10-30-2008 12:47 PM - edited 03-10-2019 04:09 PM
I've set up a test ACS server and have everything functioning correctly including the WLAN. However, is there any way for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently set up with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenario:
I have many CoW's (computer on wheels) throughout the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have a default_user certificate installed on the machines. But what if Doctor X decides to walk up to one of these CoW's and wants to log out and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if he doesn't already have a cert on this computer? I'm quite mystified by this.
Thanks
-Raun
11-04-2008 09:40 AM
If you are using the MS Supplicant, you need the following registry settings:
"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"
"HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"
This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.
As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. Their "Encryption Management" tools are certificate management suites. They do have roaming management, or at least did when we talked to them.
Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.
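As an added example (not from the thread or from any poster), a PowerShell script that audits the two EAPOL registry values given above on a host and, with -Enforce, applies them. It assumes the key path and value meanings are exactly as stated in the answer (AuthMode 2 = machine certificate only, SupplicantMode 3 = 802.1X-compliant supplicant behaviour) and that the host runs the Windows supplicant the answer refers to.

```powershell
# Added example: audit and optionally enforce the EAPOL settings from the post.
# Assumption: key path and value meanings are as stated in the thread.
param(
    [switch]$Enforce   # without -Enforce the script only reports drift
)

$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$Expected = @{ AuthMode = 2; SupplicantMode = 3 }   # values quoted in the answer

function Get-EapolSetting {
    param([string]$Name)
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$drift = @()
foreach ($name in $Expected.Keys) {
    $current = Get-EapolSetting -Name $name
    $state = if ($null -eq $current) { 'MISSING' }
             elseif ($current -ne $Expected[$name]) { "WRONG (current $current)" }
             else { 'OK' }
    '{0,-15} expected {1}  -> {2}' -f $name, $Expected[$name], $state
    if ($state -ne 'OK') { $drift += $name }
}

if ($drift.Count -eq 0) {
    'All EAPOL settings already match the machine-certificate-only configuration.'
} elseif ($Enforce) {
    # Create the key if it does not exist yet, then write only the values that drifted.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($name in $drift) {
        Set-ItemProperty -Path $KeyPath -Name $name -Value $Expected[$name] -Type DWord
        "Set $name = $($Expected[$name]) (REG_DWORD)"
    }
} else {
    "Drift detected in: $($drift -join ', '). Re-run with -Enforce to apply."
}
```

Run it without -Enforce first from an elevated prompt to see what would change; the report lines make it easy to compare many hosts before applying.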
11-04-2008 11:52 AM
Thank you! I've looked at the authmode/supplicantmode in the past but had not tried it in trying to get user authentication working as well. I appreciate your answer on the roaming profiles, clears quite a bit up. I do have a question though. I've noticed with my laptop with the reg hack and machine authentication only, I seem to authenticate a lot. Looking at my ACS server logs it can span between a few minutes to 30 minutes. Doesn't seem to be tied to the EAP timeout period either. Any ideas on this? I ask because I noticed at one point I lost my IP and then it reauthenticated.
11-04-2008 12:01 PM
I would guess that you are crossing from access point to access point. We do wired, so do not see this ;)
11-04-2008 12:03 PM
Yeah, I meant to put in my message that I was stationary. So not sure what it is. Trying PEAP-TLS with machine authentication, see what that does.