[Dshield] Wireless MAC Authentication options.
John B. Holmblad
jholmblad at aol.com
Thu Aug 25 19:55:03 GMT 2005
You are definitely ahead of the industry at large if you are rolling out
802.1x for all your wired as well as wireless LAN access. It does
mystify me why companies are not more aggressive about using 802.1x on
an enterprise-wide basis, especially given all the time and $ spent on
other security measures. In discussions I have had in the past on this
question, some have asserted that the slow absorption of 802.1x in the
market is because the LAN switch suppliers have been slow to provide
You also reveal a subtlety of which I was not aware, that is, that the
Microsoft wireless network configuration option to "authenticate as
computer when computer information is available" is operative in the
case of EAP-MSCHAP v2 based authentication as well as with certificate
based authentication. I would assume then that the OS is using the ID
and password of the computer account for the client computer in
question, which would of course have to be registered in AD for this to
work with Microsoft's RADIUS server, IAS.
Regarding the increased complexity of preparing/issuing computer
certificates in an AD domain environment, I assume you are aware that
with Group Policy, and for client computers running Windows 2000
Pro or Server, 2003 Server, or Windows XP, you can have the clients
configured to automatically receive their certificates. Of course you
also have to have Certificate Services running for this to work, and
thereafter you have to carefully secure your cert server if you choose
to keep it running.
The procedure Automatic Certificate Request Settings (ACRS) is
used for 2000 Pro and 2000 Server client systems (it can also
"serve" certs to XP and 2003 Server client systems). The downside
with this procedure is that ACRS will only issue X.509 version 1
certs, which are somewhat obsolete. ACRS is supported by both 2000
and 2003 Server Certificate Services.
The procedure Autoenrollment Settings can be used to issue certs
for Windows XP and 2003 Server systems, and this method is
preferable because the certs are issued as X.509 version 2 certs.
There are two limitations here, however: a) the procedure is NOT
supported for clients running 2000 Pro or 2000 Server, and b) Cert
Services has to be running on a Windows 2003 Server because the
procedure is NOT supported on 2000 Server Cert Services.
GSEC Gold,GCWN Gold,GGSC-0100,NSA-IAM
(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388
primary email address: jholmblad at aol.com
backup email address: jholmblad at verizon.net
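As an added example (not code from the original post or from Microsoft), the following PowerShell check, run on a domain-joined Windows client, confirms that a computer certificate suitable for 802.1x machine authentication has actually arrived in the machine store and reports whether it carries the v1 template-name extension (as ACRS issues) or the v2 template-information extension (as Autoenrollment Settings issues). The OID constants are the standard ones; no template names are assumed.

```powershell
# Added example: verify autoenrolled computer certs for 802.1x machine auth.
# Assumes Windows PowerShell with the Cert: provider on a domain-joined client.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'      # id-kp-clientAuth EKU, required for EAP-TLS
$v1TemplateOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates, ACRS)
$v2TemplateOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # The Cert: provider exposes EnhancedKeyUsageList with ObjectId/FriendlyName.
    $hasClientAuth = @($cert.EnhancedKeyUsageList |
        Where-Object { $_.ObjectId -eq $clientAuthOid }).Count -gt 0

    # Work out which enrollment path produced the certificate.
    $template = 'none (not template-based)'
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq $v1TemplateOid) {
            $template = 'v1 template: ' + $ext.Format($false)
        } elseif ($ext.Oid.Value -eq $v2TemplateOid) {
            $template = 'v2 template: ' + $ext.Format($false)
        }
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        ClientAuth    = $hasClientAuth
        HasPrivateKey = $cert.HasPrivateKey   # no private key = unusable for EAP-TLS
        Template      = $template
    }
} | Where-Object { $_.ClientAuth } | Format-Table -AutoSize
```

If the list is empty after the client has applied the policy, `gpupdate /target:computer /force` followed by `certutil -pulse` triggers a Group Policy refresh and an autoenrollment pass so the check can be repeated.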