[Dshield] Wireless MAC Authentication options.

Hernandez, Moses MHernandez3 at mercymiami.org
Mon Aug 29 13:54:04 GMT 2005


John,

  I have not seen that certificate enrollment feature with auto
enrollment yet. I will need to explore it more. The only problem with
rolling out the dot1x authentication is not on the LAN vendors at all
but with Microsoft! Microsoft does not give out a GPO for NIC
Authentication settings. As a matter of fact, they do not have any way of
doing it except manually. I am very fortunate to have only 1500 machines
to do this on. Can you imagine my old campus with over 5000? It would've
never happened! We are still rolling out dot1x in preparation for NAC. I
truly believe that the reason Microsoft will not help out with dot1x
deployment on the wired side is because of NAP (their own version of
NAC). When they finish the NAP implementation and are forced into a
dot1x enterprise scenario we may see a change.

  If anyone on the list has a way of rolling out dot1x settings to wired
LAN NICs please let me know, because we have been unable to find a way.
Wireless NICs have Authentication/Encryption GPOs but not wired!

  Additionally, the Certificate rollout will be something I will look
into. Right now we are looking at how we roll out a better authentication
method than passwords. Certificate-based authentication with PINs was an
idea.

Thanks!

Moses Hernandez, CISSP, CCNP, CCSA


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of John B. Holmblad
Sent: Thursday, August 25, 2005 3:55 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Wireless MAC Authentication options.

Moses,

you are definitely ahead of the industry at large if you are rolling out
802.1x for all your wired as well as wireless LAN access. It does
mystify me why companies are not more aggressive about using 802.1x on
an enterprise-wide basis, especially given all the time and $ spent on
other security measures. In discussions I have had in the past on this
question, some have asserted that the slow absorption of 802.1x in the
market is because the LAN switch suppliers have been slow to provide
802.1x support.

You also reveal a subtlety of which I was not aware, that is, that the
Microsoft wireless network configuration option to "authenticate as
computer when computer information is available" is operative in the
case of EAP-MSCHAP V2 based authentication as well as with certificate
based authentication. I would assume then that the OS is using the ID
and password for the computer account for the client computer in
question, which would of course have to be registered in AD for this to
work with Microsoft's RADIUS server, IAS.

Regarding the increased complexity of preparing/issuing computer
certificates in an AD domain environment, I assume you are aware that
with Group Policy, and for client computers running either Windows 2000
Pro or Server, 2003 Server, or Windows XP, you can have the clients
configured to automatically receive their certificates. Of course you
also have to have Certificate Services running for this to work, and
thereafter you have to carefully secure your cert server if you choose
to keep it running.

    The procedure, Automatic Certificate Request Settings (ACRS), is
    used for 2000 Pro and 2000 Server client systems (it can also
    "serve" certs to XP and 2003 Server client systems). The downside
    with this procedure is that ACRS will only issue X.509 version 1
    certs, which are somewhat obsolete. ACRS is supported by both 2000
    and 2003 Server Certificate Services.

    The procedure, Autoenrollment Settings, can be used to issue certs
    for Windows XP and 2003 Server systems, and this method is
    preferable because the certs are issued as X.509 version 2 certs.
    There are two limitations here however: a) the procedure is NOT
    supported for clients running 2000 Pro or 2000 Server, and b) Cert
    Services has to be running on a Windows 2003 Server because the
    procedure is NOT supported on 2000 Server Cert Services.

-- 
Best Regards,

John Holmblad

Televerage International
GSEC Gold, GCWN Gold, GGSC-0100, NSA-IAM

(H) 703 620 0672
(M) 703 407 2278
(F) 703 620 5388

primary email address:     jholmblad at aol.com
backup email address:      jholmblad at verizon.net
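Two things both posters are trying to verify on the client side are whether the wired 802.1X supplicant is in place and whether the computer certificate that autoenrollment is supposed to deliver actually arrived. The following PowerShell script is an added example written for this archive page; it is not code from either poster. It assumes Windows Vista or later (where the Wired AutoConfig service `dot3svc`, the `netsh lan` context and the `Cert:` drive exist), which the 2000/XP clients discussed in 2005 did not have; the registry key and the AEPolicy value it reads are where the Autoenrollment Settings GPO that John describes lands on the client.

```powershell
# Added example, not from the thread. Assumes Windows Vista or later with PowerShell 5+,
# run from an elevated prompt on a domain-joined client.

function Get-WiredDot1xReadiness {
    # Wired AutoConfig (dot3svc) is the wired 802.1X supplicant; without it no LAN profile applies.
    $svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
    $profiles = @()
    if ($svc -and $svc.Status -eq 'Running') {
        # Lists the 802.1X wired profiles currently bound to each Ethernet interface.
        $profiles = netsh lan show profiles
    }
    [pscustomobject]@{
        WiredAutoConfigState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        WiredAutoConfigStart = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        LanProfileOutput     = ($profiles -join "`n")
    }
}

function Get-AutoEnrollmentPolicy {
    # The Autoenrollment Settings GPO (Public Key Policies) writes this value on the client.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $item = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured (no AEPolicy value; the GPO has not applied)' }
    $val = [int]$item.AEPolicy
    # 0x8000 is the documented "disabled" flag; 7 is the usual value with all three options on.
    if ($val -band 0x8000) { return ('Disabled (AEPolicy=0x{0:X})' -f $val) }
    return ('Enabled (AEPolicy=0x{0:X})' -f $val)
}

function Get-ComputerAuthCertificates {
    # A computer cert usable for EAP-TLS needs a private key and the
    # Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) in the machine personal store.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains '1.3.6.1.5.5.7.3.2'
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

Get-WiredDot1xReadiness | Format-List
Get-AutoEnrollmentPolicy

$certs = Get-ComputerAuthCertificates
if (-not $certs) {
    Write-Warning 'No computer certificate with the Client Authentication EKU was found.'
    # Ask the autoenrollment task to run now rather than waiting for the next policy refresh.
    certutil -pulse | Out-Null
} else {
    $certs | Format-Table -AutoSize
}
```

On the deployment question Moses raises, the same later Windows versions expose a Wired Network (IEEE 802.3) Policies node under Computer Configuration in Group Policy, and a profile exported with `netsh lan export profile` can be pushed by startup script with `netsh lan add profile filename="<profile.xml>" interface="<name>"`; the script above only reports state and triggers enrollment, it does not change the 802.1X configuration.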


_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
**********************************************************************************************
IMPORTANT: The contents of this email and any attachments are confidential. They are intended for the 
named recipient(s) only.
If you have received this email in error, please notify the system manager or the sender immediately and do 
not disclose the contents to anyone or make copies thereof.
*** eSafe scanned this email for viruses, vandals, and malicious content. ***
**********************************************************************************************