One of the most common challenges I hear about when deploying secure 802.1x (for both wireless and wired scenarios) and remote access is deploying certificates to your IAS servers.

 

With Windows 2003 environments that have Active Directory deployed you can use certificate auto-enrollment and certificate templates makes this process a breeze.

 

Now I know there is alot of dogma associated with deploying certificates and certificate authorities but it doesn’t have to be hard, in just a few minutes you can install a Enterprise CA in your environment, enable auto-enrollment and get all the servers that may require a certificate to perform TLS/SSL protected communication.

 

To get started its useful to understand how the certificate auto-enrollment system works:

first let’s start with the certificate templates, these define what fields go into a certificate, who are allowed to get certificates with that definition, and defines how those certificates will be acquired (manually or via auto-enrollment) these templates are stored in Active Directory so that your CAs and the hosts they serve can find them.

 

Next there is the certificate authority, this is the “stamper” of the certificates (like the DMV) you will be issuing;  you associate certificate templates with a CA, this way the CA knows what rules to apply when validating a request it receives and knows what to put into the certificate when it is ultimately issued.

 

And finally there is the certificate auto-enrollment client, this component when enabled (via Group Policy) looks into active directory to find what certificate authorities are available to it, what templates are available for those certificate authorities and generates/submits requests based on the templates it finds. The auto-enrollment client is also responsible for making sure that a new certificate is acquired before the old certificate expires (certificates expire like your driver’s licenses do).

In Windows 2003, we introduced two certificate templates specific for 802.1x and remote access deployments, these are the:

“RAS and IAS Server Authentication”

“Wireless Authentication”

 

Both of these templates are for machine certificates, these certificates are used by the Routing and Remote Access Server and IAS to authenticate themselves to clients, what’s nice about these templates is that they are already set up to contain all the right information to enable a successful server authentication, they are also already set up to auto-enroll to go to the servers in the IAS Server Group (“RAS and IAS servers”), that is once they are associated with a enterprise CA.

 

Give it a shot, my best time in configuring this scenario in a installed environment is about 15 minutes; as your getting familiar with the concepts I would plan to spend a hour or two though.

 

Sam.Salhi@online.microsoft.com

IAS/EAP/NPS team