10-10-2014 01:14 PM
I've inherited a wireless network (WPA-TKIP) that has an active directory setup with NPS configured. The machines that are apart of the domain have the CA cert pushed to them via GPO as well the wireless network so they connect automatically using their AD credentials and already accept the internal CA signed server cert.
Unfortunately with this setup anyone can bring in any wiress device and login to the network assuming they have valid AD credentials. Non-corporate devices won't have the internal CA trusted but it's bypassed by just accepting the cert.
What I've been tasked to do is REQUIRE the machine cert (AFAIK) to be signed by the internal CA for successful authentication to the wireless network. My colleague who asked me to research if this is possible thinks we can't do this because we only have Windows 2008 R2 Standard, (Running at Windows 2003 level if that matters) we can't issue machine certs without Windows 2008 Server Enterpise. We can't upgrade at the moment to 2012 because we still have some Windows 2003 servers lurking.
So the questions I have unasnwered are:
1) Is it possible to setup client machine certification authentication with Windows 2008 R2 Standard?
2) Are there security wholes with this plan? Do we still need authentication of AD credentials in addition to authentication the client certificate to prevent outside devices from connecting.
10-10-2014 02:53 PM
1) Yes. In your connection request policy, remove the Protected EAP option leaving only the "Smartcard or other certificate" option.
2) If you're only allowing certificate based authentication from corporate assets, there's nothing else you need to do. From a security standpoint, you should configure the 802.1X settings via Group Policy so end users can't change them.
10-10-2014 05:27 PM
10-10-2014 05:28 PM
Yes, you would need to issue machine certificates from your ADCS. This can happen automagically via Group Policy.