I have the following "is it possible" question:
Setup: all servers are Windows Server 2003 R2 SP2 Standard Edition, clients are Windows XP SP3
* dc01: domain controller + radius
* ca01: windows standard edition, enterprise certificate authority
* wireless controller
* xpclients
Currently the customer has an environment in which wireless access is granted or not on a per-user basis. This uses MS-CHAPv2. So when they connect to the wireless network, the user credentials are initially provided and validated by the RADIUS server.
Now they want to be able to use some form of computer-level authentication so the clients have a proper logon to the domain and so that logon scripts are executed nicely. This can be achieved with "smart card or certificate based" authentication, where all domain clients get a client certificate from the enterprise CA.
Now I was wondering how we can "mix" this approach: use the computer certificates for computer wireless authentication, and afterwards have per-user security by using their password.
Is it:
A) possible to configure PEAP as the authentication method (based on MS-CHAPv2) but still have a wireless connection while the client is not yet logged in, without using third-party tools?
B) possible to configure "smart card or certificate" as the authentication method, have computers authenticate based on a client certificate, but still have some security group in AD which controls which users are allowed to "reauthenticate" to the wireless LAN?
C) I am aware that using user certificates we could achieve this. But then I wonder the following:
C1) Can the default v1 user certificate template be autoenrolled? I'm aware that creating a custom user template (requires the Enterprise edition of Windows) would allow me to flag the autoenroll permission. But I'm wondering if it's possible without having to manually enroll a certificate for each user, even considering they'd all stick to their own portable.