802.1x authentication..

 
 
Zul J
      07-08-2005, 09:46 AM
Hi,

I'm setting up a wireless network. I have a Cisco 350 series AP and am going to
use the Windows Server 2003 IAS as the RADIUS server. I would like to
control the client based on the MAC address and the Active Directory user
logon. The IAS server is a member of the AD. I have installed a standalone
certificate server on the IAS server. On the Cisco AP, I have checked the
EAP, MAC and USER authentication for RADIUS security settings. The questions:

1) How do I control the users based on the MAC address and the logon without
using any certificates?
2) If with certificates, how do I do that?
3) In the IAS, what authentication type am I supposed to use for
questions (1) and (2)?

Thank you.

Rgrds,
Zul


 
Mark Gamache
      07-08-2005, 06:41 PM
It looks like you have done some interesting stuff.

1. Forget about MAC authentication. It is of no real value.
2. You need to decide whether you want users to authenticate with a
certificate or a username and password.
3. Make sure the IAS server has been authorized in AD.

If clients will use certificates, you need to:
1. Uninstall the CA and make it an Enterprise CA
2. Issue user certs to the clients
3. Set up a policy for EAP-TLS in IAS

If you use passwords:
1. Make sure your IAS server has a certificate in its local machine store
that is valid for server authentication
2. Set up a policy using PEAP with passwords in IAS.

I hope that gets you started.


Cheers

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
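
The reply above requires a certificate in the RADIUS server's local machine store that is valid for server authentication. The following is an added example, not part of the original post, showing one way to check that; it assumes PowerShell 3.0 or later is available on the server, and the `Purpose` and `Usable` column names are chosen here for illustration.

```powershell
# Added example (not from the thread): report which certificates in the local
# machine Personal store could serve as the RADIUS server's PEAP/EAP-TLS certificate.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $report = foreach ($cert in $store.Certificates) {
        # Locate the Enhanced Key Usage extension, if the certificate has one.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate without an EKU extension is reported separately; whether
        # the RADIUS server accepts it is not assumed here.
        if (-not $eku) {
            $purpose = 'NoEkuExtension'
        } elseif ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }) {
            $purpose = 'ServerAuth'
        } else {
            $purpose = 'OtherPurposesOnly'
        }
        $inValidity = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Purpose       = $purpose
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
            # Usable only with explicit Server Authentication, a private key, and current validity.
            Usable        = ($purpose -eq 'ServerAuth') -and $cert.HasPrivateKey -and $inValidity
        }
    }
} finally {
    $store.Close()
}

$report | Sort-Object Usable -Descending | Format-Table -AutoSize
if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning 'No certificate with Server Authentication EKU, private key and current validity was found.'
}
```

The script opens the store read-only and changes nothing; a row with `Usable` set to `False` shows in the other columns which of the three conditions failed.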

Zul J
      07-11-2005, 04:31 AM
Hi,

Can I have both: authenticate with a certificate and a username/password?
In other words, the client must have the certificate installed and must
log in with the username/password to have access.

Thanks.

Rgrds,
Zul
 
Zul J
      07-11-2005, 05:17 AM
Hi,

I found one article on the Microsoft site related to using a certificate:

http://www.microsoft.com/technet/sec...tc/peap_0.mspx

but it is more for users who are members of the AD domain (using a
group policy); most of our notebook or wireless clients are standalone
users.

Rgrds,
Zul
 
Mark Gamache
      07-11-2005, 10:09 PM
If you use L2TP/IPSec then you can use a computer cert to create the IPSec
connection and then username and password to authenticate the user.

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
 
Zul J
      07-12-2005, 02:25 AM
Thanks...