802.1X using HCS

  • Question

  • I am trying to configure 802.1X authentication using a Health Certificate Server, but I don't see how to define the policies needed:

    Somehow I have to give a connecting client restricted access to the network to allow it to get a certificate from the HCS, right? After getting the certificate the client should re-authenticate to get full network access. But how can I instruct the client to re-authenticate after getting the cert., and how can I catch the first connection request when the computer has no certificate, i.e. what exactly happens if the client tries to connect to the network but has no certificate (authentication failure?)?


    Thank you for any help.

    Wednesday, February 28, 2007 5:40 PM

Answers

  • ChowTok - Although it is technically possible to create a health certificate based 802.1x deployment of NAP, our work to support 802.1x based napped is currently focused on in-band exchanges using PEAP, not EAP-TLS and health certificates.

    For a good hardware independent walkthrough of how to do a PEAP based 802.1x deployment see: http://www.microsoft.com/downloads/details.aspx?FamilyID=8a0925ee-ee06-4dfb-bba2-07605eff0608&displaylang=en.

    If you really want to configure an EAP-TLS based deployment it's possible, but it's not optimal today from a deployment standpoint. What you need to do is: enable the IPSEC QEC (it subscribes for health certificates), configure which HRAs to hit (see the IPSEC step by step guide), configure 802.1x via group policy to use EAP-TLS and machine certificates, make sure there is only a single machine certificate, and configure your health policies on the NPS based on the IPSEC step by step guide.

    This should in theory work, but again it's not a tested scenario; we are investigating future support of out-of-band (health certificate based) EAP enforcement, but the above is the only way to do it today.

    Ryan



    Wednesday, February 28, 2007 10:28 PM
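Added example (not part of the thread and not Microsoft's own tooling): a PowerShell check a practitioner can run on a client before relying on the EAP-TLS variant Ryan describes. It verifies the two conditions that matter for that configuration, that exactly one usable machine certificate exists for EAP-TLS (a second one makes the EAP-TLS certificate selection ambiguous) and that a health certificate from the HRA is actually present, and then shows whether the wired 802.1X service and a LAN profile are configured. It assumes Windows PowerShell with local administrator rights; the health-certificate EKU OID used is the well-known System Health Authentication OID, which you should confirm against the certificate template your HRA issues.

```powershell
# Added example: pre-flight checks for EAP-TLS + NAP health certificates on a client.
# Assumptions: Windows PowerShell, run as local administrator, certificates live in
# the local machine "Personal" store (Cert:\LocalMachine\My).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU (used by EAP-TLS)
$HealthAuthOid = '1.3.6.1.4.1.311.47.1.1'  # System Health Authentication EKU (NAP); verify against your HRA template

function Get-EkuOids {
    # Returns the list of EKU OIDs carried by a certificate (empty if no EKU extension).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $ext) { return @() }
    return @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

$now = Get-Date
$store = Get-ChildItem Cert:\LocalMachine\My

# 1. Machine certificates that EAP-TLS could pick: private key present, not expired,
#    Client Authentication EKU. The thread says there must be exactly one.
$eapCandidates = $store | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt $now -and ((Get-EkuOids $_) -contains $ClientAuthOid)
}
$count = @($eapCandidates).Count
Write-Host "Client-auth machine certificates with private key: $count"
$eapCandidates | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
switch ($count) {
    0       { Write-Warning 'No usable machine certificate: EAP-TLS will fail until the QEC/HRA enrolment succeeds.' }
    1       { Write-Host 'OK: a single machine certificate, as the EAP-TLS deployment requires.' }
    default { Write-Warning 'More than one machine certificate: EAP-TLS selection is ambiguous; remove or re-scope the extras.' }
}

# 2. Is a NAP health certificate present at all? (Issued by the HRA when the client is compliant.)
$healthCerts = $store | Where-Object { (Get-EkuOids $_) -contains $HealthAuthOid }
if (@($healthCerts).Count -eq 0) {
    Write-Warning 'No health certificate found: check that the IPsec QEC is enabled and the HRA URL is configured.'
} else {
    Write-Host 'Health certificate(s) present:'
    $healthCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
}

# 3. Wired 802.1X prerequisites: the Wired AutoConfig service and a LAN profile.
$dot3 = Get-Service dot3svc -ErrorAction SilentlyContinue
if ($dot3) {
    Write-Host ("Wired AutoConfig (dot3svc) status: {0}" -f $dot3.Status)
    if ($dot3.Status -ne 'Running') { Write-Warning 'dot3svc is not running; 802.1X on wired interfaces will not be attempted.' }
} else {
    Write-Warning 'dot3svc service not found on this host.'
}
# Shows the interface profiles (authentication mode, EAP type) that group policy applied.
netsh lan show profiles
```

Run it once after the group policy for 802.1X has applied and once after the IPsec QEC has enrolled for a health certificate; the difference between the two runs is the point where the client should be able to re-authenticate with EAP-TLS, which is the transition the original question asks about.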