Can we do without user authentication?

Setting up a WLAN of 250+ laptops - all Windows XP SP1.
Using 2003 Enterprise to auto-enroll certificates for machines (+ maybe
users?)
60+ Cisco 1200 APs using EAP-TLS for authentication.

We need a system that is:
a) Totally transparent to end-users
(ie logging onto WLAN is same as logging onto Wired LAN)
b) Is secure and not easily hacked
(we are a high school so we dont need defense grade security but we do
want to take all due care and do better than static WEP)
c) Easy to administer through AD (we cant possibly manage certificates
manually)

After a bit of experimentation and a lot of swearing we have setup one AP +
IAS + two laptops to use EAP-TLS. We started off by requiring Computer +
user certificate authentication but this was a real headache - especially
getting all the users certificates on to the laptops they *might* log on
to) - and very slow (due to the re-authentication when a user logs on).
So we just found the setting in AD to require computer authenitcation *all*
the time.
This works much more reliably but (here's the question)

what are we giving up?

Realistically what downsides can anyone see by only requiring the laptop to
authenticate itself using its own certificate (and presumably then getting a
secure WEP channel established) over which the user can then authenticate
with the standard domain username & password, just like they do with a wired
logon? Isnt the level of encryption the same anyway? What would we gain for
all the hassle of requiring user certificates (2000+) as well?

Any comments? Any big holes here?

Regards
Al Blake, Canberra, Australia

I had thought about this too setting up my environment and it sounds
reasonable to me. Since the machine has to have a computer certificate that
you provided, only those computers will be able to connect to the wireless
network.

Jeff


"Al Blake" <(E-Mail Removed)> wrote in message
news:%23PF8w$(E-Mail Removed)...
> Setting up a WLAN of 250+ laptops - all Windows XP SP1.
> Using 2003 Enterprise to auto-enroll certificates for machines (+ maybe
> users?)
> 60+ Cisco 1200 APs using EAP-TLS for authentication.
>
> We need a system that is:
> a) Totally transparent to end-users
> (ie logging onto WLAN is same as logging onto Wired LAN)
> b) Is secure and not easily hacked
> (we are a high school so we dont need defense grade security but we do
> want to take all due care and do better than static WEP)
> c) Easy to administer through AD (we cant possibly manage certificates
> manually)
>
> After a bit of experimentation and a lot of swearing we have setup one AP
> +
> IAS + two laptops to use EAP-TLS. We started off by requiring Computer +
> user certificate authentication but this was a real headache - especially
> getting all the users certificates on to the laptops they *might* log on
> to) - and very slow (due to the re-authentication when a user logs on).
> So we just found the setting in AD to require computer authenitcation
> *all*
> the time.
> This works much more reliably but (here's the question)
>
> what are we giving up?
>
> Realistically what downsides can anyone see by only requiring the laptop
> to
> authenticate itself using its own certificate (and presumably then getting
> a
> secure WEP channel established) over which the user can then authenticate
> with the standard domain username & password, just like they do with a
> wired
> logon? Isnt the level of encryption the same anyway? What would we gain
> for
> all the hassle of requiring user certificates (2000+) as well?
>
> Any comments? Any big holes here?
>
> Regards
> Al Blake, Canberra, Australia
>
>

Hey Jeff,
Good to hear from you again.
Seems to me that setting up a user certificate infrastructure that we dont
need, which will be continuously issuing 1000s of certs of an extra
complication if we can do without it. The machine certs will be farily
static as we dont buy new laptops that often

Do you know how the WEP encryption is established when you use EAP-TLS? I
have got mine working and havent had to input WEP keys (not practical on
hundreds of machines)....but I would like to know how the AP and client
decide what WEP key to use?
Is it randomly generated once the certificate has been verified?

Anyone?

Al.


"Jeff Durham" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I had thought about this too setting up my environment and it sounds
> reasonable to me. Since the machine has to have a computer certificate
that
> you provided, only those computers will be able to connect to the wireless
> network.
>
> Jeff
>
>
> "Al Blake" <(E-Mail Removed)> wrote in message
> news:%23PF8w$(E-Mail Removed)...
> > Setting up a WLAN of 250+ laptops - all Windows XP SP1.
> > Using 2003 Enterprise to auto-enroll certificates for machines (+ maybe
> > users?)
> > 60+ Cisco 1200 APs using EAP-TLS for authentication.
> >
> > We need a system that is:
> > a) Totally transparent to end-users
> > (ie logging onto WLAN is same as logging onto Wired LAN)
> > b) Is secure and not easily hacked
> > (we are a high school so we dont need defense grade security but we
do
> > want to take all due care and do better than static WEP)
> > c) Easy to administer through AD (we cant possibly manage certificates
> > manually)
> >
> > After a bit of experimentation and a lot of swearing we have setup one
AP
> > +
> > IAS + two laptops to use EAP-TLS. We started off by requiring Computer +
> > user certificate authentication but this was a real headache -
especially
> > getting all the users certificates on to the laptops they *might* log on
> > to) - and very slow (due to the re-authentication when a user logs on).
> > So we just found the setting in AD to require computer authenitcation
> > *all*
> > the time.
> > This works much more reliably but (here's the question)
> >
> > what are we giving up?
> >
> > Realistically what downsides can anyone see by only requiring the laptop
> > to
> > authenticate itself using its own certificate (and presumably then
getting
> > a
> > secure WEP channel established) over which the user can then
authenticate
> > with the standard domain username & password, just like they do with a
> > wired
> > logon? Isnt the level of encryption the same anyway? What would we gain
> > for
> > all the hassle of requiring user certificates (2000+) as well?
> >
> > Any comments? Any big holes here?
> >
> > Regards
> > Al Blake, Canberra, Australia
> >
> >
>
>

Hi Al,

Once 802.1X authentication has completed the AP will send a WEP key to
the
802.1X supplicant (ie. the laptop). It is randomly generated by the AP. I'm
pretty
sure that the AP is not basing the WEP key generated on any information
contained
within the certificate.

In answer to your original question concerning user authentication and
certificates,
have you considered using PEAP-MSCHAPv2 instead of EAP-TLS? PEAP-MSCHAPv2
should enable you to do user authentication without having to have all the
users certs on
the laptop.

Chris Gual [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Al Blake" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hey Jeff,
> Good to hear from you again.
> Seems to me that setting up a user certificate infrastructure that we dont
> need, which will be continuously issuing 1000s of certs of an extra
> complication if we can do without it. The machine certs will be farily
> static as we dont buy new laptops that often
>
> Do you know how the WEP encryption is established when you use EAP-TLS? I
> have got mine working and havent had to input WEP keys (not practical on
> hundreds of machines)....but I would like to know how the AP and client
> decide what WEP key to use?
> Is it randomly generated once the certificate has been verified?
>
> Anyone?
>
> Al.
>
>
> "Jeff Durham" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> I had thought about this too setting up my environment and it sounds
>> reasonable to me. Since the machine has to have a computer certificate
> that
>> you provided, only those computers will be able to connect to the
>> wireless
>> network.
>>
>> Jeff
>>
>>
>> "Al Blake" <(E-Mail Removed)> wrote in message
>> news:%23PF8w$(E-Mail Removed)...
>> > Setting up a WLAN of 250+ laptops - all Windows XP SP1.
>> > Using 2003 Enterprise to auto-enroll certificates for machines (+ maybe
>> > users?)
>> > 60+ Cisco 1200 APs using EAP-TLS for authentication.
>> >
>> > We need a system that is:
>> > a) Totally transparent to end-users
>> > (ie logging onto WLAN is same as logging onto Wired LAN)
>> > b) Is secure and not easily hacked
>> > (we are a high school so we dont need defense grade security but we
> do
>> > want to take all due care and do better than static WEP)
>> > c) Easy to administer through AD (we cant possibly manage certificates
>> > manually)
>> >
>> > After a bit of experimentation and a lot of swearing we have setup one
> AP
>> > +
>> > IAS + two laptops to use EAP-TLS. We started off by requiring Computer
>> > +
>> > user certificate authentication but this was a real headache -
> especially
>> > getting all the users certificates on to the laptops they *might* log
>> > on
>> > to) - and very slow (due to the re-authentication when a user logs on).
>> > So we just found the setting in AD to require computer authenitcation
>> > *all*
>> > the time.
>> > This works much more reliably but (here's the question)
>> >
>> > what are we giving up?
>> >
>> > Realistically what downsides can anyone see by only requiring the
>> > laptop
>> > to
>> > authenticate itself using its own certificate (and presumably then
> getting
>> > a
>> > secure WEP channel established) over which the user can then
> authenticate
>> > with the standard domain username & password, just like they do with a
>> > wired
>> > logon? Isnt the level of encryption the same anyway? What would we gain
>> > for
>> > all the hassle of requiring user certificates (2000+) as well?
>> >
>> > Any comments? Any big holes here?
>> >
>> > Regards
>> > Al Blake, Canberra, Australia
>> >
>> >
>>
>>
>
>

Thanks for the feedback Chris,
No we havent considered PEAP-MSChapv2, but why would we want to?
I mean the user has to login using theor domain username and password anyway
(just like on the wire) and if we have already authenticated the machine
(using PEAP-TLS) and we are encrypting the channel so that hopefully no-one
can steal the logon info off the WLAN then what additional benefit would we
achevie over using the PEAP-TLS just to validate the machine?

I may be missing something here?
Also, if we were to consider PEAP-MSChapv2 would the user have to relogon
for the wireless (ie a secondary logon). that would be total overkisl for
someo our users who can only just about logon once

Al.



"Chris Gual [MSFT]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi Al,
>
> Once 802.1X authentication has completed the AP will send a WEP key to
> the
> 802.1X supplicant (ie. the laptop). It is randomly generated by the AP.
> I'm pretty
> sure that the AP is not basing the WEP key generated on any information
> contained
> within the certificate.
>
> In answer to your original question concerning user authentication and
> certificates,
> have you considered using PEAP-MSCHAPv2 instead of EAP-TLS? PEAP-MSCHAPv2
> should enable you to do user authentication without having to have all the
> users certs on
> the laptop.
>
> Chris Gual [MSFT]
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Al Blake" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hey Jeff,
>> Good to hear from you again.
>> Seems to me that setting up a user certificate infrastructure that we
>> dont
>> need, which will be continuously issuing 1000s of certs of an extra
>> complication if we can do without it. The machine certs will be farily
>> static as we dont buy new laptops that often
>>
>> Do you know how the WEP encryption is established when you use EAP-TLS? I
>> have got mine working and havent had to input WEP keys (not practical on
>> hundreds of machines)....but I would like to know how the AP and client
>> decide what WEP key to use?
>> Is it randomly generated once the certificate has been verified?
>>
>> Anyone?
>>
>> Al.
>>
>>
>> "Jeff Durham" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> I had thought about this too setting up my environment and it sounds
>>> reasonable to me. Since the machine has to have a computer certificate
>> that
>>> you provided, only those computers will be able to connect to the
>>> wireless
>>> network.
>>>
>>> Jeff
>>>
>>>
>>> "Al Blake" <(E-Mail Removed)> wrote in message
>>> news:%23PF8w$(E-Mail Removed)...
>>> > Setting up a WLAN of 250+ laptops - all Windows XP SP1.
>>> > Using 2003 Enterprise to auto-enroll certificates for machines (+
>>> > maybe
>>> > users?)
>>> > 60+ Cisco 1200 APs using EAP-TLS for authentication.
>>> >
>>> > We need a system that is:
>>> > a) Totally transparent to end-users
>>> > (ie logging onto WLAN is same as logging onto Wired LAN)
>>> > b) Is secure and not easily hacked
>>> > (we are a high school so we dont need defense grade security but we
>> do
>>> > want to take all due care and do better than static WEP)
>>> > c) Easy to administer through AD (we cant possibly manage certificates
>>> > manually)
>>> >
>>> > After a bit of experimentation and a lot of swearing we have setup one
>> AP
>>> > +
>>> > IAS + two laptops to use EAP-TLS. We started off by requiring Computer
>>> > +
>>> > user certificate authentication but this was a real headache -
>> especially
>>> > getting all the users certificates on to the laptops they *might* log
>>> > on
>>> > to) - and very slow (due to the re-authentication when a user logs
>>> > on).
>>> > So we just found the setting in AD to require computer authenitcation
>>> > *all*
>>> > the time.
>>> > This works much more reliably but (here's the question)
>>> >
>>> > what are we giving up?
>>> >
>>> > Realistically what downsides can anyone see by only requiring the
>>> > laptop
>>> > to
>>> > authenticate itself using its own certificate (and presumably then
>> getting
>>> > a
>>> > secure WEP channel established) over which the user can then
>> authenticate
>>> > with the standard domain username & password, just like they do with a
>>> > wired
>>> > logon? Isnt the level of encryption the same anyway? What would we
>>> > gain
>>> > for
>>> > all the hassle of requiring user certificates (2000+) as well?
>>> >
>>> > Any comments? Any big holes here?
>>> >
>>> > Regards
>>> > Al Blake, Canberra, Australia
>>> >
>>> >
>>>
>>>
>>
>>
>
>

Hi Al,

If you use just machine authentication with 802.1X (with any EAP type),
anyone logged into the machine can access the wireless network. This
includes accounts which are local to the machine and are not domain
accounts. It also means that as a domain administrator, that you will be
able to control access to the wireless network on a machine basis rather
than a user basis (ie. you can deny access to the network to machine1, but
not to user1). If this type of authenticaion control is sufficient, then you
could use either EAP-TLS, PEAP-MSCHAPv2 or PEAP-TLS as EAP types. Both TLS
types use certificates to authenticate, but MSCHAPv2 uses a
username/password to authenticate.

If you use user authentication with 802.1X (with any EAP type) then only
users which are allowed remote access by the IAS / Domain controller will be
able to access the wireless network. You could conceivably allow someone to
log in and use a machine without letting them onto the network. Using a
certificate based approach (EAP-TLS or PEAP-TLS) would require that each
user have a certificate on the machine in order to access the network.
PEAP-MSCHAPv2 would just use a username/password, and by default it is
configured to automatically use the same username/password used to login via
the domain for 802.1X authentication.

So, either method might work for you. I just wanted to let you know
that it was possible to do user authentication without having certs on all
the machines.

Chris Gual [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Al Blake" <(E-Mail Removed)> wrote in message
news:u%(E-Mail Removed)...
> Thanks for the feedback Chris,
> No we havent considered PEAP-MSChapv2, but why would we want to?
> I mean the user has to login using theor domain username and password
> anyway (just like on the wire) and if we have already authenticated the
> machine (using PEAP-TLS) and we are encrypting the channel so that
> hopefully no-one can steal the logon info off the WLAN then what
> additional benefit would we achevie over using the PEAP-TLS just to
> validate the machine?
>
> I may be missing something here?
> Also, if we were to consider PEAP-MSChapv2 would the user have to relogon
> for the wireless (ie a secondary logon). that would be total overkisl for
> someo our users who can only just about logon once
>
> Al.
>
>
>
> "Chris Gual [MSFT]" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi Al,
>>
>> Once 802.1X authentication has completed the AP will send a WEP key to
>> the
>> 802.1X supplicant (ie. the laptop). It is randomly generated by the AP.
>> I'm pretty
>> sure that the AP is not basing the WEP key generated on any information
>> contained
>> within the certificate.
>>
>> In answer to your original question concerning user authentication and
>> certificates,
>> have you considered using PEAP-MSCHAPv2 instead of EAP-TLS?
>> PEAP-MSCHAPv2
>> should enable you to do user authentication without having to have all
>> the users certs on
>> the laptop.
>>
>> Chris Gual [MSFT]
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Al Blake" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Hey Jeff,
>>> Good to hear from you again.
>>> Seems to me that setting up a user certificate infrastructure that we
>>> dont
>>> need, which will be continuously issuing 1000s of certs of an extra
>>> complication if we can do without it. The machine certs will be farily
>>> static as we dont buy new laptops that often
>>>
>>> Do you know how the WEP encryption is established when you use EAP-TLS?
>>> I
>>> have got mine working and havent had to input WEP keys (not practical on
>>> hundreds of machines)....but I would like to know how the AP and client
>>> decide what WEP key to use?
>>> Is it randomly generated once the certificate has been verified?
>>>
>>> Anyone?
>>>
>>> Al.
>>>
>>>
>>> "Jeff Durham" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>> I had thought about this too setting up my environment and it sounds
>>>> reasonable to me. Since the machine has to have a computer certificate
>>> that
>>>> you provided, only those computers will be able to connect to the
>>>> wireless
>>>> network.
>>>>
>>>> Jeff
>>>>
>>>>
>>>> "Al Blake" <(E-Mail Removed)> wrote in message
>>>> news:%23PF8w$(E-Mail Removed)...
>>>> > Setting up a WLAN of 250+ laptops - all Windows XP SP1.
>>>> > Using 2003 Enterprise to auto-enroll certificates for machines (+
>>>> > maybe
>>>> > users?)
>>>> > 60+ Cisco 1200 APs using EAP-TLS for authentication.
>>>> >
>>>> > We need a system that is:
>>>> > a) Totally transparent to end-users
>>>> > (ie logging onto WLAN is same as logging onto Wired LAN)
>>>> > b) Is secure and not easily hacked
>>>> > (we are a high school so we dont need defense grade security but
>>>> > we
>>> do
>>>> > want to take all due care and do better than static WEP)
>>>> > c) Easy to administer through AD (we cant possibly manage
>>>> > certificates
>>>> > manually)
>>>> >
>>>> > After a bit of experimentation and a lot of swearing we have setup
>>>> > one
>>> AP
>>>> > +
>>>> > IAS + two laptops to use EAP-TLS. We started off by requiring
>>>> > Computer +
>>>> > user certificate authentication but this was a real headache -
>>> especially
>>>> > getting all the users certificates on to the laptops they *might* log
>>>> > on
>>>> > to) - and very slow (due to the re-authentication when a user logs
>>>> > on).
>>>> > So we just found the setting in AD to require computer authenitcation
>>>> > *all*
>>>> > the time.
>>>> > This works much more reliably but (here's the question)
>>>> >
>>>> > what are we giving up?
>>>> >
>>>> > Realistically what downsides can anyone see by only requiring the
>>>> > laptop
>>>> > to
>>>> > authenticate itself using its own certificate (and presumably then
>>> getting
>>>> > a
>>>> > secure WEP channel established) over which the user can then
>>> authenticate
>>>> > with the standard domain username & password, just like they do with
>>>> > a
>>>> > wired
>>>> > logon? Isnt the level of encryption the same anyway? What would we
>>>> > gain
>>>> > for
>>>> > all the hassle of requiring user certificates (2000+) as well?
>>>> >
>>>> > Any comments? Any big holes here?
>>>> >
>>>> > Regards
>>>> > Al Blake, Canberra, Australia
>>>> >
>>>> >
>>>>
>>>>
>>>
>>>
>>
>>
>
>