iPhone and iPod touches - PEAP Machine Authentication Configuration Example

Dec 29, 2011 4:36 AM


Scenario

A new wireless infrastructure has been deployed using Cisco 4404 WLCs and 1131 access points, with two WLANs: one secured with 802.1X/PEAP against RADIUS (Microsoft IAS on Windows Server 2003), the other a public guest WLAN using the WLC's web authentication.

iPhones and iPod touches are able to join the secure WLAN with nothing more than a user's AD credentials: the device prompts the user to accept the RADIUS server's certificate and is then granted access. Domain machines get that certificate installed via Group Policy, so the question is how the Apple devices are pulling the cert down. They are not: PEAP (MS-CHAPv2 inside) only requires the client to trust the server certificate, which iOS lets the user accept on first connection, and the client side then authenticates with a username and password that any AD user already has.

How can this be blocked? These devices should only be allowed on the guest web-auth WLAN.

Solution

If all the corporate clients run Windows, the simplest fix is to switch the secure WLAN to machine authentication. That requires only a small amount of reconfiguration on the IAS server (a remote access policy that matches computer accounts, e.g. the Domain Computers group, rather than user accounts). After the change a device that has no computer account in AD, such as an iPhone, cannot authenticate no matter which user credentials it holds.

On the Windows side the method depends on the client: Windows XP wireless clients take an AuthMode registry value, while Windows XP SP3 wired clients and Windows Vista / Server 2008 clients take an 802.1X XML profile in which authMode is set to machine (both are walked through in the step-by-step section below). Either way, the best bet is to push the setting with a Group Policy object (wireless network policy). That only works if the clients use Wireless Zero Configuration as their supplicant; a third-party supplicant ignores the wireless GPO. The GPO route is attractive because it also enforces the proper settings for the network, keeps the corporate SSID at the top of the preferred network list, and disables ad-hoc wireless networking on the client. In short: change the wireless GPO to machine authentication only, then change the RADIUS policy to authenticate only Domain Computers.

A quick check on the IAS side: machine authentications arrive with a User-Name of the form host/<computer FQDN>, so any successful authentication that still shows a plain domain\user identity after the change means that client is still doing user authentication.

An alternative is to use one of the Windows Server 2003 servers to host a PKI (Certificate Services) that issues machine certificates to all domain computers through Group Policy auto-enrollment, and to require certificate-based client authentication (EAP-TLS) on the WLAN. A device that cannot present a certificate from that CA, such as a personal iPhone, is then refused even with valid AD credentials.

1. Step By Step Configuration Example

How to enable computer-only authentication for an 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3

To enable computer-only authentication for an 802.1X-based network in Windows Vista and in Windows Server 2008 for a wired network connection and for a wireless network connection, or in Windows XP SP3 for a wired network connection, follow these steps:

  1. Create a profile.

    Use one of the following procedures, depending on whether you are using a wired or a wireless network connection and as appropriate for your operating system.    
    • Wired network connection (on Windows Vista or on Windows Server 2008)

      Create an 802.1X-based network profile on a wired network connection. To do this, follow these steps:
      1. Right-click the network connection icon in the notification area at the far right of the taskbar, and then click Network and Sharing Center.
      2. Under Tasks, click Manage Network Connections.
      3. Right-click the network connection that you want to configure, and then click Properties.

         If you are prompted for an administrator password or confirmation, type your password, or click Continue.
      4. Click the Authentication tab, specify the settings that you want, and then click OK.
    • Wired network connection (on Windows XP SP3)
      1. Before you create an 802.1X-based network profile in Windows XP SP3, the Wired AutoConfig service must be started and set to Automatic startup. To do this, follow these steps:
        1. Click Start, click Run, type services.msc, and then click OK.
        2. Locate the Wired AutoConfig service, right-click the service, and then click Properties.
        3. Change the startup type to Automatic, click Apply, and then click Start.
        4. Click OK to exit the Wired AutoConfig Properties dialog box.
      2. Create an 802.1X-based network profile on a wired network connection. To do this, follow these steps:
        1. Click Start, click Settings, and then click Network Connections.
        2. Right-click the network connection that you want to configure, and then click Properties.
        3. Click the Authentication tab, specify the settings that you want, and then click OK.
    • Wireless network connection (on Windows Vista and on Windows Server 2008)

      Create an 802.1X-based network profile on a wireless network connection. To do this, follow these steps:
      1. Right-click the network connection icon in the notification area at the far right of the taskbar, and then click Network and Sharing Center.
      2. Under Tasks, click Manage Wireless Networks.
      3. Click Add. The Wireless Network Wizard starts.
      4. Follow the instructions that are displayed on the screen to create a wireless network profile.
    • Wireless network connection (on Windows XP SP3)

      This step does not apply to Windows XP SP3 wireless network connections. Instead, set AuthMode in the registry for wireless Windows XP SP3. See the "Authmode (on Windows XP SP3 (Wireless connections))" section later in this article for more information.
  2. Export the network profile information to an XML file. To do this, follow these steps, as appropriate for the operating system that you are running.

    Profile export (on Windows Vista, on Windows Server 2008, and on Windows XP SP3 (Wired connections))

    Note Windows XP SP3 and earlier versions of Windows XP do not support the netsh wlan command interface. For Windows XP SP3 wireless connections, continue to set AuthMode for wireless Windows XP SP3. See the "Authmode (on Windows XP SP3 (Wireless connections))" section later in this article for more information.
    1. Click Start, type cmd in the Start Search box, right-click cmd in the Programs list, and then click Run as administrator.

       If you are prompted for an administrator password or confirmation, type your password, or click Continue.
    2. At the command prompt, type one of the following lines, depending on whether you are using a wired or a wireless network connection, and then press ENTER.    
      • If you are using a wired network connection, type the following line: netsh lan export profile folder=c:\
      • If you are using a wireless network connection (this command is not valid for Windows XP SP3), type the following line: netsh wlan export profile folder=c:\
  3. Set the Authmode.

    Modify the network profile in the XML file to specify computer-only authentication, as appropriate for the operating system that you are running.

    Authmode (on Windows Vista, on Windows Server 2008, and on Windows XP SP3 (Wired connections))

    Note Windows XP SP3 and earlier versions of Windows XP do not support the netsh wlan command interface. For Windows XP SP3 wireless connections, continue to set AuthMode for wireless Windows XP SP3. See the "Authmode (on Windows XP SP3 (Wireless connections))" section later in this article.

    To do this, follow these steps:
    1. Start Notepad, and then open the XML file.
    2. In the XML file, locate the section that contains the OneX settings. The following is an example of this section:

       <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
         <cacheUserData>false</cacheUserData>
         <authMode>machineOrUser</authMode>
         <EAPConfig>...</EAPConfig>
       </OneX>
    3. Modify the <authMode> line as follows:

       <authMode>machine</authMode>

       The following is an example of the section that contains the OneX settings after it is modified:

       <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
         <cacheUserData>false</cacheUserData>
         <authMode>machine</authMode>
         <EAPConfig>...</EAPConfig>
       </OneX>
    4. Save, and then close the XML file.

      The authMode (OneX) element specifies the kind of credentials that are used for authentication. The following table describes the values that the authMode (OneX) element uses.
      Value            Description
      machineOrUser    Use computer-only credentials or user-only credentials. When a user is logged on, the user's credentials are used for authentication. When no user is logged on, computer-only credentials are used for authentication.
      machine          Use computer-only credentials.
      user             Use user-only credentials.
      guest            Use guest-only credentials.

      For more information about the authMode (OneX) element, visit the following Microsoft Web site: http://msdn2.microsoft.com/en-us/library/ms706279.aspx
    Authmode (on Windows XP SP3 (Wireless connections))

    To set the value of the AuthMode registry entry for Windows XP SP3 wireless connections, follow these steps:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
    3. Double-click AuthMode, type the authentication mode in the Value box, and then click OK. If the AuthMode entry does not exist, create it as a DWORD value first.
    4. Exit Registry Editor.
    5. Restart the computer.
    The AuthMode registry entry is only valid for Windows XP SP3 wireless network connections. The following table lists the authentication mode for each value of the AuthMode registry entry.

    Value    Authentication mode
    0        Use the default Windows XP authentication
    1        Always perform user authentication when a user logs on
    2        Perform computer authentication only
  4. Add the network profile that you modified. To do this, type one of the following lines at the command prompt, depending on whether the network profile is for a wired or a wireless network connection. Then, press ENTER.

    Profile Add (on Windows Vista, on Windows Server 2008, and on Windows XP SP3 (Wired only))
    • If the network profile is for a wired network connection, type the following line: netsh lan add profile filename=PathOfXMLFile
    • If the network profile is for a wireless network connection, type the following line: netsh wlan add profile filename=PathOfXMLFile
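The export / edit / re-import procedure above, scripted end to end as an added example (this is not code from the original document or from the Microsoft article it cites). Set-OneXMachineAuth handles the Windows Vista / Server 2008 (and later) wireless case with netsh wlan and an XML edit that respects the OneX namespace and element order, then re-exports the profile to confirm what the supplicant actually stored; Set-XpWirelessMachineAuth sets the AuthMode registry value for Windows XP SP3 wireless. The SSID "CorpWLAN" and the working folder under %TEMP% are assumptions; run it elevated.

```powershell
# Added example, not part of the original document. Assumptions: profile name "CorpWLAN",
# working folder under $env:TEMP, script run from an elevated PowerShell prompt.

$OneXNs = 'http://www.microsoft.com/networking/OneX/v1'

# Resolve an XPath against a loaded profile using the OneX namespace prefix "onex".
function Select-OneX([System.Xml.XmlDocument]$Doc, [string]$XPath) {
    $ns = New-Object System.Xml.XmlNamespaceManager($Doc.NameTable)
    $ns.AddNamespace('onex', $OneXNs)
    return $Doc.SelectSingleNode($XPath, $ns)
}

# Find the file netsh wrote: "<interface name>-<profile name>.xml".
function Get-ExportedProfile([string]$Folder, [string]$ProfileName) {
    $f = Get-ChildItem -Path $Folder -Filter "*-$ProfileName.xml" | Select-Object -First 1
    if (-not $f) { throw "netsh did not export a profile named '$ProfileName' into $Folder" }
    return $f.FullName
}

function Set-OneXMachineAuth {
    param(
        [Parameter(Mandatory = $true)][string]$ProfileName,
        [string]$WorkDir = (Join-Path $env:TEMP 'onex')
    )
    New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

    # Step 2: export the current profile.
    netsh wlan export profile name="$ProfileName" folder="$WorkDir" | Out-Null
    $xmlPath = Get-ExportedProfile $WorkDir $ProfileName

    # Step 3: set <authMode> to "machine".
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($xmlPath)
    $onex = Select-OneX $doc '//onex:OneX'
    if (-not $onex) { throw "Profile '$ProfileName' has no OneX section; it is not an 802.1X profile" }

    $authMode = Select-OneX $doc '//onex:OneX/onex:authMode'
    if (-not $authMode) {
        # authMode is optional (absent means machineOrUser). The schema is an ordered
        # sequence, so insert before singleSignOn if present, otherwise before EAPConfig.
        $authMode = $doc.CreateElement('authMode', $OneXNs)
        $anchor = Select-OneX $doc '//onex:OneX/onex:singleSignOn'
        if (-not $anchor) { $anchor = Select-OneX $doc '//onex:OneX/onex:EAPConfig' }
        $onex.InsertBefore($authMode, $anchor) | Out-Null
    }
    $authMode.InnerText = 'machine'

    # A machine-only profile should not carry cached user credentials.
    $cache = Select-OneX $doc '//onex:OneX/onex:cacheUserData'
    if ($cache) { $cache.InnerText = 'false' }

    $doc.Save($xmlPath)

    # Step 4: re-import for all users of the computer (overwrites the existing profile).
    netsh wlan add profile filename="$xmlPath" user=all | Out-Null

    # Check: export again and read back what the supplicant stored.
    $verifyDir = Join-Path $WorkDir 'verify'
    New-Item -ItemType Directory -Force -Path $verifyDir | Out-Null
    netsh wlan export profile name="$ProfileName" folder="$verifyDir" | Out-Null
    $check = New-Object System.Xml.XmlDocument
    $check.Load((Get-ExportedProfile $verifyDir $ProfileName))
    $stored = (Select-OneX $check '//onex:OneX/onex:authMode').InnerText
    if ($stored -ne 'machine') { throw "authMode is '$stored' after import, expected 'machine'" }
    return $stored
}

function Set-XpWirelessMachineAuth {
    # Windows XP SP3 wireless has no netsh wlan; it reads the AuthMode registry value from
    # the registry steps above (2 = computer authentication only). Reboot afterwards.
    $key = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name AuthMode -Value 2 -Type DWord
    return (Get-ItemProperty -Path $key -Name AuthMode).AuthMode
}

# Usage (elevated):
#   Set-OneXMachineAuth -ProfileName 'CorpWLAN'   # Vista / Server 2008 and later
#   Set-XpWirelessMachineAuth                      # Windows XP SP3 wireless, then reboot
```

The read-back at the end is the part worth keeping even if you do the edit by hand: netsh silently rejects a profile that fails schema validation (for example an authMode element in the wrong position), and the only way to know the old user-authenticating profile is really gone is to export again and look.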

2. Source

How to enable computer-only authentication for an 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3

Related Links

This document was generated from the following discussion: iPhone and Secure Wireless - PEAP
