802.1x authentication..

Discussion in 'Wireless Networking' started by Zul J, Jul 8, 2005.

  1. Zul J

    Zul J Guest

    Hi,

    I'm setting up a wireless network. I have a Cisco 350 series AP and am going to
    use the Windows Server 2003 IAS as the RADIUS server. I would like to
    control the client based on the MAC address and the Active Directory user
    logon. The IAS server is a member of the AD. I have installed a standalone
    certificate server on the IAS server. On the Cisco AP, I have checked the
    EAP, MAC and USER authentication for RADIUS security settings. The questions:

    1) How do I control the users based on the MAC address and the logon without
    using any certificates?
    2) If with certificates, how do I do that?
    3) In the IAS, what authentication type am I supposed to use for
    questions (1) and (2)?

    Thank you.

    Rgrds,
    Zul
    Zul J, Jul 8, 2005
    #1

  2. Mark Gamache

    Mark Gamache Guest

    It looks like you have done some interesting stuff.

    1. Forget about MAC authentication. It is of no real value.
    2. You need to decide whether you want users to authenticate with a
    certificate or a username and password.
    3. Make sure the IAS server has been authorized in AD.

    If clients will use certificates, you need to:
    1. Uninstall the CA and make it an Enterprise CA
    2. Issue user certs to the clients
    3. Set up a policy for EAP-TLS in IAS

    If you use passwords:
    1. Make sure your IAS server has a certificate in its local machine store
    that is valid for server authentication
    2. Set up a policy using PEAP with passwords in IAS.

    I hope that gets you started.


    Cheers

    --
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com
    Mark Gamache, Jul 8, 2005
    #2
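The certificate check from the password path in the reply above (a certificate in the local machine store that is valid for server authentication), as an added PowerShell example that is not part of the thread. It assumes PowerShell 3.0 or later on the RADIUS server (for instance NPS, the successor to IAS; Windows Server 2003 did not ship with PowerShell) and treats a certificate without the Server Authentication EKU as unusable.

```powershell
# Added example (not from the thread): report which certificates in the
# local machine "Personal" store could be presented by a RADIUS server
# for PEAP. Assumption: PowerShell 3.0+ is available on the server.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth (Server Authentication)
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Collect the OIDs listed in the Enhanced Key Usage extension, if any.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # Each failed condition is recorded so the operator sees why a
    # certificate is not usable, not just that it is not.
    $problems = @()
    if (-not $cert.HasPrivateKey)        { $problems += 'no private key' }
    if ($now -lt $cert.NotBefore)        { $problems += 'not yet valid' }
    if ($now -gt $cert.NotAfter)         { $problems += 'expired' }
    # Strict reading (assumption): the EKU must name Server Authentication.
    if ($ekuOids -notcontains $serverAuthOid) {
        $problems += 'EKU lacks Server Authentication'
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        UsableForPeap = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
    }
} | Format-Table -AutoSize
```

Run it in an elevated session on the RADIUS server; a row with `UsableForPeap` set to `True` is a candidate for the PEAP policy's server certificate.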

  3. Take a look at
    ftp://symstore.longisland.com/Symstore/techpubs/manuals/wireless/pdf/142I-WPA_Win_XP_IAS_v1.pdf
    to use a PEAP authentication scheme.
    ---
    Jeffrey Randow (Windows Networking MVP)

    http://www.networkblog.net (My Networking Blog)
    http://www.remotenetworktechnology.com (Support Site)

    Jeffrey Randow (MVP), Jul 10, 2005
    #3
  4. Zul J

    Zul J Guest

    Hi,

    Can I have both: authenticate with a certificate and a username/password?
    In other words, the client must have the certificate installed and must
    log in with the username/password to have access.

    Thanks.

    Rgrds,
    Zul
    Zul J, Jul 11, 2005
    #4
  5. Zul J

    Zul J Guest

    Hi,

    I found one article on the Microsoft site related to using a certificate:

    http://www.microsoft.com/technet/security/topics/cryptographyetc/peap_0.mspx

    but it is more for users who are members of the AD domain (using a
    group policy); most of our notebook or wireless clients are standalone
    users.

    Rgrds,
    Zul
    Zul J, Jul 11, 2005
    #5
  6. Mark Gamache

    Mark Gamache Guest

    If you use L2TP/IPSec then you can use a computer cert to create the IPSec
    connection and then username and password to authenticate the user.

    --
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com
    Mark Gamache, Jul 11, 2005
    #6
  7. Zul J

    Zul J Guest

    Thanks...

    Zul J, Jul 12, 2005
    #7