Enterprise Lockdown

Contributor I

Authentication Challenges

I have some challenges with my wireless project...
One of the requirements is to be able to provide wireless
1. Only via approved devices.
2. Only to approved users.
3. 802.11i (AES)
1. The "approval" for devices must :
A. Only come from an "approval source" such as an domain admin, desktop admin etc.
B. Not be exportable between devices
C. Be revocable in case the device is stolen.
D. Be the basis from authentication to the wireless network without which the machine will not connect to the wireless network.
2. The "approval" for the wireless users must:
A. Only come from an "approval source" such as an domain admin, desktop admin etc.
B. Be revocable.
C. Not be tied to any device i.e. The user should be allowed to logon from any "approved" device.
I was thinking about using 802.11i, eap-tls, and Cisco ACS to do device approval and domain groups to do user approval.
Is this a doable thing?
I have been doing research on eap-tls and it looks like it requires user-certs which breaks 2C above.
What I was hoping to do is something like the below.
1. User gives device to a desktop admin which in turn requests a cert from the CA.
2. The CA approves the "device" cert and issues it to the desktop admin
3. The desktop admin installs the "device" cert and places the user in the "approved wireless user" domain user group.
4. The user is then allowed to logon to the wireless network from any "approved device".
Is there a better way?
Tom Davis...
Search Airheads
Showing results for 
Search instead for 
Did you mean: