ack
Occasional Contributor II
Posts: 11
Registered: ‎09-24-2014

Windows AD client machine certificate authentication?

I've inherited a wireless network (WPA-TKIP) that has an Active Directory setup with NPS configured.  The machines that are a part of the domain have the CA cert pushed to them via GPO, as well as the wireless network, so they connect automatically using their AD credentials and already accept the internal CA-signed server cert.

Unfortunately with this setup anyone can bring in any wireless device and log in to the network assuming they have valid AD credentials.  Non-corporate devices won't have the internal CA trusted, but it's bypassed by just accepting the cert.

What I've been tasked to do is REQUIRE the machine cert (AFAIK) to be signed by the internal CA for successful authentication to the wireless network. My colleague who asked me to research if this is possible thinks we can't do this because we only have Windows 2008 R2 Standard (running at Windows 2003 level, if that matters), and we can't issue machine certs without Windows 2008 Server Enterprise. We can't upgrade at the moment to 2012 because we still have some Windows 2003 servers lurking. 

 

So the questions I have unanswered are:

1) Is it possible to set up client machine certificate authentication with Windows 2008 R2 Standard?

2) Are there security holes with this plan?  Do we still need authentication of AD credentials in addition to authenticating the client certificate to prevent outside devices from connecting?

 

Thanks

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Windows AD client machine certificate authentication?

1) Yes. In your connection request policy, remove the Protected EAP option, leaving only the "Smartcard or other certificate" option.


2) If you're only allowing certificate based authentication from corporate assets, there's nothing else you need to do. From a security standpoint, you should configure the 802.1X settings via Group Policy so end users can't change them.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
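As an added illustration of the answer above (this is editorial example code, not part of the original thread or anything Aruba or Microsoft ship): a PowerShell script that audits one domain-joined Windows client for what the change is meant to guarantee. It exports the wireless profile and checks that the EAP method is EAP-TLS (type 13, what NPS calls "Smart Card or other certificate") rather than PEAP (type 25), that the client validates the NPS server certificate without prompting the user (that prompt is the "just accept the cert" bypass from the first post) and pins the internal root CA, and that the 802.1X authMode is machine; it then checks LocalMachine\My for a machine certificate issued by the internal CA with the Client Authentication EKU. The SSID CorpWiFi and the CA common name CORP-CA are assumed placeholders.

```powershell
# Added example, not from the thread. Audits one domain-joined Windows client for
# EAP-TLS machine authentication. Placeholder names: SSID 'CorpWiFi', CA 'CORP-CA'.
param(
    [string]$ProfileName = 'CorpWiFi',
    [string]$CAName      = 'CORP-CA'
)
$findings = @()
$caPattern = [regex]::Escape($CAName)

# --- 1. Wireless profile: export the XML that GPO / netsh installed and inspect it ---
$tmp = Join-Path $env:TEMP 'wlan-audit'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
Remove-Item -Path (Join-Path $tmp '*.xml') -ErrorAction SilentlyContinue
& netsh.exe wlan export profile name="$ProfileName" folder="$tmp" | Out-Null
$xmlFile = Get-ChildItem -Path $tmp -Filter '*.xml' | Select-Object -First 1
if (-not $xmlFile) { throw "No wireless profile named '$ProfileName' on this machine" }
[xml]$doc = Get-Content -Path $xmlFile.FullName

$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('w',   'http://www.microsoft.com/networking/WLAN/profile/v1')
$ns.AddNamespace('ox',  'http://www.microsoft.com/networking/OneX/v1')
$ns.AddNamespace('eh',  'http://www.microsoft.com/provisioning/EapHostConfig')
$ns.AddNamespace('ec',  'http://www.microsoft.com/provisioning/EapCommon')
$ns.AddNamespace('tls', 'http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1')

function Get-Text([string]$XPath) {
    $node = $doc.SelectSingleNode($XPath, $ns)
    if ($node) { $node.InnerText.Trim() } else { $null }
}

# The first post mentions WPA-TKIP; TKIP is deprecated and worth flagging while here.
if ((Get-Text '//w:authEncryption/w:encryption') -eq 'TKIP') { $findings += 'Encryption is TKIP; use AES (WPA2)' }

# 13 = EAP-TLS ("Smart Card or other certificate"), 25 = PEAP. PEAP-MSCHAPv2 is
# what lets any device with valid AD credentials join.
$eapType = Get-Text '//eh:EapHostConfig/eh:EapMethod/ec:Type'
if ($eapType -ne '13') { $findings += "EAP method type is '$eapType', not EAP-TLS (13)" }

# 'machine' means only the computer certificate is used. If authMode is absent the
# default is machineOrUser, which lets a user certificate carry the connection.
$authMode = Get-Text '//ox:OneX/ox:authMode'
if ($authMode -ne 'machine') { $findings += "OneX authMode is '$authMode' (expected 'machine')" }

# Server validation: a prompt is exactly what a user on a rogue AP would click through.
if ((Get-Text '//tls:ServerValidation/tls:DisableUserPromptForServerValidation') -ne 'true') {
    $findings += 'User may accept an untrusted NPS server certificate (prompt not disabled)'
}
$pinned    = Get-Text '//tls:ServerValidation/tls:TrustedRootCA'      # SHA-1 thumbprint, space separated
$rootThumb = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match "CN=$caPattern" } |
    ForEach-Object { $_.Thumbprint.ToLower() } | Select-Object -First 1
if (-not $rootThumb) {
    $findings += "Internal CA '$CAName' is not in LocalMachine\Root"
} elseif (-not $pinned -or (($pinned -replace '\s', '').ToLower() -ne $rootThumb)) {
    $findings += "Profile does not pin the internal root CA (TrustedRootCA='$pinned')"
}

# --- 2. Machine certificate: from the internal CA, private key present, Client Authentication EKU ---
$clientAuth  = '1.3.6.1.5.5.7.3.2'
$machineCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    $_.Issuer -match "CN=$caPattern" -and
    (@($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }) -contains $clientAuth)
} | Select-Object -First 1
if (-not $machineCert) { $findings += "No valid client-auth certificate issued by '$CAName' in LocalMachine\My" }

if ($findings.Count -eq 0) {
    Write-Output "OK: '$ProfileName' uses EAP-TLS machine auth; cert $($machineCert.Thumbprint) expires $($machineCert.NotAfter)"
    exit 0
}
$findings | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it on a known-good corporate laptop first, then on a machine that joined with the PEAP profile; the second should fail on the EAP type and, if a user ever clicked through a certificate warning, on the server-validation check. Anything it reports as FAIL is a setting end users can change by hand unless the profile is locked down through Group Policy, which is the point of the second half of the answer.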
ack
Occasional Contributor II
Posts: 11
Registered: ‎09-24-2014

Re: Windows AD client machine certificate authentication?

Doesn't the server need to verify that the client cert is signed by the internal CA? Maybe I'm not grasping the idea of the machine cert. I'm not really a Windows Admin. AD isn't my strong suit.
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Windows AD client machine certificate authentication?

Yes, you would need to issue machine certificates from your ADCS. This can happen automagically via Group Policy.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
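An added example of the "automagically via Group Policy" part (editorial code, not from the thread): what the Certificate Services Client - Auto-Enrollment computer GPO does on the client, reproduced locally in PowerShell so one test machine can be checked before the policy is pushed out. It assumes an enterprise CA is reachable, that the built-in Computer template (internal name Machine) is published on it, and that the computer account has Enroll and Autoenroll permissions on that template; the registry path and AEPolicy value are the ones the GPO itself writes.

```powershell
# Added example, not from the thread. Reproduces locally what the
# "Certificate Services Client - Auto-Enrollment" computer GPO does, then
# triggers enrollment and verifies that a certificate from the Computer template
# (internal name "Machine") landed in the computer's personal store.
# Assumes an enterprise CA with that template published and Enroll/Autoenroll
# granted to Domain Computers. Run elevated.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# 7 = enabled with both GPO check boxes ("renew expired / update pending /
# remove revoked" and "update certificates that use certificate templates");
# 0x8000 is what the GPO writes for Disabled. Group Policy overwrites this key
# at its next refresh, so this is only for testing one box.
New-Item -Path $aeKey -Force | Out-Null
Set-ItemProperty -Path $aeKey -Name AEPolicy -Value 7 -Type DWord

# Fire the autoenrollment task now instead of waiting for the scheduled run.
& certutil.exe -pulse | Out-Null
# On-demand alternative that needs only Enroll (not Autoenroll) on the template:
# & certreq.exe -enroll -machine -q Machine

function Get-TemplateCert {
    param([string]$TemplateName = 'Machine')
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        # 1.3.6.1.4.1.311.20.2 carries the name of a v1 template such as "Machine";
        # v2/v3 templates use 1.3.6.1.4.1.311.21.7 with the template OID instead.
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
        $_.HasPrivateKey -and $ext -and ($ext.Format($false) -match [regex]::Escape($TemplateName))
    }
}

$cert = $null
foreach ($i in 1..12) {                       # poll for up to a minute
    $cert = Get-TemplateCert | Select-Object -First 1
    if ($cert) { break }
    Start-Sleep -Seconds 5
}
if ($cert) {
    Write-Output "Enrolled: $($cert.Subject) issued by $($cert.Issuer), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
} else {
    # The Application log explains failures: template not published, no Autoenroll
    # permission for the computer account, CA unreachable, DNS name mismatch.
    Get-EventLog -LogName Application -Newest 50 |
        Where-Object { $_.Source -like '*AutoEnrollment*' } |
        Select-Object -First 5 TimeGenerated, EntryType, Message
    throw 'No Computer-template certificate was enrolled'
}
```

Once this works on a test machine, put the same setting in the GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies) rather than scripting the registry, and deploy the wireless profile from the same GPO so users cannot switch it back to PEAP.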
Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Windows AD client machine certificate authentication?

 


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

ack
Occasional Contributor II
Posts: 11
Registered: ‎09-24-2014

Re: Windows AD client machine certificate authentication?

Can this be done without an Enterprise CA though?

ack
Occasional Contributor II
Posts: 11
Registered: ‎09-24-2014

Re: Windows AD client machine certificate authentication?

All I see is a blank post, cjoseph.

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Windows AD client machine certificate authentication?

Yes, but it would be a manual, painful process.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
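To make the "manual, painful process" concrete, an added example that is not from the thread: a PowerShell script that issues a machine certificate from a standalone CA (no templates, no autoenrollment) using certreq.exe, which ships with Windows. The machine generates a non-exportable key in its computer store, submits a PKCS#10 request, the CA operator approves it on the CA with certutil -resubmit <RequestId>, and the next run of the script retrieves and installs the certificate. The CA config string ca01.corp.example\CORP-CA and the working directory are placeholders.

```powershell
# Added example, not from the thread: manual machine-certificate enrollment from
# a standalone CA with certreq.exe. Placeholders: CA config string and work dir.
# Run elevated, or as a computer startup script (which runs as SYSTEM).
param(
    [string]$CAConfig = 'ca01.corp.example\CORP-CA',
    [string]$WorkDir  = 'C:\ProgramData\MachineCertEnroll'
)
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$infPath = Join-Path $WorkDir 'request.inf'
$reqPath = Join-Path $WorkDir 'request.req'
$cerPath = Join-Path $WorkDir 'machine.cer'
$idPath  = Join-Path $WorkDir 'requestid.txt'

if (-not (Test-Path $idPath)) {
    # Phase 1: generate the key pair in the computer store and submit a PKCS#10 request.
    #   KeyUsage 0xA0      = digitalSignature + keyEncipherment
    #   MachineKeySet TRUE = private key in the LocalMachine store, usable before logon
    #   Exportable FALSE   = the key cannot be copied to a non-corporate device
    #   EKU 1.3.6.1.5.5.7.3.2 = Client Authentication, which NPS requires for EAP-TLS
    #   SAN dNSName        = what NPS uses to map the certificate to the computer account
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
"@ | Set-Content -Path $infPath -Encoding ASCII

    & certreq.exe -new $infPath $reqPath | Out-Null
    $out = (& certreq.exe -submit -config $CAConfig $reqPath $cerPath) -join "`n"
    if (Test-Path $cerPath) {
        # The CA was configured to issue automatically; fall through to -accept below.
    } elseif ($out -match 'RequestId:\s*(\d+)') {
        # Standalone CA default: the request stays pending until an operator runs
        # "certutil -resubmit <RequestId>" on the CA. Remember the id for the next run.
        Set-Content -Path $idPath -Value $Matches[1]
        Write-Output "Request $($Matches[1]) pending approval on $CAConfig"
        exit 0
    } else {
        throw "Submission failed: $out"
    }
} else {
    # Phase 2: the request was pending last time; try to fetch the issued certificate.
    $id = (Get-Content -Path $idPath).Trim()
    & certreq.exe -retrieve -config $CAConfig $id $cerPath | Out-Null
    if (-not (Test-Path $cerPath)) {
        Write-Output "Request $id still pending (or denied) on $CAConfig"
        exit 0
    }
}

# Install the issued certificate into LocalMachine\My, bound to the key from phase 1.
& certreq.exe -accept $cerPath | Out-Null
Remove-Item -Path $idPath, $reqPath, $infPath -ErrorAction SilentlyContinue
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } | Select-Object -First 1
if (-not $cert) { throw 'certreq -accept did not produce a certificate with a private key' }
Write-Output "Installed $($cert.Thumbprint), expires $($cert.NotAfter)"
```

The painful part is not the script but the approval step: with a standalone CA the subject and SAN are whatever the requester put in the CSR, so the operator approving each request on the CA is the only check that the name belongs to a real domain computer. Renewal is the same two-phase dance again before NotAfter. If the CA policy is switched to issue automatically to remove the approval step, anything that can reach the CA can obtain a client-auth certificate for any name, which defeats the purpose of requiring machine certificates.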
ack
Occasional Contributor II
Posts: 11
Registered: ‎09-24-2014

Re: Windows AD client machine certificate authentication?

Is there a login script that someone has made to automate this?  We just don't have Windows Server 2008 Enterprise and I doubt we'll get it soon. 

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Windows AD client machine certificate authentication?

Not that I know of. Maybe someone else has some ideas.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480