Attn. MVPs/MSFT - Q: different authentication methods for computers/users

Discussion in 'Wireless Networking' started by S. Pidgorny, Dec 13, 2004.

  1. S. Pidgorny

    S. Pidgorny Guest

    Is it possible to use computer password/soft cert for computer authentication
    and a smart card for user authentication to wireless network?

    I can create separate IAS policies but I'm unable to create different
    connection settings for the same SSID for computer and user.

    I will do more testing, but while my Cisco Aironet 1x00 APs are on their
    way, I'd like any input on the following:

    1. If I use PEAP, will that work if I'm authenticating users to Windows
    using smart cards?
    2. If authentication fails for the SSID at the top of the preference list,
    will the client try the next SSID on the list (the idea is to have different
    SSIDs for computers and users - as ugly as it sounds)?

    Appreciate any thoughts.

    Cheers

    Slav
    S. Pidgorny, Dec 13, 2004
    #1

  2. Hi!
    "S. Pidgorny <MVP>" <> wrote in message
    news:...
    > Is it possible to use computer password/soft cert for computer authentication
    > and a smart card for user authentication to wireless network?
    >
    > I can create separate IAS policies but I'm unable to create different
    > connection settings for the same SSID for computer and user.
    >
    > I will do more testing, but while my Cisco Aironet 1x00 APs are on their
    > way, I'd like any input on the following:
    >
    > 1. If I use PEAP, will that work if I'm authenticating users to Windows
    > using smart cards?
    > 2. If authentication fails for the SSID at the top of the preference list,
    > will the client try the next SSID on the list (the idea is to have different
    > SSIDs for computers and users - as ugly as it sounds)?
    >

    You can't. An SSID (like a MAC) is a property of the BSS, not of the user :(
    Arkady

    > Appreciate any thoughts.
    >
    > Cheers
    >
    > Slav
    >
    >
    Arkady Frenkel, Dec 13, 2004
    #2

  3. S. Pidgorny

    S. Pidgorny Guest

    Hi Steve:

    "Steve Riley [MSFT]" <> wrote in message
    news:...
    > A couple things planned for PEAP v.2 will help here. There will be a
    > cryptographic binding between the server's authentication method and the
    > client's, to prevent certain kinds of MITM attacks (which can be stopped now
    > if you use group policy to constrain the client to trust only a certain CA).
    > You'll also be able to choose different methods for computers and users.


    When will PEAPv2 be available for XP?

    > Not sure what you really are looking for with your second point... SSIDs are
    > network names and therefore group together network elements like
    > authenticators (access points) and supplicants (computers)... I don't see a
    > way to assign an SSID to a person. Why do you need to do this?


    I can use different authentication for different SSIDs on the same AP. If XP
    will retry the second SSID on the list after failing authentication to the
    first one, I can do PEAP authentication for computers and EAP-TLS for the
    users.

    Still wondering if PEAPv0 will work if I authenticate users using a smart
    card. Can only test next week but would like to know what to expect
    beforehand.

    Thank you!

    Slav

    > "S. Pidgorny <MVP>" <> wrote in message
    > news:...
    > > Is it possible to use computer password/soft cert for computer authentication
    > > and a smart card for user authentication to wireless network?
    > >
    > > I can create separate IAS policies but I'm unable to create different
    > > connection settings for the same SSID for computer and user.
    > >
    > > I will do more testing, but while my Cisco Aironet 1x00 APs are on their
    > > way, I'd like any input on the following:
    > >
    > > 1. If I use PEAP, will that work if I'm authenticating users to Windows
    > > using smart cards?
    > > 2. If authentication fails for the SSID at the top of the preference list,
    > > will the client try the next SSID on the list (the idea is to have different
    > > SSIDs for computers and users - as ugly as it sounds)?
    > >
    > > Appreciate any thoughts.
    > >
    > > Cheers
    > >
    > > Slav
    S. Pidgorny, Dec 14, 2004
    #3
  4. > When will PEAPv2 be available for XP?

    Dunno. It's in the works, though.


    > I can use different authentication for different SSIDs on the same AP. If XP
    > will retry the second SSID on the list after failing authentication to the
    > first one, I can do PEAP authentication for computers and EAP-TLS for the
    > users.
    >
    > Still wondering if PEAPv0 will work if I authenticate users using a smart
    > card. Can only test next week but would like to know what to expect
    > beforehand.


    Interesting. Not something I've seen done before. Let us know what you
    discover! :)

    Steve Riley




    "S. Pidgorny <MVP>" <> wrote in message
    news:...
    > Hi Steve:
    >
    > "Steve Riley [MSFT]" <> wrote in message
    > news:...
    >> A couple things planned for PEAP v.2 will help here. There will be a
    >> cryptographic binding between the server's authentication method and the
    >> client's, to prevent certain kinds of MITM attacks (which can be stopped now
    >> if you use group policy to constrain the client to trust only a certain CA).
    >> You'll also be able to choose different methods for computers and users.
    >
    > When will PEAPv2 be available for XP?
    >
    >> Not sure what you really are looking for with your second point... SSIDs are
    >> network names and therefore group together network elements like
    >> authenticators (access points) and supplicants (computers)... I don't see a
    >> way to assign an SSID to a person. Why do you need to do this?
    >
    > I can use different authentication for different SSIDs on the same AP. If XP
    > will retry the second SSID on the list after failing authentication to the
    > first one, I can do PEAP authentication for computers and EAP-TLS for the
    > users.
    >
    > Still wondering if PEAPv0 will work if I authenticate users using a smart
    > card. Can only test next week but would like to know what to expect
    > beforehand.
    >
    > Thank you!
    >
    > Slav
    >
    >> "S. Pidgorny <MVP>" <> wrote in message
    >> news:...
    >> > Is it possible to use computer password/soft cert for computer authentication
    >> > and a smart card for user authentication to wireless network?
    >> >
    >> > I can create separate IAS policies but I'm unable to create different
    >> > connection settings for the same SSID for computer and user.
    >> >
    >> > I will do more testing, but while my Cisco Aironet 1x00 APs are on their
    >> > way, I'd like any input on the following:
    >> >
    >> > 1. If I use PEAP, will that work if I'm authenticating users to Windows
    >> > using smart cards?
    >> > 2. If authentication fails for the SSID at the top of the preference list,
    >> > will the client try the next SSID on the list (the idea is to have different
    >> > SSIDs for computers and users - as ugly as it sounds)?
    >> >
    >> > Appreciate any thoughts.
    >> >
    >> > Cheers
    >> >
    >> > Slav
    Steve Riley [MSFT], Dec 14, 2004
    #4
  5. S. Pidgorny

    S. Pidgorny Guest

    Done some testing:

    PEAP v0 authentication when the user logs on using a smart card: it works.
    Tested on a system with no cached user profile credentials: upon system
    startup, it connects to the wireless network (PEAP/computer auth), then
    domain logon using the smart card works too. Sounds like a better solution
    to me.

    Separate SSIDs for user/computer authentication: IAS doesn't support the
    required RADIUS attribute, so I cannot create separate IAS profiles for
    different SSIDs.

    --
    Svyatoslav Pidgorny, MVP, MCSE
    -= F1 is the key =-

    "Steve Riley [MSFT]" <> wrote in message
    news:#...

    > > I can use different authentication for different SSIDs on the same AP. If XP
    > > will retry the second SSID on the list after failing authentication to the
    > > first one, I can do PEAP authentication for computers and EAP-TLS for the
    > > users.
    > >
    > > Still wondering if PEAPv0 will work if I authenticate users using a smart
    > > card. Can only test next week but would like to know what to expect
    > > beforehand.

    >
    > Interesting. Not something I've seen done before. Let us know what you
    > discover! :)
    >
    > Steve Riley
    >
    S. Pidgorny, Dec 17, 2004
    #5
  6. > Separate SSIDs for user/computer authentication: IAS doesn't support the
    > required RADIUS attribute, so I cannot create separate IAS profiles for
    > different SSIDs.


    Slav, I'm still having trouble envisioning why this is a requirement. An
    SSID is a network name. Access points belong to one network by virtue of the
    SSID programmed into them. If my computer has authenticated to the access
    point closest to me, and is therefore now a member of that SSID-named
    network, why would I ever want my user account to authenticate to some other
    SSID, which most likely means some other network?

    Steve Riley




    "S. Pidgorny <MVP>" <> wrote in message
    news:%...
    > Done some testing:
    >
    > PEAP v0 authentication when the user logs on using a smart card: it works.
    > Tested on a system with no cached user profile credentials: upon system
    > startup, it connects to the wireless network (PEAP/computer auth), then
    > domain logon using the smart card works too. Sounds like a better solution
    > to me.
    >
    > Separate SSIDs for user/computer authentication: IAS doesn't support the
    > required RADIUS attribute, so I cannot create separate IAS profiles for
    > different SSIDs.
    >
    > --
    > Svyatoslav Pidgorny, MVP, MCSE
    > -= F1 is the key =-
    >
    > "Steve Riley [MSFT]" <> wrote in message
    > news:#...
    >
    >> > I can use different authentication for different SSIDs on the same AP. If
    >> > XP will retry the second SSID on the list after failing authentication to
    >> > the first one, I can do PEAP authentication for computers and EAP-TLS for
    >> > the users.
    >> >
    >> > Still wondering if PEAPv0 will work if I authenticate users using a smart
    >> > card. Can only test next week but would like to know what to expect
    >> > beforehand.

    >>
    >> Interesting. Not something I've seen done before. Let us know what you
    >> discover! :)
    >>
    >> Steve Riley
    >>
    Steve Riley [MSFT], Dec 17, 2004
    #6
  7. S. Pidgorny

    S. Pidgorny Guest

    Steve, that was just a bad idea. As PEAP works well when the user authenticates
    with a smart card, there is no reason to go into the complexity of having
    separate SSIDs.

    Frankly, I had to demonstrate all the different applications of the smart card
    to some business people. I could configure smart card authentication for the
    wireless network so that Windows asks me to select a certificate, requests the
    PIN etc. That works well, but I wasn't happy about the fact that the computer
    doesn't get authenticated - so I started to look at different authentication
    for computers and users. I will do my demonstration but I will recommend
    against smart card authentication for corporate wireless connectivity, as
    PEAP provides seamless secure wireless network authentication to smart card
    users - mind you, I cannot use EAP-TLS in this case (soft certs and smart
    cards are different settings for the wireless connection).

    --
    Svyatoslav Pidgorny, MVP, MCSE
    -= F1 is the key =-



    "Steve Riley [MSFT]" <> wrote in message
    news:...
    > > Separate SSIDs for user/computer authentication: IAS doesn't support the
    > > required RADIUS attribute, so I cannot create separate IAS profiles for
    > > different SSIDs.
    >
    > Slav, I'm still having trouble envisioning why this is a requirement. An
    > SSID is a network name. Access points belong to one network by virtue of the
    > SSID programmed into them. If my computer has authenticated to the access
    > point closest to me, and is therefore now a member of that SSID-named
    > network, why would I ever want my user account to authenticate to some other
    > SSID, which most likely means some other network?
    >
    > Steve Riley
    >
    S. Pidgorny, Dec 18, 2004
    #7