Can we do without user authentication?

Discussion in 'Wireless Networking' started by Al Blake, Oct 5, 2004.

  1. Al Blake

    Al Blake Guest

    Setting up a WLAN of 250+ laptops - all Windows XP SP1.
    Using 2003 Enterprise to auto-enroll certificates for machines (+ maybe
    60+ Cisco 1200 APs using EAP-TLS for authentication.

    We need a system that is:
    a) Totally transparent to end-users
    (ie logging onto WLAN is same as logging onto Wired LAN)
    b) Is secure and not easily hacked
    (we are a high school so we don't need defense grade security but we do
    want to take all due care and do better than static WEP)
    c) Easy to administer through AD (we can't possibly manage certificates

    After a bit of experimentation and a lot of swearing we have setup one AP +
    IAS + two laptops to use EAP-TLS. We started off by requiring Computer +
    user certificate authentication but this was a real headache - especially
    getting all the users' certificates on to the laptops they *might* log on
    to - and very slow (due to the re-authentication when a user logs on).
    So we just found the setting in AD to require computer authentication *all*
    the time.
    This works much more reliably but (here's the question)

    what are we giving up?

    Realistically what downsides can anyone see by only requiring the laptop to
    authenticate itself using its own certificate (and presumably then getting a
    secure WEP channel established) over which the user can then authenticate
    with the standard domain username & password, just like they do with a wired
    logon? Isn't the level of encryption the same anyway? What would we gain for
    all the hassle of requiring user certificates (2000+) as well?

    Any comments? Any big holes here?

    Al Blake, Canberra, Australia
    Al Blake, Oct 5, 2004

  2. Jeff Durham

    Jeff Durham Guest

    I had thought about this too setting up my environment and it sounds
    reasonable to me. Since the machine has to have a computer certificate that
    you provided, only those computers will be able to connect to the wireless

    Jeff Durham, Oct 5, 2004

  3. Al Blake

    Al Blake Guest

    Hey Jeff,
    Good to hear from you again.
    Seems to me that setting up a user certificate infrastructure that we don't
    need, which will be continuously issuing 1000s of certs, is an extra
    complication if we can do without it. The machine certs will be fairly
    static as we don't buy new laptops that often :(

    Do you know how the WEP encryption is established when you use EAP-TLS? I
    have got mine working and haven't had to input WEP keys (not practical on
    hundreds of machines)... but I would like to know how the AP and client
    decide what WEP key to use?
    Is it randomly generated once the certificate has been verified?


    Al Blake, Oct 5, 2004
  4. Chris Gual [MSFT]

    Hi Al,

    Once 802.1X authentication has completed the AP will send a WEP key to the
    802.1X supplicant (ie. the laptop). It is randomly generated by the AP. I'm
    sure that the AP is not basing the WEP key generated on any information
    within the certificate.

    In answer to your original question concerning user authentication: have
    you considered using PEAP-MSCHAPv2 instead of EAP-TLS? PEAP-MSCHAPv2
    should enable you to do user authentication without having to have all the
    users' certs on the laptop.

    Chris Gual [MSFT]
    Chris Gual [MSFT], Oct 7, 2004
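    As an added illustration of what Chris describes (not code from the thread or from any Microsoft or Cisco product): after EAP-TLS succeeds, the authenticator wraps a randomly generated WEP key in an EAPOL-Key frame using the RC4 key descriptor of IEEE 802.1X-2001, and the supplicant checks the HMAC-MD5 signature and replay counter before installing it. The split of the EAP master key into a 32-byte key-encryption key and a 32-byte signing key, and the RC4 key being IV || key-encryption key, follow common implementations and are assumptions here.

```python
# Added example: 802.1X-2001 EAPOL-Key (RC4 descriptor) as used for dynamic WEP.
# Assumption: MSK[:32] encrypts the key, MSK[32:64] signs the frame (as hostapd does).
import hmac, hashlib, os, struct

EAPOL_VERSION, EAPOL_KEY, RC4_DESC = 1, 3, 1
# Descriptor header: type, key length, replay counter, IV, key index, signature
HDR = struct.Struct("!BH8s16sB16s")

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; this descriptor does not discard leading keystream bytes."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def build_eapol_key(msk, wep_key, index, replay, unicast=True, iv=None):
    """AP side: wrap a freshly generated per-session WEP key for one supplicant."""
    enc_key, sign_key = msk[:32], msk[32:64]
    iv = iv or os.urandom(16)
    idx = (index & 0x7F) | (0x80 if unicast else 0)   # bit 7 = unicast key
    wrapped = rc4(iv + enc_key, wep_key)               # RC4 key = IV || key-encryption key
    desc = HDR.pack(RC4_DESC, len(wep_key), replay.to_bytes(8, "big"), iv, idx, bytes(16))
    frame = struct.pack("!BBH", EAPOL_VERSION, EAPOL_KEY, len(desc) + len(wrapped)) + desc + wrapped
    sig = hmac.new(sign_key, frame, hashlib.md5).digest()  # HMAC-MD5 with signature field zeroed
    return frame[:4 + HDR.size - 16] + sig + wrapped

def parse_eapol_key(msk, frame, last_replay=-1):
    """Supplicant side: verify signature and replay counter, then unwrap the WEP key."""
    enc_key, sign_key = msk[:32], msk[32:64]
    _ver, typ, length = struct.unpack_from("!BBH", frame)
    if typ != EAPOL_KEY or len(frame) != 4 + length:
        raise ValueError("not a well-formed EAPOL-Key frame")
    dtype, klen, replay, iv, idx, sig = HDR.unpack_from(frame, 4)
    if dtype != RC4_DESC:
        raise ValueError("unsupported key descriptor type")
    zeroed = frame[:4 + HDR.size - 16] + bytes(16) + frame[4 + HDR.size:]
    if not hmac.compare_digest(hmac.new(sign_key, zeroed, hashlib.md5).digest(), sig):
        raise ValueError("bad key signature: frame not from our authenticator")
    if int.from_bytes(replay, "big") <= last_replay:
        raise ValueError("replayed EAPOL-Key frame")
    wep_key = rc4(iv + enc_key, frame[4 + HDR.size:])
    if len(wep_key) != klen:
        raise ValueError("key length field does not match key data")
    return idx & 0x7F, bool(idx & 0x80), wep_key
```

    This is the legacy dynamic-WEP key delivery the thread is about; WPA/WPA2 replaced it with the 4-way handshake.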
  5. Al Blake

    Al Blake Guest

    Thanks for the feedback Chris,
    No we haven't considered PEAP-MSChapv2, but why would we want to?
    I mean the user has to login using their domain username and password anyway
    (just like on the wire) and if we have already authenticated the machine
    (using PEAP-TLS) and we are encrypting the channel so that hopefully no-one
    can steal the logon info off the WLAN then what additional benefit would we
    achieve over using the PEAP-TLS just to validate the machine?

    I may be missing something here?
    Also, if we were to consider PEAP-MSChapv2 would the user have to re-logon
    for the wireless (ie a secondary logon)? That would be total overkill for
    some of our users who can only just about logon once ;)


    Al Blake, Oct 11, 2004
  6. Chris Gual [MSFT]

    Hi Al,

    If you use just machine authentication with 802.1X (with any EAP type),
    anyone logged into the machine can access the wireless network. This
    includes accounts which are local to the machine and are not domain
    accounts. It also means that, as a domain administrator, you will be
    able to control access to the wireless network on a machine basis rather
    than a user basis (ie. you can deny access to the network to machine1, but
    not to user1). If this type of authentication control is sufficient, then you
    could use either EAP-TLS, PEAP-MSCHAPv2 or PEAP-TLS as EAP types. Both TLS
    types use certificates to authenticate, but MSCHAPv2 uses a
    username/password to authenticate.

    If you use user authentication with 802.1X (with any EAP type) then only
    users which are allowed remote access by the IAS / Domain controller will be
    able to access the wireless network. You could conceivably allow someone to
    log in and use a machine without letting them onto the network. Using a
    certificate based approach (EAP-TLS or PEAP-TLS) would require that each
    user have a certificate on the machine in order to access the network.
    PEAP-MSCHAPv2 would just use a username/password, and by default it is
    configured to automatically use the same username/password used to login via
    the domain for 802.1X authentication.

    So, either method might work for you. I just wanted to let you know
    that it was possible to do user authentication without having certs on all
    the machines.

    Chris Gual [MSFT]
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Chris Gual [MSFT], Oct 12, 2004