EAP-TLS Authentication

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication requires computer and user certificates on the wireless client, the addition of EAP-TLS as an EAP type to the remote access policy for wireless access, and a reconfiguration of the wireless network connection.

DC1

To configure DC1 to provide autoenrollment for computer and user certificates, do the following:

  • Create a Certificate Templates snap-in

  • Create a certificate template for wireless users

  • Configure a certificate template

  • Enable a certificate template and user and computer certificate autoenrollment

To create a Certificate Templates snap-in

  1. Click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in, and then click Add.

  3. Under Snap-in, double-click Certificate Templates, click Close, and then click OK.

  4. In the console tree, click Certificate Templates. All of the certificate templates will be displayed in the details pane.

To create a certificate template for wireless users

  1. In the details pane of the Certificate Templates snap-in, click the User template.

  2. On the Action menu, click Duplicate Template.

  3. In the Template Display Name field, type Wireless User Certificate Template.

To configure a certificate template

  1. In the Properties Of New Template dialog box, make sure that the Publish Certificate In Active Directory check box is selected.

  2. Click the Security tab.

  3. In the Group Or User Names field, click Domain Users.

  4. In the Permissions For Domain Users list, select the Read, Enroll, and Autoenroll check boxes.

  5. Click the Subject Name tab and ensure that the Include E-Mail Name In Subject Name and E-Mail Name check boxes are cleared.

    NOTE
    These two options are disabled for this test lab configuration because an e-mail name was not entered for the WirelessUser account in the Active Directory Users and Computers snap-in.

  6. Click OK.

To enable the certificate template and user and computer certificate autoenrollment

  1. Open the Certification Authority snap-in.

  2. In the console tree, expand Example CA, and then click Certificate Templates.

  3. On the Action menu, point to New, and then click Certificate To Issue.

  4. Click Wireless User Certificate Template.

  5. Click OK.

  6. Open the Active Directory Users And Computers snap-in.

  7. In the console tree, double-click Active Directory Users And Computers, right-click the example.com domain, and then click Properties.

  8. On the Group Policy tab, click Default Domain Policy, and then click Edit. This opens the Group Policy Object Editor snap-in.

  9. In the console tree, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, and then click Automatic Certificate Request Settings.

  10. Right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

  11. On the Welcome To The Automatic Certificate Request Setup Wizard page, click Next.

  12. On the Certificate Template page, click Computer.

  13. Click Next. On the Completing The Automatic Certificate Request Setup Wizard page, click Finish. The Computer certificate type now appears in the details pane of the Group Policy Object Editor snap-in.

  14. In the console tree, expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.

  15. In the details pane, double-click Autoenrollment Settings.

  16. Click Enroll Certificates Automatically. Select the Renew Expired Certificates, Update Pending Certificates, And Remove Revoked Certificates check box. Select the Update Certificates That Use Certificate Templates check box.

  17. Click OK.
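The following PowerShell script is an added example, not part of the book, for checking on DC1 that the results of the procedures above are actually in place: that the duplicated template is enabled for issue on the CA, that Domain Users hold Read, Enroll and Autoenroll on the template object, and that the Autoenrollment Settings policy has reached the machine. It assumes (none of this is stated in the text) that the template's internal name is WirelessUserCertificateTemplate, which is what the Duplicate Template dialog derives from the display name by default, that the CA is the Example CA shown in the procedure, and that the AEPolicy bit values are the ones the Autoenrollment Settings dialog writes. It reads both the Computer Configuration (HKLM) and User Configuration (HKCU) policy values, since user certificate autoenrollment is governed by the user-side setting.

```powershell
# Added example (not from the book): verify the DC1-side outcome of the
# certificate template and autoenrollment procedures. Run on DC1 in an
# elevated PowerShell session after gpupdate.

$TemplateDisplayName = 'Wireless User Certificate Template'
$TemplateName        = 'WirelessUserCertificateTemplate'   # assumed internal (CN) name of the template

# Extended-right GUIDs that represent Enroll and Autoenroll on certificate template objects.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Test-TemplatePublished {
    # "Certificate To Issue" (steps 3-5 of the last procedure): the CA lists the
    # templates it is willing to issue in the output of certutil -CATemplates.
    $out = certutil -CATemplates 2>&1 | Out-String
    return ($out -match [regex]::Escape($TemplateDisplayName))
}

function Get-TemplateRightsForDomainUsers {
    # Security tab (steps 3-4 of "To configure a certificate template"): Domain Users
    # must hold Read, Enroll and Autoenroll on the template object in the Configuration NC.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn       = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $template = [ADSI]"LDAP://$dn"
    $rules    = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $genericRead   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $result = @{ Read = $false; Enroll = $false; Autoenroll = $false }
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -notmatch '\\Domain Users$') { continue }
        $rights = [int]$rule.ActiveDirectoryRights
        if (($rights -band $genericRead) -ne 0) { $result.Read = $true }
        if (($rights -band $extendedRight) -ne 0) {
            if ($rule.ObjectType -eq $EnrollGuid)     { $result.Enroll     = $true }
            if ($rule.ObjectType -eq $AutoEnrollGuid) { $result.Autoenroll = $true }
        }
    }
    return New-Object PSObject -Property $result
}

function Get-AutoenrollmentPolicy {
    # Autoenrollment Settings (steps 15-17) are delivered through the AEPolicy
    # registry value. Assumed bit values: 1 = Enroll certificates automatically,
    # 2 = Renew expired / update pending / remove revoked, 4 = Update certificates
    # that use certificate templates. All three selected gives 7.
    $key = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    foreach ($hive in 'HKLM', 'HKCU') {
        $scope = 'Computer Configuration'
        if ($hive -eq 'HKCU') { $scope = 'User Configuration' }
        $value = (Get-ItemProperty -Path "${hive}:\$key" -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        $allThree = ($value -ne $null) -and (($value -band 7) -eq 7)
        New-Object PSObject -Property @{ Scope = $scope; AEPolicy = $value; AllThreeOptionsSet = $allThree }
    }
}

# Usage: each check prints what is missing so the corresponding GUI step can be revisited.
"Template enabled for issue on the CA: $(Test-TemplatePublished)"
Get-TemplateRightsForDomainUsers | Format-List
Get-AutoenrollmentPolicy | Format-Table Scope, AEPolicy, AllThreeOptionsSet -AutoSize
```

The HKCU value reflects the policy of the user running the script; run it after that user has refreshed Group Policy so the result corresponds to the account that is expected to receive the user certificate.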

IAS1

To configure IAS1 to use EAP-TLS authentication, perform the following steps:

  1. Open the Internet Authentication Service snap-in.

  2. In the console tree, click Remote Access Policies.

  3. In the details pane, double-click Wireless Access To Intranet. The Wireless Access To Intranet Properties dialog box is displayed.

  4. Click Edit Profile, and then click the Authentication tab.

  5. On the Authentication tab, click EAP Methods. The Select EAP Providers dialog box is displayed.

  6. Click Add. The Add EAP dialog box is displayed.

  7. Click Smart Card Or Other Certificate, and then click OK. The Smart Card Or Other Certificate type is added to the list of EAP providers.

  8. Click Edit. The Smart Card Or Other Certificate Properties dialog box is displayed.

  9. The properties of the computer certificate issued to the IAS1 computer are displayed. This step verifies that IAS has an acceptable computer certificate installed to perform EAP-TLS authentication. Click OK.

  10. Click Move Up to make the Smart Card Or Other Certificate EAP provider the first in the list.

  11. Click OK to save changes to EAP providers. Click OK to save changes to the profile settings.

  12. Click OK to save changes to the remote access policy.

This allows the Wireless Access To Intranet remote access policy to authorize wireless connections that use the EAP-TLS authentication method.

CLIENT1

To configure CLIENT1 to use EAP-TLS authentication, perform the following steps:

  1. Update the computer and user Group Policy settings and obtain a computer and user certificate for the wireless client computer immediately by typing gpupdate at a command prompt. You must be logged on to the domain, either via your previously created PEAP-MS-CHAP v2 wireless connection or by connecting to the hub.

  2. To obtain properties for the WIR_TST_LAB wireless network, click Start, click Control Panel, double-click Network Connections, and then right-click your wireless network connection.

  3. Click Properties, click the Wireless Networks tab, click WIR_TST_LAB, and then click Configure.

  4. On the Authentication tab, select Smart Card Or Other Certificate for the EAP type.

  5. Click OK to exit the Wireless Network Properties dialog box, and then click OK to exit the Wireless Network Connection Properties dialog box.

  6. The wireless network connection reconnects using EAP-TLS authentication.
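The following PowerShell script is an added example, not part of the book, that serves both the IAS1 procedure (step 9, where the RADIUS server's computer certificate is inspected) and the CLIENT1 procedure (step 1, where the client obtains its computer and user certificates). It checks a certificate store for a certificate that EAP-TLS can actually use: a private key is present, the validity period covers today, the issuer is the lab CA, the required Enhanced Key Usage is present (Server Authentication on IAS1, Client Authentication on CLIENT1), and the certificate chains to a trusted root, because the peer will perform that verification during the TLS handshake. It also reads the IAS authentication events on IAS1 to confirm the reconnect in step 6 was granted. Assumptions not in the text: the CA's name is Example CA, PowerShell is available on both machines, and the IAS event IDs (1 = access granted, 2 = access rejected, source IAS in the System log) are taken from IAS documentation rather than from this page.

```powershell
# Added example (not from the book): is there an EAP-TLS-usable certificate in a store,
# and did IAS1 grant the wireless connection?

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication: required on IAS1's computer certificate
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication: required on CLIENT1's computer and user certificates

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$StorePath,    # Cert:\LocalMachine\My or Cert:\CurrentUser\My
        [Parameter(Mandatory = $true)][string]$RequiredEku,
        [string]$IssuerName = 'Example CA',                  # assumed lab CA name
        [switch]$CheckRevocation                             # enable once a reachable CRL distribution point exists
    )
    $now     = Get-Date
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

    $usable = foreach ($cert in Get-ChildItem -Path $StorePath) {
        # EAP-TLS needs the private key, a currently valid certificate from the expected CA and the right EKU.
        if (-not $cert.HasPrivateKey) { continue }
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -le $now) { continue }
        if ($cert.Issuer -notmatch [regex]::Escape($IssuerName)) { continue }
        $ekuExt = $cert.Extensions | Where-Object { $_ -is $ekuType }
        if (-not $ekuExt) { continue }
        $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekus -notcontains $RequiredEku) { continue }

        # The peer validates the chain during the TLS handshake, so build it locally first.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if ($CheckRevocation) { $chain.ChainPolicy.RevocationMode = 'Online' }
        if (-not $chain.Build($cert)) { continue }
        $cert
    }

    return New-Object PSObject -Property @{
        Store       = $StorePath
        RequiredEku = $RequiredEku
        Usable      = [bool]$usable
        Thumbprints = @($usable | ForEach-Object { $_.Thumbprint })
    }
}

function Get-IasAuthenticationEvents {
    # Run on IAS1. Event ID 1 = access granted, 2 = access rejected (assumed from IAS documentation).
    param([int]$Newest = 20)
    Get-EventLog -LogName System -Source IAS -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { @(1, 2) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# On IAS1 (IAS1 procedure, step 9): the RADIUS server's computer certificate must carry Server Authentication.
Test-EapTlsCertificate -StorePath 'Cert:\LocalMachine\My' -RequiredEku $ServerAuthEku | Format-List

# On CLIENT1 (CLIENT1 procedure, step 1): both the computer and the user certificate need Client Authentication.
Test-EapTlsCertificate -StorePath 'Cert:\LocalMachine\My' -RequiredEku $ClientAuthEku | Format-List
Test-EapTlsCertificate -StorePath 'Cert:\CurrentUser\My'  -RequiredEku $ClientAuthEku | Format-List

# On IAS1 after CLIENT1 reconnects (CLIENT1 procedure, step 6): confirm the connection was granted, not rejected.
Get-IasAuthenticationEvents | Format-Table -AutoSize
```

If the client checks report Usable = False, rerun gpupdate (and certutil -pulse to trigger autoenrollment immediately) while connected via the PEAP-MS-CHAP v2 connection or the hub, then repeat the check; if IAS1 reports a rejection event, its Summary line names the reason, which is usually a certificate the server could not validate.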



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies