M. Eteum
2007-11-15 18:56:30 UTC
Hi,
I'm wondering if anyone has experience with the below.
In order to satisfy the security for our wireless infrastructure, I've
implemented WPA/TKIP with PEAP-MSCHAPv2 using Active Directory and
the Steel-Belted RADIUS. It somewhat works; that is, my wireless Windows
XP laptops are authenticated and granted access using the
username/password (but w/o certificate validation from the CA) to the
private network using the above encryption/authentication method.
Now that I have the Microsoft Enterprise CA running on the Standard
Windows Server 2003, I'd like to implement not only using the
username/password, but also, I'd like to be able to use the user and/or
computer certificate for added security.
Currently, I'm using the self-signed certificate that comes with the
Steel-Belted RADIUS, but I'd rather use the digital certificate from
our MS Enterprise CA.
My questions:
1) How do I generate a server certificate on the Enterprise CA for the
Steel-Belted RADIUS? I have to have a digital certificate file in
PKCS#12 format on the RADIUS server (????)
2) If I'd like to use both computer and user certificate
authentication (EAP-TLS, EAP-TTLS, perhaps) for just our wireless laptop
users (and PDA, perhaps), what other certificates do I have to generate on
the CA and where do I install them? Do I have to generate both computer &
user certificates and apply them on each laptop/user MANUALLY, or is
there a way to do it AUTOMATICALLY (through Group Policy, perhaps)? How?
3) Since our wireless switch passes it through to the RADIUS server, do I
still need to install the certificate on the wireless switch?
4) Furthermore, since I'm using the Windows XP wireless client, what do
I have to configure on the client, e.g. Validate Certificate Server,
etc.?
Thanks a bunch.
M.