Re: WPA with IAS and PEAP-EAP-TLS Auth. and CA on W2003 standard

From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 11/09/04

    Date: Mon, 8 Nov 2004 20:48:42 -0800
    
    

    As far as I know, the only issue might be WPA. Even though you might have
    enabled that in GP, the AP might still be doing WEP with EAP-TLS. I don't
    see any reason why this wouldn't be supported.

    -- 
          =============================================
      This posting is provided "AS IS" with no warranties, and confers no rights
    Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and 
    troubleshooting RADIUS using IAS"
    This chat will help you resolve all of your RADIUS/IAS issues. You can ask 
    about RADIUS, IAS, 802.1x, Active directory configuration and Certificate 
    services, related to IAS and RADIUS
    Follow this link to join the chat
    http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
          =============================================
    "froowstie" <smeg@smeg.com> wrote in message 
    news:%23ivk42exEHA.3624@TK2MSFTNGP09.phx.gbl...
    > Sam,
    >
    > Perhaps you can elaborate as I'm now a little confused.
    >
    > I've just set up a prototype lab as per the MS documentation (Securing
    > Wireless LANs). The only place I strayed from the instructions was that I
    > went with straight computer authentication (instead of User and Computer). I
    > have a Cisco Aironet 1200 Access Point that I have configured with
    > mandatory WPA as my authentication method and TKIP as my encryption method
    > and passing all requests to my two Radius servers.
    >
    > I then patched the W2k3 DC with the new wireless GPOs as per the hotfix
    > http://support.microsoft.com/?kbid=811233. After that, I created a new
    > Wireless GPO that forced the WPA/TKIP settings down onto my XP SP2 client
    > machines. The system is working perfectly, the EAP/TLS machine certificates
    > are being deployed and the Radius server is validating them correctly, all
    > my client machines can access the network via the WLAN.
    >
    > Is this setup supported by MS?
    >
    > Regards,
    >
    > James Frost
    > Avanade Australia
    >
    >
    > "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message
    > news:u7E5EGvvEHA.3108@TK2MSFTNGP14.phx.gbl...
    >> It's a little bit confusing, I know. Hope the following explains it a
    >> little bit more.
    >>
    >> WPA is not 802.11i (WPA was introduced before 802.11i was officially
    >> released). WPA2 is 802.11i and the new WPA2 supports RADIUS authentication
    >> & WPA at the same time.
    >>
    >> When you do RADIUS authentication at present (XPSP1, XPSP2) you can't use
    >> RADIUS AND WPA, you can select either one. WPA is good when you don't have
    >> a RADIUS server. But if you do, you will need to revert to WEP. This is not
    >> the usual static WEP. WEP with RADIUS means keys generated by the RADIUS
    >> server and used by the AP and client. These keys are changed with every
    >> re-authentication, which makes them pretty secure. Almost as secure as
    >> WPA.
    >>
    >> When selecting the certificates to use, here's my recommendation:
    >> A) For servers, obtain a certificate based on the "RAS and IAS servers
    >> authentication" template (you will need to publish the template in AD
    >> first)
    >> B) For machines, obtain a certificate based on the "Workstation
    >> Authentication" template
    >> C) For users, obtain a certificate based on the User template
    >>
    >> Hope you find this information useful
    >>
    >>
    >>
    >> -- 
    >>       =============================================
    >>   This posting is provided "AS IS" with no warranties, and confers no
    >> rights.
    >>       =============================================
    >>
    >> "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
    >> news:%23jef9wovEHA.164@TK2MSFTNGP10.phx.gbl...
    >> > Thanks for your help. It's important to me to know which certification
    >> > templates to use with WPA and a CA running on Windows 2003 Server
    >> > standard edition.
    >> >
    >> > One thing I don't understand is that you write that WPA doesn't work
    >> > with 802.1x. According to http://support.microsoft.com/?kbid=815485,
    >> > 802.1x authentication is required in WPA. And on the XP SP2 Wireless
    >> > Client, 802.1x is automatically selected and can not be changed when you
    >> > choose WPA as network authentication. Can you further explain your
    >> > statement about WPA and 802.1x?
    >> >
    >> > Thank you in advance!
    >> > Franz
    >> >
    >> > "Sam Salhi [MSFT]" <samers@online.microsoft.com> schrieb im Newsbeitrag
    >> > news:eX0inTdvEHA.1292@TK2MSFTNGP10.phx.gbl...
    >> >> Yes it is possible.
    >> >> RAS and IAS server authentication is also there in Standard, and you
    >> >> can use "Workstation Authentication" for clients. Otherwise you may use
    >> >> the Computer template for both. But be aware that the Computer template
    >> >> will contain the "Server Authentication" EKU.
    >> >>
    >> >> One thing that doesn't work in the scenario you mentioned below, that
    >> >> would be WPA with 802.1x.
    >> >> WPA is not supported with 802.1x at the moment. Only WEP (which is not
    >> >> the normal WEP, it's dynamic with keys generated by the Server based PKI,
    >> >> so it's very secure)
    >> >>
    >> >>
    >> >> -- 
    >> >>      =============================================
    >> >>  This posting is provided "AS IS" with no warranties, and confers no
    >> >> rights.
    >> >>      =============================================
    >> >>
    >> >> "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
    >> >> news:e07CkIavEHA.3908@TK2MSFTNGP12.phx.gbl...
    >> >>> We want to set up a Wireless Network with WPA, internal CA, IAS Radius
    >> >>> Server and PEAP-EAP-TLS Authentication. We would like to use computer
    >> >>> authentication because I suppose that with user authentication, the
    >> >>> wireless connection is established after user authentication and, for
    >> >>> example, GPO software packages that are assigned to computers will
    >> >>> never apply to computers that connect over the Wireless network.
    >> >>>
    >> >>> What does confuse me is that Microsoft only recommends and does
    >> >>> require using Windows Server 2003 Enterprise Edition for the CA,
    >> >>> because the certification templates "RAS and IAS Server Authentication"
    >> >>> and "Wireless Authentication" are not available in certification
    >> >>> services of Windows 2003 Server standard edition.
    >> >>>
    >> >>> Is it possible to implement the solution described above also with a
    >> >>> CA running on Windows 2003 Server standard edition, using the
    >> >>> certification templates included in Windows Server 2003 standard
    >> >>> version?
    >> >>>
    >> >>> Thanks all in advance for any help!
    >> >>> Franz
    >> >>>
    >> >>>
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
    > 
    
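The thread turns on which certificate template to use for each 802.1X role, and the difference between those templates is their Enhanced Key Usage (EKU) extension. As an added example (not code from any poster or from Microsoft), the stdlib Python below encodes and decodes the DER EKU extension value and applies the role check an IAS server or supplicant effectively performs; the EKU contents of the templates are assumed from their names, except the Computer template's Server Authentication EKU, which Sam states.

```python
# EKU OIDs from RFC 5280 section 4.2.1.12
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])          # last byte has the high bit clear
        while arc := arc >> 7:
            chunk = bytes([(arc & 0x7F) | 0x80]) + chunk
        body += chunk
    return bytes([0x06, len(body)]) + body

def encode_eku(oids) -> bytes:
    body = b"".join(encode_oid(o) for o in oids)  # ExtKeyUsageSyntax ::= SEQUENCE OF OID
    return bytes([0x30, len(body)]) + body        # EKU lists are short: short-form length

def decode_eku(der: bytes) -> list:
    """Parse a short-form DER EKU extension value back into dotted OIDs."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        if der[pos] != 0x06: raise ValueError("expected OBJECT IDENTIFIER")
        body = der[pos + 2:pos + 2 + der[pos + 1]]
        arcs, val = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:                 # high bit clear ends the arc
                arcs, val = arcs + [val], 0
        oids.append(".".join(map(str, arcs)))
        pos += 2 + len(body)
    return oids

def check_eku(der: bytes, role: str) -> list:
    """Findings for a cert presented in an 802.1X role: 'server' (IAS) or 'client'."""
    eku, findings = decode_eku(der), []
    if role == "server" and SERVER_AUTH not in eku:
        findings.append("server cert lacks Server Authentication EKU; supplicants will reject it")
    if role == "client" and CLIENT_AUTH not in eku:
        findings.append("client cert lacks Client Authentication EKU; IAS will reject it")
    if role == "client" and SERVER_AUTH in eku:
        findings.append("client cert also has Server Authentication EKU (Computer template)")
    return findings
# Constructed samples; EKU contents assumed from the template names, except the
# Computer template's Server Authentication EKU, which the thread states.
WORKSTATION_AUTH = encode_eku([CLIENT_AUTH])              # "Workstation Authentication"
COMPUTER = encode_eku([CLIENT_AUTH, SERVER_AUTH])         # "Computer"
RAS_IAS_SERVER = encode_eku([SERVER_AUTH, CLIENT_AUTH])   # "RAS and IAS Server"
```

The third finding is the least-privilege point behind Sam's caveat: a machine certificate that also carries Server Authentication can pass a supplicant's EKU check for the IAS server, so it should be issued only where that capability is needed.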
