Options
Wireless CAC Authentication Question
higherho
Member Posts: 882
Hi all,
now I am not an expert on wireless but for CAC (Common Access Card / smart card) Authentication I understand that in 802.1x you can define wireless authentication through group policy. However on the hardware side what all would I need? I figured I would need an authentication server and at least server 2003 but I was curious if their was any other way? Hardware / software wise.
Any help would be greatly appreciated and if this is not the correct section to ask them question then I am sorry the reason why I posted this is that it regards to Cisco equipment.
now I am not an expert on wireless but for CAC (Common Access Card / smart card) Authentication I understand that in 802.1x you can define wireless authentication through group policy. However on the hardware side what all would I need? I figured I would need an authentication server and at least server 2003 but I was curious if their was any other way? Hardware / software wise.
Any help would be greatly appreciated and if this is not the correct section to ask them question then I am sorry the reason why I posted this is that it regards to Cisco equipment.
Comments
-
Optionsinstant000
Member Posts: 1,745
Hi all,
now I am not an expert on wireless but for CAC (Common Access Card / smart card) Authentication I understand that in 802.1x you can define wireless authentication through group policy. However on the hardware side what all would I need? I figured I would need an authentication server and at least server 2003 but I was curious if their was any other way? Hardware / software wise.
Any help would be greatly appreciated and if this is not the correct section to ask them question then I am sorry the reason why I posted this is that it regards to Cisco equipment.
I believe that you're asking how we could set up a wireless connection, to be accessed via smart card?
server side:
1. set up PKI (you'll need to setup a CA, and all that)
2. issue certificates for users
3. set it so your wireless users authenticate against your active directory
4. mark your user accounts to require smartcard logon
5. set up the authentication proxy server (all it does is send the authentication requests to AD)
wireless network:
1. set up wireless
2. require authentication in your 802.1X setup
3. send authentication requests to an authentication proxy server
client side:
1. smart card app/reader/driver
2. smart card
3. workstation added to the domain
4. define wireless setup, set up the PEAP to authenticate via smart card
===================
If you already have smart card logons configured, the extension you need is modifying your wireless setup to send authentication requests to a RADIUS server that connects to your domain database for checking user requests
In a site in the past, we made a group for the wireless users, and permitted that group to be permitted the 802.1x authentication. If you needed to add another wireless user, they just get added to that "Wireless Users" group.
It would probably be easiest to just get smart card logon working, then just extend that to your wireless network, or, just get domain authentication working against your wireless network, then modify it to smart card authentication. This way, you can transition from a known working state when testing, versus trying to configure all of it at once.
There's probably an easier way to do this, but this is how I would do it, based upon environments I've worked in from the past.Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!) -
Optionshigherho
Member Posts: 882
instant000 wrote: »I believe that you're asking how we could set up a wireless connection, to be accessed via smart card?
server side:
1. set up PKI (you'll need to setup a CA, and all that)
2. issue certificates for users
3. set it so your wireless users authenticate against your active directory
4. mark your user accounts to require smartcard logon
5. set up the authentication proxy server (all it does is send the authentication requests to AD)
wireless network:
1. set up wireless
2. require authentication in your 802.1X setup
3. send authentication requests to an authentication proxy server
client side:
1. smart card app/reader/driver
2. smart card
3. workstation added to the domain
4. define wireless setup, set up the PEAP to authenticate via smart card
===================
If you already have smart card logons configured, the extension you need is modifying your wireless setup to send authentication requests to a RADIUS server that connects to your domain database for checking user requests
In a site in the past, we made a group for the wireless users, and permitted that group to be permitted the 802.1x authentication. If you needed to add another wireless user, they just get added to that "Wireless Users" group.
It would probably be easiest to just get smart card logon working, then just extend that to your wireless network, or, just get domain authentication working against your wireless network, then modify it to smart card authentication. This way, you can transition from a known working state when testing, versus trying to configure all of it at once.
There's probably an easier way to do this, but this is how I would do it, based upon environments I've worked in from the past.
Thank you for the detailed post. Our current environment has CAC authentication (Smart card) with the laptops / network. Does not sound to complicated and not that much extra work to get it completed.
Again, thanks! -
Optionsinstant000
Member Posts: 1,745
Thank you for the detailed post. Our current environment has CAC authentication (Smart card) with the laptops / network. Does not sound to complicated and not that much extra work to get it completed.
Again, thanks!
Cool.
You want to look for documentation referencing "EAP"
Hope this helps.Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)