Discussion:
802.1x XP --> HP Procurve --> IAS using eap-tls (computer auth o
Don Murphy
2008-04-11 21:06:01 UTC
I have the following example working:

802.1x XP --> HP Procurve --> IAS

using eap-tls on Windows Server 2003. I will be able to deploy the root
certs for the IAS server and will be able to deploy the computer certs for
the XP workstation via group policy with no problems.

What I want to attempt to do is to authenticate using the domain joined
computer credentials/certs at my rootCA certs only. I do not want to deploy
user certs. Is there a reg hack for this?

I don't think my switches support peap so I want to do this with eap-tls.

The whole goal I am trying to accomplish is to only allow specific domain
joined computers access to the network.

Thanks,

Don
Don Murphy
2008-04-11 22:00:03 UTC
Well I found this.

http://www.derkeiler.com/Newsgroups/microsoft.public.win2000.security/2003-03/1865.html

Am I still secure using this if I turn off using user auth?
Don Murphy
2008-04-11 23:07:07 UTC
I must be misunderstanding something.

I have eap-tls configured and working with an HP ProCurve switch. My IAS
rule checks for my computer account to be in a domain. I am using the
default Windows XP SP2 authentication NIC properties.

Domain user accounts have NO bearing on whether I am allowed to log in or
not. I thought eap-tls used computer and user certs. What am I missing?
As I said before, all I want is to deploy computer and root certs and have the
machine auth with the computer account only.

Don
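One way to check and set the XP supplicant's authentication mode, as an added example that is not part of this thread: the AuthMode DWORD under HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global is documented by Microsoft for the Windows XP 802.1X supplicant (it is not mentioned in the posts above); 2 selects computer-only authentication, so no user certificate is ever presented, while the default 0 re-authenticates with user credentials after logon.

```powershell
# Added example (not from the thread): inspect and set the Windows XP
# 802.1X supplicant authentication mode. Key path and value name are from
# Microsoft's XP supplicant documentation; run from an administrative prompt.
$Key  = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$Name = 'AuthMode'

# Documented meanings of the AuthMode DWORD
$Modes = @{
    0 = 'computer authentication, then user re-authentication after logon (default)'
    1 = 'computer authentication with user re-authentication'
    2 = 'computer authentication only (machine certificate only, no user certificate)'
}

# Returns the effective mode; an absent key or value means the default (0).
function Get-EapolAuthMode {
    if (-not (Test-Path $Key)) { return 0 }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

# Sets the mode, creating the key if the supplicant has never written it.
function Set-EapolAuthMode {
    param([Parameter(Mandatory = $true)][int]$Mode)
    if (-not $Modes.ContainsKey($Mode)) { throw "Unknown AuthMode value: $Mode" }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name $Name -Value $Mode -Type DWord
}

# Report the current state, then enforce machine-only authentication,
# which is what a "domain-joined computers only" policy needs on the client.
$current = Get-EapolAuthMode
Write-Host ("Current AuthMode: {0} = {1}" -f $current, $Modes[$current])
if ($current -ne 2) {
    Set-EapolAuthMode -Mode 2
    Write-Host ("AuthMode set to 2 = {0}" -f $Modes[2])
}
```

The supplicant reads the value when it starts, so a reboot (or a restart of the 802.1X service) is needed before the change takes effect; the same DWORD can be pushed to every workstation through Group Policy alongside the certificates.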
Mimmus
2008-04-16 11:55:03 UTC
A switch supports only 802.1x, not TLS or PEAP! You can use whatever you
like.
I prefer EAP-PEAP because I don't have to deploy certificates (I need only
one for the server; even a homemade one is fine, so you don't need a CA).
And then I can authenticate with user or computer account.

Bye
Domenico
