Re: EAP-TLS / Radius & AD

From: Thomas Kuborn (thomas_at_kuborn.be)
Date: 05/28/04


Date: Fri, 28 May 2004 18:46:57 +0200

Thx James,

I'm especially interested in the part "IAS authenticating the client by
querying AD"
1/ what properties of the client certs does IAS need to match in AD ?
2/ that means that you can prevent EAP-TLS from working by:
    - revoking the client cert
    or by
    - deleting the computer/user account from AD

Cheers,

- Thomas -

"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
news:Xns94F67A86F68C5jamesmcionlinemicros@207.46.248.16...
> "Thomas Kuborn" <thomas.kuborn@eu.didata.com> wrote in
> news:c8vurb$os5$1@phys-news-1.nl.colt.net:
>
> > Dear ng,
> >
> > What exactly happens between the Radius server & Active Directory as
> > far as EAP-TLS is concerned ?
> >
> > 1/ Is it correct to say that:
> > - the supplicant challenges the authentication server to see if the
> > authentication server is who it claims to be (to see if it has the
> > private key associated with its public key [certificate])
> > - the authentication server challenges the supplicant to see if the
> > supplicant is who it claims to be (to see if it has the private key
> > associated with its public key [certificate])
> >
> > 2/ Does the authentication server query the Active Directory to see if
> > the supplicant certificate is published ?
> > Does the authentication server query the Active Directory to see if
> > the Subject Alternate Name field of the supplicant's certificate
> > matches ?
> > - a computer account (FQDN)
> > - a user account (UPN)
> > What checks must the authentication server perform against AD to be
> > confident that the supplicant is trusted & send its access-accept
> > message ?
> >
> > 3/ Is it correct to say that:
> > - for EAP-TLS, there's no Kerberos involved between the authentication
> > server & AD (since auth is based on TLS only)
> > - for PEAP, there's Kerberos involved (when the authentication server
> > must validate the user's password)
> >
> > 4/ In the XP supplicant, there's the possibility to only allow
> > connection to specific servers (FQDN or domain suffix). How does the
> > supplicant know the FQDN of the authentication server? by looking at
> > the SAN field in the server's cert ?
> >
> > Much thx
> >
> > Regards,
> >
> > - Thomas -
> >
> >
> >
>
> EAP-TLS is an authentication protocol used between clients and the RADIUS
> server. AD is not involved in EAP-TLS conversations between client and
> server.
>
> During the authentication process, the IAS server sends its Server
> Certificate to client computers. If the client trusts the CA that issued
> the cert (and if the cert meets other minimum server cert requirements),
> server auth is successful.
>
> The IAS server uses properties of the cert supplied by the client to
> authenticate and authorize the user or machine against AD. If the server
> trusts the CA that issued the cert (and if the cert meets other minimum
> client cert requirements), and if the user or computer is valid and is
> authorized to access the network (based on user account properties in AD
> and on remote access policy), access is granted.
>
> For more information, see "Network access authentication and certificates"
> in Windows Server 2003 IAS or VPN Help, or on the web at
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp
>
>
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online
> account name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
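Added example, not code from either poster: a small Python model of the authorization decision James describes (trusted issuer, client cert requirements, revocation, then the AD account and remote access policy). It assumes the certificate-to-account mapping is done by SAN (UPN for users, DNS name for computers), which Thomas asks about but the reply does not confirm; the CA name, CRL, accounts and policy flags are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample data, not a real CA, CRL or directory.
TRUSTED_CAS = {"CN=Corp Root CA"}          # CAs the IAS server trusts
REVOKED_SERIALS = {"0x2a"}                 # serials listed on the CRL
ACCOUNTS = {                               # simulated AD accounts
    "user:tkuborn@corp.example": {"enabled": True, "dialin": True},
    "computer:laptop01.corp.example": {"enabled": True, "dialin": True},
}

@dataclass
class ClientCert:
    """The fields of a supplicant certificate that the decision uses."""
    issuer: str
    serial: str
    eku: Set[str]                  # extended key usage OIDs by name
    san_upn: Optional[str] = None  # user certs: UPN in the SAN (assumed mapping)
    san_dns: Optional[str] = None  # computer certs: DNS name in the SAN (assumed)

def authorize(cert: ClientCert, accounts=ACCOUNTS,
              revoked=REVOKED_SERIALS) -> Tuple[bool, str]:
    """Return (accept, reason) for one EAP-TLS client certificate."""
    # 1. Trust and minimum client-cert requirements (pure TLS side, no AD yet).
    if cert.issuer not in TRUSTED_CAS:
        return False, "untrusted issuer"
    if "clientAuth" not in cert.eku:
        return False, "missing Client Authentication EKU"
    if cert.serial in revoked:
        return False, "certificate revoked"
    # 2. Map the certificate to an account (assumed: SAN UPN or SAN DNS name).
    if cert.san_upn:
        key = "user:" + cert.san_upn.lower()
    elif cert.san_dns:
        key = "computer:" + cert.san_dns.lower()
    else:
        return False, "no SAN UPN or DNS name to map to an account"
    # 3. Account properties and remote access policy decide the final answer.
    acct = accounts.get(key)
    if acct is None:
        return False, "no matching AD account"
    if not acct["enabled"]:
        return False, "account disabled"
    if not acct["dialin"]:
        return False, "remote access policy denies"
    return True, "access-accept for " + key
```

Revoking the certificate fails step 1 and deleting the account fails step 3, so either change on its own blocks the supplicant, which is the point of Thomas's second question.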
