PTCP asked:
Certificate deployment question for 802.1x wireless radius deployment for EAP-TLS

We are planning to deploy 802.1x wireless radius to our access points and have a couple questions regarding certificate deployment. We chose to require certificates (TLS) vs passwords (MS-CHAP v2).

Currently we aren't deploying certificates to the domain, but we do have an enterprise Certificate Authority infrastructure in place for this purpose and potential purposes (2008 R2).

The purpose and needs for the certificate template I am seeking to create are just going to be used for client authentication for 802.1x. We will also need to deploy/install certificates for our Mac users and potentially mobile devices.

During testing, I duplicated the default 'User' certificate template in our domain, which seems to be sufficient for our needs, but I fear this template may be opening some security risks in the future, which I would appreciate someone's opinion on. I also noticed that, by default, the private key is exportable. Is this a concern? If so, what?

Any opinions for such a scenario and deployment are appreciated, thank you!
SOLUTION by Randy Downs: only available to Experts Exchange members.
btan answered:

Some considerations

First, having certificates is definitely a stronger EAP type and fares better in protection against brute-force attacks, dictionary attacks and password guessing attacks than password-based authentication protocols (such as CHAP or MS-CHAP version 1). So going for a TLS cert is good.

Second, enroll certificates only to the computers and users to whom you want to grant network access through RADIUS clients. You do not have to autoenroll certificates to all members of the Domain Users and Domain Computers groups. Use of smart cards for client users is preferred (and not constrained to a specific machine); though there is additional cost for h/w (card/reader), the private key stays on the card (not exportable).

Third, exposure from the client cert private key being exportable is best avoided if you are using EAP-TLS or PEAP-TLS without smart cards. Do autoenroll client or computer certificates to domain member client computers. In a way, I see this as avoiding the manual route via cert web req (not avail in Win2012 R2) by logging into another domain machine and having to go for "Mark keys as exportable: Selected". This can increase exposure since you still need to "transport" the pfx to install it on the machine.

802.1X Authenticated Wireless Deployment Guide
https://technet.microsoft.com/en-us/library/dd283093(v=ws.10).aspx

Deploying Computer and User Certificates
https://technet.microsoft.com/en-us/library/5c245df0-5939-48d1-9a25-d318d6814de4
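As an added example (not code from PTCP, btan or the linked Microsoft guides), the PowerShell audit below checks the two things the thread raises: whether the duplicated template still carries the exportable-key flag (and whether it still inherits the default User template's extra EKUs for Secure Email and EFS alongside Client Authentication), and whether any Client Authentication certificates already issued into the current user's store have exportable private keys. It assumes the RSAT ActiveDirectory module is installed for the template query, Windows PowerShell with .NET 4.6 or later for the key inspection, and uses 'EAP-TLS-ClientAuth' as a placeholder for the common name of whatever the duplicated template was called.

```powershell
# Added example, not from the thread. Audits the two concerns raised in the question:
#  1. Does the duplicated certificate template set CT_FLAG_EXPORTABLE_KEY, and does it
#     still carry EKUs beyond Client Authentication?
#  2. Do Client Authentication certs already in the user store have exportable private keys?
# Assumptions: RSAT ActiveDirectory module present for part 1; 'EAP-TLS-ClientAuth' is a
# placeholder for the common name (CN, not display name) of the template you duplicated.

$TemplateName       = 'EAP-TLS-ClientAuth'   # placeholder template CN
$ClientAuthOid      = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU
$CT_FLAG_EXPORTABLE = 0x10                    # msPKI-Private-Key-Flag bit, per MS-CRTD

function Test-TemplateKeyExportable {
    param([Parameter(Mandatory)][string]$Name)

    # Certificate templates live in the Configuration partition, not the domain partition.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tpl = Get-ADObject -SearchBase $base -Filter "cn -eq '$Name'" `
                        -Properties 'msPKI-Private-Key-Flag','pKIExtendedKeyUsage'
    if (-not $tpl) { throw "Template '$Name' not found under $base" }

    $flags = [int]$tpl.'msPKI-Private-Key-Flag'
    $ekus  = @($tpl.pKIExtendedKeyUsage)
    [pscustomobject]@{
        Template       = $Name
        KeyExportable  = ($flags -band $CT_FLAG_EXPORTABLE) -ne 0
        EKUs           = $ekus
        # The default User template also carries Secure Email and EFS; for 802.1X the
        # template should be trimmed to Client Authentication only.
        ClientAuthOnly = ($ekus.Count -eq 1 -and $ekus[0] -eq $ClientAuthOid)
    }
}

function Get-ClientAuthCertKeyStatus {
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert   = $_
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus   = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($ekus -notcontains $ClientAuthOid) { return }   # skip certs not usable for EAP-TLS

        # Ask the key storage provider whether the private key may leave the machine.
        $exportable = 'unknown'
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($rsa -is [System.Security.Cryptography.RSACng]) {
                # CNG key: export policy lives on the CngKey object
                $policy     = $rsa.Key.ExportPolicy
                $exportable = ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
            } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                # Legacy CAPI key: exportability is recorded in the key container info
                $exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        } catch { }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            KeyExportable = $exportable
        }
    }
}

# Usage: run on a domain-joined admin workstation, then on a test client that has enrolled.
Test-TemplateKeyExportable -Name $TemplateName | Format-List
Get-ClientAuthCertKeyStatus | Format-Table -AutoSize
```

A template that reports `KeyExportable = True` will keep issuing keys that can be wrapped into a PFX and carried to another device, which is the exposure btan describes; clearing "Allow private key to be exported" on the template only affects new enrollments, so the second function is what tells you which already-issued certificates would need to be re-enrolled (or, with a CNG key storage provider, reissued with the non-exportable policy) to close the gap.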