Dave,

 

The certs can be used in different ways. If you are using EAP-TLS which uses the Certs to authenticate the user and the server, you will need a CA to issue this. This would require a PKI solution to be in place. While not hard or impossible in 2003, just something you want to be cautious about.

 

Using EAP-PEAP method, the Cert is only used to identify the server to the client, and open a secure tunnel so the password credentials can be sent over. Once the user is authenticated, then the connection is secured through the 2 choices of wireless encryption. You do not need a CA for this, and can request an IAS certificate from Verisign I believe still.

 

Yes, XP SP2 would be great, especially being able to configure GPOs in the domains.

 

With IAS as the middleman between the WLAN device and the directory, you can set Access policies from as simple as "If user is member of domain grant access, else deny" kind of stuff, to more granular rules.

 

Now one thing though, where I am, we use Dell for our laptops which come standard with the built in WiFi Modem (1450 card). Dell has their own client tool that can utilize PEAP as well. The one benefit is the Dell client does have a GINA addition, which allows a pre-logon WLAN authentication. Some people like this so their logon script runs, etc. So while not needed, it's a 3rd party tool some people like. It also allows us to do EAP-PEAP on Windows 2k boxes which do not support it natively.


Jef




 


Subject: RE: [ActiveDir] Setting Wireless Config via GPO
Date: Thu, 20 Apr 2006 10:36:06 +0100
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Thanks for the input so far, and sorry I left the "read receipt" on on the e-mail. I guess I will be getting those for years to come. (I did that on an internal list two years ago and still get receipts from that one...)
 
I don't want people on my Wireless who are not on the domain. I assume I stop that happening with certificates? I was also going to make sure all the laptops were on XP SP2 so I didn't need any third party utilities...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: 19 April 2006 17:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

We are using IAS, with PEAP authentication to AD. This allows them to use their logged on user credentials to the workstations to authenticate to the WLAN. The whole authentication is behind the scenes if they are in the Domain. I still have some network folks who fear being a domain, so they get prompted to relogon periodically but too bad for them :)

 

So far from what I hear, the response has been excellent since all the people have to do is walk into a conference room and they get access to the WLAN if their radio is on.

 

Jef


Subject: RE: [ActiveDir] Setting Wireless Config via GPO
Date: Wed, 19 Apr 2006 11:32:32 -0400
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

You really got that to work well?
I've had great success setting it up as well, however, I have a problem when users roam from one access point to the next. They get dropped for a few seconds for reauthentication which is not acceptable to most users. Are you using EAP? I would love to get more specifics if you do not have the problem I did.
 
Using Cisco 1220 x (27) with Cisco 350 client cards x (80)
Thanks.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kennedy, Jim
Sent: Wednesday, April 19, 2006 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Setting Wireless Config via GPO

Only way to fly, imho.
 
Push it all via GPO, Certs for the users and IAS Radius Auth from our Cisco 1100 AP's.
 
User needs wireless, I just add them to the user group that allows them to install/request the Cert and I don't have to do anything else.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Wednesday, April 19, 2006 4:29 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Setting Wireless Config via GPO

Folks,
 
Is any one setting wireless configurations using the features in AD 2003? We currently use the 3-COM tool and their proprietary security. As they have stopped supporting this we need to move on. Thanks for any input on this.
 
Dave Wade
 

