03-12-2006 04:19 AM - edited 03-10-2019 02:30 PM
We want to implement a secure wireless network using EAP-TLS. We are using the ACS appliance, version 3.3, and Trapeze access points. The clients are Windows XP. During testing in the lab, we didn't use Active Directory. The CA in the lab was installed on a standalone server, with ACS 4.0 on the same machine. On the ACS we created the users in the local ACS database and issued certificates with the same user names to the clients. So it was working fine with user certificates.
Now we want to do the same in the production environment using AD.
Questions:
Does the CA need to exist on the server that is the domain controller, or can it be a standalone CA running on a server within the AD domain?
We want only machine authentication to happen using EAP-TLS, and not user authentication.
Apart from enabling EAP machine authentication, installing the CA certificates and mapping the groups (both the computer accounts and the user accounts), does anything else need to be done on the ACS?
03-17-2006 07:26 AM
The following document may be helpful for you. It talks about the deployment of EAP-TLS authentication.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
04-23-2006 12:03 AM
Hi fellow,
I am also doing the same thing, but in a different environment: not for devices inside the company network, but for machine authentication of Easy VPN users accessing the company network. So machine authentication needs to be done over the VPN tunnel for the Easy VPN users, using the certificate issued by the domain controller.
I have one query: where are you getting the certificate for machine authentication from, a Windows-based certificate authority, or, as in my process, the certificate issued by the domain controller for all domain machines?
Please guide me.
Thanks & regards,
Manish
04-23-2006 09:01 AM
A few things here:
* You need a CA "somewhere". It need not be on a domain controller. It can be a standalone private CA that you set up, or you could purchase certs and let someone else bother with this "burden" (like Verisign, Entrust, etc.). The CA need not be part of the domain either, but AD can help distribute certs and cert trust.
* If you want only machine authentication to happen using EAP-TLS and not user authentication, then you need to specialize your supplicant config. Assuming it's Windows, this is available via registry keys, and is not a default setting.
* The only other thing you'd really need to do on ACS (apart from a vanilla config) is to explicitly enable/permit machine auth for Windows in the backend DB config portion.
* As for VPN, this (802.1X) won't work well unless you also manage/operate the first L2 hop the computer plugs into (since it needs to be set up to talk to your RADIUS server, etc.).
Hope this helps,
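The registry change the reply above refers to, as an added example that is not part of the thread: the Windows supplicant's AuthMode value under the EAPOL key, which Microsoft documents in KB 309448 for Windows XP SP3 (check whether your XP build honours it). The default mode sends computer credentials before logon and user credentials after; value 2 makes the supplicant authenticate as the computer only, which is what the original poster asked for. The key path and the value 2 are from that KB; everything else here (the checks, the store listing) is assumed scripting around it.

```batch
@echo off
rem Added example (not from the thread): force a Windows XP supplicant to do
rem 802.1X computer (machine) authentication only, never user authentication.
rem AuthMode under HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
rem (Microsoft KB 309448): 0 = default, computer credentials before logon and
rem user credentials after; 1 = computer auth with user re-authentication;
rem 2 = computer authentication only. Run from an administrative prompt.

set EAPOL=HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global

reg add "%EAPOL%" /v AuthMode /t REG_DWORD /d 2 /f
if errorlevel 1 (
    echo Failed to write AuthMode. Are you running as an administrator?
    exit /b 1
)

rem Verify the value actually landed; reg query prints "AuthMode REG_DWORD 0x2".
reg query "%EAPOL%" /v AuthMode | find "0x2" >nul
if errorlevel 1 (
    echo AuthMode is not 2. Check the registry.
    exit /b 1
)

rem Machine-only EAP-TLS still needs a computer certificate with its private key
rem in the Local Computer personal store; list the store so that can be checked.
certutil -store MY

echo AuthMode set to 2. Reboot for the supplicant to pick up the change.
exit /b 0
```

Two things this script cannot do for you: 802.1X and "Authenticate as computer when computer information is available" must still be enabled on the adapter's Authentication tab (that is a per-interface setting), and on the ACS side the Windows external database must have machine authentication enabled, as the reply says; otherwise the supplicant presents `host/<name>` and ACS rejects it.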
04-23-2006 11:25 AM
Thanks for the reply. If we use a standalone CA, how can AD distribute machine certificates? As I know it, we have to enroll manually, and if we do it manually, what should the CN field be: should it be the hostname or a fully qualified domain name? If using a standalone CA trusted in AD, is there an option to do auto-enrollment?
04-23-2006 05:44 PM
Auto-enrollment from AD can be an option for you. This should help:
<http://download.microsoft.com/download/b/0/e/b0e2a363-0044-4327-8f17-020818f57234/Wired_depl.doc>
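For the manual-enrollment path asked about above (a standalone CA, which does not auto-enroll), here is an added example that is not part of the thread: building a computer-certificate request with certreq.exe on the client, submitting it to the standalone CA and installing the issued certificate into the Local Computer store. The CA name `CASRV01\Corp-Standalone-CA` and the host name `wks01.corp.example.com` are placeholders. Setting the subject CN to the FQDN is an assumption on my part (it is what AD-issued computer certificates carry), not something the thread settles; whatever you pick must match the comparison ACS is configured to do.

```batch
@echo off
rem Added example (not from the thread): manual enrollment of an EAP-TLS machine
rem certificate from a standalone Windows CA using certreq.exe.
rem Placeholders to replace: the CA config string and this computer's FQDN.
setlocal
set FQDN=wks01.corp.example.com
set CACONFIG=CASRV01\Corp-Standalone-CA
set INF=%TEMP%\machine-eaptls.inf
set REQ=%TEMP%\machine-eaptls.req
set CER=%TEMP%\machine-eaptls.cer

rem Request template. CN is the computer's FQDN (assumption, see above); the key
rem goes into the machine store (MachineKeySet=TRUE), is non-exportable, uses the
rem SChannel provider, and the EKU is Client Authentication (1.3.6.1.5.5.7.3.2),
rem which the Windows supplicant requires on an EAP-TLS client certificate.
>  "%INF%" echo [NewRequest]
>> "%INF%" echo Subject = "CN=%FQDN%"
>> "%INF%" echo KeyLength = 2048
>> "%INF%" echo KeySpec = 1
>> "%INF%" echo KeyUsage = 0xA0
>> "%INF%" echo MachineKeySet = TRUE
>> "%INF%" echo Exportable = FALSE
>> "%INF%" echo ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
>> "%INF%" echo RequestType = PKCS10
>> "%INF%" echo [EnhancedKeyUsageExtension]
>> "%INF%" echo OID = 1.3.6.1.5.5.7.3.2

rem 1. Generate the key pair in the Local Computer store and a PKCS#10 request.
certreq -new "%INF%" "%REQ%"
if errorlevel 1 goto :fail

rem 2. Submit to the standalone CA. A standalone CA normally holds the request as
rem    pending until a CA administrator issues it; certreq prints the RequestId,
rem    and the certificate is fetched later with
rem    certreq -retrieve -config "%CACONFIG%" RequestId "%CER%"
certreq -submit -config "%CACONFIG%" "%REQ%" "%CER%"
if errorlevel 1 goto :fail

rem 3. Bind the issued certificate to the pending request's private key.
certreq -accept "%CER%"
if errorlevel 1 goto :fail

rem 4. Confirm it sits in the machine personal store with its private key.
certutil -store MY "%FQDN%"
endlocal
exit /b 0

:fail
echo Enrollment step failed; see the certreq output above.
endlocal
exit /b 1
```

The client also needs the standalone CA's root certificate in the Local Computer Trusted Root store (AD can push that via Group Policy even when the CA itself is not domain-joined, as the earlier reply notes), and ACS needs the same root in its certificate trust list. On ACS, the EAP-TLS settings let you compare the certificate's CN, its SAN, or the binary certificate against the identity the supplicant sends; pick the one that matches how you filled in the subject.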