Re: WPA with IAS and PEAP-EAP-TLS Auth. and CA on W2003 standard

From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 11/23/04

    Date: Tue, 23 Nov 2004 00:29:15 -0800
    
    

    CORRECTION:
    Allow me to post a correction to the message below.
    WPA is supported with RADIUS (using PEAP or EAP-TLS). It's totally
    transparent to the RADIUS server since it's between the access point and the
    client.

    -- 
          =============================================
      This posting is provided "AS IS" with no warranties, and confers no rights
    Join us on Nov 29th 1:00 to 2:00 PM PST, for an online webchat on "Using and 
    troubleshooting RADIUS using IAS"
    This chat will help you resolve all of your RADIUS/IAS issues. You can ask 
    about RADIUS, IAS, 802.1x, Active directory configuration and Certificate 
    services, related to IAS and RADIUS
    Follow this link to join the chat
    http://www.microsoft.com/communities/chats/default.mspx#04_Nov29_IAS_RADIUS
          =============================================
    "Sam Salhi [MSFT]" <samers@online.microsoft.com> wrote in message 
    news:u7E5EGvvEHA.3108@TK2MSFTNGP14.phx.gbl...
    > It's a little bit confusing, I know. Hope the following explains it a 
    > little bit more.
    >
    > WPA is not 802.11i (WPA was introduced before 802.11i was officially 
    > released). WPA2 is 802.11i, and the new WPA2 supports RADIUS authentication 
    > & WPA at the same time.
    >
    > When you do RADIUS authentication at present (XPSP1, XPSP2) you can't use 
    > RADIUS AND WPA, you can select either one. WPA is good when you don't have 
    > a RADIUS server. But if you do, you will need to revert to WEP. This is 
    > not the usual static WEP. WEP with RADIUS means Keys generated by the 
    > RADIUS server and used by the AP and Client. These keys are changed with 
    > every re-authentication. Which makes them pretty secure. Almost as secure 
    > as WPA.
    >
    > When selecting the certificates to use, Here's my recommendation
    > A) For server obtain a certificate based on "RAS and IAS servers 
    > authentication" Template (you will need to publish the template in AD 
    > first)
    > B) For Machines, obtain a certificate based on "Workstation 
    > Authentication" template
    > C) For users, obtain a certificate based on the User template
    >
    > Hope you find this information useful
    >
    >
    >
    > -- 
    >      =============================================
    >  This posting is provided "AS IS" with no warranties, and confers no 
    > rights.
    >      =============================================
    >
    > "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message 
    > news:%23jef9wovEHA.164@TK2MSFTNGP10.phx.gbl...
    >> Thanks for your help. It's important to me to know which certification
    >> templates to use with WPA and a CA running on Windows 2003 Server
    >> standard edition.
    >>
    >> One thing I don't understand is that you write that WPA doesn't work with
    >> 802.1x. According to http://support.microsoft.com/?kbid=815485, 802.1x
    >> authentication is required in WPA. And on the XP SP2 Wireless Client,
    >> 802.1x is automatically selected and cannot be changed when you choose
    >> WPA as network authentication. Can you further explain your statement
    >> about WPA and 802.1x?
    >>
    >> Thank you in advance!
    >> Franz
    >>
    >> "Sam Salhi [MSFT]" <samers@online.microsoft.com> schrieb im Newsbeitrag
    >> news:eX0inTdvEHA.1292@TK2MSFTNGP10.phx.gbl...
    >>> Yes it is possible
    >>> RAS and IAS server authentication is also there in Standard, and you can
    >>> use "Workstation Authentication" for clients. Otherwise you may use
    >>> Computer Template for both. But be aware that Computer template will
    >>> contain "Server Authentication" EKU.
    >>>
    >>> One thing that doesn't work in the scenario you mentioned below, that
    >>> would be WPA with 802.1x
    >>> WPA is not supported with 802.1x at the moment. Only WEP (which is not
    >>> the normal WEP, it's dynamic with keys generated by the Server based PKI,
    >>> so it's very secure)
    >>>
    >>>
    >>> -- 
    >>>      =============================================
    >>>  This posting is provided "AS IS" with no warranties, and confers no
    >>> rights.
    >>>      =============================================
    >>>
    >>> "Franz Schenk" <franz.schenkNOSPAM@fititNO-_SPAM.ch> wrote in message
    >>> news:e07CkIavEHA.3908@TK2MSFTNGP12.phx.gbl...
    >>>> We want to set up a Wireless Network with WPA, internal CA, IAS Radius
    >>>> Server and PEAP-EAP-TLS Authentication. We like to use computer
    >>>> authentication because I suppose that with user authentication, the
    >>>> wireless connection is established after user authentication and for
    >>>> example GPO software packages that are assigned to computers will never
    >>>> apply to computers that connect over the Wireless network.
    >>>>
    >>>> What does confuse me is that Microsoft only recommends and does require
    >>>> using Windows Server 2003 Enterprise Edition for the CA, because the
    >>>> certification templates "RAS and IAS Server Authentication" and
    >>>> "Wireless Authentication" are not available in certification services of
    >>>> Windows 2003 Server standard edition.
    >>>>
    >>>> Is it possible to implement the solution described above also with a CA
    >>>> running on Windows 2003 Server standard edition, using the
    >>>> certification templates included in Windows Server 2003 standard version?
    >>>>
    >>>> Thanks all in advance for any help!
    >>>> Franz
    >>>>
    >>>>
    >>>
    >>>
    >>
    >>
    >
    > 
    
