well as we can use security groups on the domain to assign the appropriate VLAN (we are heavily segmented internally). 

 

Going a bit off topic here, but do we need to be concerned about using any specific value for the common name when manually issuing certificates from IAS for use on iPads?

 

Thanks for any and all feedback.

 

David

 

Guru Elite
Posts: 21,291
Registered: ‎03-29-2007

Re: Radius and User Certs instead of Workstation Certs


delonm wrote:

My apologies for reviving this thread, but I was wondering if there is a functional difference between using machine certificates or users certificates for EAP from a security perspective.  We are in the process of testing EAP-TLS auth for WLAN access for laptops and a few iPads.  The first round of testing involved using machine certificates requested from the IAS server using the MMC from the laptop (wired connection).  This appears to work well as we can use security groups on the domain to assign the appropriate VLAN (we are heavily segmented internally). 

 

Going a bit off topic here, but do we need to be concerned about using any specific value for the common name when manually issuing certificates from IAS for use on iPads?

 

Thanks for any and all feedback.

 

David

 


You can certainly use an autoenrollment group policy to distribute certificates automatically to Windows machines that are part of the domain and the common name will be automatically generated and will not be a problem to you.  You are doing it manually now, but autoenrollment is the way that Active Directory distributes certificates to simplify enrollment and to eliminate errors.

 

If you are using Machine Certificates and Not distributing user certificates, you need to configure your clients to do 802.1x with MACHINE-only authentication so that the wireless supplicant is ONLY looking for a machine certificate.  This provides good security, because only devices that received a certificate will be allowed on the network; a user is STILL required to provide valid credentials to get into the computer and to any other network resources.

 

If you have wireless using Machine AND user certificates, you could have an issue where a device is wireless but a user has never logged into the machine: the user does not have a certificate, so he might have to log in to the computer at least once wired to get that certificate to connect to the WLAN.

 

Wrapping up, deploying with autoenrollment to distribute certificates is a best practice.  Deploying WLAN settings with a group policy for EAP-TLS for machine certificates only simplifies troubleshooting in that connectivity for the wireless device is only dependent on a single certificate.

 

 

The common name is unremarkable.
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
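The two supplicant settings this thread keeps returning to, Validate Server Certificate (Colin's answer to question 2) and machine-only versus user authentication mode (the advice just above), both live in the exported WLAN profile XML. The following PowerShell script is an added example, not from this thread or from Aruba: it exports a profile with `netsh wlan` and reports the EAP method, server validation state, pinned root CA thumbprints and authentication mode, warning on the weak combinations. The profile name `Corp-WLAN` is an assumption; replace it with the name from `netsh wlan show profiles`.

```powershell
# Added example (not from the thread): audit an exported Windows WLAN profile for the
# settings discussed above. Assumed profile name 'Corp-WLAN'.
param([string]$ProfileName = 'Corp-WLAN')

$outDir = Join-Path $env:TEMP 'wlan-profile-audit'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Remove-Item -Path (Join-Path $outDir '*.xml') -ErrorAction SilentlyContinue

# netsh writes "<interface>-<profile>.xml" into the folder; no key material is exposed
netsh wlan export profile name="$ProfileName" folder="$outDir" | Out-Null
$xmlFile = Get-ChildItem -Path $outDir -Filter '*.xml' | Select-Object -First 1
if (-not $xmlFile) { throw "Profile '$ProfileName' not found; run 'netsh wlan show profiles'." }
[xml]$profile = Get-Content -Path $xmlFile.FullName

# Namespace-agnostic lookup: the profile mixes WLAN, OneX and EapHost namespaces
function Get-Setting([xml]$Doc, [string]$Element) {
    $node = $Doc.SelectSingleNode("//*[local-name()='$Element']")
    if ($node) { $node.InnerText.Trim() } else { $null }
}

$findings = [ordered]@{
    Authentication   = Get-Setting $profile 'authentication'   # WPA2 for WPA2-Enterprise
    Encryption       = Get-Setting $profile 'encryption'       # AES
    EapMethod        = $profile.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']").InnerText
    AuthMode         = Get-Setting $profile 'authMode'         # machine / user / machineOrUser; absent = machineOrUser
    ServerValidation = Get-Setting $profile 'PerformServerValidation'
    ServerNames      = Get-Setting $profile 'ServerNames'
    TrustedRootCA    = ($profile.SelectNodes("//*[local-name()='TrustedRootCA']") |
                        ForEach-Object { $_.InnerText.Trim() }) -join ', '
}
[pscustomobject]$findings | Format-List

$eapName = switch ($findings.EapMethod) { '25' { 'PEAP' } '13' { 'EAP-TLS' } default { "EAP type $($findings.EapMethod)" } }
Write-Host "EAP method: $eapName"
if ($findings.ServerValidation -ne 'true') {
    # Matches the "works with Validate unchecked" observation: the client accepts any RADIUS certificate
    Write-Warning 'Server certificate validation is off: the supplicant will trust any RADIUS server certificate.'
} elseif (-not $findings.TrustedRootCA) {
    Write-Warning 'Server validation is on but no root CA is pinned: any CA in the Trusted Root store is accepted.'
}
if ($eapName -eq 'EAP-TLS' -and $findings.AuthMode -ne 'machine') {
    Write-Host 'EAP-TLS in user or machineOrUser mode: the signed-in user needs a certificate in Cert:\CurrentUser\My.'
}
```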
