Setting up XP+IAS+Auto-enrollment wireless LAN?

Environment: Windows 2003 Native AD LAN
12 Windows 2003 servers, inclduing IAS running on W2k3 Enterprise
600 Windows XP SP2 laptops/desktops.

Proposal: Provide seamless, secure wireless connectivity for 250+ XP SP2
Laptops through Cisco 1200 APs.

I have searched around for as much information as I can on technet/MSDN
regarding setting up wireless LANs and securing them using auto-enrolled
certificates from a certificate server....but I am getting confused with
terminalogy and where I need to go next. Most of the white paers and
examples seem to relate to smartcard setup - which we ar enot doing.

So far I have configured a test OU in my AD and placed a single laptop in
there. I have rebooted the laptop and it gets issued with a certificate
automatically which is exactly what I want to happen. Questions:

a) The example I had told me to use a 'User certificate' template to
autoenrol the machine. Is this correct or should I have created a copy of a
'computer' certificate and used that on the machine OU (is there any
difference between a computer certificate and a user certificate in Windows
Certificate services).

b) If we are going to use the autoenrolled certificates as the basis for
security in our WLAN setup do we need to auto-enrol certificates for users
AND computers? (ie should the user OU and the computer OU be setup to issue
certs?)

c) What next? Once I have got certificates automatically issued for the user
and/or the computer how do I setup the whole thing so that the Access points
use them? I have configured the access points to use my IAS server as radius
for authentication and know that is working form the point of view of
authenticating my telnet login to the AP....but what do I need to tell them
to use the certs?

d) Can someone confirm whether we still need WEP if we are using EAP?

e) What do we need to setup on the IAS server to support EAP?

I am sorry this is so vague but I thought I had it sorted for a while and
then just got more confused with all the terminalogy and options.
If anyone can point me at a white paper 'setting up IAS to support EAP and
autoenrolled certificates' I would really appreciate it!

Regards
Al Blake, Canberra, Australia

In article <#(E-Mail Removed)>, in the
microsoft.public.windows.server.security news group, Al Blake
<(E-Mail Removed)> says...

> I am sorry this is so vague but I thought I had it sorted for a while and
> then just got more confused with all the terminalogy and options.
> If anyone can point me at a white paper 'setting up IAS to support EAP and
> autoenrolled certificates' I would really appreciate it!
>
http://www.microsoft.com/technet/Sec.../pkiwire/swlan
..mspx
--
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.

To add:

auto-enrollment:
http://www.microsoft.com/technet/pro.../autoenro.mspx

MSS wireless:
http://www.microsoft.com/downloads/d...displaylang=en

Wireless PEAP:
http://www.microsoft.com/downloads/d...displaylang=en



--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Paul Adare - MVP - Microsoft Virtual PC" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed) om...
> In article <#(E-Mail Removed)>, in the
> microsoft.public.windows.server.security news group, Al Blake
> <(E-Mail Removed)> says...
>
>> I am sorry this is so vague but I thought I had it sorted for a while and
>> then just got more confused with all the terminalogy and options.
>> If anyone can point me at a white paper 'setting up IAS to support EAP
>> and
>> autoenrolled certificates' I would really appreciate it!
>>
> http://www.microsoft.com/technet/Sec.../pkiwire/swlan
> .mspx
> --
> Paul Adare
> This posting is provided "AS IS" with no warranties, and confers no
> rights.