Wireless 802.1X Fun Times

deanwebb · October 06, 2015, 06:47:16 PM

OK, so I was exaggerating. It *is* weaker than EAP-TLS, and I really consider EAP-TLS to be the only security worth doing on a wireless network that you want to keep secure.

wintermute000 · October 06, 2015, 09:09:24 PM

I agree, there's no other method that can revoke a client, or authenticate the client

SimonV · October 07, 2015, 02:21:59 AM

Quote from: wintermute000 on October 06, 2015, 09:09:24 PM
I agree, there's no other method that can revoke a client, or authenticate the client

If you're using PEAP with AD-based policies on the NPS/ACS you can just disable the user or computer account, no?

wintermute000 · October 07, 2015, 05:23:27 AM

Poor phrasing, I meant a client device.

protip: EAP-TLS documentation is.... horrific, at least for my levels of google-fu. Compared to reading about routing protocols, the info is all over the place, often ambiguously referencing MS screenshots. Took me half an hour to come to the conclusion that yes, you CAN auth BOTH machine and user certs. However, I can't find the answer to this - can you combine user/pass with a machine cert? Or is that PEAP (user/passs) with EAP-TLS (machine cert) chaining? Or just f--k it and join the queue of people asking our overworked resident wireless guru stupid questions?

deanwebb · October 07, 2015, 09:09:52 AM

Both user and machine can be used, but the 802.1X policy must be written to specify each choice. The certs can be ones that one must first sign into - which involves a local machine logon - but no connection to the wireless will be permitted until that user has signed on to his/her certificate. This wouldn't be cert chaining, but instead requiring that a cert not be offered up until the cert store is active and logged into.

Our firm wants to have wireless come up as the device boots, so we reference a non-interactive cert in our 802.1X wireless logon. However, our VPN requires a cert that involves a logon to the local cert store to activate.

wintermute000 · October 07, 2015, 03:29:58 PM

Thanks. I know the difference between user and machine but do you have any links re which certs you need to sign into and which don't . Is it machine doesn't require sign in?

deanwebb · October 07, 2015, 09:11:45 PM

Both kinds can be ones that don't have a sign in. If a cert is used for signing documents or secure emails, they are set to require a user sign-in to activate the cert store, and then possibly a second (redundant) sign-in to activate a cert at the time of usage.

Signing cert description: http://www.entrust.com/pdf-signing-certificates/

Wireless 802.1X Fun Times

deanwebb

wintermute000

SimonV

wintermute000

deanwebb

wintermute000

deanwebb