The thought of a complete PKI has put us off this....

--- Many people tend to be in the same boat. We are looking at integrating our Badge IDs and Smart Cards, so I see a full-blown PKI initiative in the works.

This seems O.K. We generated a cert internally, and this is how we intend to proceed...

Yes, XP SP2 would be great, especially being able to configure GPOs in the domains.

You still seem to need to run the GPO Editor on a W2003 Server. Is there a way to run this on an XP SP2 workstation? I have not found one. And since my original post I have been looking at what is needed to update the schema to the Windows 2003 level. This seems to be really horrid. Has anyone any good pointers to how-to and gotcha articles on this? The more I read the more nervous I get, and the further up the scale the risk assessment on my draft change request goes...

--- I'm not understanding this problem. Is this because you don't have the Admin Templates loaded on your XP workstation to modify the GPO settings?

With IAS as the middleman between the WLAN device and the directory, you can set access policies from as simple as "If user is a member of the domain, grant access, else deny" kind of stuff, to more granular rules.

Does this still work for domains in 2K mode? I don't seem to get any access unless the "remote access" flag is on in AD, even though I have set policies on IAS...

---- When I first started this project we were in 2K mode for the domain, but the IAS box was a Windows 2003 member server. You need to have the user's Remote Access flag set to "Determine by Policy" for IAS to work. In 2K mode users are created with the default of "Deny", while in 2K3 mode they are defaulted to "Determine by Policy".

Now one thing though, where I am, we use Dell for our laptops, which come standard with the built-in WiFi modem (1450 card). Dell has their own client tool that can utilize PEAP as well. The one benefit is the Dell client does have a GINA addition, which allows a pre-logon WLAN authentication. Some people like this so their logon script runs, etc. So while not needed, it's a 3rd-party tool some people like. It also allows us to do EAP-PEAP on Windows 2K boxes, which do not support it natively.

1. If you allow the machine to authenticate, won't policy apply and logon scripts run anyway? (That is set to machine access with user re-authentication in the GPO.)

-- The old VPN scenario applies here. The user has to log on to the box with cached credentials (the logon script can't run since the machine is not connected yet); once they are logged on, the WLAN connects and authenticates based on the logged-on user. The GINA plugin just allows a pre-auth to open the WLAN connection before the Windows logon happens. We are using user authentication, not machine authentication, so I need user interaction.

2. I have not tried any W2K boxes, but I have not managed to get any XP boxes to authenticate with WPA/EAP-PEAP when using third-party tools to configure the cards. I have tried IBM, Intel & 3Com cards but all seem to fail to authenticate. As soon as I enable Zero Config, Windows takes over and all works fine...

-- We have used both the Dell client piece and the 3Com client piece with success, though the management of these is horrible due to the lack of good replication of configurations.

 


Jef


Dave,

Hoping some of this makes sense, 
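The Remote Access Permission problem discussed in this thread (users in a Windows 2000 mode domain defaulting to "Deny", which overrides whatever the IAS policy says) is easiest to deal with by auditing the per-user flag across the domain rather than fixing accounts one at a time. The script below is an added example, not code from the thread or from anyone in it; it assumes the ActiveDirectory PowerShell module (so it targets a later Windows Server than the 2003 era of this discussion) and that the per-user flag is the msNPAllowDialin attribute: TRUE is "Allow access", FALSE is "Deny access", and an absent attribute is "Control access through Remote Access Policy". The -SearchBase parameter and -Fix switch are the example's own.

```powershell
<#
  Added example (not from the original thread).
  Audits which users have an explicit Remote Access Permission set, and with
  -Fix clears explicit "Deny" so that IAS/NPS policy decides access instead.

  Assumption: msNPAllowDialin TRUE  = "Allow access"
              msNPAllowDialin FALSE = "Deny access"
              attribute absent      = "Control access through Remote Access Policy"
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical parameter: OU or domain DN to search; defaults to the whole domain.
    [string]$SearchBase,
    # Hypothetical switch: without it the script only reports.
    [switch]$Fix
)

Import-Module ActiveDirectory

if (-not $SearchBase) {
    $SearchBase = (Get-ADDomain).DistinguishedName
}

# Only users with the attribute explicitly set are interesting; unset already
# means "control through policy", which is what IAS needs.
$users = Get-ADUser -LDAPFilter '(msNPAllowDialin=*)' `
                    -SearchBase $SearchBase `
                    -Properties msNPAllowDialin

$report = foreach ($u in $users) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Permission     = if ($u.msNPAllowDialin) { 'Allow access' } else { 'Deny access' }
        DN             = $u.DistinguishedName
    }
}

$report | Sort-Object Permission, SamAccountName | Format-Table -AutoSize

if ($Fix) {
    foreach ($u in $users) {
        # Flip only explicit Deny to "control through policy". Explicit Allow is
        # left alone and listed above so it can be reviewed by hand: it bypasses
        # the policy's permission decision and deserves a deliberate choice.
        if (-not $u.msNPAllowDialin) {
            if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear msNPAllowDialin (control access through policy)')) {
                Set-ADUser -Identity $u -Clear msNPAllowDialin
            }
        }
    }
}
```

Run it without -Fix first to see the report; then `-Fix -WhatIf` previews the changes and `-Fix` applies them. Clearing the attribute is preferable to setting it TRUE, because "Allow access" means the user gets in even when no policy would have granted it, which silently defeats the "member of domain grants access, else deny" rule the thread describes. Note that the IAS policy profile also has an Ignore-User-Dialin-Properties attribute that makes the server disregard the per-user flag entirely; that is a per-policy alternative when fixing every account is not an option.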


