Sent: 20 April 2006 14:10
To: [email protected]
Subject: RE: [ActiveDir] Setting Wireless Config via GPO
Dave,
The certs can be used in different ways. If you are using EAP-TLS, which uses the certs to authenticate the user and the server, you will need a CA to issue them. This would require a PKI solution to be in place. While not hard or impossible in 2003, it is just something you want to be cautious about.
The thought of a complete PKI has put us off this....
Using the EAP-PEAP method, the cert is only used to identify the server to the client and open a secure tunnel so the password credentials can be sent over. Once the user is authenticated, the connection is secured through the two choices of wireless encryption. You do not need a CA for this, and can request an IAS certificate from Verisign, I believe, still.
This seems O.K. We generated a cert internally, and this is how we intend to proceed...
Yes, XP SP2 would be great, especially being able to configure GPOs in the domains.
You still seem to need to run the GPO Editor on a W2003 Server. Is there a way to run this on an XP-SP2 workstation? I have not found one. And since my original post I have been looking at what is needed to update the schema to the Windows 2003 level. This seems to be really horrid. Has anyone any good pointers to how-to and gotcha articles on this? The more I read the more nervous I get, and the further up the scale the risk assessment on my draft change request goes...
With IAS as the middleman between the WLAN device and the directory, you can set access policies from as simple as "If user is a member of the domain, grant access, else deny" kind of stuff, to more granular rules.
Does this still work for domains in 2K mode? I don't seem to get any access unless the "remote access" flag is on in AD, even though I have set policies on IAS...
Now one thing though: where I am, we use Dell for our laptops, which come standard with the built-in WiFi modem (1450 card). Dell has their own client tool that can utilize PEAP as well. The one benefit is the Dell client does have a GINA addition, which allows a pre-logon WLAN authentication. Some people like this so their logon script runs, etc. So while not needed, it's a 3rd-party tool some people like. It also allows us to do EAP-PEAP on Windows 2k boxes, which do not support it natively.
1. If you allow the machine to authenticate, won't policy apply and logon scripts run any way? (That is set to machine access with user re-authentication in the GPO).
2. I have not tried any W2k boxes, but I have not managed to get any XP boxes to authenticate with WPA/EAP-PEAP when using third-party tools to config the cards. I have tried IBM, Intel & 3Com cards but all seem to fail to authenticate. As soon as I enable Zero Config, Windows takes over and all works fine...
Hoping some of this makes sense,
Jef
**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.
If you receive this email in error please notify Stockport e-Services via [EMAIL PROTECTED] and then permanently remove it from your system.
Thank you.
http://www.stockport.gov.uk
**********************************************************************
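The per-user "remote access" flag discussed in the thread is the msNPAllowDialin attribute on the user object in AD: TRUE is "Allow access", FALSE is "Deny access", and an absent attribute is "Control access through Remote Access Policy", the state IAS needs to evaluate its own policies (that third option is only offered on the Dial-in tab once the domain is in native mode). The following script, an added example that is not part of the original thread, audits every user account and reports which of the three states it is in, so the effect of "set policies on IAS" versus the per-user flag can be seen before a cutover. It assumes a domain-joined host running PowerShell 2.0 or later and uses only .NET DirectoryServices, so no RSAT module is required.

```powershell
# Added example: audit the per-user dial-in / remote access flag (msNPAllowDialin)
# that IAS consults before applying its remote access policies.
# Assumption: run on a domain-joined machine as a user allowed to read user objects.

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000   # paged search so large domains are enumerated fully
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "msNPAllowDialin"))

$summary = @{ Allow = 0; Deny = 0; Policy = 0 }

foreach ($result in $searcher.FindAll()) {
    $name = $result.Properties["samaccountname"][0]

    # Absent attribute = "Control access through Remote Access Policy";
    # present attribute is a Boolean: TRUE = Allow, FALSE = Deny.
    if ($result.Properties.Contains("msnpallowdialin")) {
        if ($result.Properties["msnpallowdialin"][0]) { $state = "Allow" } else { $state = "Deny" }
    } else {
        $state = "Policy"
    }

    $summary[$state]++
    "{0,-25} {1}" -f $name, $state
}

""
"Allow: {0}  Deny: {1}  Controlled by IAS remote access policy: {2}" -f `
    $summary.Allow, $summary.Deny, $summary.Policy
```

Accounts that show as "Deny" will never reach the IAS policy evaluation regardless of what the policy says, and accounts showing "Allow" are granted before group-membership conditions are applied; only accounts in the "Policy" state are governed by the "if user is a member of the domain, grant access" style rules described above.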
