WPA-EAP
1 of 14
http://www.1ask2.com/Windows7/WPA-EAP.html
Requirement: the enterprise CA must run on Windows Server 2003 Enterprise or Windows Server 2008 Enterprise. The Standard editions of those releases cannot issue duplicated (version 2) certificate templates, and the autoenrollment of the "Copy of Computer" template below depends on one. In this lab the CA is installed on the domain controller, which is why the requirement is stated against the domain controller.
My environment: Domain Controller Windows 2008 enterprise
Client: Windows 7
Install Active Directory Certificate Services
Certificate Template Console
5/27/2014 9:37 PM
Grant Read, Enroll and Autoenroll permissions on the duplicated template to Authenticated Users (that group includes the computer accounts; a tighter choice is Domain Computers, or a group holding only the wireless laptops)
Issue the "Copy of Computer" certificate template from the CA console (Certificate Templates, New, Certificate Template to Issue)
Create a new organizational unit: Certificate OU
Group Policy Management Console
Create a new GPO: certificate GPO and link it to Certificate OU
Certificate GPO
Computer Configuration
Windows Settings
Security Settings
Public Key Policies
Enable “Certificate Services Client – Auto Enrollment” and tick both “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates”
Connect the wireless laptop with a network cable, join it to the domain, and move the laptop's computer object into the Certificate OU.
On the domain controller, open the Certificates console and request a Domain Controller certificate.
In the Certification Authority console (Issued Certificates) you will then find that both the laptop and the domain controller have been granted computer certificates.
Install “Network Policy and Access Services”
Click "Configure 802.1X"
Select "Secure Wireless Connections"
Add "RADIUS clients"
Authentication Method: Microsoft: Protected EAP (PEAP)
Confirm that a Domain Controller (server) certificate is available to NPS: in the PEAP properties, the "Certificate issued" list must show it.
Make sure that the "Copy of Computer" certificate template does not apply to the domain controller. If it does, the message "A certificate could not be found that can be used with this Extensible Authentication Protocol" appears. That is why I create a dedicated OU for wireless computers.
When this message appears, run the Certificates console for the domain controller's computer account and manually request the domain controller certificate.
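The two checks above (does NPS see a usable server certificate, and why does the "certificate could not be found" error appear) can be made in one place. The following script is an added example, not code from the original article: it walks the NPS server's machine certificate store and reports, for each certificate, the reasons PEAP or EAP-TLS would refuse to use it as the server certificate (no private key, expired, no Server Authentication EKU, name mismatch, untrusted chain). It assumes it is run elevated on the NPS server and that the server certificate carries the host's DNS FQDN in its Subject or SAN; the function name and the way the FQDN is derived are this example's own choices.

```powershell
# Added check, not code from the original article: lists the certificates in the NPS
# server's machine store and reports which of them PEAP / EAP-TLS can use as the server
# certificate. Run in an elevated PowerShell on the NPS server.
# Assumption: the server certificate names the host's DNS FQDN; $NpsFqdn is derived from
# DNS here and may need to be set by hand.
$NpsFqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required by PEAP and EAP-TLS

function Test-EapServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $problems = @()
    $now = Get-Date
    if (-not $Cert.HasPrivateKey) { $problems += 'private key not present' }
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) { $problems += 'outside validity period' }

    # Walk the EKU extension(s); NPS only offers certificates that include Server Authentication.
    $hasServerAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ServerAuthOid) { $hasServerAuth = $true }
            }
        }
    }
    if (-not $hasServerAuth) { $problems += 'no Server Authentication EKU' }

    # DnsName returns the SAN DNS entry when present, otherwise the Subject CN.
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false).ToLower()
    if ($dnsName -ne $Fqdn) { $problems += "name '$dnsName' does not match $Fqdn" }

    # Verify() builds the chain against the machine's trusted roots and checks revocation.
    if (-not $Cert.Verify()) { $problems += 'chain does not validate (untrusted root, or revoked)' }

    New-Object PSObject -Property @{
        Usable     = ($problems.Count -eq 0)
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapServerCertificate -Cert $_ -Fqdn $NpsFqdn } |
    Format-Table Usable, Subject, Thumbprint, Problems -AutoSize

# If no row shows Usable = True, NPS raises "A certificate could not be found that can be
# used with this Extensible Authentication Protocol". Request the Domain Controller
# certificate from the Certificates console as described above (or trigger autoenrollment
# with:  certutil -pulse) and run this script again.
```

A certificate issued from the "Copy of Computer" template to the domain controller may show up here as Usable as well; the article's observation is that its presence still triggers the error, so keep the domain controller out of the Certificate OU and rely on the Domain Controller template for the NPS server certificate.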
Create a "New Vista Wireless Network Policy" under
Computer Configuration -- Windows Settings -- Security Settings -- Wireless Network (IEEE 802.11) Policies
Run gpupdate /force on the wireless laptop, or simply restart it.
Unplug the network cable.
You will find that the wireless connection is established automatically.
However, if you disjoin the laptop from the domain, the wireless connection can no longer be established.
PEAP with EAP-MSCHAP v2 does not require certificates on client computers, but the NPS server must have a server certificate installed.
When you choose "Computer Authentication" in the wireless client policy, the wireless client must have a computer certificate.
To make Computer Authentication work, configure the connection request policy in NPS as follows:
The above configuration uses PEAP with EAP-TLS. When using only computer credentials, Windows performs 802.1X authentication before displaying the Windows logon screen. This gives the wireless client computer early access to networking resources such as Active Directory domain controllers.
The good thing about PEAP with EAP-TLS is that the computer connects to the wireless access point without a user logging on.
When you choose the "Smart Card or other certificate" authentication method in the user authentication modes tested below, you must have either a smart card or a user certificate; the computer certificate is not used.
I did successfully configure a user certificate. After selecting the authentication method "User or Computer Authentication" or "User Authentication", I selected "Smart Card or Other Certificate". A "certificate is required" prompt appeared. After a user certificate was requested and installed, the wireless connection was established. However, the wireless connection cannot be established automatically before the user logon process. I cannot ping the wireless client when it starts without a user logging on.
My understanding:
The "Smart Card or Other Certificate" authentication method is for user, not computer, authentication.
How about wireless router with WPA2 Enterprise security?
If the NPS server is connected on the WAN side of the wireless router (as in the diagram above), NPS records that the Message-Authenticator attribute is not valid. Message-Authenticator is an HMAC-MD5 over the RADIUS packet keyed with the shared secret, so this error means the secret NPS holds for that RADIUS client does not match the one the router used to sign the request.
To make WPA2 Enterprise authentication work, connect the NPS server on the LAN side, behind the router's WAN port, so that its RADIUS requests reach NPS from the address registered as the RADIUS client.
If the client gets stuck at "Validating identity":
Retype the RADIUS secret in the wireless router or access point.
Retype the RADIUS client secret in NPS
Stop NPS service
Start NPS service
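The three console steps above (retype the secret, stop NPS, start NPS) have a scriptable equivalent, and the reason a client hangs at "Validating identity" is recorded by NPS itself. The script below is an added example, not code from the original article: it rewrites the shared secret of an existing RADIUS client entry with netsh nps, restarts the service, and then prints the last hour of NPS reject/discard audit events with their reason text. The client name, the access point address and the secret are placeholders you supply; the script assumes it runs elevated on the NPS server.

```powershell
# Added example, not code from the original article. Re-enter the RADIUS client's shared
# secret on NPS, restart NPS, then read the NPS audit events that explain a stuck
# "Validating identity". Run elevated on the NPS server.
# Placeholders (assumed, not from the article): the client name and the AP's LAN address.
$ClientName = 'WirelessAP'           # name of the entry under RADIUS Clients in the NPS console
$ClientAddr = '192.0.2.10'           # LAN address of the access point / wireless router
$Secret     = Read-Host -Prompt 'RADIUS shared secret (type it once here, once on the AP)'

# netsh nps is the scriptable face of the NPS console's "RADIUS Clients" node.
# (Use "netsh nps add client ..." with the same parameters to create a new entry.)
# Note: the secret appears on the command line and in the process list while netsh runs;
# acceptable in a lab, not on a shared host.
netsh nps set client name="$ClientName" address="$ClientAddr" state="ENABLE" sharedsecret="$Secret"

# The NPS service is registered under the product's old name, IAS; restart it so the
# new secret is loaded (the article's "Stop NPS service / Start NPS service").
Restart-Service -Name IAS

# NPS logs its decisions to the Security log (6272 granted, 6273 denied, 6274 discarded)
# once the "Network Policy Server" audit subcategory is enabled.
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable | Out-Null

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273, 6274; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The RADIUS client address and the reason text are lines inside the message body.
        $lines = $_.Message -split "`r?`n"
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Event  = $_.Id
            Client = (($lines | Where-Object { $_ -match '^\s*Client IP Address:' }) -replace '^\s*Client IP Address:\s*', '')
            Reason = (($lines | Where-Object { $_ -match '^\s*Reason:' }) -replace '^\s*Reason:\s*', '')
        }
    } | Format-Table Time, Event, Client, Reason -AutoSize
```

After the restart, reproduce the client's connection attempt and run the last command again: a secret mismatch shows up as a 6274 discard whose reason mentions the Message-Authenticator attribute, while a policy problem shows up as a 6273 denial with a different reason, which tells you whether to keep retyping secrets or to look at the network policy instead.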
How about the iPhone or PDA to access the wireless network?
Such devices are not domain members and cannot autoenroll. You must install Certificate Services in standalone mode and enroll them through its web enrollment pages (certsrv).
Install Certificate service in standalone mode (e.g. W2008.My.Com, which has ip address: 191.121.11.120)
On each computer that will use the web enrollment pages, Internet Explorer must allow the certsrv ActiveX enrollment control to run. Rather than setting the whole Internet zone to its lowest security level, add http://191.121.11.120 to the Trusted sites (or Local intranet) zone so that only the CA site is affected.
http://191.121.11.120/certsrv
Click “Download CA certificate” and install it as follows:
Request a new certificate for NPS (network policy and access service) server
http://191.121.11.120/certsrv
“Advanced certificate request”
“Create and submit a request to this CA”
Request a new certificate for wireless client computer
http://191.121.11.120/certsrv
“Advanced certificate request”
“Create and submit a request to this CA”
If the “Secure Wireless Connections” policy has a condition that grants access to the Domain Users group, the client computer will be prompted with a logon window.
When you get the warning that the credentials provided by the server could not be validated, clicking Connect accepts the RADIUS server certificate without checking it, which is exactly what an evil-twin access point running its own RADIUS server relies on. For the lab that is acceptable; in production, install the CA certificate in the client's Trusted Root store and enable "Validate server certificate" with that CA selected, so that the warning never appears and a rogue server is refused.
PEAP with EAP-MS-CHAP v2
Only the NPS or other RADIUS server is required to have a certificate.
Successful PEAP-MS-CHAP v2 authentication requires that the client trust the NPS server after examining the server certificate.
Drawback of using PEAP-MS-CHAP v2 (without Single Sign On, see below)
If a user has never logged on to the wireless computer, he cannot log on wirelessly, because there is no cached user name and password on the system. Similarly, if the user's password has been changed on the domain but not on the wireless client computer, he cannot log on wirelessly.
PEAP with EAP-TLS
PEAP-TLS uses certificates for server authentication and either smart cards, which contain an embedded certificate, or certificates enrolled to client computers that are stored on the local computer in the certificate store, for user and client computer authentication.
Wireless Single Sign On feature
GPO
Create a new Wireless Network (IEEE 802.11) Policies
Add a wireless connection
In Security tab and click Advanced button
When selecting Computer authentication only, Single Sign On cannot be selected.
When using only user credentials, Windows without Single Sign-On performs 802.1X authentication after the user logon process has completed. This is the default setting.
The consequences of using only user credentials for wireless authentication are that a user cannot do an initial domain logon to a computer, because there are no locally cached credentials for his or her user account and there is no connectivity to the domain controller to authenticate new logon credentials. Moreover, some domain logon operations will fail because there is no connectivity to the domain controllers of the Active Directory domain at this time. Logon scripts, Group Policy updates, and user profile updates fail, resulting in Windows event log errors.
With Single Sign On, a Windows Vista wireless client can be configured to perform wireless network authentication with user credentials before the user logon process. The wireless client will have the same experience as a wired client, such as processing logon scripts, user profile updates, etc.
After selecting "user or computer authentication", I select "Enable Single Sign On for this network" and "Perform immediately before User Logon". A new user tim@test.com can log on to the domain wirelessly. Right on.
Test for changing user password
Shutdown wireless client computer.
Modify the user password for tim@test.com
Turn on the wireless client computer.
You can log on with the old password. Shortly after, a prompt asks you to input the new password.
Without user logging on, the computer cannot connect to wireless access point.