Very interesting. I only have 1 person using each laptop and only as a
backup to the wired network, so I think I can get away with only user certs,
as if someone logs into the computer without the right account I don't want
them to be able to get on. So I guess for me using just User Certs would be
the way to go.
"kb80" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> You can actually use both if you like or one or the other. It really
> depends on the environment. Certificates that are placed in the
> Machine/Computer store will allow the machine to be authenticated when a
> user is not logged into the machine.
>
> As a test, you may want to assign a static IP address to the wireless
> connection. Then start a continuous ping to that client's IP address so
> that you can see when and how the authentication occurs. Now, remove the
> certificate from the user store and import it or another valid certificate
> into the Computer/Machine store. So basically you now have only a machine
> certificate. Now if you log out of the machine to the point where you see
> the Windows GINA (Ctrl+Alt+Delete) screen, you should notice that you are
> able to ping the machine's IP because the "machine" has been
> authenticated. However, if you now log into the machine, you should notice
> that the ping stops and the wireless connection does not authenticate.
> This is because by default Windows will try to use a "user" certificate to
> authenticate when you log into the machine.
>
> So, in summary, to get the best of both worlds, the ideal would be to have
> both machine and user certificates, as without machine certificates the
> wireless connection will not be established prior to login, which will
> likely prevent access to Active Directory, Novell eDir, etc. (Barring
> cached credentials and what not that can make one think they are hitting
> AD.)
>
> You can however use the "AuthMode" registry setting under
> HKLM\Software\Microsoft\EAPOL\Parameters\General\Global to control whether
> Windows will only use machine authentication or a combo of both, etc.
> However, in my practice the limitation to this setting is roaming. If
> only machine authentication is used and a user is logged in and roams or
> loses connection, XP isn't smart enough to re-use machine authentication
> and thus tries to use user authentication, which in my case I don't have
> user certificates for due to the numerous users that log into the local
> machine, oh and the fact that this particular customer is a Novell
> environment. I'm still looking for a way around this.
>
> Hope this helps.
>
> Cheers
>
> "C Kelley" <(E-Mail Removed)> wrote in message
> news:%(E-Mail Removed)...
>> I've set up everything for EAP-TLS wireless networking and everything is
>> working great. I just have one question: I thought that for EAP-TLS to
>> work the client computer needed a user and computer cert... it seems that
>> all it needs is a user cert. Does that sound right? I have a laptop that
>> connects just fine with no computer cert.. Of course the IAS server has a
>> computer cert... but I thought for sure that the client needed both for
>> some reason.
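A PowerShell check for the machine-cert versus user-cert situation kb80 describes, added here as an example and not code posted by anyone in the thread: it lists the certificates in each store that a Windows EAP-TLS client can actually present (private key present, not expired, Client Authentication EKU) and reads the AuthMode value from the registry path quoted above. It assumes the key path is exactly as quoted and that the script runs on the client as the user who will use the wireless link; on newer Windows versions the key may simply be absent because the authentication mode is set in the 802.1X profile instead.

```powershell
# Added example (not from the thread). Inventory EAP-TLS usable certificates
# in both stores and report the EAPOL AuthMode value kb80 refers to.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU required for EAP-TLS clients

function Get-EapTlsCandidates {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string]$Store
    )
    Get-ChildItem -Path "Cert:\$Store\My" | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    } | Select-Object @{ n = 'Store'; e = { $Store } }, Subject, NotAfter, Thumbprint
}

$machine = @(Get-EapTlsCandidates -Store LocalMachine)
$user    = @(Get-EapTlsCandidates -Store CurrentUser)

"Machine-store EAP-TLS candidates: $($machine.Count)"
$machine | Format-Table -AutoSize
"User-store EAP-TLS candidates:    $($user.Count)"
$user | Format-Table -AutoSize

# Interpret the result in the terms the thread uses.
if ($machine.Count -eq 0) {
    'No machine certificate: the wireless link will not be up before logon (no pre-logon AD/eDirectory access).'
}
if ($user.Count -eq 0) {
    'No user certificate: after logon Windows will attempt user authentication, which will fail unless AuthMode forces machine-only.'
}

# Registry path as quoted in the thread (assumption: unchanged on this host).
$key = 'HKLM:\Software\Microsoft\EAPOL\Parameters\General\Global'
$authMode = (Get-ItemProperty -Path $key -Name AuthMode -ErrorAction SilentlyContinue).AuthMode
if ($null -eq $authMode) {
    "AuthMode is not set under $key (default behaviour applies, or this Windows version does not use this key)."
} else {
    # Value meanings are in Microsoft's 802.1X/EAPOL documentation; only the raw value is reported here.
    "AuthMode = $authMode"
}
```

Run it once before logon is not possible, so compare the machine-store result with the "ping survives at the GINA screen" test kb80 describes to confirm which certificate the supplicant actually used.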