Re: Choosing which way to secure WLANs (IAS, WPA and certs or passwd)



Heath,

Certificates are a lot more secure than password strings. The use of
certificates demands a PKI infrastructure, whether this be an internal MS
Windows CA or a third-party CA (i.e. Thawte, VeriSign, etc.).

The idea behind certificates is that client A trusts client B's certificate
and vice versa, so in your case computer certificates would be deployed
across the LAN for the clients and servers. When the client boots and
attempts to connect to the WLAN, the request for the computer account to be
authenticated to the LAN is passed via IAS. As long as the computer account
is a member of the allowed group and the computer certificate is valid, the
computer would be allowed to authenticate and log on to the wireless LAN.
After this, the client would receive the Ctrl + Alt + Del screen, allowing
the "user" to enter logon credentials to log in to the PC and access
resources that they have been granted permissions to.

"Heath" <Heath@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ECB91673-D85F-42BB-A7A9-25AAF806185B@xxxxxxxxxxxxxxxx
I have been looking into setting up a wireless LAN and I am debating between
using certificates or not. I read the documents on Securing Wireless using
certs and Securing using PEAP and passwords. The one using PEAP and passwords
seems to be less complicated but I am wondering how much less secure it is.

Let's say I set up the following: RADIUS server (IAS), Microsoft root CA
(Windows 2003), Wireless Access Points (Proxim), Windows XP clients, WPA
encryption, settings using group policy. Also, in IAS, I create a group with
the users and computers that can use wireless.

How will the computer authentication work? What does it check for exactly?
At what point does it get an IP address? What is the risk of being hacked
compared to installing certificates on the client PCs?
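
Added example, not part of either post above: a PowerShell audit an administrator could run on a client to see whether its computer store holds a certificate that would pass the "computer certificate is valid" condition described in the reply. What counts as "valid" here (validity dates, a private key, the Client Authentication EKU, and a chain that builds to a trusted root) is this example's assumption, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: inspect computer certificates that could be used for
# certificate-based WLAN machine authentication. Run in an elevated session.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Locate the Enhanced Key Usage extension, if the certificate has one.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $clientAuthOid })
    }

    # Build the chain in machine context so the computer's trusted roots are used.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Online revocation checking needs the CA's CRL location to be reachable.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
} | Format-List
```

A certificate that shows `False` in any of the four check columns is a likely reason for a machine failing to join the WLAN before the logon screen appears; the group-membership half of the decision is made on the IAS server and is not visible from the client.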

