Smart Card with NAP

Question

  • Hi there!
    Please tell me about Smart Card and NAP. Can I use a smart card to authenticate users in the domain?
    For example:
    1) Boot up a computer.
    2) The computer wants to obtain an IP address, but the switch will deny access to the network because 802.1x authentication is not completed - right?
    3) The computer will show the login screen for user authentication in the domain - right?
    4) And if I plug a smart card into the computer, can it authenticate me in the domain and on the switch? The IP address is not present yet - right?

    Forgive my bad English :)
    Saturday, March 15, 2008 5:46 AM

Answers

  • Hey KnStrelkov. Yes, you can enable smart-card based logon to your domain on all your domain-joined PCs. This method of logging-on to Windows is only supported by today’s version of NAP if you are using Microsoft VPN. To be clear, you can logon to Windows and connect a VPN at the same time – if you use this method the client will be subject to NAP policy compliance and network access restrictions over the VPN connection.

    You may also use NAP + 802.1X enforcement for machine / user based authentication (as the previous answerer indicated). This will be a separate process from logging-on to the machine (the user would be prompted for the smart card after he receives a desktop to perform the user-based 802.1X authentication). The machine authentication happens at boot, usually before anyone logs-on to the system...

    Please check out the NAP blog for a ton of stuff to read and watch… Cheers!

    Jeff Sigman, Senior Program Manager & NAP Hero, Enterprise Security Group

    NAP Blog, FAQ, Forum, MSDN, Site and my blog

    Saturday, April 26, 2008 11:16 PM
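The answers above describe two separate 802.1X authentications: a computer certificate for machine authentication at boot (before anyone logs on), and a smart-card user certificate for user authentication once the user has a desktop, with NAP evaluating the client's health on top of that. The following PowerShell is an added check, not code from the thread or from Microsoft: run elevated on the domain-joined client with the smart card inserted, it verifies that the prerequisites those answers rely on are actually in place. The function name Test-CertificateForEku is my own; the EKU OIDs are the standard Client Authentication and Smart Card Logon identifiers, and the service names (dot3svc, napagent) and netsh contexts are the built-in Windows ones.

```powershell
# Added example: verify the prerequisites for NAP + 802.1X with machine and user
# (smart card) authentication on a domain-joined Windows client. Not part of the
# original thread; function name is an assumption, OIDs and service names are standard.

$clientAuthEku     = '1.3.6.1.5.5.7.3.2'       # Client Authentication (used by EAP-TLS machine auth)
$smartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon (user certificate on the card)

function Test-CertificateForEku {
    param(
        [string]$StorePath,   # e.g. Cert:\LocalMachine\My or Cert:\CurrentUser\My
        [string]$Eku          # EKU OID the certificate must carry
    )
    $now = Get-Date
    # Keep only certificates that are time-valid, have a usable private key,
    # and list the requested EKU. A cert missing any of these cannot be used
    # by the 802.1X supplicant for EAP-TLS.
    Get-ChildItem -Path $StorePath |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and
            $_.NotAfter  -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $Eku })
        }
}

# 1. Machine authentication: a computer certificate in the machine store.
#    This is what lets the port open at boot, before the logon screen appears,
#    so the client can reach DHCP and the domain controller for the user logon.
$machineCerts = Test-CertificateForEku -StorePath 'Cert:\LocalMachine\My' -Eku $clientAuthEku
if ($machineCerts) {
    Write-Output ("Machine cert(s) usable for 802.1X: " + (($machineCerts | ForEach-Object { $_.Subject }) -join '; '))
} else {
    Write-Output "WARNING: no valid computer certificate with Client Authentication EKU; machine 802.1X will fail at boot"
}

# 2. User authentication: the smart card certificate is propagated into the
#    user's personal store while the card is inserted. This is the second,
#    separate 802.1X exchange the answer describes, prompted after logon.
$userCerts = Test-CertificateForEku -StorePath 'Cert:\CurrentUser\My' -Eku $smartCardLogonEku
if ($userCerts) {
    Write-Output ("Smart card user cert(s): " + (($userCerts | ForEach-Object { $_.Subject }) -join '; '))
} else {
    Write-Output "WARNING: no smart card logon certificate found in the user store (card not inserted, or not enrolled)"
}

# 3. Services: Wired AutoConfig is the wired 802.1X supplicant, and the NAP Agent
#    is what reports health state to the NAP server. Both must be running.
foreach ($svcName in 'dot3svc', 'napagent') {
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "WARNING: service $svcName not found on this host"
    } elseif ($svc.Status -ne 'Running') {
        Write-Output "WARNING: service $svcName is $($svc.Status) (expected Running)"
    } else {
        Write-Output "OK: service $svcName is running"
    }
}

# 4. Show the wired interfaces' current 802.1X state, the configured wired
#    profiles (which carry the machine/user authentication mode), and the
#    NAP client's enforcement state.
netsh lan show interfaces
netsh lan show profiles
netsh nap client show state
```

If step 1 reports no machine certificate, the chicken-and-egg situation in the question is exactly what will happen: the port stays closed, no IP address is assigned, and the smart card logon cannot reach a domain controller. The `netsh lan show profiles` output is the place to confirm the profile is set for machine and user authentication rather than user-only.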

All replies

  • Hello,

    You have to use both computer and user authentication to eliminate this problem. I mean, you need a computer certificate for computer authentication and a user certificate for user reauthentication.

    Regards.

    Tuesday, March 18, 2008 1:35 PM