
WiFi EAP-TLS & Machine & User Authentication?


ADB100

I have a working WiFi setup that uses Cisco AP's configured for WPA2 Authentication & AES Encryption. The Authentication is backed off to MS IAS where a Remote Access policy is configured that checks for Group Membership (WiFi-Group) and NAS-Port-Type=IEEE 802.11. In this policy the only Authentication method is EAP-TLS (Smart Card or other certificate). Group Policy is configured with Machine & User AutoEnrollment for certificates. All this is (and has been for a while) working OK.

A potential situation has arisen that I don't know the answer to:
Laptops are being built and made Domain members, which gets a Machine Certificate installed OK (plus whoever built the laptop will get a local profile along with a local user certificate). Now if a user takes one of these laptops but hasn't previously logged onto it, what happens?

I know the machine will boot up and, as long as the WiFi is enabled, it will authenticate as a machine via EAP-TLS and get an IP address, then perform any GP processing etc. Now when the user logs on what happens, since no local account will exist? Does a new certificate enrollment happen or does the authentication fail?

Cheers

Andy
 
What happens when you have a user logon to a new system that they haven't logged onto before? Does it work? If not, what errors are logged?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
I don't know is the answer, hence the question. Apologies but this is partially theory at the moment. What I described as working is a previous Lab environment I successfully tested for EAP-TLS & PEAP. Currently I don't have access to this lab (or at least I don't have a Laptop I can make a Domain Member of the test environment). What we didn't test at the time was the scenario I described with a valid Domain Member laptop connected via Wireless but a user that has never logged onto the laptop before.

I was hoping someone would have filled in the gaps I missed in the lab...

Andy
 
Try it out, resolve any issues that arise.

 
Yes, it looks like that is the only option... I was hoping someone else would have hit this dilemma and done some more research and come up with some answers...

I need to get a laptop to test with now...

Andy
 
OK I have managed to get a spare hard drive for the Laptop and have built a vanilla XP Pro SP3 workstation and patched it so everything is up to date.
I have made it a Domain Member and verified that when on the Wired LAN the machine successfully enrolls for a Machine certificate. I also verified that when on the Wired LAN a User also successfully enrolls for a User Certificate. GPO is also successfully pushing the Wireless profile to the machine (GPO was edited with a Vista SP1 Workstation, setting WPA2 with EAP-TLS Authentication and AES Encryption).
The machine is then shut down and disconnected from the Wired LAN. It is then booted with the Wireless enabled but left at the <CTRL><ALT><Delete> screen. I can see in the IAS Server logs the Machine authenticates OK and I can ping it. If the same user that logged on whilst it was connected to the Wired LAN logs on, it works fine and I can see the successful Authentication on the IAS Server. If the user then logs off (or the machine is rebooted) the PC is then pingable (sat at the <CTRL><ALT><Delete> screen). At this point a new user that has never logged on to the workstation before logs on and it begins to work but then stops. AD sees & authenticates the user, however the WiFi icon in the System Tray shows that it is attempting to authenticate and eventually fails and a balloon popup says
Intel Pro 200BG Wireless
Windows was unable to find a certificate to log you on to the network xxxxx

The default XP 802.1x Supplicant behaviour is enabled - i.e. Machine Authentication and User Re-Authentication AuthMode=1

This seems like a chicken-and-egg situation but this is what is required. Laptops are built and only the builder's Domain Account profile will by default be on the PC. The idea is any user can pick the laptop up and use it on the wireless with their own Domain account as long as they are allowed (i.e. User is a Member of the Wireless Users Group).

Any takers?

Andy
 
Without being plugged into the lan via a cable a user, logging into the laptop for the first time, cannot pull down the GPO that says auto enroll a user cert, therefore they can't enroll the user certificate.

Have you considered using machine only certs?? then you would not have this problem.

Paul
MCSE 2003
MCTS:Active Directory
MCTS:Network Infrastructure
MCTS:Applications Infrastructure

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 
I think this is just a timing issue with GPO processing & Automatic Certificate Enrollment, as it has worked once (out of about 15 times...).
When the workstation is logged off the machine has authenticated successfully and is 'on' the network (i.e. pingable). When a user logs on, AD authenticates the user and GPO processing begins, however the Automatic Certificate Enrollment doesn't quite happen before it attempts Wireless Authentication. In about 15 attempts so far it has worked once and I can see the Issued User Certificate on the CA.
Is there any way to force GPO processing & Automatic Certificate Enrollment to happen before the User fully logs on, as I think this will solve the issue?

Andy
 
OK after a bit more testing I am getting somewhere....

I am not 100% sure about this so if anyone has any more information or a better explanation then enlighten me...

There is a registry key that can be added to the User Hive:
Code:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEExpress

When this is present it looks like the 60-second delay before Enrollment happens is removed which allows the User to enroll for a certificate before the wireless drops off. If you search for 'AEExpress' it says this shouldn't be used in a production environment, however it does seem to solve my issue.

What I can't do is get this registry setting there by default. I have created a .reg file as follows:
Code:
Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\AutoEnrollment]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Cryptography\AutoEnrollment\AEExpress]

and I was hoping this would then appear in the Users Hive of the registry by default, unfortunately it doesn't. Does anyone know how I can do this?

Cheers

Andy
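Added example, not from the thread or from Microsoft: the .reg file above targets HKEY_USERS\.DEFAULT, which is the LocalSystem account's hive rather than the template new profiles are copied from. New profiles on XP are cloned from the Default User profile's NTUSER.DAT, so a key seeded into that file (loaded as a temporary hive) is inherited by every user who logs on for the first time afterwards. The path is assumed to be the standard XP location; existing profiles are not touched.

```batch
@echo off
REM Seed the AEExpress key into the Default User profile template so that
REM new user profiles inherit it (existing profiles are NOT changed).
REM Run as a local administrator on the built XP workstation.
setlocal
set "HIVE=%SystemDrive%\Documents and Settings\Default User\NTUSER.DAT"
set "MOUNT=HKU\DefUserTmp"
set "KEY=%MOUNT%\Software\Microsoft\Cryptography\AutoEnrollment\AEExpress"

if not exist "%HIVE%" (
  echo Default User hive not found: "%HIVE%"
  exit /b 1
)

REM Mount the template hive under a temporary name, add the key,
REM then unload so the change is flushed back into NTUSER.DAT.
reg load "%MOUNT%" "%HIVE%" >nul || (echo reg load failed & exit /b 1)
reg add "%KEY%" /f >nul
if errorlevel 1 echo reg add failed
reg query "%KEY%" >nul && echo AEExpress seeded into Default User profile
reg unload "%MOUNT%" >nul

REM Check which 802.1X supplicant mode is active. The thread's default,
REM AuthMode=1, is machine authentication followed by user re-authentication;
REM AuthMode=2 is computer-only authentication, the machine-cert-only option
REM suggested earlier, which avoids the user-certificate race entirely.
reg query "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global" /v AuthMode
endlocal
```

As the thread notes, AEExpress removes the enrollment delay and is documented as not for production use, so treat this as a lab workaround and compare it against the machine-only (AuthMode=2) option before rolling out.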
 