Obtaining a Certificate for IEEE 802.1X Authentication

Autoenrollment is the automatic requesting and issuing of certificates based on Group Policy settings. There are two types of autoenrollment:

• Autoenrollment of computer certificates

  Supported by Windows 2000 and Windows Server 2003 CAs and Windows XP, Windows Server 2003, and wireless clients running Windows 2000 and Microsoft 802.1X Authentication Client.

• Autoenrollment of user certificates

  Supported by both Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition CAs and Windows XP and Windows Server 2003 wireless clients.

Autoenrollment requires an enterprise CA.

Autoenrollment of Computer Certificates

Autoenrollment of computer certificates is done through Computer Configuration Group Policy. By configuring the Automatic Certificate Request Settings Group Policy setting, you can have the computers that are members of the domain system containers to which the Group Policy object applies automatically request a certificate of specified types when Computer Configuration Group Policy settings are refreshed. The Automatic Certificate Request Settings Group Policy setting is found in the Group Policy Editor snap-in of the Management Console under Computer Configuration\Windows Settings\Security Settings\Public Key Policies in the Group Policy snap-in, as shown in Figure 6-8.

Figure 6-8. The Group Policy location for autoenrollment of computer certificates.

For wireless client access and for the IAS server, configure the Automatic Certificate Request Settings Group Policy setting to automatically request the Computer certificate. The Computer certificate (as named in the Certificate Template dialog box of the Automatic Certificate Request Setup Wizard) is stored in the Local Computer certificate store of the member computer; it contains both the User Authentication and Server Authentication EKUs. The OID for the Server Authentication EKU is 1.3.6.1.5.5.7.3.1, and the OID for Client Authentication EKU is 1.3.6.1.5.5.7.3.2.

EAP-TLS in Windows requires that the certificate offered for validation by the authenticating client contain the Client Authentication EKU and that the certificate offered for validation by the authenticating server contain the Server Authentication EKU. If both of these conditions are not met, the authentication fails.

Because the autoenrolled “Computer” certificate contains both the Client Authentication and Server Authentication EKUs, it can be used by both a Windows wireless client to perform computer authentication and by the IAS server as the authenticating server.

Autoenrollment of User Certificates

Autoenrollment of user certificates is done through User Configuration Group Policy. By configuring a certificate template to issue user certificates and the Autoenrollment Settings Group Policy setting, you can have the users who are members of the domain system container to which the Group Policy object applies automatically request a user certificate when User Configuration Group Policy settings are refreshed. The Autoenrollment Settings Group Policy setting is found in the Group Policy snap-in under User Configuration\Windows Settings\Security Settings\Public Key Policies, as shown in Figure 6-9.

Figure 6-9. The location of the Autoenrollment Settings Group Policy setting.

For wireless client access, configure the Autoenrollment Settings Group Policy setting to automatically request a user certificate template that is created using the Certificate Templates snap-in. To modify template properties, you must use a CA that is running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

For more information about configuring the certificate template and configuring autoenrollment of user certificates for a Windows Server 2003, Enterprise Edition CA, see Chapter 8, “Intranet Wireless Deployment Using EAP-TLS.”

Requesting a Certificate via the Web

Requesting a certificate via the Web, also known as Web enrollment, is done with Microsoft Internet Explorer. For the address, type http:// servername /certsrv , where servername is the computer name of the Windows 2000 Server or Windows Server 2003 CA that is also running Internet Information Services (IIS). A Web-based wizard takes you through the steps of requesting a certificate. The location where the certificate is stored (whether it is the Current User store or the Local Computer store) is determined by the Use Local Machine Store check box when performing an advanced certificate request. By default, this option is disabled, and certificates are stored in the Current User store. You must have local administrator privileges to store a certificate in the Local Computer store.

You can use Web enrollment with either an enterprise or standalone CA.

Requesting a Certificate Using the Certificates Snap-in

Another way to request a certificate is by using the Certificates snap-in.

To request a certificate to store in the current user store

1. Open the Certificates-Current User\Personal folder.

2. Right-click the Personal folder, point to All tasks , and then click Request New Certificate.

A Certificate Request Wizard guides you through the steps of requesting a certificate. For wireless access, the certificate requested for the Current User store must have the Client Authentication EKU.

To request a certificate to store in the local computer store

1. Open the Certificates (Local Computer)\Personal folder.

2. Right-click the Personal folder, point to All tasks, and then click Request New Certificate.

A Certificate Request Wizard guides you through the steps of requesting a certificate. For wireless access, the certificate requested for the Local Computer store must have the Client Authentication EKU. For the certificate installed on the IAS server, the certificate requested for the Local Computer store must have the Server Authentication EKU.

To request a certificate using the Certificates snap-in, you must use an enterprise CA.

Importing a Certificate Using the Certificates Snap-In

All the preceding ways of requesting a certificate assume that network connectivity already exists, such as using the Ethernet port on a laptop. For those configurations in which the only network connectivity is wireless, which cannot be obtained without certificates, you can also import a certificate file from a floppy disk, CD-ROM, or other recordable media using the Certificates snap-in.

To import a certificate to store in the current user store

1. Open the Certificates-Current User\Personal folder.

2. Right-click the Personal folder, point to All Tasks, and then click Import.

A Certificate Import Wizard guides you through the steps of importing a certificate from a certificate file. For wireless access, the certificate imported into the Current User store must have the Client Authentication EKU.

To import a certificate to store in the local computer store

1. Open the Certificates (Local Computer)\Personal folder.

2. Right-click the Personal folder, point to All tasks, and then click Import.

A Certificate Import Wizard guides you through the steps of importing a certificate from a certificate file. For a Windows wireless client, the certificate imported into the Local Computer store must have the Client Authentication EKU. For the certificate installed on the IAS server, the certificate imported into the Local Computer store must have the Server Authentication EKU.

It is also possible to import a certificate by double-clicking a certificate file that is stored in a folder or sent in an e-mail message. Although this works for certificates created with Windows CAs, this method does not work for third-party CAs. The recommended method of importing certificates is to use the Certificates snap-in.

If you use PEAP-MS-CHAP v2, you might have to install the root CA certificate of the issuing CA of the computer certificates that are installed on your IAS servers. To obtain the root CA certificate, first export the root CA certificate to a file (*.P7B) from the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates folder on the IAS server. For an individual wireless client computer, import the root CA certificate file into the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates folder on the wireless client. To distribute the root CA certificate to all wireless client computers in an Active Directory environment, see “Configuring Wireless Client Computers” in Chapter 10, “Intranet Wireless Deployment Using PEAP-MS-CHAP v2.”

Creating a Program or Script Using CAPICOM