Question
Thursday, October 6, 2011 9:04 AM
Hi,
I want to configure 2 different SSIDs, one dedicated to laptop WiFi connections, the other for mobile devices. Laptops use a machine certificate to connect to the WiFi network; mobile devices, on the other hand, use a user certificate. (Both WiFis are protected by 802.1X EAP-TLS.)
How can I configure the IAS RADIUS server so that laptops connect to the LAPTOP-WiFi and mobile devices to the MOBILE-WiFi? Can I differentiate between machine certificate and user certificate authentication?
Thanks a lot in advance.
All replies (3)
Thursday, October 6, 2011 11:27 PM ✅Answered
You can only use the user certificate for authentication, not the machine cert.
EAP PEAP Double Authentication for Machine and User certificates - apparently it's not supported:
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/cbb100b9-4343-4811-9127-bc0660b61956/?prof=required
I haven't configured a Cisco AP1231 as a RADIUS client to one IAS/NPS server using multiple cert-based authentication methods. What I've done in the past is configure two SSIDs - a secured SSID using PEAP, with a VLAN to the RADIUS (IAS) server, and a Guest SSID using WPA2 Personal that was VLAN'd to a guest network that didn't have access to the internal network.
What you want, if I understand it correctly, is to configure two SSIDs, each with a different cert-based authentication method. I believe for this you may need two RADIUS/IAS servers, one for each method. Maybe someone else can offer more specifics on this.
What I can also say, to control destination traffic for users, is that you can use a Cisco AP 1231 and configure various SSIDs, associate them with specific VLANs, and in AD use GPOs to assign the SSIDs based on groups. But of course this depends on the AP you have and whether it supports multiple SSIDs and VLANs.
“What model of AP will you purchase?” Search the article for “Planning for Wireless AP Deployment”
http://technet.microsoft.com/en-us/library/dd363547(WS.10).aspx
Here are some of my notes:
RADIUS Server for 802.1X Wireless or Wired Connections
http://technet.microsoft.com/en-us/library/cc731853.aspx
Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide
http://araihan.wordpress.com/2009/11/11/windows-server-2008-how-to-configure-network-policy-server-nps-or-radius-server/
Planning NPS as a RADIUS server. Includes links with how-to's.
http://technet.microsoft.com/en-us/library/dd197604(WS.10).aspx
Securing Wireless LANs with Certificate Services
http://technet.microsoft.com/en-us/library/cc527055.aspx
802.1X wireless authentication supports password-based and certificate-based authentication. You could use either of these two methods. I recommend using EAP-TLS or PEAP-TLS certificates for non-domain machines (including iPhones and BlackBerrys).
Posted by James McIllece in thread:
Radius on non-domain machines (Issue with non-domain RRAS clients including Blackberrys and iPhones that can't login)
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/5af102de-e9e2-4468-8c5e-de703d87d395
"You can configure authentication in NPS network policies. The most secure authentication is EAP-TLS or PEAP-TLS, however those are somewhat difficult to deploy because you must deploy certificates either via smartcards or by enrolling/installing a certificate that is issued to the user (for non-domain joined machine use).
The certification authority (CA) that issues the user certificate must also be the CA that issued the server certificate to your NPS server.
Another option is to use PEAP-MS-CHAPv2, which requires a server certificate on the NPS server, but allows users to type in domain credentials (user name and password) to log on to the network. Even with this authentication method though the CA certificate must be in the Trusted Root Certification Authorities store on the client so that the client trusts the NPS server.
If you're interested in either of these methods, there are some good deployment guides - see the server certificates guide and user and computer certificates guide at:
Core Network Guides for Windows Server 2008 R2:
http://technet.microsoft.com/en-us/library/dd894464(WS.10).aspx
These guides describe using autoenrollment of certificates, which will work for you for server certificates; but you will need to review the AD Certificate Services documentation for information on enrolling certificates to non-domain member computers if you want to deploy user certificates."
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Thursday, October 13, 2011 1:46 PM
Hi Ace,
Yes, I need to configure two SSIDs, each with a different cert-based authentication method. I thought I could use the same IAS server, configuring each SSID with the EAP-TLS authentication method but distinguishing between machine certificate and user certificate.
How can I prevent non-domain devices (like iPhones...) from connecting to the laptop SSID?
Monday, October 31, 2011 5:49 AM
If you configure an 802.1X scheme using user certificates and do not install the certificate on the iPhone, that will prevent them from connecting.
You can also add MAC-based authentication to prevent them, and you can take advantage of the "Calling-Station-ID" field in the user's AD properties, but that of course would require a complete list of MACs for all devices. However, you may take advantage of the first three bytes (first 6 hex digits) of the MAC address, which are unique to each vendor:
Vendor/Ethernet/Bluetooth MAC Address Lookup and Search
http://www.coffer.com/mac_find/?string=apple
Enhance your 802.1x deployment security with MAC filtering
"Ever wanted to tighten the security to the point that only some machines are allowed access on 802.1x/Wireless network? Well here’s the solution, combine MAC filtering, with EAP Authentication and you get, User AND machine authentication all in one."
http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
You can also use DHCP enforcement:
Configuring Windows Server 2008 for NAP DHCP Enforcement (Step by Step w/screenshots)
http://www.techotopia.com/index.php/Configuring_Windows_Server_2008_NAP_DHCP_Enforcement
The better bet is to go with a full NAC (network access control) solution using IPsec, such as Windows Server 2008 NAP+NPA. There are third-party solutions too, such as Cisco NAC, Aruba ECS, etc. Read the following discussion for more info:
Keeping Employees with Consumer Devices that do 802.1x off the Employee Network - How
http://airheads.arubanetworks.com/vBulletin/showthread.php?t=793
Thread: » Can I Block Ipods connecting to Network?
http://forums.whirlpool.net.au/archive/1387986
Network Access Protection
http://technet.microsoft.com/en-us/network/bb545879
Checklist: Configure NAP Enforcement for 802.1X Wired
http://technet.microsoft.com/en-us/library/cc730926(v=ws.10).aspxb
Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=733
Ace Fekay