Computer Authentication and User Authentication

EAP-TLS and PEAP-MS-CHAP v2 support both computer authentication and user authentication. Computer authentication is the authentication of the computer for wireless access. User authentication is the authentication of the user using the computer for wireless access. Computer authentication is needed so the computer can obtain access to the network attached to the wireless network to obtain an IP address configuration, locate Active Directory domain controllers, run logon scripts, download the latest Computer Configuration Group Policy settings, and perform other computer startup processes. If a user successfully logs on to the computer that is already connected to the wireless network via computer authentication, a user authentication process occurs to ensure that the user using the computer can remain connected to the wireless network.

Computer and User Authentication with EAP-TLS

To successfully authenticate a Windows wireless computer with a wireless access point (AP) and EAP-TLS, you must have a computer certificate, a user certificate, or both installed. Wireless clients running Windows XP, Windows Server 2003, and Windows 2000 can use EAP-TLS to authenticate the computer or the user logged on to the computer.

To authenticate the computer, the Windows wireless computer submits a computer certificate (along with its chain) stored in the Local Computer certificate store during EAP-TLS authentication. The Local Computer certificate store is always available, regardless of whether a user has logged on to the computer or who is logged on to the computer. More importantly, the Local Computer certificate store is available during the computer's startup process.

To authenticate the user logged on to the computer, the Windows wireless computer submits a user certificate stored in the Current User certificate store or on a smart card during EAP-TLS authentication. The user's certificate store is available only after the user has successfully logged on to the computer using the proper credentials. Each individual user that logs on to the computer has a separate user certificate store. The user certificate is not available during the startup process.

Without an installed computer certificate, a Windows wireless client computer that starts up within range of a wireless AP associates with it but authentication fails. A user can log on to a computer that does not have wireless LAN network connectivity using cached credentials. Once successfully logged on, the user's certificate store becomes available, and the subsequent authentication with the wireless AP succeeds using the installed user certificate.
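The distinction between the two stores is easy to audit on the client itself. The following PowerShell script is an added example and is not from the book: it enumerates the certificates in the Local Computer and Current User personal stores that a wireless client could present for EAP-TLS (private key present, within the validity period, and either carrying the standard Client Authentication EKU 1.3.6.1.5.5.7.3.2 or no EKU restriction at all) and warns when the computer store is empty, which is the condition under which startup authentication fails as described above. The function names are this example's own; smart-card certificates are only seen if they have been propagated into the user's store.

```powershell
# Added example (not from the book): inventory the certificates a Windows
# wireless client could present for EAP-TLS, split by the store the text
# describes. Requires the PowerShell certificate provider (Cert: drive).
# 1.3.6.1.5.5.7.3.2 is the standard Client Authentication EKU OID.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-EapTlsCandidateCerts {
    param(
        # 'LocalMachine' = computer certificate store (available at startup);
        # 'CurrentUser'  = the logged-on user's store (available after logon).
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation
    )
    $now = Get-Date
    Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object {
            $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter -gt $now -and
            # A certificate with no EKU extension is valid for any purpose.
            ($ekus.Count -eq 0 -or $ekus -contains $ClientAuthOid)
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

function Test-EapTlsReadiness {
    $computerCerts = @(Get-EapTlsCandidateCerts -StoreLocation LocalMachine)
    $userCerts     = @(Get-EapTlsCandidateCerts -StoreLocation CurrentUser)

    if ($computerCerts.Count -eq 0) {
        Write-Warning ('No usable computer certificate: computer authentication at ' +
            'startup will fail, and the client authenticates only after a user ' +
            'with a user certificate logs on (using cached credentials).')
    }
    if ($userCerts.Count -eq 0) {
        Write-Warning ('No usable user certificate in the current user store ' +
            '(smart-card certificates appear here only once propagated).')
    }

    # New-Object is used instead of [pscustomobject] so the script also runs
    # on the PowerShell 2.0 releases available for Windows XP / Server 2003.
    New-Object -TypeName PSObject -Property @{
        ComputerCertificates = $computerCerts
        UserCertificates     = $userCerts
    }
}

Test-EapTlsReadiness
```

Run the script as the user whose wireless access is being checked; the Local Computer store is readable by any user, but the Current User store shown is that of whoever runs it, which is exactly the per-user separation the text describes.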

Computer and User Authentication with PEAP-MS-CHAP v2

Computer authentication with PEAP-MS-CHAP v2 is done using the account name and password associated with the computer account for the computer, which is automatically assigned when the computer account is created. The credentials for computer authentication are always available and are used during the computer startup process to obtain access to the wireless network.

User authentication with PEAP-MS-CHAP v2 is done using an account name and password associated with the user of the computer. By default, the user's logon credentials (username and password) are automatically used to perform user authentication after the client successfully logs on to the computer. The automatic use of the user logon credentials can be configured from the properties of the MS-CHAP v2 PEAP type.

Controlling Computer and User Authentication with the AuthMode Registry Setting

The following registry setting controls the computer and user authentication behavior of Windows XP and Windows Server 2003:

AuthMode
    Key: HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global
    Value Type: REG_DWORD
    Valid Range: 0-2
    Default value: 0
    Present by default: No

AuthMode has the following values:

  • 0 Computer authentication mode

    If computer authentication is successful, no user authentication is attempted. If the user logon is successful before computer authentication, user authentication is performed. This is the default setting for Windows XP (prior to SP1).

  • 1 Computer authentication with re-authentication

    If computer authentication completes successfully, a subsequent user logon results in a re-authentication with user credentials. The user logon has to complete in 60 seconds or the existing network connectivity is terminated. The user credentials are used for subsequent authentication or re-authentication. Computer authentication is not attempted again until the user logs off the computer. This is the default setting for Windows XP (SP1 and later) and Windows Server 2003.

  • 2 Computer authentication only

    A user logon has no effect on the connection. Only computer authentication is performed.

The exception to this behavior is when you have a successful user logon and roam between wireless APs; then, user authentication is performed.

For changes to this setting to take effect, restart the Wireless Zero Configuration (WZC) service (for Windows XP) or the Wireless Configuration service (for Windows Server 2003).

NOTE
The AuthMode registry setting can be set in an Active Directory environment through the Computer Authentication setting on the IEEE 802.1x tab for a preferred wireless network within the Wireless Network (IEEE 802.11) Policies Group Policy extension. For more information, see Chapter 3, Windows Wireless Client Support.
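The registry procedure above (read the value, treat an absent value as the default of 0, write a DWORD in the range 0-2, then restart the wireless configuration service) is straightforward to script. The following PowerShell is an added example, not from the book or from Microsoft. It assumes the short service name WZCSVC for the Wireless Zero Configuration (Windows XP) / Wireless Configuration (Windows Server 2003) service, which should be confirmed with Get-Service on the target, and it must run in an elevated shell to write under HKLM. The function names are this example's own.

```powershell
# Added example (not from the book): read, explain and set the AuthMode
# value, then restart the service so the change takes effect.
# Assumption: WZCSVC is the short name of the Wireless Zero Configuration /
# Wireless Configuration service (verify with Get-Service on the target).

$AuthModeKey = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'
$WzcService  = 'WZCSVC'

# Meanings as documented in the text.
$AuthModeMeaning = @{
    0 = 'Computer authentication mode (default for Windows XP prior to SP1)'
    1 = 'Computer authentication with re-authentication (default for XP SP1+ and Server 2003)'
    2 = 'Computer authentication only'
}

function Get-EapolAuthMode {
    # The value is not present by default; the text documents that as mode 0.
    $item = Get-ItemProperty -Path $AuthModeKey -Name AuthMode -ErrorAction SilentlyContinue
    $present = ($item -ne $null)
    $mode = if ($present) { [int]$item.AuthMode } else { 0 }

    $meaning = if ($AuthModeMeaning.ContainsKey($mode)) {
        $AuthModeMeaning[$mode]
    } else {
        "Out of the documented 0-2 range; behaviour undefined"
    }

    New-Object -TypeName PSObject -Property @{
        AuthMode          = $mode
        PresentInRegistry = $present
        Meaning           = $meaning
    }
}

function Set-EapolAuthMode {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(0, 2)]
        [int]$Mode
    )
    if (-not (Test-Path -Path $AuthModeKey)) {
        New-Item -Path $AuthModeKey -Force | Out-Null
    }
    # New-ItemProperty -Force creates the value or overwrites it as REG_DWORD.
    New-ItemProperty -Path $AuthModeKey -Name AuthMode -Value $Mode `
        -PropertyType DWord -Force | Out-Null

    # The change only takes effect after the wireless configuration service restarts.
    Restart-Service -Name $WzcService -Force

    Get-EapolAuthMode
}

# Usage: show the current mode; to enforce computer-only authentication,
# run  Set-EapolAuthMode -Mode 2  from an elevated shell.
Get-EapolAuthMode
```

Reading the value is harmless and is a useful check when a client reports that user authentication never occurs (mode 2) or that connectivity drops about 60 seconds after logon (mode 1 with a slow logon).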


Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies