Configuring the Certificate Infrastructure

For computer authentication with EAP-TLS, you must install a computer certificate, also known as a machine certificate, on the wireless client computer. A computer certificate is used to authenticate the wireless client computer so that the computer can obtain network connectivity to the enterprise intranet and receive computer configuration through Group Policy updates prior to user login. For user authentication with EAP-TLS, you must use a user certificate stored on a smart card or stored on the wireless client computer. A user certificate is used to authenticate the user of the wireless client computer after a successful login.

A computer certificate is installed on the IAS server computer so that the IAS server has a certificate to send to the wireless client computer for mutual authentication during EAP-TLS authentication, regardless of whether the wireless client computer authenticates with a computer certificate or a user certificate. The computer and user certificates submitted by the wireless client and IAS server during EAP-TLS authentication must conform to the requirements specified in the Using Third-Party CAs for Wireless Authentication section of Chapter 6, Certificates and Public Key Infrastructure.

In a typical enterprise deployment, the PKI consists of a single root certification authority (CA) in a three-level hierarchy consisting of root CA/intermediate CAs/issuing CAs. Issuing CAs are configured to issue computer certificates and user certificates. When the computer or user certificate is installed on the wireless client, the issuing CA certificate, intermediate CA certificates, and root CA certificate are also installed. When the computer certificate is installed on the IAS server computer, the issuing CA certificate, intermediate CA certificates, and root CA certificate are also installed. The issuing CA for the IAS server certificate can be different from the issuing CA for the wireless client certificates. In this case, both the wireless client and the IAS server computer must have all the required certificates needed to perform certificate validation for EAP-TLS authentication.

If you use EAP-TLS authentication, install both user and computer certificates on wireless client computers.

If you already have a certificate infrastructure for EAP-TLS authentication and use RADIUS for dial-up or virtual private network (VPN) remote access connections, you can skip some of the certificate infrastructure steps. You can use the same certificate infrastructure for wireless connections. However, you must ensure that computer certificates are installed for computer authentication. Although smart cards are recommended for EAP-TLS-based remote access connections, you must use user certificates stored on the computer for user authentication of wireless connections (rather than using smart cards) for computers running Windows XP (prior to SP1). For computers running Windows Server 2003, Windows XP (SP1 or later), or Windows 2000, you can use either user certificates stored on the computer or a smart card for user authentication.

TIP
Certificates obtained from issuing CAs that are from the same root CA hierarchy chain up to the same root CA certificate. In Windows Server 2003, Windows XP, and Windows 2000, you can view the certificate chain from the Certification Path tab in the properties of a certificate in the Certificates snap-in. You can view the installed root CA certificates in the Trusted Root Certification Authorities\Certificates folder, and you can view the intermediate CA certificates in the Intermediate Certification Authorities\Certificates folder.

Installing a Certificate Infrastructure

When installing a certificate infrastructure, use the following best practices:

  • Plan your public key infrastructure (PKI) before deploying CAs.

  • The root CA should be offline, and its signing key should be secured by a Hardware Security Module (HSM) and kept in a vault to minimize potential for key compromise.

  • Enterprise organizations should not issue certificates to users or computers directly from the root CA, but rather should deploy the following:

    • An offline root CA

    • Offline intermediate CAs

    • Online issuing CAs (using Windows Server 2003 or Windows 2000 Certificate Services as an enterprise CA)

This CA hierarchy provides flexibility and insulates the root CA from attempts to compromise its private key by malicious users. The offline root and intermediate CAs do not have to be Windows Server 2003 or Windows 2000 CAs. Issuing CAs can be subordinates of a third-party CA.

  • Backing up the CA database, the CA certificate, and the CA keys is essential to protect against the loss of critical data. The CA should be backed up on a regular basis (daily, weekly, or monthly), based on the number of certificates issued over the same interval. The more certificates issued, the more frequently you should back up the CA.

  • You should review the concepts of security permissions and access control in Windows because enterprise CAs issue certificates based on the security permissions of the certificate requester.

Additionally, if you want to take advantage of autoenrollment for computer certificates, use Windows 2000 or Windows Server 2003 Certificate Services and then create an enterprise CA as the issuing CA. If you want to take advantage of autoenrollment for user certificates, use Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition, Certificate Services and then create an enterprise CA as the issuing CA.

More Info
For more information about single- or multi-level certificate infrastructures, see Chapter 6, Certificates and Public Key Infrastructure. For additional information about PKI and the Windows 2000 Certificate Services, including deployment instructions and best practices, see the Windows 2000 Security Services Web site at http://www.microsoft.com/windows2000/technologies/security/default.asp. For additional information about Windows Server 2003 security services, see the Windows Server 2003 Security Services Web site at http://www.microsoft.com/windowsserver2003/technologies/security/default.mspx.

Configuring Autoenrollment for Computer Certificates

If you use a Windows Server 2003 or Windows 2000 Certificate Services enterprise CA as an issuing CA, you can install a computer certificate on IAS servers and wireless client computers by configuring Group Policy for the autoenrollment of computer certificates for members of an Active Directory system container.

To configure computer certificate enrollment for an enterprise CA, do the following:

  1. Open the Active Directory Users And Computers snap-in.

  2. In the console tree, double-click Active Directory Users And Computers, right-click the appropriate Active Directory system container, and then click Properties.

  3. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy) and then click Edit.

  4. In the console tree, open Computer Configuration; then Windows Settings; then Security Settings; then Public Key Policies; then Automatic Certificate Request Settings.

  5. Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request. The Automatic Certificate Request Wizard appears.

  6. Click Next.

  7. In Certificate Templates, click Computer and then click Next.

  8. If you have more than one enterprise issuing CA, click the correct enterprise CA, click Next, and then click Finish.

After the domain is configured for autoenrollment of computer certificates, each computer that is a member of the domain system container requests a computer certificate when the computer configuration Group Policy is refreshed. By default, the Winlogon service polls for changes in Group Policy every 90 minutes. To force a refresh of computer Group Policy, restart the computer or type secedit /refreshpolicy machine_policy (for a computer running Windows 2000) or gpupdate /target:computer (for a computer running Windows XP or Windows Server 2003) at a command prompt.

Perform this procedure for each domain system container as appropriate.

If you use a Windows Server 2003 or Windows 2000 enterprise CA as an issuing CA, configure autoenrollment of computer certificates to install computer certificates on all computers. Ensure that all appropriate domain system containers are configured for autoenrollment of computer certificates, either through inheriting Group Policy settings of a parent system container or explicit configuration.

Configuring Autoenrollment for User Certificates

If you use a Windows Server 2003, Enterprise Edition or a Windows Server 2003, Datacenter Edition enterprise CA as an issuing CA, you can install user certificates through autoenrollment. However, only Windows XP and Windows Server 2003 wireless clients support user certificate autoenrollment.

To configure user certificate enrollment for an enterprise CA, do the following:

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-In and then click Add.

  3. Under Snap-In, double-click Certificate Templates, click Close, and then click OK.

  4. In the console tree, click Certificate Templates. All certificate templates are displayed in the details pane.

  5. In the details pane, click the User template.

  6. On the Action menu, click Duplicate Template.

  7. In the Display Name field, type the name of the new user certificate template (for example, WirelessAccess).

  8. Make sure that the Publish Certificate In Active Directory check box is selected.

  9. Click the Security tab.

  10. In the Group Or User Names field, click Domain Users.

  11. In the Permissions For Domain Users list, select the Read, Enroll, and Autoenroll permission check boxes and then click OK. The following figure shows the resulting configuration.

    [Figure: the Security tab of the new user certificate template, with the Read, Enroll, and Autoenroll permissions selected for Domain Users]

  12. Open the Certification Authority snap-in.

  13. In the console tree, open Certification Authority; then your CA name; then Certificate Templates.

  14. On the Action menu, point to New and then click Certificate To Issue.

  15. Click the name of the newly created user certificate template (for example, WirelessAccess) and then click OK.

  16. Open the Active Directory Users And Computers snap-in.

  17. In the console tree, double-click Active Directory Users And Computers, right-click the appropriate Active Directory system container, and then click Properties.

  18. On the Group Policy tab, click the appropriate Group Policy object (the default object is Default Domain Policy) and then click Edit.

  19. In the console tree, open User Configuration; then Windows Settings; then Security Settings; then Public Key Policies.

  20. In the details pane, double-click Autoenrollment Settings.

  21. Click Enroll Certificates Automatically.

  22. Select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box.

  23. Select the Update Certificates That Use Certificate Templates check box. The following figure shows the resulting configuration.

    [Figure: the Autoenrollment Settings Properties dialog box, with Enroll Certificates Automatically selected and both check boxes enabled]

  24. Click OK.

Perform this procedure for each domain system container, as appropriate.

If you use a Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition enterprise CA as an issuing CA, configure autoenrollment of user certificates to install user certificates on all computers running Windows XP or Windows Server 2003. Ensure that all appropriate domain system containers are configured for autoenrollment of user certificates, either through the inheriting of Group Policy settings of a parent system container or by explicit configuration.
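As an added check that is not part of the book's text, the following PowerShell function verifies what the autoenrollment procedures above are meant to produce: a certificate in the computer or user store that has a private key, carries the Client Authentication EKU (or Server Authentication for the IAS server certificate), and chains to a trusted root CA through the installed intermediate CA certificates, which is what the Certification Path tab shows manually. The function name and parameters are assumptions, and it assumes Windows PowerShell 3.0 or later on a domain member.

```powershell
# Added example (not from the book): verify that certificates installed by
# autoenrollment meet the EAP-TLS requirements discussed in this chapter.
function Test-EapTlsCertificates {
    param(
        # LocalMachine = computer certificates, CurrentUser = user certificates
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$StoreLocation = 'LocalMachine',
        # 'Client' for wireless clients, 'Server' for the IAS server certificate
        [ValidateSet('Client', 'Server')]
        [string]$Role = 'Client'
    )
    # Standard EKU OIDs: Server Authentication and Client Authentication.
    $requiredEku = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }

    foreach ($cert in Get-ChildItem -Path "Cert:\$StoreLocation\My") {
        # EAP-TLS needs the private key; skip certificates that lack one.
        if (-not $cert.HasPrivateKey) { continue }

        # Collect the Enhanced Key Usage OIDs carried by the certificate.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        # Build the chain the way the Certification Path tab does: against the
        # Trusted Root and Intermediate Certification Authorities stores, with
        # online revocation checking so a revoked issuing CA is reported.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chainValid = $chain.Build($cert)

        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            HasEku     = ($ekus -contains $requiredEku)
            ChainValid = $chainValid
            Chain      = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
            Problems   = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
}

# Computer certificate on a wireless client; use -Role Server on the IAS server
# and -StoreLocation CurrentUser after user certificate autoenrollment.
Test-EapTlsCertificates -StoreLocation LocalMachine -Role Client | Format-List
```

A certificate is usable for EAP-TLS only when HasEku and ChainValid are both True; a non-empty Problems field names the missing intermediate or root CA certificate or the revocation failure to fix.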



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies