Re: certificateless RADIUS




James,
Great feedback! Thank you. I will review the whitepapers and hope I can make
it work. I appreciate your time.
Nmax

"James McIllece [MS]" wrote:

> "NMax" <NMax@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> news:DAACF715-9E31-4796-897F-B83BA687FF4D@xxxxxxxxxxxxx:
>
> > Goal: Username/password wireless network access
> > Details: I have a Windows 2003 Server and 3com Access points. I would
> > like to do username/password authentication for wireless network
> > access. Working for a church, I envision someone coming in as a guest
> > speaker, setting his laptop on the podium, and after having a staff
> > member enter their username/password, boom, laptop is on the internet.
> >
> > Is this possible?
> > N
> >
>
> Yes -- sort of. :-)
>
> The best way to do it in terms of security is to deploy IAS with
> PEAP-MS-CHAP v2. A server certificate is required and client computers must
> trust the server cert, but user credentials are password based.
>
> The issue that the client must trust the server certificate presents three
> possible solutions:
>
> -- Obtain a server certificate that is trusted by all Windows clients by
> default. For example, you can purchase a server certificate from Verisign.
>
> -- Deploy your own Certification Authority using Windows Server 2003. When
> guests arrive, install the CA cert from floppy or CD (or USB flash drive)
> in the Trusted Root Certification Authorities certificate store on the
> client computer.
>
> -- This solution is not recommended -- however if you do not have *any*
> sensitive data accessible via the WLAN, it is a possibility -- you can
> configure the client not to validate the server certificate. Keep in mind
> that this does open your network up to a variety of security problems and
> possible attacks, and as I said it is not recommended.
>
> There is one other elegant solution too, and that is to create a guest VLAN
> -- so that your guest speakers can just walk in and access the Internet
> without credentials. This solution requires VLAN-aware APs though, and is
> fairly challenging to deploy if you haven't done it before.
>
> Here are some handy links for you that cover most of the stuff I discuss
> above:
>
>
> "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
> at http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
>
>
> "Obtaining and Installing a VeriSign WLAN Server Certificate for
> PEAP-MS-CHAP v2 Wireless Authentication" at
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en
>
>
> "Deploying Windows Server 2003 Internet Authentication Service (IAS) with
> Virtual Local Area Networks (VLANs)" at
> http://www.microsoft.com/downloads/details.aspx?FamilyId=C9ED3609-49FC-439B-92F4-266B187CAE5A&displaylang=en
>
> "The Advantages of Protected Extensible Authentication Protocol (PEAP): A
> Standard Approach to User Authentication for IEEE 802.11 Wireless Network
> Access"
> http://www.microsoft.com/windowsserver2003/techinfo/overview/peap.mspx
>
>
> Internet Authentication Service Technology Center
> http://www.microsoft.com/windowsserver2003/technologies/ias/default.mspx
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
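Added example, not part of the original thread and not Microsoft's own tooling: a PowerShell script for the second option James describes (private CA, CA certificate carried in on removable media). It installs the root certificate into the machine's Trusted Root Certification Authorities store only after the staff member has compared its thumbprint with a value kept off the media, refuses anything that is not a self-signed CA certificate, and then checks that the IAS server certificate chains to that CA and carries the Server Authentication EKU that PEAP clients require. The file paths, the CA name and the expected thumbprint are placeholders to replace with your own values.

```powershell
# Added example (not from the original post): install a private CA's root
# certificate on a guest laptop for PEAP-MS-CHAP v2 server validation, with
# a thumbprint check first. Run from an elevated prompt on the client.
# Assumed/placeholder values: the CA cert path, the IAS server cert path and
# the expected SHA-1 thumbprint (which should come from a printed card or
# another channel, never from the same floppy/CD/USB stick as the cert).
param(
    [string]$CaCertPath         = 'E:\ChurchRootCA.cer',
    [string]$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567',  # placeholder
    [string]$IasServerCertPath  = 'E:\ias-server.cer'                          # optional export
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath

# 1. Pin the thumbprint. A root cert on removable media is only as trustworthy
#    as whoever handed over the media; the thumbprint is the out-of-band check.
$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
if ($ca.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: got $($ca.Thumbprint), expected $expected. Not installing."
}

# 2. Only a self-signed CA certificate belongs in the Root store; a leaf or
#    intermediate cert dropped in here is a misconfiguration.
if ($ca.Subject -ne $ca.Issuer) { throw 'Certificate is not self-signed; not a root CA.' }
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'BasicConstraints does not mark this certificate as a CA.'
}

# 3. Install into the machine-wide Trusted Root store so every user profile
#    on the laptop (and the wireless service) trusts it.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($ca)
$store.Close()
Write-Host "Installed root CA: $($ca.Subject) ($($ca.Thumbprint))"

# 4. Optional: confirm the IAS server certificate is one PEAP clients will
#    accept. It must chain to the CA just installed and carry the
#    Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
if (Test-Path $IasServerCertPath) {
    $srv   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IasServerCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A guest laptop may not reach the CRL distribution point yet; check the chain only.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainsOk  = $chain.Build($srv)
    $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    $eku = $srv.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $false
    if ($eku) {
        $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    }
    if ($chainsOk -and ($rootThumb -eq $ca.Thumbprint) -and $serverAuth) {
        Write-Host "IAS server cert '$($srv.Subject)' chains to the installed CA and has the Server Authentication EKU."
    } else {
        Write-Warning "PEAP clients will reject this server cert: chainBuilt=$chainsOk rootThumbprint=$rootThumb serverAuthEku=$serverAuth"
    }
}
```

Two points to keep in mind when using this. Anyone who can add a certificate to a laptop's Trusted Root store can silently intercept every TLS connection that laptop makes, so the thumbprint comparison is the step that matters, not the import itself. And on the client side the PEAP setting "Validate server certificate" has to stay enabled for any of this to help; James's third option turns exactly that off, which is why he calls it out as not recommended.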