802.1x machine auth w/ certificate authority

ebell
Level 1

Two quick questions ...

I am building a lab for 802.1x. I want to use PEAP w/ MSCHAPv2 and I want to do machine authentication only.  I have AD and CA services running on a test Windows 2003 server. I have ACS set up, my AD is connected, my switch is configured and now I am stuck on the CA portion and I am not sure if I am doing it right. I can't seem to find documentation that outlines this piece specific to the scenario I described above, perhaps someone can give me a hand.

I browse to the CA, request a certificate >  advanced certificate request > create and submit request to this CA >

From this point I am supposed to select a certificate template.  The docs I have found say to use a "webserver" template and select the option to "export keys to file".  When I attempt this the export key option is greyed out.  I google and some people say only Enterprise edition supports this, I am running Enterprise R2 so I don't see the problem.  All of the other templates available allow me to export except for webserver.

1) My question is, for the lab scenario I detailed above, what type of certificate template should I be using? If your answer is a "webserver" template, can you perhaps tell me why I cannot export to a file?

2) Do my client machines require a certificate to be installed prior to connecting to the 802.1x switch? From what I read, using PEAP MSCHAPv2 coupled with machine authentication you do not require a certificate on each machine.  During initial 802.1x authentication the certificate will be pushed from the ACS over to the client.  I believe the one caveat is that the client machine will need to be modified to list the new CA or ACS server as a trusted root authority.  I need some clarity on this subject, I will not have the option to install a certificate on each machine prior to 802.1x auth.  Please confirm.

Any help is appreciated, thanks!

If there are any links that someone can provide that have details on this setup please share


greenberg.j
Level 1

I am going through this process currently also, and I can tell you what I have gathered so far.

These notes are applicable to Machine, or Machine & User authentication, Wired and/or Wireless 802.1x.

The certificate must be present on each client machine in order to connect. The thing that I am finding annoying is that when we used the Microsoft IAS RADIUS, the certificate enrollment was seamless. The domain clients just seemed to "automatically" have the certificate installed on their machines (pushed down by the domain) that matches the certificate presented by the IAS RADIUS server during the authentication process (of course, because it's all within the same domain). Easy as pie, Windows magic...

But suppose we want to use Cisco ACS or our own RADIUS server? Well, the first thing I tried was to use a certificate signed by our internal Linux CA. The Windows domain administrator was not able to set up the Linux CA as a "trusted intermediate", which I don't fully understand. Instead he asked me to purchase a certificate from a trusted CA such as Verisign or DigiCert. By the way, I found a list of Microsoft trusted intermediates here:

http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

The Windows domain administrator will do 3 things:

1) Configure Certificate Auto-Enrollment Policy for the Certificate we purchase

2) Configure the Wired & Wireless Autoconfig service settings Group Policy Objects

3) Set the Wired Autoconfig service to start.

I will have to

1) Generate the CSR & import the purchased signed certificate into the ACS(s).

Now, that said, there must be an easier way to do this! If anyone has notes on whether or not the following is possible, it would be appreciated & interesting:

1) Can the Windows domain sign my CSR? If so, how?

2) Can the Windows domain be configured to trust our Linux CA? If so, how?

Good luck to you dot1xers