Computer CA issues in a wireless environment

Answered Question
Nov 28th, 2008

Hi there


I am trying to install a wireless security environment in a customer network. All Cisco devices, WLC and APs, are working correctly with guest users and Web Auth.


I would like to install computer certificates for employees. I have installed a root CA on a Windows Server 2003 Enterprise and IAS on another Windows Server 2003 in the domain. I configured WPA2+802.1X on the WLC and WPA2+PEAP with MSCHAPv2 on the employee computer and installed a computer certificate on it. The problem is that I get authenticated into the employee network environment straight away, with or without the certificate.


Does someone know if I need to use something else to stop the domain users without the computer certificate and validate computers with it?


thank you very much in advance,


Oscar

Vinay Saini Fri, 11/28/2008 - 05:27

Hi


I guess you are looking for a solution where you want both client and server side certs. In that case you need to use EAP-TLS, which checks both client and server certs for auth.


PEAP doesn't use client side certs.


Thanks

Vinay

Oscar Cardiel Fri, 11/28/2008 - 06:56

Thanks Vinay for your answer.


Do you know if I can issue a certificate only to the computer? That is, a corporate user with a computer certificate gets logged in and a corporate user without a computer certificate doesn't get logged in.


Thank you in advance,


Oscar


Correct Answer
Vinay Saini Fri, 11/28/2008 - 07:13

Hi Oscar,


As I understood it, your requirement is to allow only specific users that have a client side certificate to access the network, right?


So if that is the case you have to use EAP-TLS; you have to provide a client side certificate to all users.


For this:


Client/Laptop: select WPA2+AES with EAP-TLS


SSID on Controller: WPA2+AES with 802.1X


RADIUS: should support EAP-TLS and you need to install proper certs there


Hope this helps


Vinay

Oscar Cardiel Fri, 11/28/2008 - 08:03

You are right, I am going to try it.


Thank you very much for your help.


All the best there,


Oscar

andrew.butterworth Thu, 12/11/2008 - 06:08

One thing to be aware of is the 802.1X supplicant behaviour on the client. The 1st thing you need to ensure is that the MS client is used, as the Cisco one doesn't support machine authentication (the last time I looked or tried it, it didn't anyway). The 2nd is the supplicant re-authentication behaviour. By default the MS client will use Machine Authentication when a user is not logged on, but once a user logs on it will attempt to use User Authentication.

When I tested this in the lab a while ago it opened up a sort of security hole, i.e. you only want to allow machines that are valid (domain members) to access the wireless network; however, a user could put a certificate on a home laptop via the wired network or by importing one, and then use this to authenticate himself on an invalid machine. You can change the supplicant behaviour to only perform Machine Authentication to prevent this, either by modifying the registry or using a Group Policy. You must also restrict which users (machines) are allowed to access the wireless network with the RADIUS policy as well.

Microsoft recommend Machine Authentication with User Re-Authentication; however, with their IAS (RADIUS) server you can't enforce this, as there is no state tracking of machine/user authentication. Cisco ACS 4.x has this added functionality with a dot1x feature called Machine Access Restrictions. This tracks machine authentication and only allows user authentication from machines that are already authenticated. It uses the RADIUS attribute 'Calling-Station-ID' to track this.


Personally I would enforce Machine-Only authentication and use a restrictive IAS policy to only allow Machines to authenticate.


Andy

Oscar Cardiel Thu, 12/11/2008 - 06:41

Dear Andy,


Many thanks for your reply, it is highly appreciated.


Oscar
