Monday, January 21, 2013 3:35 PM
I am expanding an exisiting wired 802.1x deployment which is using certificate based authentication and I was after some advise.
At present, there is a single 2008 Enterprise Root CA issuing certificates to 200 client devices, this will need to expand to 400. I have read in multiple locations that a single Enterprise root CA will be adequate for this deployment if certificates security requirments are not high, as opposed to installing an offline root CA and subordinate CAs, so just for basic authentication purposes. Is this correct?
Am I also right in thinking that NPS holds a local copy of the CRL so authentication can still succeed if the CA is down?
The deployment that I am looking at is multisite so is it advised to have a local NPS at each site with a central NPS as backup?
- Edited by willscott2013 Monday, January 21, 2013 3:36 PM
Monday, January 21, 2013 6:01 PM
The NPS server will cache a copy of the CRL (both base; and delta if implemented) until the CRL(s) expire. As soon as the CRL expires, all authentication attempts will fail (if you have strong CRL checking implemented).
It will not matter how many NPS servers you deploy, since you have a single point of failure in the CA. But, even with multiple CAs, you still run into the issue for all certs issued by the CA that fails.
Tuesday, January 22, 2013 9:09 AM
Thanks for this. So in this type of deployment will one Enterprise Root be ok with 2 NPS servers for radius redendancy? If the CA was to fail, how long will the NPS hold the cache before flushing? Can this CRL cache time be increased?
- Edited by willscott2013 Tuesday, January 22, 2013 9:10 AM
Tuesday, January 22, 2013 1:11 PM
The CRL cache time is simply based on your CRL publication interval. It sounds like a single CA will be fine, but really there is nothing you can do about the CRL caching, as you cannot predict when the CA will fail. It could fail with 1 min left to the next CRL publication (for example).
You could define some overlap period, but again, even if you say extend the CRL for 6 hours after the next publication, you will only get 6 hours plus one minute if it again fails one minute prior to the next CRL publication.
Bottom line, you need to monitor the CA using a script like CAMonitor.vbs or the CA management pack for SCOM
- Marked As Answer by willscott2013 Tuesday, January 22, 2013 3:05 PM
Tuesday, January 22, 2013 3:05 PMVery helpful. Thank you