Computer cert/User cert 802.1X Authentication query

Posted by James Bullock on August 7, 2007, 5:20 am
Hi there,

My question is this: we have our wireless setup pretty much identical to the
description in this white paper:
http://download.microsoft.com/download/f/d/d/fdd4d246-eabe-4a3e-a935-358532b5c168/StepSecureWirelessAcc.doc#_Toc100984847

We have a working, established PKI infrastructure and all Cisco 1100 APs
globally. We are using Microsoft IAS with both a user and a computer RAP. Both
of these appear to work fine and the network is firmly in production.

It seems to work very well on the whole: machines are connected whilst users
aren't logged on so they receive GPO updates etc., and when a user logs on they
authenticate fine, providing they have previously been on the computer whilst
it is connected to a wired network. If they haven't been on the machine via a
wired connection before their first logon on that machine, then the machine
does not have a local copy of their certificate, nor can it auto-enrol
their certificate, as it has no connectivity once they are logged on.
Consequently the wireless sticks on "authenticating" or "no certificate" in
these circumstances.

What I'd like is to somehow allow people to request/enrol a certificate when
logging onto the machine for the first time over wireless (rather than having
to first put them on the wired network). Is it possible to specify limited
access during logon so the user's account is able to connect to the PKI box
and enrol a new user certificate? Maybe with an additional remote access
policy?

We have absolutely no problems with the distribution of computer certificates.

I acknowledge that it's fully possible that my implementation is at fault
here, as I can't find any indication that the behaviour I'm experiencing has
been a problem for anyone else!


Any advice/pointers greatly appreciated.

Jim
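The failure Jim describes ("no certificate" at first wireless logon) is the supplicant finding nothing usable in the user's personal store. The following PowerShell script is an added example, not code from the thread or from Microsoft: run in the logged-on user's context, it lists the certificates EAP-TLS could actually present (private key present, not expired, Client Authentication EKU, chain builds to a trusted root) and, if there are none, kicks user auto-enrolment with certutil. It assumes a domain-joined Windows client with an enterprise CA reachable at that moment; the OIDs are the standard ones and the revocation setting is a local choice explained in the comments.

```powershell
# Added example, not part of the original thread. Diagnoses the "no certificate"
# condition for the current user and attempts user auto-enrolment if nothing usable
# is found. Assumes a domain member and an enterprise CA reachable for enrolment.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth EKU, required for EAP-TLS
$EkuExtOid     = '2.5.29.37'              # extendedKeyUsage extension
$TemplateOidV1 = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
$TemplateOidV2 = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)

function Get-EapTlsUserCert {
    # Certificates in Cert:\CurrentUser\My that a supplicant could present.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Where-Object {
            $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
            $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        } |
        Where-Object {
            # Chain building only; revocation is skipped here because this check may run
            # with no network, and the RADIUS server performs its own CRL check anyway.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $chain.Build($_)
        }
}

function Get-TemplateName {
    # Returns the template extension text so you can confirm the cert came from
    # the template the user RAP expects, or '(no template extension)' otherwise.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateOidV1 -or $ext.Oid.Value -eq $TemplateOidV2) {
            return $ext.Format($false)
        }
    }
    return '(no template extension)'
}

$certs = @(Get-EapTlsUserCert)
if ($certs.Count -eq 0) {
    Write-Host "No usable client-auth certificate for $env:USERDOMAIN\$env:USERNAME"
    # Trigger user auto-enrolment now. This succeeds only if the CA is reachable,
    # which is exactly what is missing while the wireless link waits for the cert.
    certutil -user -pulse
} else {
    foreach ($c in $certs) {
        '{0}  expires {1:yyyy-MM-dd}  template: {2}' -f $c.Subject, $c.NotAfter, (Get-TemplateName $c)
    }
}
```

Run it once from a wired session for a user who has never logged on to the machine, then again after the first wired logon, and the difference is the certificate the wireless logon was missing. The EKU and chain filters matter: a certificate that exists but lacks Client Authentication, or whose issuing CA is not in the machine's trusted roots, produces the same "no certificate" symptom as an empty store, so an empty result here does not necessarily mean auto-enrolment never ran.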


Posted by James Bullock on August 8, 2007, 6:14 am
Sorry, realised I'd not put the correct words in the header! Any assistance
much appreciated.


Posted by Steve Riley [MSFT] on August 15, 2007, 6:25 am
Try this:
http://technet2.microsoft.com/windowsserver/en/library/e5b6b735-1014-4ca4-a64a-ae97a3e782601033.mspx?mfr=true

Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley


