I'm having some issues with setting up stand-alone Windows XP systems
for use in a wireless environment with a vendor that utilizes
role-based access. Here are the two scenarios that we have:
1. Domain user on a domain member
2. Domain user on a stand-alone system
In both cases, WinXP SP2 is involved, though Linux would ideally be
involved in the second scenario. In each case, we're looking to
authenticate both the user and the system prior to allowing access to
provide a reasonable level of assurance that only those devices which
we wish are getting access to the wireless network. We are using IAS
and Windows Certificate Services on Windows 2003 Server, and have both
a domain member and a stand-alone server available for testing.
The former scenario covers normal, everyday wireless users. The
latter includes a select few users who do not attach to the domain,
and will encompass some trusted vendors with fairly general internal
access whose notebooks are members of their own domains and so cannot
be set up as members of ours, but which have also been vetted by our
staff as conforming to minimum patch and anti-malware standards.
For now, we're content to use PEAP for both the user and machine
accounts for the normal users. This works perfectly fine, though it
will (hopefully) be expanded to PEAP/EAP-TLS in the near future once
some PKI issues are out of the way for even greater security.
However, the stand-alone machines are causing us some headaches in
that we can generate user certificates all day long, but not machine
certificates. I get the following error trying to generate the CSR:
The wizard cannot be started because of one or more of the following conditions:
- There are no trusted certification authorities (CAs) available.
- You do not have the permissions to request certificates from the
available CAs
- The available CAs issue certificates for which you do not have permissions
What I've been able to find is sketchy, but it suggests that there is
no (easy?) way of doing this using Windows Certificate Services. I'm
wondering if the solution is to set up a Linux box running OpenSSL for
this side of the certificate requirements. I'm happy to do this if
that's what is required. I'll be testing this at home over the long
weekend, but I would greatly appreciate any input in the meantime.
--
Jarrod Frates, GAWN
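The OpenSSL route the post considers, as an added example that is not from the original thread: a POSIX shell script that produces a key and a machine-certificate CSR (client-authentication EKU plus a DNS subject alternative name, which is what an EAP-TLS supplicant certificate needs) and a check that inspects the CSR before it goes to the CA. The host name vendor-laptop01.example.com and the output directory are constructed placeholders; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds an RSA key and a
# CSR for a machine (computer) certificate on a Linux box with OpenSSL,
# which is the case the Windows request wizard refused on the stand-alone
# system. The resulting CSR is signed by your own CA afterwards.
# Assumption: openssl is on PATH; host name and directory are placeholders.

# make_machine_csr HOST DIR: writes DIR/HOST.key, DIR/HOST.csr, DIR/HOST.cnf.
# The request config asks for the Client Authentication EKU (what IAS checks
# on an EAP-TLS supplicant certificate) and puts the host name in the SAN.
make_machine_csr() {
    host="$1"
    dir="$2"
    mkdir -p "$dir" || return 1
    cat > "$dir/$host.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $host
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:$host
EOF
    # -nodes: unencrypted key, since a machine must use it without a user present
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -config "$dir/$host.cnf" 2>/dev/null
}

# csr_has_machine_ext CSR HOST: returns 0 only if the CSR self-verifies,
# carries the Client Authentication EKU and names HOST in its SAN. Run this
# before submitting the request so a CSR missing these is caught early.
csr_has_machine_ext() {
    csr="$1"
    host="$2"
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    echo "$text" | grep -q "TLS Web Client Authentication" || return 1
    echo "$text" | grep -q "DNS:$host" || return 1
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Usage: make_machine_csr vendor-laptop01.example.com ./out \
#        && csr_has_machine_ext ./out/vendor-laptop01.example.com.csr \
#               vendor-laptop01.example.com && echo "CSR ready for the CA"
```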