
Wired 802.1x Questions

Subject: Wired 802.1x Questions | Author: Chipeater | Date: 05-01-2006
Posted by Chipeater on May 1, 2006, 3:30 pm
Could anyone help with the following two questions...
a) Is my understanding correct that there are no GPO settings that can
be used to centrally configure wired 802.1x? If so, is manual
configuration the only option?

b) Is there any way on an IAS server to temporarily disable CRL
checking via a registry entry (or otherwise)? This is clearly not a
desirable thing to do in production, but I would like to do some testing
with CRL checking disabled.

Thanking you in anticipation


Posted by Steven L Umbach on May 2, 2006, 4:20 pm
Last I heard that is correct in that there is no way to use Group Policy to
configure wired 802.1x. Microsoft itself uses ipsec to protect access to
domain resources, which in addition to computer authentication can also
protect traffic with encryption and integrity with ESP/AH, which 802.1x
cannot do, and I have read that Vista/Longhorn may have the capability to use
ipsec and "user" authentication also.

See the link below for a registry setting that may be able to do what you
want for CRL checking though I have not tried them myself. --- Steve

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

The following registry settings in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP on
the IAS server can modify the behavior of the EAP-TLS when performing
certificate revocation:

* IgnoreNoRevocationCheck

When set to 1, IAS allows EAP-TLS clients to connect even when it does
not perform or cannot complete a revocation check of the client's
certificate chain (excluding the root certificate). Typically, revocation
checks fail because the certificate doesn't include CRL information.

IgnoreNoRevocationCheck is set to 0 (disabled) by default. An EAP-TLS
client cannot connect unless the server completes a revocation check of the
client's certificate chain (including the root certificate) and verifies
that none of the certificates have been revoked.

You can use this entry to authenticate clients when the certificate
does not include CRL distribution points, such as those from third parties.

* IgnoreRevocationOffline

When set to 1, IAS allows EAP-TLS clients to connect even when a
server that stores a CRL is not available on the network.
IgnoreRevocationOffline is set to 0 by default. IAS does not allow clients
to connect unless it can complete a revocation check of their certificate
chain and verify that none of the certificates has been revoked. When it
cannot connect to a server that stores a revocation list, EAP-TLS considers
the certificate to have failed the revocation check.

Setting IgnoreRevocationOffline to 1 prevents certificate validation
failure because poor network conditions prevented their revocation check
from completing successfully.

* NoRevocationCheck

When set to 1, IAS prevents EAP-TLS from performing a revocation check
of the wireless client's certificate. The revocation check verifies that the
wireless client's certificate and the certificates in its certificate chain
have not been revoked. NoRevocationCheck is set to 0 by default.

* NoRootRevocationCheck

When set to 1, IAS prevents EAP-TLS from performing a revocation check
of the wireless client's root CA certificate. NoRootRevocationCheck is set
to 0 by default. This entry only eliminates the revocation check of the
client's root CA certificate. A revocation check is still performed on the
remainder of the wireless client's certificate chain.

You can use this entry to authenticate clients when the certificate
does not include CRL distribution points, such as those from third parties.
Also, this entry can prevent certification-related delays that occur when a
certificate revocation list is offline or is expired.


All of these registry settings must be added as a DWORD type and have the
valid values of 0 or 1. The wireless client does not use these settings.



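A read-only audit of the four IAS registry values described in the reply above, added here as an example; it is not code from the thread or from the TechNet article. It assumes it is run locally on the IAS server in PowerShell with rights to read HKLM, and that the key path is the one quoted in the article.

```powershell
# Added example: report which EAP-TLS revocation-check overrides are active on an
# IAS server so that any value relaxed for testing can be found and reset to 0.
# Read-only; it never writes to the registry.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'

# The four DWORD values named in the TechNet excerpt; all default to 0 (check enforced).
$settings = @(
    @{ Name = 'IgnoreNoRevocationCheck'; Effect = 'accepts clients when a revocation check could not be completed' },
    @{ Name = 'IgnoreRevocationOffline';  Effect = 'accepts clients when the CRL server is unreachable' },
    @{ Name = 'NoRevocationCheck';        Effect = 'skips revocation checking of the client chain entirely' },
    @{ Name = 'NoRootRevocationCheck';    Effect = 'skips revocation checking of the root CA certificate only' }
)

if (-not (Test-Path $keyPath)) {
    Write-Output "Key $keyPath not found; no EAP overrides present (all revocation checks enforced)."
    return
}

$props = Get-ItemProperty -Path $keyPath
$weakened = @()
foreach ($s in $settings) {
    $value = $props.($s.Name)          # $null when the value has not been created
    if ($null -eq $value) {
        Write-Output ("{0,-26} not set (default 0, check enforced)" -f $s.Name)
    } elseif ($value -eq 1) {
        Write-Output ("{0,-26} = 1  WEAKENED: {1}" -f $s.Name, $s.Effect)
        $weakened += $s.Name
    } elseif ($value -eq 0) {
        Write-Output ("{0,-26} = 0  (check enforced)" -f $s.Name)
    } else {
        # The article states only 0 and 1 are valid; anything else is a misconfiguration.
        Write-Output ("{0,-26} = {1}  unexpected value; only 0 or 1 are valid" -f $s.Name, $value)
    }
}

if ($weakened.Count -gt 0) {
    Write-Warning ("Revocation checking is relaxed by: {0}. Reset these to 0 when testing is finished." -f ($weakened -join ', '))
}
```

Because the client never reads these values, the audit only needs to run on the IAS server itself.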
Posted by Chipeater on May 3, 2006, 2:46 am
Steve,
Thanks ever so much... all my questions answered.

Cheers, Dave

