Re: WPA with IAS and PEAP-EAP-TLS Auth. and CA on W2003 standard

From: froowstie (smeg_at_smeg.com)
Date: 11/08/04


Date: Tue, 9 Nov 2004 10:50:36 +1100

Sam,

Perhaps you can elaborate as I'm now a little confused.

I've just set up a prototype lab as per the MS documentation (Securing
Wireless LANs). The only place I strayed from the instructions was that I
went with straight computer authentication (instead of User and Computer). I
have a Cisco Aironet 1200 Access Point that I have configured with
mandatory WPA as my authentication method and TKIP as my encryption method
and passing all requests to my two RADIUS servers.

I then patched the W2k3 DC with the new wireless GPOs as per the hotfix
http://support.microsoft.com/?kbid=811233. After that, I created a new
Wireless GPO that forced the WPA/TKIP settings down onto my XP SP2 client
machines. The system is working perfectly: the EAP-TLS machine certificates
are being deployed and the RADIUS server is validating them correctly, and all
my client machines can access the network via the WLAN.

Is this setup supported by MS?

Regards,

James Frost
Avanade Australia

"Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
news:u7E5EGvvEHA.3108@TK2MSFTNGP14.phx.gbl...
> It's a little bit confusing, I know. Hope the following explains it a
> little bit more.
>
> WPA is not 802.11i (WPA was introduced before 802.11i was officially
> released). WPA2 is 802.11i, and the new WPA2 supports RADIUS authentication
> & WPA at the same time.
>
> When you do RADIUS authentication at present (XP SP1, XP SP2) you can't use
> RADIUS AND WPA; you can select either one. WPA is good when you don't have
> a RADIUS server. But if you do, you will need to revert to WEP. This is not
> the usual static WEP. WEP with RADIUS means keys generated by the RADIUS
> server and used by the AP and client. These keys are changed with every
> re-authentication, which makes them pretty secure. Almost as secure as
> WPA.
>
> When selecting the certificates to use, here's my recommendation:
> A) For the server, obtain a certificate based on the "RAS and IAS servers
> authentication" template (you will need to publish the template in AD
> first)
> B) For machines, obtain a certificate based on the "Workstation
> Authentication" template
> C) For users, obtain a certificate based on the User template
>
> Hope you find this information useful
>
> --
> =============================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> =============================================
>
> "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
> news:%23jef9wovEHA.164@TK2MSFTNGP10.phx.gbl...
> > Thanks for your help. It's important to me to know which certificate
> > templates to use with WPA and a CA running on Windows 2003 Server
> > Standard Edition.
> >
> > One thing I don't understand is that you write that WPA doesn't work
> > with 802.1x. According to http://support.microsoft.com/?kbid=815485,
> > 802.1x authentication is required in WPA. And on the XP SP2 wireless
> > client, 802.1x is automatically selected and cannot be changed when you
> > choose WPA as network authentication. Can you further explain your
> > statement about WPA and 802.1x?
> >
> > Thank you in advance!
> > Franz
> >
> > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
> > news:eX0inTdvEHA.1292@TK2MSFTNGP10.phx.gbl...
> >> Yes, it is possible.
> >> RAS and IAS server authentication is also there in Standard, and you
> >> can use "Workstation Authentication" for clients. Otherwise you may use
> >> the Computer template for both. But be aware that the Computer template
> >> will contain the "Server Authentication" EKU.
> >>
> >> One thing that doesn't work in the scenario you mentioned below: that
> >> would be WPA with 802.1x.
> >> WPA is not supported with 802.1x at the moment. Only WEP (which is not
> >> the normal WEP; it's dynamic, with keys generated by the server-based
> >> PKI, so it's very secure).
> >>
> >> --
> >> =============================================
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >> =============================================
> >>
> >> "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
> >> news:e07CkIavEHA.3908@TK2MSFTNGP12.phx.gbl...
> >>> We want to set up a wireless network with WPA, an internal CA, an IAS
> >>> RADIUS server and PEAP-EAP-TLS authentication. We would like to use
> >>> computer authentication, because I suppose that with user
> >>> authentication the wireless connection is established only after user
> >>> authentication, and for example GPO software packages that are
> >>> assigned to computers will never apply to computers that connect over
> >>> the wireless network.
> >>>
> >>> What confuses me is that Microsoft only recommends and does require
> >>> using Windows Server 2003 Enterprise Edition for the CA, because the
> >>> certificate templates "RAS and IAS Server Authentication" and
> >>> "Wireless Authentication" are not available in Certificate Services of
> >>> Windows 2003 Server Standard Edition.
> >>>
> >>> Is it possible to implement the solution described above also with a
> >>> CA running on Windows 2003 Server Standard Edition, using the
> >>> certificate templates included in Windows Server 2003 Standard
> >>> Edition?
> >>>
> >>> Thanks all in advance for any help!
> >>> Franz
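The template advice quoted above (a server certificate for IAS, "Workstation Authentication" for machines, and the warning that the Computer template also carries the Server Authentication EKU) can be checked on an enrolled client or on the IAS box with the following PowerShell. This is an added example, not code from any poster in the thread; it assumes the auto-enrolled certificates landed in the local machine store, which is where machine certificates normally go.

```powershell
# Added example (not from the thread): inventory the local machine store and say,
# per certificate, whether it carries the Client Authentication EKU that an 802.1X
# EAP-TLS client needs, the Server Authentication EKU that an IAS/RADIUS server
# cert needs, or both (the v1 "Computer" template case Sam warns about).

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
# Microsoft template extensions: v1 "Certificate Template Name" and v2 "Certificate Template Information"
$TemplateOids  = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # EKU OIDs as a flat list; an empty list means the cert has no EKU extension at all
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $hasClient = $ekus -contains $ClientAuthOid
    $hasServer = $ekus -contains $ServerAuthOid

    # Recover the template the CA issued from, if the extension is present
    $template = ($cert.Extensions |
        Where-Object { $TemplateOids -contains $_.Oid.Value } |
        ForEach-Object { $_.Format($false) }) -join '; '
    if (-not $template) { $template = '(no template extension)' }

    # Classify against the thread's recommendations
    if ($hasClient -and -not $hasServer) {
        $verdict = 'client-only EKU: fits Workstation Authentication for 802.1X clients'
    } elseif ($hasClient -and $hasServer) {
        $verdict = 'client+server EKU: Computer-template style, usable by clients and IAS'
    } elseif ($hasServer) {
        $verdict = 'server-only EKU: usable by IAS, not as a client certificate'
    } else {
        $verdict = 'no EAP-TLS-relevant EKU'
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Template   = $template
        ClientAuth = $hasClient
        ServerAuth = $hasServer
        Verdict    = $verdict
    }
} | Format-Table -AutoSize -Wrap
```

Run it once on a wireless client and once on each IAS server; the client should show a client-only (or client+server) certificate, and the IAS server must show one with the Server Authentication EKU, or EAP-TLS negotiation will fail before the client even presents its own certificate.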


