I'm setting up 802.1x (EAP-TLS) for wireless clients in the test environment. The Microsoft best practises documentation (http://technet.microsoft.com/en-us/library/bb457091.aspx) states that the most secure method of authentication is:
WPA2 with Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) authentication and both user and computer certificates
EAP-TLS is the strongest 802.1X authentication method supported by Windows-based wireless clients. EAP-TLS uses digital certificates to provide mutual authentication, in which the wireless client authenticates itself to the authentication server and vice versa. EAP-TLS authentication requires a public key infrastructure (PKI) to issue certificates and keep them current. For the highest security, configure your PKI to issue both user and computer certificates for wireless access.
Can someone please explain how you configure both your client and backend (Radius) infrastructure to process two certificates? From my experience, when you configure your supplicant you have to instruct it to present either a user cert OR a computer cert... not both. On Windowws XP you can do this via the EAPOL reg key I think.... on WIndows 7 you just select the drop down box....
Am I missing something, or is there a way to ensure both certificate types are presented by the client machine and authenticated by the Radius server?
Hmm OK - I've done some more research, and I think I have the answer. This type of authentication can't be done... at least not simultaneously.
Microsoft provide further detail here: http://technet.microsoft.com/en-us/library/cc754057(WS.10).aspx
EAP does not provide mechanisms that perform dual authentication — that is, the authentication of both the computer being used to access the network and the user who is attempting to connect. For this reason, you are not required to issue both computer and user certificates when you deploy EAP and PEAP with certificate-based authentication types.
They go onto explain how computer certificates can be issued (seperately to user certs).
Using autoenrollment. When you deploy certificates using autoenrollment, you configure the CA to automatically enroll certificates to computers that are members of the Domain Computers group and to users who are members of the Domain Users group. No additional hardware is required to autoenroll certificates, because the certificates are stored on the computer that is connecting to the network. When a computer receives a computer or user certificate from the CA, the certificate is stored locally in a data store named the certificate store.
In other words - you can authenticate via computer and user certificate - it just can't happen at the same time. Computer cert auth would happen at computer boot (pre GINA-logon) and I believe user cert authentication then happens again after user GINA-logon. Obviously you'd need two different Radius policies to accomodate this scenario.
If anyone has configured this scenario and has some pointers, let me know.