04-08-2005 12:44 PM - edited 07-04-2021 10:39 AM
I have set up EAP-TLS using AP1232 + ACS + CA + Active Directory + some wireless client machines. Works fine.
My issue is when I have a new user who has never logged onto the client workstation. I know that if I attach the workstation to a wired network and have the user log in, request a cert, issue it, and install it, the wireless will work once I have the wired connection disabled and wireless enabled. However, that kind of defeats the purpose of a WLAN.
How can I get my new users in? After all, getting associated to the AP depends on the user cert, which depends on the ability to get to the network in the first place to request/install a cert.
After further reading and research, I believe that my dilemma will be fixed by configuring EAP-TLS Machine Authentication. What I'd like to know is whether the CA in this scenario MUST be an Enterprise Root CA or can it be a Standalone CA?
Paras
04-04-2006 02:29 AM
Check the link below and read the server requirements.
http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
The standalone CA needs to be trusted by AD.
What Windows version are you using? The default behaviour of Windows is to do user authentication. You would need to play with the registry to make systems do only machine authentication.
You would need connectivity when you want to install the CA certificate, or else allow open authentication on the access point to have connectivity, and once the certificates are installed, disable it.
Please rate the post if it helps
04-06-2006 03:15 PM
Hi pkapoor,
You will have to have a CA (either Root or Issuing) that will integrate with AD and that means Enterprise. So I would definitely recommend an Enterprise CA (either Root or Issuing).
Once you're running an integrated CA, machine certs and user certs can be deployed automatically with a GPO (I think WinXP only). This means that now your workstations can connect on their own to the wireless infrastructure and receive logon scripts, updates, etc. Also, when a new user logs onto the workstation (that is already associated), a whole new EAP-TLS session starts, but this time using the user credentials (not the machine's). Now, I gotta warn you, I am not absolutely certain on this or its mechanics, but maybe someone else will post with confirmation. However, I think that AD will recognize the user and apply the GPO and automatically generate and insert the cert into the user's newly created profile on their behalf, allowing them to log on for the first time.
That's my 2 cents! Let me know if it helps at all.
Sincerely,
Drew
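The two posts above mention a registry tweak for machine-only authentication and a machine certificate that must be in place before any user logs on. The following PowerShell script is an added example, not code from the thread or from any of the posters, that checks those client-side prerequisites on a domain-joined Windows machine. Everything it asserts about the certificate comes from KB 814394 (Client Authentication EKU, private key present, chain to a trusted root, a name matching the host); the EAPOL registry path and the meaning of its AuthMode values are an assumption taken from Microsoft's Windows XP / Server 2003 802.1X documentation and should be confirmed against the KB linked earlier, and the `<SSID>` placeholder in the final message is also an assumption.

```powershell
# Added example, not code from the thread. Checks the client-side prerequisites
# for EAP-TLS machine authentication discussed in the posts above.
# ASSUMPTIONS (not stated on the page):
#  - the EAPOL registry path and AuthMode meanings (0 = machine then user,
#    1 = machine with user re-auth, 2 = machine only) are taken from Microsoft's
#    Windows XP / Server 2003 802.1X documentation; confirm against the KB above;
#  - on Vista and later the wireless profile's <authMode> element replaces this key.
# Certificate requirements follow KB 814394: Client Authentication EKU, private
# key present, chain to a root the machine trusts, subject/SAN naming the host.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuOid        = '2.5.29.37'           # Extended Key Usage extension
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-MachineCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # EKU: .NET returns the typed X509EnhancedKeyUsageExtension for OID 2.5.29.37
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }

    # Name check: SAN DNS entry or Subject must name this host.
    # Format() yields e.g. "DNS Name=host.example.com"; exact wording differs by OS.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $namesHost = ($san -and $san.Format($false) -match [regex]::Escape($Fqdn)) -or
                 ($Cert.Subject -match [regex]::Escape($Fqdn))

    # Trust path: the issuing/root CA must already be in LocalMachine\Root or CA.
    # Revocation is skipped so the check works on a machine that is still offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chains = $chain.Build($Cert)

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        NamesThisHost = $namesHost
        ChainsToTrust = $chains
        NotAfter      = $Cert.NotAfter
        Usable        = $Cert.HasPrivateKey -and $hasClientAuth -and $namesHost -and
                        $chains -and ($Cert.NotAfter -gt (Get-Date))
    }
}

# Machine certificates live in the computer's personal store, not the user's.
$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-MachineCert $_ }
$report | Format-Table -AutoSize

# Windows XP / Server 2003 EAPOL mode (assumed key and values; see header comment).
$eapol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global' `
                          -Name AuthMode -ErrorAction SilentlyContinue
if ($eapol) {
    "EAPOL AuthMode = $($eapol.AuthMode)  (2 = machine-only; 0 and 1 also perform user auth after logon)"
} else {
    "No EAPOL AuthMode value found; on Vista and later inspect the profile with: netsh wlan show profile name=`"<SSID>`""
}
```

Run it in an elevated prompt on the client before moving it onto the WLAN: a row with `Usable = True` is the machine certificate the supplicant can present before anyone logs on, which is exactly what lets a never-seen-before user reach the domain to enrol for their own user certificate. A `ChainsToTrust = False` row is the standalone-CA case from the second post: the CA certificate still has to be imported into the machine's trusted root store.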
04-07-2006 05:30 AM
Hello Drew,
Since my post, I have found out that an Enterprise CA is required. However, since we did not have one and the prospects of installing one did not meet my timelines for WLAN deployment, I have setup the network as such:
PCs need to be wired to the network to get a cert for the user. Once issued and installed, the PC is taken off the wired network and moved into the WLAN, where it will successfully authenticate the user who requested the cert. This is not what I'd have liked to do, but it meets the purpose of operations because those PCs in the WLAN are training PCs and have a common user login for all. Besides that, the only laptops that venture into my network have to pass through my department anyway to be authorized first. So, if required, we install the cert for those users.
Thanks for taking time and posting your recommendations.
Paras
06-24-2015 04:35 PM
Hi Paras,
I need assistance with the same setup. Can you guide me?
I have a standalone Microsoft CA with ACS 5.3 and WLC 5508 with APs. I want Client machines to have certificates exactly like your working scenario.
Thanks