Group Policy and IEEE 802.1X Authentication

Group Policy settings define the various components of the user’s desktop environment that a system administrator needs to manage; for example, the programs that are available to users, the programs that appear on the user’s desktop, and Start menu options. Group Policy settings you specify are contained in a Group Policy object, which is in turn associated with selected Active Directory container objects: sites, domains, or organizational units. Group Policy includes settings for User Configuration, which affect users, and Computer Configuration, which affect computers.

EAP-TLS and Computer Configuration Group Policy

Updates to Computer Configuration Group Policy occur when the computer starts, achieves network connectivity, and locates a domain controller. The computer attempts to download the latest Computer Configuration Group Policy based on the computer’s membership in a domain system container.

If a Windows wireless client configured to use EAP-TLS authentication does not have a computer certificate installed, it cannot authenticate to a wireless AP to obtain wireless LAN network connectivity. Therefore, the attempt to locate a domain controller and download the latest Computer Configuration Group Policy fails. This event is recorded in the event log.

The solution to this problem is to install a computer certificate on the Windows wireless client so that wireless LAN network connectivity is present during the location of the domain controller and the download of the Computer Configuration Group Policy.

EAP-TLS and User Configuration Group Policy

Updates to User Configuration Group Policy occur when a user supplies correct credentials and logs on to the domain. If a computer certificate is not installed (and the computer has not authenticated itself against the wireless AP), the logon uses cached credentials. After the user certificate in the user’s certificate store becomes available, the Windows wireless client configured to use EAP-TLS authentication attempts to authenticate against the wireless AP. Depending on how long the wireless authentication takes, the download of the User Configuration Group Policy might also fail. This event is recorded in the event log.

The solution to this problem is to install a computer certificate on the Windows wireless client. With an installed computer certificate, the Windows wireless client has wireless LAN network connectivity during the entire logon process, and therefore should always be able to download the latest User Configuration Group Policy.

If you are using EAP-TLS for authentication, use both computer and user certificates.

Using Third-Party CAs for Wireless Authentication

You can use third-party CAs to issue certificates for wireless access as long as the certificates installed can be validated and have the appropriate properties.

Certificates on IAS Servers

For the computer certificates installed on the IAS servers, the following must be true:

  • They must be installed in the Local Computer certificate store.

  • They must have a corresponding private key. When you view the properties of the certificate, you should see the text You Have a Private Key That Corresponds To This Certificate on the General tab.

  • The cryptographic service provider for the certificates must support SChannel (Secure Channel). If not, the IAS server cannot use the certificate and it is not selectable from the properties of the Smart Card Or Other Certificate EAP type from the Authentication tab on the properties of a profile for a remote access policy.

  • They must contain the Server Authentication EKU. The OID for Server Authentication is 1.3.6.1.5.5.7.3.1.

  • They must contain the FQDN of the computer account of the IAS server computer in the Subject Alternative Name field.

Additionally, the root CA certificates for the issuing CAs of the wireless client computer and user certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates folder.

Certificates on Wireless Client Computers

For the user and computer certificates installed on wireless client computers, the following must be true:

  • They must have a corresponding private key.

  • They must contain the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).

  • Computer certificates must be installed in the Local Computer certificate store.

  • Computer certificates must contain the FQDN of the wireless client computer account in the Subject Alternative Name field.

  • User certificates must be installed in the Current User certificate store.

  • User certificates must contain the UPN of the user account in the Subject Alternative Name field.

Additionally, the root CA certificates of the issuing CAs of the IAS server computer certificates must be installed in the Certificates (Local Computer)\Trusted Root Certification Authorities\Certificates folder.
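As an added example that is not part of the book, the following PowerShell function checks a certificate in a Windows store against the requirements in the two lists above: a corresponding private key, the Server Authentication or Client Authentication EKU, the FQDN or UPN in the Subject Alternative Name field, and a chain that builds to a root CA certificate installed in Trusted Root Certification Authorities. The function and parameter names are the example's own; the SChannel support requirement for the cryptographic service provider is not covered by it.

```powershell
# Added example (not from the book). Assumes Windows PowerShell 5.1 or later.
function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][ValidateSet('IasServer', 'ClientComputer', 'ClientUser')][string]$Role,
        # Expected SAN entry: computer FQDN for server/computer certs, UPN for user certs
        [Parameter(Mandatory)][string]$ExpectedName
    )
    # EKU OIDs named in the text: Server Authentication and Client Authentication
    $requiredEku = if ($Role -eq 'IasServer') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }

    # Extended Key Usage extension is OID 2.5.29.37
    $ekuExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages |
                   ForEach-Object { $_.Value }
    }

    # Subject Alternative Name extension is OID 2.5.29.17. Format() renders entries as
    # "DNS Name=host.example.com" or, for a UPN, "Other Name:" / "Principal Name=user@example.com".
    $sanExt   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText  = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $sanLabel = if ($Role -eq 'ClientUser') { 'Principal Name' } else { 'DNS Name' }
    $sanOk    = $sanText -match ('(?im)^\s*' + [regex]::Escape($sanLabel) + '=' + [regex]::Escape($ExpectedName) + '\s*$')

    # Chain building succeeds only if the issuing CA's root is in Trusted Root Certification Authorities.
    # Revocation is disabled here so the result reflects trust-path presence only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Cert)

    [pscustomobject]@{
        Thumbprint         = $Cert.Thumbprint
        Subject            = $Cert.Subject
        HasPrivateKey      = $Cert.HasPrivateKey
        HasRequiredEku     = $ekuOids -contains $requiredEku
        SanMatches         = [bool]$sanOk
        ChainToTrustedRoot = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Usage: evaluate every certificate in the Local Computer personal store as an IAS server certificate.
$fqdn = [System.Net.Dns]::GetHostEntry([Environment]::MachineName).HostName
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    Test-EapTlsCertificate -Cert $_ -Role IasServer -ExpectedName $fqdn
} | Format-Table -AutoSize
```

For a user certificate, run the same function against `Cert:\CurrentUser\My` with `-Role ClientUser` and the account's UPN as `-ExpectedName`.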