Securing wireless with certificates on clients

pbuch · ‎01-28-2009

I have a customer that wants to use certificates to authenticate clients on a wireless network.

I cant se how this is to be implemented

Can someone here point me in the right direction ??

/PerB

srosenthal · ‎02-03-2009

Do you want to implement just server side certificates or both server and user side?

Here are some documents to read over.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

Seth

c.fuller · ‎02-03-2009

I would use PEAP user authentication. It only requires a server side SSL digital certificate so don't have to visit each client. It's secure and easy to manage. You install the certificate on your authentication server.

You normally have to renew the SSL certificate and reinstall annually though.

Chuck

rduke · ‎02-04-2009

Hey guys,

FYI the server certficate used in PEAP is only protecting you from connecting to a fake wireless AP with the same SSID. All you have to do is uncheck the box "validate server certificate" to bypass any certificate checks so that may not be what you are looking for. You may want to look at TLS or PEAP with TLS. I have not used either, so I don't have any first hand experience with those, but they use client based certificates so that would authenticate your client with something beyond the usual user name and password. With PEAP only, all you need is a valid user name and password. You can use most any computer to connect if you do not validate the server cert on the client.

Randy

pbuch · ‎02-04-2009

Thanks !

The idea is to have certs on all the clients. Usernames and passwords has to be simple in this implementation. PEAP with TLS sounds like the solution to test.

/PerB