802.1x Authentication over Wireless

mike.elam@gmail.com

I have implemented 802.1x with certificates in my Windows domain. I am
able to autoenroll computers and user certificates at login if they
are connected to the wire. Is it possible for the computer to push the
user certificate over the wireless link? I don't want to have my users
log on with the wire before they can connect onto the wireless. The
machine connects as a computer to the wireless and allows a domain
account to login. Once the domain account logs in, the wireless
disconnects with "Windows was unable to find a certificate to log you
on to the network XXXXXXX".

I can't really see why, if the certificate was already issued to the
user and is published in Active Directory, the IAS server can't
provide the certificate to the machine and connect the user to the
wireless network.

My IAS is using Server 2003. My Certificate Authority is on another
Server 2003 machine. I am using Cisco Access Points controlled by a
Cisco WLAN Controller.

Please help.

Paul Adare

On Thu, 15 Nov 2007 11:05:36 -0800 (PST), mike.elam@gmail.com wrote:

> I have implemented 802.1x with certificates in my Windows domain. I am
> able to autoenroll computers and user certificates at login if they
> are connected to the wire. Is it possible for the computer to push the
> user certificate over the wireless link? I don't want to have my users
> log on with the wire before they can connect onto the wireless. The
> machine connects as a computer to the wireless and allows a domain
> account to login. Once the domain account logs in, the wireless
> disconnects with "Windows was unable to find a certificate to log you
> on to the network XXXXXXX".
>
> I can't really see why, if the certificate was already issued to the
> user and is published in Active Directory, the IAS server can't
> provide the certificate to the machine and connect the user to the
> wireless network.
>
> My IAS is using Server 2003. My Certificate Authority is on another
> Server 2003 machine. I am using Cisco Access Points controlled by a
> Cisco WLAN Controller.


You don't understand how 802.1x works nor why certificates are published to
Active Directory. If you're implementing 802.1x for WiFi then presumably
you only want authorized users and computers to access your WiFi network.
How do you suppose that your WiFi infrastructure is supposed to determine
who is allowed to access your network in order to get certificates issued
in the first place? You've got a chicken-and-egg situation here. You're
only allowing those with valid certificates to have access to your WiFi
network yet you seem to think that the infrastructure can magically
discriminate between those that are accessing it to get certificates and
those that simply should not have access.


--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
One person's error is another person's data.
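A diagnostic for the symptom in the original post, added here and not part of the thread: it counts certificates in the computer and user stores that could actually satisfy EAP-TLS (private key present, valid dates, Client Authentication EKU) and compares that with the public copies published on the user's Active Directory object. It assumes Windows PowerShell 2.0 or later on a domain-joined client, run as the affected user.

```powershell
# Added example, not from the thread. Shows why machine 802.1x succeeds while
# user 802.1x fails: EAP-TLS needs a certificate WITH its private key in the
# local store; the copy published to Active Directory is the public part only.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, required for EAP-TLS

function Test-EapTlsCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey)       { return $false }  # no key, no TLS client auth
    if ($Cert.NotAfter  -le (Get-Date)) { return $false }  # expired
    if ($Cert.NotBefore -gt (Get-Date)) { return $false }  # not yet valid
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $false }    # no EKU: the supplicant will not offer it
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $ClientAuthOid) { return $true }
    }
    return $false
}

function Get-EapTlsReport {
    $machine = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-EapTlsCandidate $_ })
    $user    = @(Get-ChildItem Cert:\CurrentUser\My  | Where-Object { Test-EapTlsCandidate $_ })

    # Public copies published to the user object (userCertificate attribute).
    $published = 0
    try {
        $searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
        $searcher.PropertiesToLoad.Add('userCertificate') | Out-Null
        $entry = $searcher.FindOne()
        if ($entry) { $published = $entry.Properties['usercertificate'].Count }
    } catch { Write-Warning "AD lookup failed: $_" }

    New-Object PSObject -Property @{
        MachineCandidates = $machine.Count
        UserCandidates    = $user.Count
        PublishedInAD     = $published
    }
}

$report = Get-EapTlsReport
$report | Format-List MachineCandidates, UserCandidates, PublishedInAD
if ($report.UserCandidates -eq 0 -and $report.PublishedInAD -gt 0) {
    Write-Host 'User certificate is published in AD but no private key exists on this client;'
    Write-Host 'the user must enrol here (wired, or via a separate enrolment VLAN/SSID).'
}
```

A result of MachineCandidates 1, UserCandidates 0, PublishedInAD 1 is exactly the state the original post describes: the computer authenticates, the user cannot, and IAS has nothing to "push" because it never held the user's private key.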

Lutz

Hi, a few things are not clear to me. But if you had a WLAN with
separated VLANs, you could allow WLAN clients without authentication
to reach the certificate enrollment page. After that, with the certificate,
you can put the user on VLAN 2 with access to the company's network.
Another way it can work: let the users request certificates when they are
on the wire!
Otherwise you have to train the users to connect to different SSIDs, or
you have to think about a more sophisticated access point and RADIUS
server.
Keep it simple!
R, Lutz

On Nov 15, 12:05 pm, mike.e...@gmail.com wrote:
> I have implemented 802.1x with certificates in my Windows domain. I am
> able to autoenroll computers and user certificates at login if they
> are connected to the wire. Is it possible for the computer to push the
> user certificate over the wireless link? I don't want to have my users
> log on with the wire before they can connect onto the wireless. The
> machine connects as a computer to the wireless and allows a domain
> account to login. Once the domain account logs in, the wireless
> disconnects with "Windows was unable to find a certificate to log you
> on to the network XXXXXXX".
>
> I can't really see why, if the certificate was already issued to the
> user and is published in Active Directory, the IAS server can't
> provide the certificate to the machine and connect the user to the
> wireless network.
>
> My IAS is using Server 2003. My Certificate Authority is on another
> Server 2003 machine. I am using Cisco Access Points controlled by a
> Cisco WLAN Controller.
>
> Please help.