[Dshield] Wireless MAC Authentication options.

John B. Holmblad jholmblad at aol.com
Thu Aug 25 19:55:03 GMT 2005


Moses,

you are definitely ahead of the industry at large if you are rolling out 
802.1x for all your wired as well as wireless LAN access. It does 
mystify me why companies are not more aggressive about using 802.1x on 
an enterprise-wide basis, especially given all the time and $ spent on 
other security measures. In discussions I have had in the past on this 
question, some have asserted that the slow absorption of 802.1x in the 
market is because the LAN switch suppliers have been slow to provide 
802.1x support.

You also reveal a subtlety of which I was not aware, that is, that the 
Microsoft wireless network configuration option to "authenticate as 
computer when computer information is available" is operative in the 
case of EAP-MSCHAP V2 based authentication as well as with certificate 
based authentication. I would assume then that the OS is using the ID 
and password for the computer account of the client computer in 
question, which would of course have to be registered in AD for this to 
work with Microsoft's Radius Server, IAS.

Regarding the increased complexity of preparing/issuing computer 
certificates in an AD domain environment, I assume you are aware that 
with Group Policy, and for client computers running either Windows 2000 
Pro or Server, 2003 Server, or Windows XP, you can have the clients 
configured to automatically receive their certificates. Of course you 
also have to have Certificate Services running for this to work, and 
thereafter you have to carefully secure your cert server if you choose 
to keep it running.

    The procedure, Automatic Certificate Request Settings - ACRS, is
    used for 2000 Pro and 2000 Server client systems (it can also
    "serve" certs to XP and 2003 Server client systems). The downside
    with this procedure is that ACRS will only issue X.509 version 1
    certs, which are somewhat obsolete. ACRS is supported by both 2000
    and 2003 Server Certificate Services.

    The procedure, Autoenrollment Settings, can be used to issue certs
    for Windows XP and 2003 Server systems, and this method is
    preferable because the certs are issued as X.509 version 2 certs.
    There are two limitations here however: a) the procedure is NOT
    supported for clients running 2000 Pro or 2000 Server, and b) Cert
    Services has to be running on a Windows 2003 Server because the
    procedure is NOT supported on 2000 Server Cert Services.

-- 
Best Regards,

John Holmblad

Televerage International
GSEC Gold,GCWN Gold,GGSC-0100,NSA-IAM

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

primary email address:     jholmblad at aol.com
backup email address:      jholmblad at verizon.net
