EAP-TLS using Windows 2000 client and IAS on Windows 2003

Mike Mullins

Has anyone any experience of using EAP-TLS with TKIP
where the clients are Windows 2000 domain logons, the
RADIUS server is Windows 2003 with IAS, using user
certificates issued using a Windows 2003 Enterprise CA?
 
Ace Fekay [MVP]

Mike Mullins said:
> Has anyone any experience of using EAP-TLS with TKIP
> where the clients are Windows 2000 domain logons, the
> RADIUS server is Windows 2003 with IAS, using user
> certificates issued using a Windows 2003 Enterprise CA?

Is there a particular concern? I have some links if they are helpful...

Support WebCast How to Use Certificate Authority for Authentication:
http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc080901/wcblurb080901.asp



--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Mike Mullins

Particular concerns - yes.

1 Getting the cert on the user's domain profile.
Does allowing autoenrollment mean that the cert is placed
in the user's browser certificates as soon as they are
given an account, or log on? Do they really need to use
a browser to ask for a cert? Is their cert copied if
they have a portable profile to other machines?

2 Making the domain logon really transparent
Can the Wireless service on SP4 Win2k support EAP-TLS
"machine autologon to wireless network" just like it
does (in functionality) when using PEAP? If so how do I
get the client machine to have a cert itself? Or do I
need to use the 3Com client utility launcher.exe for
example each time "after" a user logs on to Windows?

3 Dumb users
If the answer to 2 is yes, you must use the card vendor's
client utility after cached Windows logon, how else can I
minimise the users' contact with the wireless, so they
don't need an idiot card?
 
Ace Fekay [MVP]

Trying to go on memory for these questions.... please see inline...

Mike Mullins said:
> Particular concerns - yes.
>
> 1 Getting the cert on the user's domain profile.
> Does allowing autoenrollment mean that the cert is placed
> in the user's browser certificates as soon as they are
> given an account, or log on?

Yes

> Do they really need to use
> a browser to ask for a cert?

Autoenrollment works with XP Pro in a domain. If the clients are W2k, they
need to request the cert at the internal certsrv site.

> Is their cert copied if
> they have a portable profile to other machines?

It's part of their domain account. So yes, no matter where they are logged
on.

> 2 Making the domain logon really transparent
> Can the Wireless service on SP4 Win2k support EAP-TLS
> "machine autologon to wireless network" just like it
> does (in functionality) when using PEAP? If so how do I
> get the client machine to have a cert itself?

I haven't tested this, so can't give you a definite answer, but can only say
that the users need to request a cert. As for the wireless service on W2k, I
wasn't aware that SP4 added wireless functionality. I was using 3rd party
software for that functionality in my old W2k laptop. XP has wireless built
in.

> Or do I
> need to use the 3Com client utility launcher.exe for
> example each time "after" a user logs on to Windows?

Not sure...

> 3 Dumb users
> If the answer to 2 is yes, you must use the card vendor's
> client utility after cached Windows logon, how else can I
> minimise the users' contact with the wireless, so they
> don't need an idiot card?

Sorry I can't answer all your questions. I have set this up with XP as
clients and it's relatively easy once it's working, but have to admit I did
have some issues in the beginning getting the cert thing straightened out.
Have you tried some of the wireless forums? There's a
microsoft.public.windows.networking.wireless that may be better suited for
the specific wireless questions.



--
Regards,
Ace
