question about EAP-TLS

"C Kelley" <n*@na.com> wrote in message news:%23KtIjSPuGHA.1216@TK2MSFTNGP03.phx.gbl...

I've set up everything for EAP-TLS wireless networking and everything is working great. I just have one question: I thought that for EAP-TLS to work the client computer needed a user and a computer cert. It seems that all it needs is a user cert; does that sound right? I have a laptop that connects just fine with no computer cert. Of course the IAS server has a computer cert, but I thought for sure that the client needed both for some reason.

"kb80" <k***@home.net> wrote in message news:OK7wClVuGHA.452@TK2MSFTNGP05.phx.gbl...

You can actually use both if you like, or one or the other. It really depends on the environment. Certificates that are placed in the Machine/Computer store will allow the machine to be authenticated when a user is not logged into the machine.

As a test, you may want to assign a static IP address to the wireless connection. Then start a continuous ping to that client's IP address so that you can see when and how the authentication occurs. Now, remove the certificate from the user store and import it or another valid certificate into the Computer/Machine store. So basically you now have only a machine certificate. Now if you log out of the machine to the point where you see the Windows GINA (Ctrl+Alt+Delete) screen, you should notice that you are able to ping the machine's IP because the "machine" has been authenticated. However, if you now log into the machine, you should notice that the ping stops and the wireless connection does not authenticate. This is because by default Windows will try to use a "user" certificate to authenticate when you log into the machine.

So, in summary, to get the best of both worlds, the ideal would be to have both machine and user certificates, as without machine certificates the wireless connection will not be established prior to login, which will likely prevent access to Active Directory, Novell EDir, etc. (Barring cached credentials and what not that can make one think they are hitting AD.)

You can however use the "AuthMode" registry setting under HKLM\Software\Microsoft\EAPOL\Parameters\General\Global to control whether Windows will only use machine authentication or a combo of both, etc. However, in my practice the limitation to this setting is roaming. If only machine authentication is used and a user is logged in and roams or loses connection, XP isn't smart enough to re-use machine authentication and thus tries to use user authentication, which in my case I don't have user certificates for due to the numerous users that log into the local machine, oh, and the fact that this particular customer is a Novell environment. I'm still looking for a way around this.

Hope this helps.

Cheers

"C Kelley" replied:

Very interesting. I only have one person using each laptop, and only as a backup to the wired network, so I think I can get away with only user certs, as if someone logs into the computer without the right account I don't want them to be able to get on. So I guess for me using just user certs would be the way to go.
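As an added example (not from the thread, and not Microsoft's own tooling), a PowerShell check that shows what kb80's ping test demonstrates without moving certificates between stores: which store holds a client-authentication certificate, and how AuthMode is set. It assumes PowerShell 3 or later; the AuthMode value names are my assumption from Microsoft's XP 802.1X documentation, not something the thread states.

```powershell
# Added example: report where the EAP-TLS client certificate lives and how
# AuthMode is configured, to predict pre-logon vs post-logon wireless auth.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-EapClientCerts {
    param([string]$Store)   # 'LocalMachine' (machine cert) or 'CurrentUser' (user cert)
    Get-ChildItem "Cert:\$Store\My" |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
        } |
        Select-Object Subject, NotAfter, Thumbprint
}

$machineCerts = @(Get-EapClientCerts -Store 'LocalMachine')
$userCerts    = @(Get-EapClientCerts -Store 'CurrentUser')

"Machine store client-auth certs: $($machineCerts.Count)"
$machineCerts | Format-Table -AutoSize
"User store client-auth certs: $($userCerts.Count)"
$userCerts | Format-Table -AutoSize

# AuthMode sits where kb80 says. The value meanings are ASSUMED from
# Microsoft's XP 802.1X documentation; confirm them for your OS version.
$AuthModeNames = @{
    0 = 'machine auth, then user re-auth at logon (default)'
    1 = 'machine auth, user auth on roam/reconnect'
    2 = 'machine auth only'
}
$regPath  = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'
$authMode = (Get-ItemProperty -Path $regPath -Name AuthMode -ErrorAction SilentlyContinue).AuthMode
if ($null -eq $authMode) {
    "AuthMode not set: Windows uses the default behaviour (0)."
} else {
    "AuthMode = $authMode ($($AuthModeNames[[int]$authMode]))"
}

# Interpret the combination the way the thread explains it.
if ($machineCerts.Count -eq 0) {
    "No machine cert: wireless will not come up before logon, so AD/eDir logon traffic will not see the network."
}
if ($userCerts.Count -eq 0 -and [int]$authMode -ne 2) {
    "No user cert: after logon Windows will try user auth and the link will drop, as in kb80's test."
}
```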