Radius Server - CA Role in 802.1x


Andy

2006-09-05, 1:35 pm

Can anyone explain the role of the CA in the 802.1x authentication process? Why
do we need the CA? Where are the public and private keys stored, and when are
they used? I know how to set the CA up to work with 802.1x, but I am confused
about how it works and when it is used in the whole 802.1x authentication process.

Thanks a lot.
--
Andy
James McIllece [MS]

2006-09-05, 1:35 pm

Andy <Andy@discussions.microsoft.com> wrote in
news:1BA177E0-7E23-4B0E-8227-609B5BB3092E@microsoft.com:

> Can anyone explain the role of the CA in the 802.1x authentication process?
> Why do we need the CA? Where are the public and private keys stored, and
> when are they used? I know how to set the CA up to work with 802.1x, but I
> am confused about how it works and when it is used in the whole 802.1x
> authentication process.
>
> Thanks a lot.


The CA is not used during the authentication process, but the certificate
it has issued to clients and/or servers is used.

You can find an explanation of the authentication process in the IAS
Technical Reference at Windows Server TechCenter:

http://technet2.microsoft.com/Windo...89d5-fdaf-430c-9ef4-318f8c15baf11033.mspx?mfr=true


--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Andy

2006-09-05, 1:35 pm

Hi James,

Thanks for your quick reply. I guess my question wasn't clear. What I'd like
to know is why we need a CA in setting up 802.1x.

Thanks
--
Andy


James McIllece [MS]

2006-09-05, 7:43 pm

Andy <Andy@discussions.microsoft.com> wrote in
news:387BCCB8-DBC3-4CCC-8AB5-D31392592DCA@microsoft.com:

> Hi James,
>
> Thanks for your quick reply. I guess my question wasn't clear. What
> I'd like to know is why we need a CA in setting up 802.1x.
>
> Thanks


Ah OK. The need for certificates is caused by the authentication methods
you choose to use. With Windows Server 2003, you can deploy wireless with
the following authentication methods:

PEAP-MS-CHAP v2 -- this requires only a server certificate that client
computers trust, while users are authenticated with password-based
credentials. This is the recommended auth method for wireless because it
provides strong security and ease of use (especially if you enable fast
reconnect, which allows users to move between APs that are configured as
RADIUS clients to the same IAS server without having to re-enter their
credentials every time they encounter a new AP.)

PEAP-TLS or EAP-TLS -- These require a server certificate on the IAS server
and a client cert on clients or on a smart card. This is harder to deploy
than the method above but it adds security strength.

HTH...

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Andy

2006-09-06, 1:29 am

Hi James,
Let's say I have EAP-TLS set up correctly and I have only one CA on the
network. What will happen if the CA goes down or is taken offline? Are users
able to authenticate and log in to the network?
--
Andy


James McIllece [MS]

2006-09-06, 7:48 pm

Andy <Andy@discussions.microsoft.com> wrote in
news:96A19608-2550-476A-871E-9281EF495C4B@microsoft.com:

> Hi James,
> Let's say I have EAP-TLS set up correctly and I have only one CA on the
> network. What will happen if the CA goes down or is taken offline? Are
> users able to authenticate and log in to the network?


Yes. The CA is not contacted by IAS while it authenticates and authorizes
connection requests.

IAS does make sure that it trusts the issuer of the certificate, though --
it does this by looking in the Trusted Root Certification Authorities
certificate store for the Local Computer. If there is a CA cert there from
the CA that issued the connecting user or client cert, IAS trusts the cert.
(It also checks other properties of the cert to verify that it is valid and
meets the minimum client certificate requirements.)

IAS also periodically queries either the CA or AD (can't recall right now)
for the most recent certificate revocation list (CRL). Info on CRLs is in
Certificate Services Help on the box.



--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
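The offline trust check James describes in his last reply, as an added example that is not part of this thread and not IAS code: it uses Python's cryptography library to stand up a constructed CA, issue an EAP-TLS client certificate and a CRL, and then evaluate a connecting client's certificate against the Trusted Root store and the cached CRL without ever contacting the CA. The CA name, serial numbers and the fixed clock are constructed for the example, and the extra "minimum client certificate requirements" IAS checks (beyond issuer, signature and validity period) are not modelled.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = dt.datetime(2006, 9, 6), dt.timedelta(days=1)  # constructed clock (naive = UTC)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _builder(subject, issuer, pub, serial, days):
    return (x509.CertificateBuilder().subject_name(_name(subject)).issuer_name(issuer)
            .public_key(pub).serial_number(serial)
            .not_valid_before(NOW - DAY).not_valid_after(NOW + days * DAY))

def make_ca(cn="Example Root CA"):  # enrolment time: only the CA key signs certs and CRLs
    key = ec.generate_private_key(ec.SECP256R1())
    return key, (_builder(cn, _name(cn), key.public_key(), 1, 3650)
                 .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
                 .sign(key, hashes.SHA256()))

def issue_client_cert(ca_key, ca_cert, user, serial):  # EAP-TLS client cert, kept on the client
    key = ec.generate_private_key(ec.SECP256R1())
    return _builder(user, ca_cert.subject, key.public_key(), serial, 365).sign(ca_key, hashes.SHA256())

def publish_crl(ca_key, ca_cert, revoked_serials):  # RADIUS fetches this periodically and caches it
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + 7 * DAY))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def radius_accepts(cert, trusted_roots, cached_crl, now=NOW):  # connect time: all checks are local
    root = next((r for r in trusted_roots if r.subject == cert.issuer), None)
    if root is None:
        return "issuer not in Trusted Root store"
    try:  # the signature must verify under the trusted root's public key
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:
        return "signature invalid"
    if not cert.not_valid_before <= now <= cert.not_valid_after:
        return "outside validity period"
    if not cached_crl.is_signature_valid(root.public_key()) or cached_crl.next_update < now:
        return "cached CRL unsigned or stale"  # CA offline past next_update: no fresh CRL
    if cached_crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "certificate revoked"
    return "accept"
```

Note the last two checks: the CA can be offline at connect time without any effect, but once it stays offline past the cached CRL's next_update the server can no longer obtain a fresh list, and a policy that requires revocation checking starts rejecting otherwise valid clients.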