[Dshield] Wireless MAC Authentication options.

John B. Holmblad jholmblad at aol.com
Thu Aug 25 15:19:06 GMT 2005


Moses,

In a Microsoft environment you CAN, if you choose, support
certificate-based authentication of the client as well. I have tested
this out and it does work. This is useful because it is possible to
configure the client (in a Microsoft network) to authenticate to the AP
when the system is powered up so that the computer can authenticate to
the AD domain controller and computer-based (as opposed to user-based)
AD/Group Policy profiles can be downloaded even before a user logs on.
In fact, in such a scenario it is also possible to have a
re-authentication to the AP occur once the user does log on. That way
the sysadmin can make sure that not only is the computer allowed to
enter the network via the wireless AP but also that the specific user is
permitted to do so. Clearly MS-CHAP-V2 is easier for the sysadmin to set
up, especially in a Windows Workgroup network that does not have a
server configured with, say, Certificate Services, to easily create and
issue computer certificates for the clients or, alternatively, have such
client certificates requested by the clients.

Here is the url to the results of my research on this:

       http://www.sans.org/rr/whitepapers/honors/1494.php

and there is plenty of info available from the Microsoft www site on how 
to set up certificate-based authentication in an 802.11 wireless 
environment. Microsoft Press also has a text, "Windows 2003 PKI 
Certificate Security", that has a section pertaining to wireless networking.

-- 
Best Regards,

John Holmblad

Televerage International
GSEC Gold,GCWN Gold,GGSC-0100,NSA-IAM

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

primary email address:     jholmblad at aol.com
backup email address:      jholmblad at verizon.net


