Posted by S. Pidgorny on May 1, 2006, 6:02 am
Don't make the assumption that IAS is something similar to ISA Server - it is
not. In the 802.1x wired (and wireless) scenario, IAS actually does all
authentication - the switch simply forwards 802.1x traffic (incl. EAP
communication) to the IAS box, which in turn:
1. Checks the certificate trust and validity
2. Performs directory search by matching the certificate property (UPN)
3. Determines group memberships of the found object
4. Grants or denies access based on that
5. Logs the events in the system event log on the IAS server - which is
extremely useful for troubleshooting, as IAS log entries are very
informative
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
> Hi,
> I'm working on a project whereby it is proposed to use 802.1x for
> auth'n of wired devices (I know that IPSec is generally considered a
> better option in this space but 802.1x is a given).
>
> A Windows CA will be deployed to issue appropriate certs. for IAS and
> the XP clients, and obviously the switches will need to be of the
> required "standard". It is only proposed to use machine auth'n
> certificates - no user auth'n. In this circumstance I'm not sure what
> role IAS performs apart from hosting the server auth'n cert.
>
> I know that I should be using RAS policies which could incorporate
> criteria such as computer group membership, etc. but I know that on an
> ISA project that I recently worked on the client (computer) certificate
> was only validated in terms of its cert. "properties" such as trust,
> purpose, date, revocation, etc. The user certificate was the one which
> was used to apply sophisticated RAS policies.
>
> Can anyone confirm that I will be using RAS policies for the computer
> certificate that is presented?
>
> Thanks.
>
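As an added illustration of the five-step flow the reply lists (this is example code written for this thread, not IAS code or anything from the original posts), the model below plays the role of the RADIUS server: the switch only relays EAP, so every decision is made here. The trusted-issuer list, revocation set, directory objects, group names, the "host/fqdn" UPN form, the remote access policies and the log line format are all constructed stand-ins. It answers the original question directly: once the computer certificate's UPN resolves to a computer object, group-based policies apply to that object exactly as they would for a user.

```python
"""Model of the decision flow attributed to IAS for 802.1x EAP-TLS machine
authentication. Added example: certificate, directory, trust store, CRL,
policies and log format are constructed in-memory stand-ins."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    not_before: datetime
    not_after: datetime
    upn: str                      # SAN, UPN form (constructed: host/fqdn)
    eku: tuple = ("clientAuth",)  # extended key usage


# Step 1 inputs: issuers we trust, and serials those issuers have revoked.
TRUSTED_ISSUERS = {"CN=Corp Issuing CA"}
REVOKED = {("CN=Corp Issuing CA", 0x1003)}

# Steps 2/3 inputs: computer objects keyed by UPN, with group memberships.
DIRECTORY = {
    "host/pc-finance-01.corp.example": {"memberOf": {"Domain Computers", "Wired-Allowed"}},
    "host/pc-lab-07.corp.example": {"memberOf": {"Domain Computers"}},
}

# Step 4 inputs: ordered remote access policies; first match wins.
POLICIES = [
    {"name": "Wired 802.1x - allowed computers", "group": "Wired-Allowed", "grant": True},
    {"name": "Wired 802.1x - everyone else", "group": "Domain Computers", "grant": False},
]


def check_certificate(cert, now):
    """Step 1: trust chain, validity window, purpose, revocation.
    Returns a rejection reason, or None when the certificate is acceptable."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return "untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return "outside validity period"
    if "clientAuth" not in cert.eku:
        return "certificate not valid for client authentication"
    if (cert.issuer, cert.serial) in REVOKED:
        return "certificate revoked"
    return None


def authorize(cert, now, log):
    """Steps 1-5: returns the RADIUS verdict ('Access-Accept' or
    'Access-Reject') and appends a constructed log line for the decision."""
    reason = check_certificate(cert, now)
    if reason:
        log.append(f"REJECT {cert.upn}: {reason}")
        return "Access-Reject"
    obj = DIRECTORY.get(cert.upn)          # step 2: directory search by UPN
    if obj is None:
        log.append(f"REJECT {cert.upn}: no directory object for UPN")
        return "Access-Reject"
    groups = obj["memberOf"]               # step 3: group memberships
    for policy in POLICIES:                # step 4: first matching policy
        if policy["group"] in groups:
            verdict = "ACCEPT" if policy["grant"] else "REJECT"
            log.append(f"{verdict} {cert.upn}: matched policy '{policy['name']}'")
            return "Access-Accept" if policy["grant"] else "Access-Reject"
    log.append(f"REJECT {cert.upn}: no matching policy (implicit deny)")
    return "Access-Reject"


def demo():
    """Runs the flow over constructed certificates covering the edge cases."""
    now = datetime(2006, 5, 1, tzinfo=timezone.utc)

    def mk(upn, serial, issuer="CN=Corp Issuing CA", not_after=None):
        return Cert(subject=f"CN={upn.split('/')[1]}", issuer=issuer, serial=serial,
                    not_before=datetime(2006, 1, 1, tzinfo=timezone.utc),
                    not_after=not_after or datetime(2007, 1, 1, tzinfo=timezone.utc),
                    upn=upn)

    log = []
    results = {
        "allowed": authorize(mk("host/pc-finance-01.corp.example", 0x1001), now, log),
        "wrong_group": authorize(mk("host/pc-lab-07.corp.example", 0x1002), now, log),
        "revoked": authorize(mk("host/pc-finance-01.corp.example", 0x1003), now, log),
        "unknown": authorize(mk("host/pc-rogue.corp.example", 0x1004), now, log),
        "expired": authorize(mk("host/pc-finance-01.corp.example", 0x1005,
                                not_after=datetime(2006, 4, 1, tzinfo=timezone.utc)), now, log),
        "rogue_ca": authorize(mk("host/pc-finance-01.corp.example", 0x1006,
                                 issuer="CN=Other CA"), now, log),
    }
    return results, log


if __name__ == "__main__":
    verdicts, events = demo()
    for line in events:
        print(line)
```

Only the "allowed" case produces Access-Accept; the lab machine fails on group membership even though its certificate is perfectly valid, which is the distinction the original question was asking about. The log list stands in for the event-log entries the reply recommends for troubleshooting: every rejection carries the step at which it happened.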