Re: WPA with IAS and PEAP-EAP-TLS Auth. and CA on W2003 standard

From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 10/31/04

    Date: Sat, 30 Oct 2004 19:29:55 -0700
    
    

    It's a little bit confusing, I know. Hope the following explains it a little
    bit more.

    WPA is not 802.11i (WPA was introduced before 802.11i was officially
    released). WPA2 is 802.11i, and the new WPA2 supports RADIUS authentication &
    WPA at the same time.

    When you do RADIUS authentication at present (XPSP1, XPSP2) you can't use
    RADIUS AND WPA; you can select either one. WPA is good when you don't have a
    RADIUS server. But if you do, you will need to revert to WEP. This is not
    the usual static WEP. WEP with RADIUS means keys generated by the RADIUS
    server and used by the AP and client. These keys are changed with every
    re-authentication, which makes them pretty secure. Almost as secure as WPA.

    When selecting the certificates to use, here's my recommendation:
    A) For the server, obtain a certificate based on the "RAS and IAS servers
    authentication" template (you will need to publish the template in AD first).
    B) For machines, obtain a certificate based on the "Workstation Authentication"
    template.
    C) For users, obtain a certificate based on the User template.

    Hope you find this information useful.

    -- 
    =============================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    =============================================
    "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message 
    news:%23jef9wovEHA.164@TK2MSFTNGP10.phx.gbl...
    > Thanks for your help. It's important to me to know which certification
    > templates to use with WPA and a CA running on Windows 2003 Server standard
    > edition.
    >
    > One thing I don't understand is that you write that WPA doesn't work with
    > 802.1x. According to http://support.microsoft.com/?kbid=815485, 802.1x
    > authentication is required in WPA. And on the XP SP2 Wireless Client, 802.1x
    > is automatically selected and cannot be changed when you choose WPA as
    > network authentication. Can you further explain your statement about WPA and
    > 802.1x?
    >
    > Thank you in advance!
    > Franz
    >
    > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
    > news:eX0inTdvEHA.1292@TK2MSFTNGP10.phx.gbl...
    >> Yes, it is possible.
    >> RAS and IAS server authentication is also there in Standard, and you can
    >> use "Workstation Authentication" for clients. Otherwise you may use the
    >> Computer template for both. But be aware that the Computer template will
    >> contain the "Server Authentication" EKU.
    >>
    >> One thing that doesn't work in the scenario you mentioned below, that
    >> would be WPA with 802.1x.
    >> WPA is not supported with 802.1x at the moment. Only WEP (which is not the
    >> normal WEP, it's dynamic with keys generated by the Server based PKI, so
    >> it's very secure).
    >>
    >>
    >> -- 
    >> =============================================
    >> This posting is provided "AS IS" with no warranties, and confers no rights.
    >> =============================================
    >>
    >> "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
    >> news:e07CkIavEHA.3908@TK2MSFTNGP12.phx.gbl...
    >>> We want to set up a Wireless Network with WPA, internal CA, IAS Radius
    >>> Server and PEAP-EAP-TLS Authentication. We'd like to use computer
    >>> authentication because I suppose that with user authentication, the
    >>> wireless connection is established after user authentication and, for
    >>> example, GPO software packages that are assigned to computers will never
    >>> apply to computers that connect over the Wireless network.
    >>>
    >>> What does confuse me is that Microsoft only recommends and does require
    >>> using Windows Server 2003 Enterprise Edition for the CA, because the
    >>> certification templates "RAS and IAS Server Authentication" and "Wireless
    >>> Authentication" are not available in certification services of Windows
    >>> 2003 Server standard edition.
    >>>
    >>> Is it possible to implement the solution described above also with a CA
    >>> running on Windows 2003 Server standard edition, using the certification
    >>> templates included in Windows Server 2003 standard version?
    >>>
    >>> Thanks all in advance for any help!
    >>> Franz
    >>>
    >>>
    >>
    >>
    >
    > 
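
Added example, not part of the original posts: one way to check which EKUs the certificates in a machine's personal store actually carry, so that a certificate carrying "Server Authentication" (as the thread notes the Computer template does) is easy to spot. It assumes PowerShell 3.0 or later; the function names are hypothetical, and the two OIDs are the standard Server Authentication and Client Authentication identifiers.

```powershell
# Added example (not from the thread): classify machine certificates by EKU.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

# Hypothetical helper: return the EKU OIDs found in a certificate.
function Get-CertEkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

# Hypothetical helper: turn a list of EKU OIDs into a readable role.
function Get-EkuRole {
    param([string[]]$EkuOid)
    # A certificate with no EKU extension is not restricted to any purpose.
    if (-not $EkuOid -or $EkuOid.Count -eq 0) { return 'No EKU (all purposes)' }
    $server = $EkuOid -contains $ServerAuthOid
    $client = $EkuOid -contains $ClientAuthOid
    if ($server -and $client) { 'Client + Server' }
    elseif ($server)          { 'Server only' }
    elseif ($client)          { 'Client only' }
    else                      { 'Other EKUs only' }
}

# Report every certificate in the local machine's personal store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekus = @(Get-CertEkuOid -Certificate $_)
    [pscustomobject]@{
        Subject       = $_.Subject
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        EkuRole       = Get-EkuRole -EkuOid $ekus
    }
} | Format-Table -AutoSize
```

On a wireless client, a row reading "Client + Server" or "Server only" is the case the thread's caveat about the Computer template refers to.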
    
