Re: EAP-TLS with windows CE
- From: "Paul G. Tobey [eMVP]" <p space tobey no spam AT no instrument no spam DOT com>
- Date: Wed, 15 Aug 2007 08:27:00 -0700
It's used to decide if you're legal to be connected to the network, of course. You're looked up in the user table, just as if you entered those credentials at the login prompt for Windows Server 2003 on the server machine. When it finds that you've entered the right login information, it checks to see if that user is allowed to connect via wireless/EAP/whatever, and, if so, tells the access point to allow you.

The certificate is *only* to identify the server *to the Windows CE device*. The certificate is a public thing, not a secret. *Anyone* might have that certificate, so merely having it in your certificate store only proves that you know who the server is, not that you should be allowed to connect to the network. When the server asks the Windows CE device to identify itself, the Windows CE device, to avoid man-in-the-middle or other impersonation problems, has to be able to verify that the system that's asking for a user name and password is someone that you should be telling that information to. If it didn't do that, I could easily steal your authentication information. Once the Windows CE device is convinced that the server is someone that it should be talking to, an encrypted connection is created based on the certificate and both ends know that no one trapping the packets in the middle can read them.
Paul T.
"hileyj" <hileyj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B162DAA7-0788-43D5-B0CF-064A9DF7A345@xxxxxxxxxxxxxxxx
Thanks for the quick response. That second paragraph you wrote makes sense with the little I had already known about TLS.

I'm still a little unclear about something, though. From my understanding, the conversation starts with an EAP Request/Identity from the AP to the client. Windows CE then prompts the wireless user for the UserName/DomainName. The client then responds with an EAP Response/Identity to the AP which gets passed on to an authentication server (RADIUS or otherwise). This response contains the username/domainName the wireless user entered in the prompt.

My question is, what exactly is this identity response used for at the authentication server? I thought the authentication was provided by the certificate information, so why is a user or machine name used in the Response/Identity packet? The problem I'm having is this prompt keeps reappearing, suggesting that something in the Response/Identity is incorrect.

Unfortunately, I can't give you more information about the actual EAP message exchange since I don't have access to the network where this is occurring.
Thanks again for your response,
Jon Hiley
"Paul G. Tobey [eMVP]" wrote:
What you want is the user name and password that the authentication server that your access point is directing the EAP packets to is expecting. It has nothing to do with the contents of the certificate at all. That will be used by the device to verify that the server is who it says that it is and that it should be trusted, and to encrypt the data. The server that's doing the verification decides what users and passwords are needed, though. If it doesn't work, I'd suspect that the problem is there.

No, there's no description anywhere that I've ever seen of how EAP-TLS works at all, let alone specifically on Windows CE. As I recall it, basically what happens is that Windows CE calls up the access point. The AP looks at how it's configured and sees that EAP-TLS is set, so it creates a virtual connection to the server with which it's supposed to communicate, commonly a RADIUS server, for the Windows CE device. The AP is configured with suitable authentication information so that it can connect to the server in this way. The server sees that someone is trying to connect and requests credentials, giving a list of ways that they can be provided, and some certificate identification information. The Windows CE device looks at the server information and verifies that the server's certificate was issued by a trusted authority (this is why you might need to install a certificate on the Windows CE device, to trust an authority other than those standard authorities). Via some back and forth, a secure connection is established. Once that's taken care of, Windows CE either asks you who you are or looks up the default credentials in the registry and sends them to the server via the negotiated protocol. If the server agrees that you are authenticated, it assigns you an IP address and tells the access point to allow you access to the entire network.
Paul T.
"hileyj" <hileyj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D16B6792-29C7-400D-8E49-58913988C1A2@xxxxxxxxxxxxxxxx
Hi,
I was wondering how EAP-TLS authentication is performed with Windows CE 5.0. I have loaded the necessary private key and certificates (they work with other devices such as laptops) onto my device and they appear to be going to the correct stores. When I go to connect to an EAP-TLS enabled network, I get a prompt for a User Name and Domain Name. What exactly is it looking for here? The Active Directory user name that the certificate was issued to? Or the subject name as on the certificate?

After entering the user name and the domain, the username dialog goes away but then authentication fails and it reappears. What are possible causes of this authentication failure?

Also, is there a good description somewhere out there about how EAP-TLS works with Windows CE 5.0? I'd really like to be able to troubleshoot these types of problems...
Thanks,
Jon
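The exchange discussed in this thread, as an added example that is not part of the original posts and is not code from Windows CE, the access point or any RADIUS product: the AP's EAP Request/Identity, the device's Response/Identity carrying the name typed at the prompt, the device's check that the server certificate chains to a CA it trusts before any password leaves the device, and the server's lookup of the user and its wireless permission. The EAP packet layout (Code, Identifier, Length, Type, Type-Data) follows RFC 3748; the `Cert` class, the trust store, the `DOMAIN\user` identity form and the user table are constructed stand-ins, not real X.509 handling or a real directory.

```python
"""Model of the 802.1X/EAP identity exchange and the device-side server-trust
check. Added example; not Windows CE, AP or RADIUS code. EAP framing per
RFC 3748; certificates, trust store and user table are constructed stand-ins."""
import hmac
import struct
from dataclasses import dataclass

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY = 1   # RFC 3748 Identity type
TYPE_EAP_TLS = 13   # RFC 5216 EAP-TLS type (the TLS handshake itself is not modelled)


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Encode an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data...]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Decode an EAP packet, rejecting truncated or mis-lengthed frames."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match frame size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "id": identifier}
    if length < 5:
        raise ValueError("Request/Response without Type byte")
    return {"code": code, "id": identifier, "type": packet[4], "data": packet[5:]}


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: subject and issuing CA only."""
    subject: str
    issuer: str


def client_trusts_server(server_cert, trusted_cas):
    """The device-side check: was the server certificate issued by a CA in its store?
    The subject alone proves nothing; anyone can put a familiar name in a cert."""
    return server_cert.issuer in trusted_cas


def split_identity(identity):
    """Split a DOMAIN\\user identity (assumed Windows-style form) into (domain, user)."""
    domain, sep, user = identity.partition("\\")
    return (domain, user) if sep else ("", identity)


def run_exchange(trusted_cas, server_cert, identity, password, user_table):
    """Walk the exchange: Request/Identity, Response/Identity, certificate check on
    the device, then credential lookup on the authentication server."""
    trace = []
    req = build_eap(EAP_REQUEST, 1, TYPE_IDENTITY)
    trace.append(("ap->client", parse_eap(req)))
    resp = build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, identity.encode())
    trace.append(("client->ap->server", parse_eap(resp)))
    # The server's certificate arrives inside the EAP-TLS handshake; modelled as one step.
    if not client_trusts_server(server_cert, trusted_cas):
        # Stopping here is what keeps an impersonating server from collecting the password.
        return {"trace": trace, "outcome": "client_aborted_untrusted_server",
                "credentials_sent": False}
    # Over the now-trusted channel the device sends its credentials; the server looks
    # the user up in its table and checks the wireless permission.
    domain, user = split_identity(parse_eap(resp)["data"].decode())
    entry = user_table.get((domain, user))
    allowed = bool(entry) and hmac.compare_digest(entry["password"], password) \
        and entry["wireless"]
    verdict = build_eap(EAP_SUCCESS if allowed else EAP_FAILURE, 2)
    trace.append(("server->client", parse_eap(verdict)))
    return {"trace": trace, "outcome": "success" if allowed else "failure",
            "credentials_sent": True}


# Constructed sample data for a stand-alone run (not real CAs, hosts or accounts).
TRUSTED_CAS = {"Example Root CA"}
GOOD_SERVER = Cert(subject="radius.example.test", issuer="Example Root CA")
ROGUE_SERVER = Cert(subject="radius.example.test", issuer="Rogue Self-Signed CA")
USER_TABLE = {
    ("CORP", "jhiley"): {"password": "s3cret-example", "wireless": True},
    ("CORP", "desk_only"): {"password": "s3cret-example", "wireless": False},
}

if __name__ == "__main__":
    for name, cert in (("good server", GOOD_SERVER), ("rogue server", ROGUE_SERVER)):
        r = run_exchange(TRUSTED_CAS, cert, "CORP\\jhiley", "s3cret-example", USER_TABLE)
        print(f"{name}: {r['outcome']} (credentials sent: {r['credentials_sent']})")
```

Both servers present the same subject name; only the issuer differs, which is why the device's trust store (and the extra CA certificate the thread mentions installing) is what decides whether the password is ever sent. The `desk_only` account shows the second gate the thread describes: a valid login is still refused when the account is not permitted wireless access.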