Re: IAS + CRL Usage (PEAP/EAS etc)



"MichaelW - Melb.Aus."
<MichaelWMelbAus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:9FF4407F-6CB5-4F81-936F-5B1A610DDCD0@xxxxxxxxxxxxx:

I'm just telling you what Microsoft says. Quoting Sam Salhi (MSFT) from
a post made Feb 20, 2004, he says:

"IAS doesn't store the CRL, PKI does. This CRL is not flushable,
although the metadata in a specific certificate can be modified to point
to a file. IAS uses the certificate to identify and validate the user
credentials. It doesn't use the certificate to authorize the user. It
needs an account in AD that the certificate maps to. I will say it again,
restricting access based on certificate revocation IS NOT RECOMMENDED!
Disable/lock/expire/remove dial-in on the user account instead."

Here's the thread:

http://groups.google.com/group/microsoft.public.internet.radius/browse_thread/thread/a1c197f4f6da59e3/fea035b885a8700f?lnk=st&q=eap-tls+crl+checking&rnum=4&hl=en#fea035b885a8700f

Or search Google groups for "eap-tls crl checking"

Wayne

> I'll take a traffic hit for an updated CRL - even 1Mb every 5 hours to
> our remote sites is bugger all if it means that I can ensure systems
> security.
>
> However, I disagree with your "authentication" comment "not for access
> control".
>
> Certificates are revoked for exactly this reason.. they are no longer
> trusted. This is the whole REASON for certificates - defining who we
> trust. In this case, we trust the CA - if I have a certificate signed
> by the CA - then I am a trusted person to others who trust it. I would
> like to be told if I am NOT to trust someone - and that is EXACTLY
> what the CRL is for.
>
> The way these certificates work is exactly as defined..
> I have just proven that, as a client, I don't need to have a certificate to
> authenticate against the certificate on the IAS server - I only need
> to TRUST the certificate installed on the IAS server.
>
> This means that anyone with a copy of the CA's certificate (in
> essence, downloaded straight off the CA's website) can access the
> network.
>
> What SHOULD occur, is that the ISA server should authenticate against
> the client's CERTIFICATE - and if that cert is trusted - then allow in.
> The trust is at least the wrong way around.. the client should be the
> one that is authenticated.
>
> The way it is right now - I trust anyone who can connect to my CA and
> download the CA's certificate - isn't that just the same as "I trust
> you - here is my password"??!!
> What happens when I no longer trust that person? Ask them not to use
> the password anymore? I don't think so..
>
>
>
> "Wayne Tilton" wrote:
>
>> "MichaelW - Melb.Aus."
>> <MichaelWMelbAus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> news:E2970912-A57D-4F4D-98D2-7CD2A184CD1F@xxxxxxxxxxxxx:
>>
>> > I am having a weird problem but I am not sure if it is a fault or
>> > what it is!??!
>> >
>> > I have IAS authenticating an 802.11g AP using AES/PEAP.
>> > I have installed Microsoft Certificate services on a 2000 machine,
>> > and autoenrolled all machines..
>> >
>> > Now I am testing revocation.
>> > The CRL is set to publish every 5 hours..
>> >
>> > I can establish a certificate and authenticate my session without
>> > fault. However, now I revoke my certificate - it shows in the CRL -
>> > but I can still authenticate???!!!
>> >
>> > How can this be? I would expect that the IAS server would check
>> > against the revocation list and see that my cert is revoked (listed
>> > as superseded)..
>> >
>> > how come I can still connect? Does IAS not check the CRL?
>> >
>>
>> You should not rely on certificate revocation to disable access. The
>> CRL is cached and will not be reloaded until it expires. Also,
>> you're generating a lot of extra traffic by setting your publication
>> interval to 5 hours.
>>
>> If you want to disable a user's or computer's access, disable the
>> account or adjust the dial-in properties. Certificates are for
>> authentication, not access control.
>>
>> HTH,
>>
>> Wayne Tilton
>>
>
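The following is an added example and is not code from Wayne, Michael or Microsoft. It is a standard-library Go program that builds a throwaway lab CA, issues one client certificate, publishes a 5-hour CRL, and models a relying party that downloads the CRL once and keeps using it until its NextUpdate passes, which is the caching behaviour Wayne describes. Every name and value in it (the "Lab Root CA" subject, the "lab-laptop" account, serial 1001, the start time) is constructed for the example, and the cache refresh rule is a simplification for illustration, not a description of how IAS is implemented. It shows the window between revoking the certificate and the cached CRL expiring, and that disabling the account the certificate maps to takes effect on the very next request.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Setup failures are fatal in this example.
func must(err error) { if err != nil { panic(err) } }

// newCert generates a P-256 key and returns the parsed certificate built from tmpl,
// signed by parent/signer (self-signed when parent is nil). Throwaway lab material.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil { parent, signer = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewLabCA builds a self-signed CA; x509.CreateRevocationList insists on KeyUsageCRLSign and a SubjectKeyId.
func NewLabCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"}, // constructed
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), SubjectKeyId: []byte{1, 2, 3, 4},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueClient returns a client-authentication certificate (what an EAP-TLS peer presents).
func IssueClient(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, cn string, now time.Time) *x509.Certificate {
	cert, _ := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, caCert, caKey)
	return cert
}

// PublishCRL signs a DER CRL that relying parties may cache until now+validity.
func PublishCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, num int64, revoked []pkix.RevokedCertificate, now time.Time, validity time.Duration) []byte {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(num), ThisUpdate: now, NextUpdate: now.Add(validity),
		RevokedCertificates: revoked,
	}, caCert, caKey)
	must(err)
	return der
}

// CRLCache models the relying-party behaviour the thread describes: the CRL is downloaded once
// and reused until its NextUpdate passes. That refresh rule is this example's simplification.
type CRLCache struct {
	Issuer  *x509.Certificate
	Fetch   func() []byte // stands in for the CRL distribution point
	Fetches int
	current *x509.RevocationList
}

func (c *CRLCache) IsRevoked(now time.Time, serial *big.Int) bool {
	if c.current == nil || !now.Before(c.current.NextUpdate) {
		rl, err := x509.ParseRevocationList(c.Fetch())
		must(err)
		must(rl.CheckSignatureFrom(c.Issuer)) // never act on an unverified list
		c.current, c.Fetches = rl, c.Fetches+1
	}
	for _, rc := range c.current.RevokedCertificates { if rc.SerialNumber.Cmp(serial) == 0 { return true } }
	return false
}

// RunTimeline replays the thread with a 5-hour CRL: revoke at +1h, then compare
// revocation alone with disabling the account at +2h, and check again at +5h.
func RunTimeline() map[string]bool {
	t0 := time.Date(2004, 2, 20, 0, 0, 0, 0, time.UTC) // constructed start time
	caCert, caKey := NewLabCA(t0)
	client := IssueClient(caCert, caKey, 1001, "lab-laptop", t0)
	latest := PublishCRL(caCert, caKey, 1, nil, t0, 5*time.Hour) // CRL #1: nothing revoked
	cache := &CRLCache{Issuer: caCert, Fetch: func() []byte { return latest }}
	// allow = certificate not on the (cached) CRL AND the mapped AD account is enabled.
	allow := func(now time.Time, accountEnabled bool) bool { return accountEnabled && !cache.IsRevoked(now, client.SerialNumber) }
	out := map[string]bool{"start": allow(t0, true)} // first request caches CRL #1
	revoked := []pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: t0.Add(time.Hour)}}
	latest = PublishCRL(caCert, caKey, 2, revoked, t0.Add(time.Hour), 5*time.Hour) // CRL #2 lists it
	out["2h"] = allow(t0.Add(2*time.Hour), true)                   // CRL #1 still cached: accepted
	out["2h-account-disabled"] = allow(t0.Add(2*time.Hour), false) // directory check is immediate
	out["5h"] = allow(t0.Add(5*time.Hour), true)                   // cache expired, CRL #2 fetched
	out["fetched-twice"] = cache.Fetches == 2
	return out
}

func main() { fmt.Println(RunTimeline()) }
```

Running it with `go run` prints the decisions map: the revoked certificate is still accepted at +2h because the cached CRL has not reached its NextUpdate, is rejected at +5h once a fresh CRL is fetched, and is rejected at +2h as soon as the mapped account is disabled. Shortening the CRL lifetime narrows that window only at the cost of the extra download traffic Wayne mentions, which is the trade-off the thread is about.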
