How to Authenticate Wireless clients via Certificate based information

  • Question

  • I'm looking for a solution to accomplish the following:

    I want to be able to have a wireless client (OS doesn't matter) authenticate to my network, mainly for internet access, via a certificate he/she was already issued from a corporate CA.

    For example, a user comes into my building with his/her laptop (not a member of my domain) and has their corporate certificate installed on their machine. I want a policy in my network that says: if a user has a certificate issued by corporateX.com, then authenticate them.

    I want to use 2008 to do this but I'm open to anything as long as I accomplish this.

    Thanks,


    Friday, July 17, 2009 7:19 PM

Answers

  • Hi,

    You can authenticate this way with IPsec, but not quite this specifically with PEAP. With PEAP, you can trust certain Root CAs and not trust other CAs. A server certificate is required, but the client certificate is optional. So, if the NPS server has a server authentication certificate from Company A, and the client trusts the Root CA for Company A, then a secure channel can be established for authentication. I think that is as far as you can go with PEAP in terms of certificate auth. IPsec is a lot more flexible.

    You also might want to look at AD Federation Services, but this is a little outside what you are asking about.

    -Greg
    Saturday, August 22, 2009 6:56 PM
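The policy the thread keeps circling around ("trust certain Root CAs and not others", then admit any client whose certificate chains to a trusted one) is a trust-anchor check. The Go program below is an added example, not code from this thread or from Microsoft NPS: it constructs two throw-away root CAs ("Company A" and "Company B"), issues one client certificate from each with the Client Authentication EKU that EAP-TLS expects, and then applies the poster's rule by verifying each client against a root pool that contains only Company A. All names, serial numbers and validity windows are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuerCA is a constructed root CA (certificate plus signing key) that stands
// in for a real corporate CA in this demonstration.
type issuerCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRootCA builds a self-signed root CA for the named organisation.
func newRootCA(org string) (*issuerCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuerCA{cert: cert, key: key}, nil
}

// issueClientCert signs an end-entity certificate for a user, carrying the
// Client Authentication EKU that a supplicant's EAP-TLS certificate needs.
func (ca *issuerCA) issueClientCert(user string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// admitClient is the policy decision: the presented certificate must chain to
// one of the trusted roots, be inside its validity period, and be usable for
// client authentication. Anything else is rejected with a non-nil error.
func admitClient(trustedRoots []*x509.Certificate, client *x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// runScenario builds Company A (trusted) and Company B (not trusted), issues a
// client certificate from each, and reports whether each client is admitted.
func runScenario() (admittedA, admittedB bool, err error) {
	companyA, err := newRootCA("Company A")
	if err != nil {
		return false, false, err
	}
	companyB, err := newRootCA("Company B")
	if err != nil {
		return false, false, err
	}
	userA, err := companyA.issueClientCert("alice", 100) // constructed user
	if err != nil {
		return false, false, err
	}
	userB, err := companyB.issueClientCert("bob", 200) // constructed user
	if err != nil {
		return false, false, err
	}
	trusted := []*x509.Certificate{companyA.cert} // the policy: only Company A's root
	return admitClient(trusted, userA) == nil, admitClient(trusted, userB) == nil, nil
}

func main() {
	a, b, err := runScenario()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("Company A client admitted: %v\nCompany B client admitted: %v\n", a, b)
}
```

The same check is what a RADIUS server performs when its trusted-root list holds only the partner CA: every certificate that chains to that root is accepted, so the decision is only as selective as the CA itself. Two things worth keeping in mind when trusting an external company's root this way: the policy admits every certificate that CA ever issues, not just the visiting user's, and the check above does no revocation lookup, so a revoked partner certificate would still be admitted unless CRL or OCSP checking is added on top.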

All replies

  • Hi,

    Can you give me more details on the scenario

    1. Is the user part of the domain?
    2. How are you getting the certificate if he is not part of the domain?
    3. What should the experience be if the user doesn't have the certificate? Should he get access to the network?

    Thanks,
    Srinivasulu.
    Tuesday, July 21, 2009 10:00 PM
  • Hi,

    If the user is part of the domain corporateX.com, you can use the EAP-TLS or PEAP-TLS authentication type with user authentication set in the Wireless connection properties to authenticate him based on the user certificate.

    You can get more details on the EAP and PEAP here http://technet.microsoft.com/en-us/library/cc770622(WS.10).aspx.


    Thanks,
    Srinivasulu.
    Tuesday, July 21, 2009 10:08 PM
  • 1. The user is not part of the domain.
    2. The certificate is issued by another company.
    3. If their certificate doesn't match my policy, then they are denied access.

    So the scenario is ......

    A user has a corporate certificate issued from company A.com

    That user comes to my Company and needs access. I want to be able to authenticate him/her based on who their certificate was issued from.

    For example, let's say that the user had a certificate issued from Company A.com's CA.

    I want the ability, or a policy, that says: anyone with a certificate issued by Company A.com ...... authenticate them and allow them access to my wireless network.



    Is there a way to accomplish this?

    I currently have Server 2008 domain controllers and a CA.


    Thanks for your help.


    Tuesday, July 21, 2009 10:28 PM