Wireless and Certificates

Unanswered Question
Apr 6th, 2010

Folks - I am somewhat confused about how certficates can work with Wireless. We have WCS with 2 WiSM controllers with about 80 AP's in the field. We have the SSID to the network "hidden", and also have enabled WPA2/AES. We still use WPA/TKIP for some of the older equipment we need to support.

I am tring to determine the method for setting up a certificate requirement to connect to the corporate wireless network.  I know that there are options in the (windows) clients that allow us to "Validate server certificate", but that can be disabled (unchecked).

Without having to create a personal certificate for every user, is there a way to prevent someone from connecting to the wireless network without having our certificate already installed on thier computer - even if they have a valid AD credentials?

Example - one of the group brought in an IPad and was able to connect to the production network w/o having to import/have our primary certificate installed. He was prompted to accept the certificate presented by our SecureACS/Tacacs+ server.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Robert.N.Barrett_2 Tue, 04/06/2010 - 05:22

Don,

Sounds like you are using PEAP with AD credentials.  If all of your machines are Windows machines, then you can switch to PEAP machine authentication (and you need to enable machine auth on your ACS server).  No extra certificates required, and only machines that have AD credentials can connect to the wireless network.  Another option is to deploy certificates via AD.  Microsoft includes everything you need to roll your own PKI with Windows Server.  Set up your certificate authority, publish the certs, and off you go.  For Windows computers, the rollout is easy via Autoenrollment.  For other OS's, it's not that difficult.  There is a great article on setting up PEAP and EAP-TLS in a lab on Microsoft's web site.  It's a little old from a wireless perspective, but the certificate info is still pretty valid.

Lots of good resources at:

http://technet.microsoft.com/en-us/network/bb530679.aspx


(lab article is about 3/4 of the way down the list)

Actions

This Discussion

Related Content

 

 

Trending Topics - Security & Network