ACS in the Active Directory environment

yong khang NG (Level 5)

Hi forumers,

Asking,

Question 1. In a typical Active Directory environment, doing wireless/wired 802.1X authentication on endpoints, should ACS join as a domain computer?

Question 2. For an endpoint (domain computer) joining the domain, will the endpoint trust the ACS (also a domain computer)?

Question 3. What if there's a GPO policy to install the root CA certificate on the endpoints? In this case, should ACS issue the CSR and let the domain CA sign it as the identity certificate? Am I correct?

thanks

Noel

Accepted Solution

Tarik Admani (VIP Alumni)

Noel

Answers

Question 1. In a typical Active Directory environment, doing wireless/wired 802.1X authentication on endpoints, should ACS join as a domain computer?

Yes. Since the protocol most endpoints use is PEAP (EAP-MSCHAPv2), this is the only way to get this to work, since LDAP doesn't support this protocol. If you are using EAP-TLS you can choose to use AD as an LDAP store.

Question 2. For an endpoint (domain computer) joining the domain, will the endpoint trust the ACS (also a domain computer)?

Once authentication has succeeded (assuming user authentication) the machine will have open access to the network to join the domain; if performing machine authentication, the workstation will have to be joined already prior to being released to the dot1x network. The workstation only trusts the ACS with the certificate presented for authentication; it doesn't have any other information and doesn't know if it is part of the domain.

Question 3. What if there's a GPO policy to install the root CA certificate on the endpoints? In this case, should ACS issue the CSR and let the domain CA sign it as the identity certificate? Am I correct?

GPO to endpoints for the root CA shouldn't be a problem, but it would be best to have your root CA sign the ACS CSR, if that is what you are asking. You will also have to enable a GPO to validate the server certificate (I haven't done this before, but I am sure it exists, on which root CA to trust).

thanks

Tarik Admani
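Tarik's third answer describes two halves of one trust setup: the domain CA signs the ACS CSR, and the endpoints are told via GPO which root CA to trust when validating the server certificate. The script below is an added example, not code from this thread or from Cisco; it walks that flow with openssl in a scratch directory and then emulates the supplicant's server-validation decision. The host name acs.example.com, the CA name and all file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Models the thread's PKI flow:
#   root.pem  = the domain CA that the GPO pushes into every endpoint's trusted root store
#   acs.csr   = the CSR the ACS generates for its identity certificate
#   acs.pem   = that CSR signed by the domain CA
#   other.pem = a certificate with the same name but NOT issued by the domain CA
# Names and paths are placeholders.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Domain root CA (what the GPO distributes to the endpoints)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Domain Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# 2. ACS generates its private key and a CSR for its identity certificate
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=acs.example.com" \
    -keyout "$WORK/acs.key" -out "$WORK/acs.csr" 2>/dev/null

# 3. The domain CA signs the CSR as a server certificate whose SAN matches the ACS host name
cat > "$WORK/ext.cnf" <<EOF
subjectAltName=DNS:acs.example.com
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE
EOF
openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -out "$WORK/acs.pem" 2>/dev/null

# 4. A self-signed certificate carrying the same name, but not chained to the domain CA
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=acs.example.com" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# supplicant_check CERT NAME
# Emulates what the "validate server certificate" GPO setting makes the endpoint do:
# the presented certificate must chain to the trusted root AND carry the expected name.
# Returns 0 when the supplicant would accept the server, non-zero otherwise.
supplicant_check() {
    openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: report the three decisions
for c in acs other; do
    if supplicant_check "$WORK/$c.pem" acs.example.com; then
        echo "$c.pem presented as acs.example.com: accepted"
    else
        echo "$c.pem presented as acs.example.com: rejected"
    fi
done
if supplicant_check "$WORK/acs.pem" other.example.com; then
    echo "acs.pem presented as other.example.com: accepted"
else
    echo "acs.pem presented as other.example.com: rejected"
fi
```

The CA-signed ACS certificate passes; the certificate with the identical name but no chain to the pushed root is rejected, and so is the genuine certificate when the supplicant expects a different name. An endpoint whose 802.1X profile does not enforce server validation would not make the second or third distinction, which is why the GPO setting Tarik mentions matters as much as the root CA distribution itself.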


2 Replies


Hi Tarik,

Thanks for the reply. So it's always good to have the ACS join as a domain computer and issue a CSR to let the CA server sign it.

thanks