Wireless authentication security using Certificates and 802.11x

I'm working with an engineer on deploying a wireless solution using Cisco Aironet access points and a 2504 controller. Wireless in general is new for both of us, so I'm looking for information about the best way to set up authentication for this network.

Our goal is to have the laptops using wireless authenticate with a certificate without requiring the user to authenticate manually. From what I have read, in order to be secure we should be using the 802.11x protocol along with Protected EAP (PEAP) with EAP-TLS.

Not knowing much about either certificates with a Server 2008 domain or the Cisco access points, I'm hoping someone here can help me out with the general steps we'd need to take to make this happen. I'd also appreciate it if you could point me to any good summary documents that explain how this should all work from a high level, since I am not well versed in the technical details yet.
First Last Asked:

Craig Beck Commented:
Ok, so you need to implement Computer Authentication via Digital Certificate.  This is not easy and if you're new to Wireless/Cisco/Certificates it'll be a whole new experience!

Basically, you'll need to configure a Certification Authority (Microsoft Certificate Services) and a RADIUS Server (Microsoft NPS Service).
As well as this you'll need to create a couple of Group Policies.  One will automatically enroll computers to obtain a computer certificate from the CA, and the other will push the WLAN settings to computers.

On the Cisco Wireless controller you will need to configure a RADIUS server and set the SSID to use the RADIUS server when processing authentication requests.

Have a look at this doc for NPS setup...

http://araihan.wordpress.com/2009/11/11/windows-server-2008-how-to-configure-network-policy-server-nps-or-radius-server/



This might also help...

http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/




In all honesty it's not easy to implement if you're not familiar with the concepts.  There's a lot to do, so try and get each major component installed first, then link it all together.
0
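A check one might run on a domain-joined laptop once the autoenrollment Group Policy described in the answer above has applied, to confirm the machine holds a computer certificate that EAP-TLS can use (an added example, not part of the original answer). It assumes the certificate is expected to list the Client Authentication EKU explicitly and to carry the computer's FQDN as a DNS name in the Subject Alternative Name; the variable names are illustrative.

```powershell
# Added example: inspects the local machine certificate store for a computer
# certificate usable for EAP-TLS. Run in PowerShell on the laptop itself.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

# Build the FQDN from the local network configuration (no DNS lookup needed).
$ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$fqdn    = ('{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName).TrimEnd('.')
$sanPattern = '=' + [regex]::Escape($fqdn) + '(,|$)'
$now = Get-Date

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Collect the EKU OIDs. Assumption: Client Authentication must be listed explicitly.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Render the SAN as one line, e.g. "DNS Name=host.example.com, ..."
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

    $row = New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        TimeValid      = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        HasPrivateKey  = $cert.HasPrivateKey
        ClientAuthEku  = ($ekuOids -contains $clientAuthOid)
        SanMatchesFqdn = ($sanText -match $sanPattern)
    }
    # A certificate is counted as usable only when every check passes.
    $usable = $row.TimeValid -and $row.HasPrivateKey -and
              $row.ClientAuthEku -and $row.SanMatchesFqdn
    $row | Add-Member -MemberType NoteProperty -Name Usable -Value $usable -PassThru
}

$report | Format-List Subject, Issuer, NotAfter, TimeValid, HasPrivateKey,
                      ClientAuthEku, SanMatchesFqdn, Usable
if (-not ($report | Where-Object { $_.Usable })) {
    Write-Warning "No certificate in LocalMachine\My is usable for EAP-TLS as $fqdn"
}
```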

First Last Author Commented:
Thank you very much for the reply, I should have broken this question down into smaller chunks.  I'll start reading the links you provided but your overall description sounds very much in line with what I have discovered so far.  Thanks again!
0