Re: Only validate certificate, not AD account !
- From: gbraux@xxxxxxxxxxx
- Date: Fri, 30 Nov 2007 15:07:36 -0800 (PST)
Thanks for your answer.
Here is the message I posted on Expert-Exchange ... Maybe it will help
you to better understand my problem:
---
Hello,
This is my first post on Expert-Exchange, I hope somebody will be able
to help me !
My objective :
Authenticating a non-domain computer for 802.1x EAP/TLS access to a
wireless network using a computer certificate, IAS, and a stand-alone CA.
If the certificate is revoked, the client cannot connect to the
network. If the certificate is valid, access is granted.
My constraints :
- Client computers are non-domain Windows XP SP2 laptop computers.
- I have no AD computer object in my Active Directory for these
computers, as they are not integrated in my domain.
- My radius server is IAS. It is installed on a Windows server 2003
domain controller.
- My CA is a Stand-Alone Certification Authority also installed on the
domain controller.
My IAS configuration :
- Just a single access policy rule: Authentication-Type=EAP and NAS-
Port-Type="Wireless IEEE802.11".
- It seems that IAS has automatically integrated with my Active
Directory as they are on the same computer.
Resolved problems :
- Using the AuthMode=2 registry key on my client laptops, I am able to
force 802.1x to use only computer authentication (only use the
computer certificate, even if a user logs on).
- Not using an Enterprise CA because Enterprise-generated certificates
use a "Template" attribute, not suitable for non-domain computers.
- I generate certificates for the client computer (and integrate the root
CA) using CertSvr on an unsecured wired connection.
The problems I am not able to resolve :
- When a client authenticates, IAS tries to authenticate a user called
"host/CertificateName" through my Active Directory. This user does not
exist, so the connection is refused. The certificate is never
validated.
My PKI/IAS infrastructure seems to work, because when I do a user
authentication (disabling the AuthMode registry key and creating a user
called "CertificateName" in my AD), it works.
The certificate is validated by my CA, and access is granted.
I also tried creating a "host/CertificateName" AD account when doing
computer authentication. The Windows authentication passed, but I got
an error during the EAP negotiation.
My questions are :
- How to tell IAS not to make this Windows authentication before
validating the certificate, and only have the access policy based on the
certificate revocation state?
- If not possible, can an IAS Extension do the job (code sample?)
- As I generate the client computer certificate manually without a
template, what are the needed attributes to perform computer
authentication through IAS (I already know the client and server Auth OIDs
are needed, but there may be other needs ...)?
Any different solutions to achieve my goal are welcome, if you think
mine is not good :)
Guillaume
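As an added example (not part of the original post, and not Microsoft's IAS code), a PowerShell check run on the client laptop that inspects the computer certificate for the attributes the post identifies as required: the Client Authentication EKU (1.3.6.1.5.5.7.3.2), a private key, and a chain to the root CA that passes online revocation checking, so a certificate the stand-alone CA has revoked is flagged on the client before a wireless attempt. It assumes the certificate was imported into the machine's Personal store (Cert:\LocalMachine\My); that store path is an assumption.

```powershell
# Added example (not from the original post): inspect certificates in the
# local machine Personal store for the attributes an EAP-TLS client
# certificate needs, and report whether the CA currently lists them as revoked.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the "client Auth OID" of the post
$ekuExtOid     = '2.5.29.37'           # Extended Key Usage extension

function Test-EapTlsClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $result = @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey   # IAS cannot complete EAP-TLS without it
        HasClientAuth = $false
        ChainValid    = $false
        ChainStatus   = ''
    }

    # Extended Key Usage should list Client Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    if ($eku) {
        $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
        $result.HasClientAuth = ($ekuOids -contains $clientAuthOid)
    }

    # Build the chain with online revocation checking: a certificate the
    # stand-alone CA has revoked fails here, with the reason in ChainStatus.
    # This needs the CRL distribution point in the certificate to be reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $result.ChainValid  = $chain.Build($Cert)
    $result.ChainStatus = ($chain.ChainStatus |
        ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    New-Object PSObject -Property $result
}

# Check every certificate in the machine Personal store (assumed location)
# that carries a private key; the report shows what IAS will see.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-EapTlsClientCert -Cert $_ } | Format-List
```

A certificate that shows HasClientAuth=False, HasPrivateKey=False, or ChainValid=False with a "revoked" status will be rejected by the RADIUS server regardless of any account lookup, so fixing those first narrows the problem to the host/ account mapping the post describes.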