Re: EAP-TLS machine authentication for non-domain systems



"George Stribley" <noone@xxxxxxxx> wrote in
news:O0wIfhDiHHA.1708@xxxxxxxxxxxxxxxxxxxx:

We are using EAP-TLS to authenticate non-domain devices to our
wireless network. We are using Windows Server 2003 SP1 certificate
services, IIS, and IAS to generate x.509 v3 certificates and
authenticate through our Cisco WLC wireless infrastructure. We can
authenticate just fine, but we have one major problem--the
certificates are portable, and a single certificate can be installed
on any number of devices to allow those devices to gain access to our
wireless network.

We cannot set a password on the private keys--most of the devices are
portable userless devices, and thus have no user to type in the
password.

We need a way to tie the certificate to a specific device to make it a
true machine certificate. My idea is to compare the User-Name RADIUS
attribute to the Calling-Station-ID RADIUS attribute--as long as the
certificate CN equals the MAC address of the device's NIC, we should
be able to get a match (technically, the CN on the certificate would
be MAC_addr@domain, so we would need to strip off the domain portion).

Is there a way to get this done? I don't see any facility in IAS to
compare RADIUS attributes to each other. Is there another way to do
this comparison? Or is there another way to tie the certificate to the
machine?




If I remember correctly you can configure the cert template on the CA so
that the certificate cannot be exported or reused. Check out the PKI
documentation at
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx.
One of the main docs there has this information. (Sorry I can't recall
which one.)

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
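The User-Name versus Calling-Station-Id comparison that George describes in the quoted question, written out as a stand-alone check. This is an added example and is not code from either post, from IAS, or from Microsoft; it only models the decision that whatever policy hook or front-end RADIUS server performs the comparison would have to make. The attribute sets, the `example.com` domain, and the MAC formats are constructed for the example; real NAS devices format Calling-Station-Id differently (colons, hyphens, Cisco dotted triplets), which is why the code normalizes both sides before comparing and rejects when either side is missing or malformed.

```python
import re

# Constructed Access-Request attribute sets standing in for what the RADIUS
# server would see. Values are sample data, not captured from a real WLC.
SAMPLE_REQUESTS = [
    # certificate CN matches the station that presented it
    {"User-Name": "00-11-22-33-44-55@example.com", "Calling-Station-Id": "0011.2233.4455"},
    # same certificate presented from a different NIC (the portability problem)
    {"User-Name": "00-11-22-33-44-55@example.com", "Calling-Station-Id": "00-11-22-33-44-66"},
    # certificate CN is not a MAC address at all
    {"User-Name": "scanner07@example.com", "Calling-Station-Id": "00-11-22-33-44-55"},
    # NAS did not send Calling-Station-Id; fail closed rather than accept
    {"User-Name": "00-11-22-33-44-55@example.com"},
]

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Strip separators (:, -, ., whitespace) and lowercase a MAC string.

    Returns the 12-hex-digit form, or None if the input is absent or is not a MAC.
    """
    if value is None:
        return None
    cleaned = re.sub(r"[:\-.\s]", "", value.strip()).lower()
    return cleaned if _HEX12.fullmatch(cleaned) else None


def mac_from_user_name(user_name, expected_domain=None):
    """Extract the MAC from a User-Name of the form MAC_addr@domain.

    The domain portion is stripped as the question proposes; if expected_domain
    is given, a User-Name from any other domain is treated as not matching.
    """
    if user_name is None or "@" not in user_name:
        return None
    local_part, domain = user_name.rsplit("@", 1)
    if expected_domain is not None and domain.lower() != expected_domain.lower():
        return None
    return normalize_mac(local_part)


def station_matches_certificate(attrs, expected_domain=None):
    """Return (accept, reason) for one set of RADIUS attributes.

    accept is True only when the MAC embedded in User-Name equals the
    Calling-Station-Id the NAS reported for this session.
    """
    cert_mac = mac_from_user_name(attrs.get("User-Name"), expected_domain)
    if cert_mac is None:
        return False, "User-Name is not MAC_addr@domain for the expected domain"
    station_mac = normalize_mac(attrs.get("Calling-Station-Id"))
    if station_mac is None:
        return False, "Calling-Station-Id missing or malformed"
    if cert_mac != station_mac:
        return False, "certificate MAC %s != station MAC %s" % (cert_mac, station_mac)
    return True, "match"


def evaluate(requests, expected_domain=None):
    """Apply the check to each request; returns a list of (accept, reason)."""
    return [station_matches_certificate(r, expected_domain) for r in requests]


if __name__ == "__main__":
    for attrs, (ok, why) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS, "example.com")):
        print("ACCEPT" if ok else "REJECT", attrs.get("User-Name"), "-", why)
```

Two points a practitioner would want alongside this: the check fails closed when the NAS omits Calling-Station-Id, so confirm the WLC actually sends the attribute before enforcing it; and Calling-Station-Id is the client MAC as relayed by the NAS, so this binds the certificate to a MAC value rather than to the hardware itself. It is a useful second factor on top of the non-exportable key template James suggests, not a substitute for it.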