I am trying to install a wireless security environment in a customer network. All Cisco devices, WLC and APs, are working correctly with guest users (Web Auth).
I would like to install computer certificates for employees. I have installed a root CA on a Windows Server 2003 Enterprise and IAS on another Windows Server 2003 in the domain. I configured WPA2+802.1X in the WLC and WPA2+PEAP with MSCHAPv2 on the employee computer and installed a computer certificate on it. The problem is I get authenticated inside the employee network environment straight away, with or without the certificate.
Does someone know if I need to use something else to stop domain users without the computer certificate and validate the computers that have it?
One thing to be aware of is the 802.1X supplicant behaviour on the client. The first thing you need to ensure is that the MS client is used, as the Cisco one doesn't support machine authentication (the last time I looked or tried it didn't, anyway). The second is the supplicant re-authentication behaviour. By default the MS client will use Machine Authentication when a user is not logged on, but once a user logs on it will attempt to use User Authentication.
When I tested this in the lab a while ago it opened up a sort of security hole: you only want to allow machines that are valid (domain members) to access the wireless network, however a user could put a certificate on a home laptop via the wired network, or by importing one, and then use this to authenticate himself on an invalid machine. You can change the supplicant behaviour to only perform Machine Authentication to prevent this, either by modifying the registry or by using a Group Policy. You must also restrict which users (machines) are allowed to access the wireless network with the RADIUS policy as well.
Microsoft recommends Machine Authentication with User Re-Authentication; however, with their IAS (RADIUS) server you can't enforce this as there is no state tracking of machine/user authentication. Cisco ACS 4.x has this added functionality with a dot1x feature called Machine Access Restrictions. This tracks machine authentication and only allows user authentication from machines that are already authenticated. It uses the RADIUS attribute 'Calling-Station-ID' to track this.
Personally I would enforce Machine-Only authentication and use a restrictive IAS policy to only allow machines to authenticate.
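As an added illustration of the registry route mentioned in the reply above (this is example code, not something posted in the thread), the script below audits and enforces computer-only 802.1X authentication on the Windows XP / Server 2003 built-in wireless supplicant. It assumes the `AuthMode` value under the EAPOL `Global` key that Microsoft documents for that supplicant; the function names and mode labels are the example's own.

```powershell
# Added example: audit and enforce "computer authentication only" on the
# XP / Server 2003 wireless supplicant. Run elevated on the client.
# Assumption: AuthMode is the documented EAPOL supplicant setting; a Group
# Policy "Computer authentication: Computer only" setting writes the same value.
# This does not apply to the Vista+ WLAN service, where the equivalent is
# <authMode>machine</authMode> in the OneX section of the wireless profile.

$Key   = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$Name  = 'AuthMode'
$Modes = @{
    0 = 'Computer authentication with user re-authentication (default)'
    1 = 'Computer authentication with user authentication'
    2 = 'Computer authentication only'
}

function Get-SupplicantAuthMode {
    # Returns the effective mode; a missing value means the default (0).
    if (-not (Test-Path $Key)) { return $null }
    $v = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.$Name
}

function Set-SupplicantMachineOnly {
    # Writes AuthMode = 2 and re-reads it so the caller gets a verified result.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value 2 -Type DWord
    return ((Get-SupplicantAuthMode) -eq 2)
}

$current = Get-SupplicantAuthMode
$label   = if ($null -ne $current -and $Modes.ContainsKey($current)) { $Modes[$current] }
           else { 'unknown (supplicant key missing)' }
Write-Host "Current AuthMode: $current ($label)"

if ($current -ne 2) {
    if (Set-SupplicantMachineOnly) {
        Write-Host 'AuthMode set to 2: the supplicant will no longer switch to user credentials at logon.'
    } else {
        Write-Warning 'Could not enforce computer-only authentication; check permissions and the key path.'
    }
}
```

The client-side change only closes the "user certificate on a home laptop" gap described above; the IAS remote access policy still has to limit the matching group to domain computers so that a user-only credential is rejected at the RADIUS side as well.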