Networking Forums

Peap and domain login

 
 
Tech
Guest
Posts: n/a

 
      01-31-2005, 10:56 PM
We just set up wireless in my company and it is working great. The question
I have is: we have set up a room with laptops that are using wireless. We
have this set up for PEAP and authenticate against a RADIUS server. Is
there a way to log on to the domain via wireless if you have never logged on to
the machine before? Keep in mind that the machine is joined to the
domain but it is not using a cached profile at first. We always had to
connect to the wire first.

Any help?
 
Mark Gamache
Guest
Posts: n/a

 
      02-01-2005, 12:36 AM
Are you using MS-CHAP v2 or a TLS certificate inside of the PEAP connection?
If you are using MS-CHAP v2, there should be no need for the user to log on
via the wire first. If you are using certs, then you need to provision the
cert before they can authenticate, so you would need to have another method
to acquire the cert.

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com



Tech
Guest
Posts: n/a

 
      02-01-2005, 12:46 AM
I am using EAP MS-CHAP v2 and a wireless certificate. Does this make
sense? But what I am noticing is that I need to log on to the machine
first, configure the wireless with the SSID and PEAP, and then accept the
certificate. I would like to do all this via group policies, but I was
told that I need to have a 2003 DC and we are still at 2000.


 
Mark Gamache
Guest
Posts: n/a

 
      02-01-2005, 01:15 AM
The certificate that protects the EAP exchange is the IAS server's
certificate; this is also the certificate that your client uses to
authenticate the IAS server (if you use mutual auth). So the MS-CHAP v2 is
being used inside the TLS tunnel. This means that you don't need a client
cert. You are correct though, in order to configure the client, you do need
to have access to the domain to process the login without cached
credentials.

To achieve this, add the Domain Computers group (or the computer accounts
separately) to whatever group you use for wireless authentication. The
computers are then able to authenticate using their machine accounts.
This access should allow you to process the login while still in the context
of the machine, assuming that it retains the previous user's wireless
settings. Some vendors' hardware may not support this. The only way to know
for sure is to give it a try.

To automatically configure each user's account, you would need a Win2003 DC,
and actually, if you are using WPA, that is currently not supported for auto
config via GPO. That's coming in 2003 Server SP1.

Cheers,

--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
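
The group change described in the reply above, as an added example that is not part of the original thread. It assumes a domain where the ActiveDirectory PowerShell module (which postdates this thread) is available; the group name `Wireless Access` and the computer name `LAB-LAPTOP-01` are hypothetical placeholders.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# Hypothetical names: replace with your wireless authentication group and a test laptop.
$WirelessGroup = 'Wireless Access'
$ComputerName  = 'LAB-LAPTOP-01'

# Domain Computers always has the well-known RID 515 within its domain,
# so look it up by SID rather than by its (localizable) display name.
$domainSid       = (Get-ADDomain).DomainSID.Value
$domainComputers = Get-ADGroup -Identity "$domainSid-515"

# Direct members of the group used for wireless authentication.
$memberSids = @(Get-ADGroupMember -Identity $WirelessGroup |
    ForEach-Object { $_.SID.Value })

if ($memberSids -notcontains $domainComputers.SID.Value) {
    # Nest Domain Computers so machine accounts can authenticate before any user logs on.
    Add-ADGroupMember -Identity $WirelessGroup -Members $domainComputers
    Write-Output "Added '$($domainComputers.Name)' to '$WirelessGroup'."
}

# Confirm how the test laptop's machine account reaches the wireless group.
# Membership in Domain Computers is normally held through primaryGroupID (515),
# which does not appear in the account's memberOf attribute.
$computer   = Get-ADComputer -Identity $ComputerName -Properties PrimaryGroupID, MemberOf
$wirelessDn = (Get-ADGroup -Identity $WirelessGroup).DistinguishedName

[PSCustomObject]@{
    Computer           = $computer.Name
    ViaDomainComputers = ($computer.PrimaryGroupID -eq 515)
    DirectMember       = ($computer.MemberOf -contains $wirelessDn)
}
```

If both `ViaDomainComputers` and `DirectMember` are false for a laptop, its machine account is not covered by the group and it would need to be added separately.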


