01-07-2009 06:47 AM - edited 07-03-2021 04:57 PM
Which EAP method would be the most secure in this case, and fulfill these requirements:
1) Want to authenticate users via LDAP to an Active Directory database
2) Also want to require that they have a unique certificate on their PCs (which we manually install on them).
3) Supports single sign-on (pass-through) authentication from a Windows XP machine.
01-07-2009 05:26 PM
You can use EAP-TLS. That requires a server and a client side cert. You can use Microsoft IAS (RADIUS) server for user auth that points to the AD database.
01-13-2009 01:26 PM
Keep in mind with Windows XP/2k3 (SP2/default client authentication) that if your users move from station to station, it does not support a 'cert roaming' environment. The problem I faced was if a doc used his laptop then tried to access one of our wireless carts on the floor, he couldn't log in because his cert had never been applied to that cart and was already active on a different device. We ended up turning off client certificate authentication on XP and are only using 'computer certificate' authentication. If you need more information on this I'd be glad to help. I'm unfamiliar on the IAS side as I use ACS.
01-13-2009 01:39 PM
Perhaps I am confused on the idea of client certificates. I was thinking I would put one universal certificate on the PCs that would have wireless access. I did not think that they would be a unique certificate per user.
How could I get away with requiring a 'company' certificate on each company PC and then just have them authenticate with their AD username (via LDAP/RADIUS)? Would this be machine certificates?
01-13-2009 03:46 PM
You could do PEAP as well. EAP-TLS requires a per-user certificate, while PEAP only requires the Root CA certificate be installed on the end machines.
HTH,
Steve
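The certificate requirements described in the two answers above (EAP-TLS needs a certificate and key on every client; PEAP needs only the root CA certificate plus the user's AD credentials) are easiest to see side by side in a supplicant configuration. The following wpa_supplicant.conf excerpt is an added example, not something posted in this thread or shipped by Cisco or Microsoft; the SSID, file paths, user name and RADIUS server name are all constructed placeholders.

```conf
# Constructed wpa_supplicant.conf excerpt (added example, not from the thread).
# Assumed names: SSID "corp-wlan", root CA at /etc/certs/corp-root-ca.pem,
# a per-user EAP-TLS certificate/key, and a RADIUS server named
# radius.example.com.

# EAP-TLS: the client must present its own certificate and private key, so
# every machine (or every user, if user certificates are issued) needs one
# provisioned before it can join. This is the "client side cert" requirement.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="jdoe@example.com"
    ca_cert="/etc/certs/corp-root-ca.pem"
    client_cert="/etc/certs/jdoe.pem"
    private_key="/etc/certs/jdoe.key"
    private_key_passwd="placeholder-key-passphrase"
    # Only accept a RADIUS server whose certificate is issued for this name,
    # even if the certificate chains to the trusted root.
    domain_suffix_match="radius.example.com"
}

# PEAP with MSCHAPv2: only the root CA certificate is installed on the
# client. The user proves identity with the AD username/password inside
# the TLS tunnel, so nothing per-user is deployed to the PC, which is why
# it avoids the cert-roaming problem described for XP above.
network={
    ssid="corp-wlan"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    anonymous_identity="anonymous"
    password="placeholder-password"
    ca_cert="/etc/certs/corp-root-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

Two points worth checking in either profile: `ca_cert` must be set, because a PEAP client that does not validate the server certificate will complete the MSCHAPv2 exchange with whatever RADIUS server answers, and `domain_suffix_match` (or the equivalent server-name check in the Windows supplicant) pins the expected server within that CA. For the "company certificate on each PC" idea, the same EAP-TLS block applies with a machine certificate (identity of the form `host/<computer FQDN>`), which is what Windows uses for computer authentication before a user logs on.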