11-10-2011 05:58 AM - edited 03-10-2019 06:32 PM
Hi forumers,
Asking:
question 1. In a typical Active Directory environment, doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer?
question 2. For the endpoint (domain computer) to join the domain, will the endpoint in this case trust the ACS (also a domain computer)?
question 3. What if there's a GPO policy to install the root CA certificate on the endpoints? In this case, ACS should issue the CSR and let the domain CA sign it as the identity certificate? Am I correct?
thanks
Noel
11-11-2011 08:34 PM
Noel
Answers
question 1. In a typical Active Directory environment, doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer?
Yes. Since the protocol most endpoints use is PEAP (EAP-MSCHAPv2), this is the only way to get this to work, since LDAP doesn't support this protocol. If you are using EAP-TLS you can choose to use AD as an LDAP store.
question 2. For the endpoint (domain computer) to join the domain, will the endpoint in this case trust the ACS (also a domain computer)?
Once authentication has succeeded (assuming user authentication), the machine will have open access to the network to join the domain; if performing machine authentication, the workstation will have to be joined already prior to being released onto the dot1x network. The workstation only trusts the ACS via the certificate presented for authentication; it doesn't have any other information and doesn't know whether it is part of the domain.
question 3. What if there's a GPO policy to install the root CA certificate on the endpoints? In this case, ACS should issue the CSR and let the domain CA sign it as the identity certificate? Am I correct?
A GPO to push the root CA to the endpoints shouldn't be a problem, but it would be best to have your root CA sign the ACS CSR, if that is what you are asking. You will also have to enable a GPO to validate the server certificate (I haven't done this before, but I am sure there is a setting for which root CA to trust).
thanks
Tarik Admani
11-12-2011 03:28 AM
Hi Tarik,
Thanks for the reply. So it's always good to have the ACS join as a domain computer and issue a CSR to let the CA server sign it.
thanks