Attn. MVPs/MSFT - Q: different authentication methods for computers/users

S. Pidgorny
      12-13-2004, 10:36 AM
Is it possible to use computer password/soft cert for computer authentication
and a smart card for user authentication to a wireless network?

I can create separate IAS policies but I'm unable to create different
connection settings for the same SSID for computer and user.

I will do more testing, but while my Cisco Aironet 1x00 APs are on their
way, I'd like any input on the following:

1. If I'll use PEAP, will that work if I'm authenticating users to Windows
using smart cards?
2. If authentication fails for the SSID at the top of the preference list,
will the client try the next SSID on the list (the idea is to have different
SSIDs for computers and users - as ugly as it sounds)

Appreciate any thoughts.

Cheers

Slav


Arkady Frenkel
      12-13-2004, 05:59 PM
Hi !
"S. Pidgorny <MVP>" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is it possible to use computer password/soft cert for computer authentication
> and a smart card for user authentication to wireless network?
>
> I can create separate IAS policies but I'm unable to create different
> connection settings for the same SSID for computer and user.
>
> I will do more testing, but while my Cisco Aironet 1x00 APs are on their
> way, I'd like any input on the following:
>
> 1. If I'll use PEAP, will that work if I'm authenticating users to Windows
> using smart cards?
> 2. If authentication fails for the SSID at the top of the preference list,
> will the client try the next SSID on the list (the idea is to have different
> SSIDs for computers and users - as ugly as it sounds)
>

You can't: an SSID (like a MAC) is a property of the BSS, not of the user.
Arkady

> Appreciate any thoughts.
>
> Cheers
>
> Slav
>
>

Steve Riley [MSFT]
      12-13-2004, 08:45 PM
A couple things planned for PEAP v.2 will help here. There will be a
cryptographic binding between the server's authentication method and the
client's, to prevent certain kinds of MITM attacks (which can be stopped now
if you use group policy to constrain the client to trust only a certain CA).
You'll also be able to choose different methods for computers and users.

Not sure what you really are looking for with your second point... SSIDs are
network names and therefore group together network elements like
authenticators (access points) and supplicants (computers)... I don't see a
way to assign an SSID to a person. Why do you need to do this?

Steve Riley
(E-Mail Removed)



"S. Pidgorny <MVP>" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is it possible to use computer password/soft cert for computer
> authentication
> and a smart card for user authentication to wireless network?
>
> I can create separate IAS policies but I'm unable to create different
> connection settings for the same SSID for computer and user.
>
> I will do more testing, but while my Cisco Aironet 1x00 APs are on their
> way, I'd like any input on the following:
>
> 1. If I'll use PEAP, will that work if I'm authenticating users to Windows
> using smart cards?
> 2. If authentication fails for the SSID at the top of the preference list,
> will the client try the next SSID on the list (the idea is to have
> different
> SSIDs for computers and users - as ugly as it sounds)
>
> Appreciate any thoughts.
>
> Cheers
>
> Slav
>
>



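Steve's point about the PEAPv2 cryptographic binding, modelled as an added example (this is not code from the thread, from Microsoft or from the PEAP draft): a compound MAC key is derived from both the TLS tunnel key and the inner EAP method's key, so a relay that terminates its own tunnel with the client cannot produce a binding value the client accepts. The derivation labels and the HMAC-SHA256 construction are simplifying assumptions, and all keys are random placeholders.

```python
# Added illustration of PEAPv2-style cryptographic binding (assumed, simplified
# derivation; not the exact PEAPv2 PRF or message format).
import hashlib
import hmac
import os


def derive_cmk(tunnel_key: bytes, inner_key: bytes) -> bytes:
    """Compound MAC key: depends on BOTH the TLS tunnel key (TK) and the inner
    EAP method's key (ISK). Knowing only the tunnel key is not enough."""
    return hmac.new(tunnel_key, b"compound-mac-key|" + inner_key, hashlib.sha256).digest()


def binding_mac(cmk: bytes, role: bytes, nonce: bytes) -> bytes:
    """Binding value a side sends inside the tunnel; 'role' separates the
    server's and the client's values so one cannot be replayed as the other."""
    return hmac.new(cmk, b"crypto-binding|" + role + b"|" + nonce, hashlib.sha256).digest()


def client_checks_binding(client_tk: bytes, inner_key: bytes,
                          nonce: bytes, server_mac: bytes) -> bool:
    """The supplicant recomputes the server's binding value with ITS tunnel key
    and accepts the session only if the values match (constant-time compare)."""
    expected = binding_mac(derive_cmk(client_tk, inner_key), b"server", nonce)
    return hmac.compare_digest(expected, server_mac)


def run_exchange(relayed: bool) -> bool:
    """Simulate one tunnelled exchange.
    relayed=False: client and server share a single TLS tunnel (honest case).
    relayed=True: the inner method was relayed through a third party, so the
    client's tunnel key and the server's tunnel key differ while the inner
    method (and hence ISK) still completed successfully on both ends.
    Without binding, the client would accept merely because the inner method
    succeeded; with binding it rejects the mismatched tunnel."""
    inner_key = os.urandom(32)          # ISK: known to client and real server only
    nonce = os.urandom(32)              # server nonce sent with the binding TLV
    server_tk = os.urandom(32)          # TK of the server's TLS session
    client_tk = os.urandom(32) if relayed else server_tk
    server_mac = binding_mac(derive_cmk(server_tk, inner_key), b"server", nonce)
    return client_checks_binding(client_tk, inner_key, nonce, server_mac)


if __name__ == "__main__":
    print("honest tunnel accepted:", run_exchange(relayed=False))   # True
    print("relayed tunnel accepted:", run_exchange(relayed=True))   # False
```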
S. Pidgorny
      12-14-2004, 07:28 AM
Hi Steve:

"Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> A couple things planned for PEAP v.2 will help here. There will be a
> cryptographic binding between the server's authentication method and the
> client's, to prevent certain kinds of MITM attacks (which can be stopped now
> if you use group policy to constrain the client to trust only a certain CA).
> You'll also be able to choose different methods for computers and users.


When will PEAPv2 be available for XP?

> Not sure what you really are looking for with your second point... SSIDs are
> network names and therefore group together network elements like
> authenticators (access points) and supplicants (computers)... I don't see a
> way to assign an SSID to a person. Why do you need to do this?


I can use different authentication for different SSIDs on the same AP. If XP
will retry the second SSID on the list after failing authentication to the first
one, I can do PEAP authentication for computers and EAP-TLS for the users.

Still wondering if PEAPv0 will work if I authenticate users using a smart
card. I can only test next week but would like to know what to expect
beforehand.

Thank you!

Slav

> "S. Pidgorny <MVP>" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Is it possible to use computer password/soft cert for computer
> > authentication
> > and a smart card for user authentication to wireless network?
> >
> > I can create separate IAS policies but I'm unable to create different
> > connection settings for the same SSID for computer and user.
> >
> > I will do more testing, but while my Cisco Aironet 1x00 APs are on their
> > way, I'd like any input on the following:
> >
> > 1. If I'll use PEAP, will that work if I'm authenticating users to Windows
> > using smart cards?
> > 2. If authentication fails for the SSID at the top of the preference list,
> > will the client try the next SSID on the list (the idea is to have
> > different
> > SSIDs for computers and users - as ugly as it sounds)
> >
> > Appreciate any thoughts.
> >
> > Cheers
> >
> > Slav
> >
> >

>
>



Steve Riley [MSFT]
      12-14-2004, 10:10 PM
> When will PEAPv2 be available for XP?

Dunno. It's in the works, though.


> I can use different authentication for different SSIDs on the same AP. If XP
> will retry the second SSID on the list after failing authentication to the first
> one, I can do PEAP authentication for computers and EAP-TLS for the users.
>
> Still wondering if PEAPv0 will work if I authenticate users using a smart
> card. I can only test next week but would like to know what to expect
> beforehand.


Interesting. Not something I've seen done before. Let us know what you
discover!

Steve Riley
(E-Mail Removed)



"S. Pidgorny <MVP>" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Steve:
>
> "Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> A couple things planned for PEAP v.2 will help here. There will be a
>> cryptographic binding between the server's authentication method and the
>> client's, to prevent certain kinds of MITM attacks (which can be stopped now
>> if you use group policy to constrain the client to trust only a certain CA).
>> You'll also be able to choose different methods for computers and users.

>
> When will PEAPv2 be available for XP?
>
>> Not sure what you really are looking for with your second point... SSIDs are
>> network names and therefore group together network elements like
>> authenticators (access points) and supplicants (computers)... I don't see a
>> way to assign an SSID to a person. Why do you need to do this?

>
> I can use different authentication for different SSIDs on the same AP. If XP
> will retry the second SSID on the list after failing authentication to the first
> one, I can do PEAP authentication for computers and EAP-TLS for the users.
>
> Still wondering if PEAPv0 will work if I authenticate users using a smart
> card. I can only test next week but would like to know what to expect
> beforehand.
>
> Thank you!
>
> Slav
>
>> "S. Pidgorny <MVP>" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>> > Is it possible to use computer password/soft cert for computer
>> > authentication
>> > and a smart card for user authentication to wireless network?
>> >
>> > I can create separate IAS policies but I'm unable to create different
>> > connection settings for the same SSID for computer and user.
>> >
>> > I will do more testing, but while my Cisco Aironet 1x00 APs are on
>> > their
>> > way, I'd like any input on the following:
>> >
>> > 1. If I'll use PEAP, will that work if I'm authenticating users to Windows
>> > using smart cards?
>> > 2. If authentication fails for the SSID at the top of the preference list,
>> > will the client try the next SSID on the list (the idea is to have
>> > different
>> > SSIDs for computers and users - as ugly as it sounds)
>> >
>> > Appreciate any thoughts.
>> >
>> > Cheers
>> >
>> > Slav
>> >
>> >

>>
>>

>
>



S. Pidgorny
      12-17-2004, 07:33 AM
Done some testing:

PEAP v0 authentication when the user logs on using a smart card: it works. Tested
on a system with no cached user profile credentials: upon system
startup, it connects to the wireless network (PEAP/computer auth), then
domain logon using the smart card works too. Sounds like the better solution to me.

Separate SSIDs for user/computer authentication: IAS doesn't support the
required RADIUS attribute, so I cannot create separate IAS profiles for different
SSIDs.

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...

> > I can use different authentication for different SSIDs on the same AP. If XP
> > will retry the second SSID on the list after failing authentication to the first
> > one, I can do PEAP authentication for computers and EAP-TLS for the users.
> >
> > Still wondering if PEAPv0 will work if I authenticate users using a smart
> > card. I can only test next week but would like to know what to expect
> > beforehand.

>
> Interesting. Not something I've seen done before. Let us know what you
> discover!
>
> Steve Riley
> (E-Mail Removed)



Steve Riley [MSFT]
      12-17-2004, 06:24 PM
> Separate SSIDs for user/computer authentication: IAS doesn't support the
> required RADIUS attribute, so I cannot create separate IAS profiles for
> different SSIDs.


Slav, I'm still having trouble envisioning why this is a requirement. An
SSID is a network name. Access points belong to one network by virtue of the
SSID programmed into them. If my computer has authenticated to the access
point closest to me, and is therefore now a member of that SSID-named
network, why would I ever want my user account to authenticate to some other
SSID, which most likely means some other network?

Steve Riley
(E-Mail Removed)



"S. Pidgorny <MVP>" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Done some testing:
>
> PEAP v0 authentication when the user logs on using a smart card: it works.
> Tested on a system with no cached user profile credentials: upon system
> startup, it connects to the wireless network (PEAP/computer auth), then
> domain logon using the smart card works too. Sounds like the better solution to
> me.
>
> Separate SSIDs for user/computer authentication: IAS doesn't support the
> required RADIUS attribute, so I cannot create separate IAS profiles for
> different SSIDs.
>
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
>
> "Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
> news:#(E-Mail Removed)...
>
>> > I can use different authentication for different SSIDs on the same AP. If XP
>> > will retry the second SSID on the list after failing authentication to the first
>> > one, I can do PEAP authentication for computers and EAP-TLS for the users.
>> >
>> > Still wondering if PEAPv0 will work if I authenticate users using a smart
>> > card. I can only test next week but would like to know what to expect
>> > beforehand.

>>
>> Interesting. Not something I've seen done before. Let us know what you
>> discover!
>>
>> Steve Riley
>> (E-Mail Removed)

>
>



S. Pidgorny
      12-18-2004, 01:37 AM
Steve, that was just a bad idea. As PEAP works well when the user authenticates
with a smart card, there is no reason to go into the complexity of having
separate SSIDs.

Frankly, I had to demonstrate all the different applications of the smart card
to some business people. I could configure smart card authentication for the
wireless network so that Windows asks me to select a certificate, requests the
PIN, etc. That works well, but I wasn't happy about the fact that the computer
doesn't get authenticated - so I started to look at different authentication
for computers and users. I will do my demonstration, but I will recommend
against smart card authentication for corporate wireless connectivity, as
PEAP provides seamless secure wireless network authentication to smart card
users - mind you, I cannot use EAP-TLS in this case (soft certs and smart
cards are different settings for the wireless connection).

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-



"Steve Riley [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> > Separate SSIDs for user/computer authentication: IAS doesn't support the
> > required RADIUS attribute, so I cannot create separate IAS profiles for
> > different SSIDs.

>
> Slav, I'm still having trouble envisioning why this is a requirement. An
> SSID is a network name. Access points belong to one network by virtue of the
> SSID programmed into them. If my computer has authenticated to the access
> point closest to me, and is therefore now a member of that SSID-named
> network, why would I ever want my user account to authenticate to some other
> SSID, which most likely means some other network?
>
> Steve Riley
> (E-Mail Removed)


