<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Microsoft Enterprise Networking Team - All Comments</title><link>http://blogs.technet.com/b/networking/</link><description /><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: Creating a secure 802.1x wireless infrastructure using Microsoft Windows</title><link>http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx#3571936</link><pubDate>Fri, 10 May 2013 14:08:41 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3571936</guid><dc:creator>Richard Pasztor</dc:creator><description>&lt;p&gt;Next issue: Step 5: Configuring Wireless Network (IEEE 802.11) Policies Group Policy Settings --&amp;gt; &amp;quot;10. Click the IEEE 802.1x tab. Change 802.1X settings as needed, including specifying and configuring the correct EAP type. Click OK twice to save changes.&amp;quot;&lt;/p&gt;
&lt;p&gt;The screenshot actually shows a scrolled-down list of Authentication modes, and does not give indication which option I should choose (User-or-Computer Authentication / Comp. auth only/ User auth only/ Guest auth)?&lt;/p&gt;
&lt;p&gt;Step 6: Configuring Wireless Clients Authentication&lt;/p&gt;
&lt;p&gt;&amp;quot;If you are using EAP-TLS or PEAP-TLS, you need to install computer and user certificates on wireless clients. &amp;quot;&lt;/p&gt;
&lt;p&gt;No, I don&amp;#39;t need! I can, but I don&amp;#39;t need! There was no explanation at the beginning of this article, if computer OR user OR computer+user authentication is the desired result, so just plainly stating that you NEED both, is pure unprofessionalism.&lt;/p&gt;
&lt;p&gt;I&amp;#39;m finishing my review here, the article basically is not that bad, but we are talking here about PKI, certificates, NPS, all kinds of stuff that does not allow any kind of chance for misunderstanding. I would recommend to pull this article back, and fix it properly!&lt;/p&gt;
</description></item><item><title>re: Creating a secure 802.1x wireless infrastructure using Microsoft Windows</title><link>http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx#3571934</link><pubDate>Fri, 10 May 2013 14:08:02 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3571934</guid><dc:creator>Richard Pasztor</dc:creator><description>&lt;p&gt;Next issue: Step 2: Configuring Active Directory for Accounts and Groups&lt;/p&gt;
&lt;p&gt;&amp;quot;Create a USER account for all users who would make wireless connections&amp;quot;, &amp;quot;Create a COMPUTER account for all computers that would use wireless connections&amp;quot;&lt;/p&gt;
&lt;p&gt;&amp;quot;Set the remote access permission on user and computer accounts to the appropriate setting (either Allow access or Control access through Remote &amp;nbsp;Access Policy) as shown below&amp;quot;&lt;/p&gt;
&lt;p&gt;Why do I need to create a computer account and A user account? The whole article does not say a word, about what I need this particular computer and user account for. &lt;/p&gt;
&lt;p&gt;Why do I need to set the Dial-in parameter? The whole article does not say a word, why do I need to configure this attribute for the computer and user account. The default NPS 802.1x wired/wireless connection wizard sets the rule to &amp;quot;Grant&amp;quot; and enables the option &amp;quot;Ignore user dial-in properties&amp;quot;. So it seems to me the account dial-in config will be ignored anyway, why configure it then?&lt;/p&gt;
&lt;p&gt;At a later stage, there is again a bunch of TechNet articles thrown into my face, how to configure and install NPS. However in those TechNet URLs, they set up network policies based on GROUPS and not accounts. Yet another sign, that if you refer to the work of others, at least read them before using them in your own article.&lt;/p&gt;
&lt;p&gt;Next issue: Step 4: Configuring the NPS Server -&amp;gt; The NPS server requires a certificate. You can use the RAS and IAS certificate template to create a new template to use for NPS servers. The link below discusses configuring this template and enabling it for auto-enrollment: NPS Server Certificate: Configure the Template and Autoenrollment&lt;/p&gt;
&lt;p&gt;This URL goes to the certificate template duplication solution, and not the Windows 2003 CA solution, so again: there is no cohesion between the instructions for computer/user certificate autoenrollment, and NPS server certificate autoenrollment. If you &amp;quot;borrow&amp;quot; similar topics from others, borrow from the same guy, so similar topics borrowed will all look the same.&lt;/p&gt;
</description></item><item><title>re: Creating a secure 802.1x wireless infrastructure using Microsoft Windows</title><link>http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx#3571933</link><pubDate>Fri, 10 May 2013 14:07:34 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3571933</guid><dc:creator>Richard Pasztor</dc:creator><description>&lt;p&gt;Next issue: guidelines provided for installing PKI: &amp;nbsp;&amp;quot;Install a Certificate Infrastructure&amp;quot;, &amp;quot;Install Computer Certificates&amp;quot;, &amp;quot;Install User Certificates&amp;quot;. &lt;/p&gt;
&lt;p&gt;All these links point to obsolete Windows Server 2003 Certificate Services guides.&lt;/p&gt;
&lt;p&gt;This article was published on the 30th May 2012, so what is the reason for recommending guidelines based on 9-year-old technology, if Windows Server 2008 and Windows Server 2008 R2-based Certification Authority is also available, and the NPS itself is also a Windows Server 2008+ based technology. It does not make sense to use the most recent version of the RADIUS role of Microsoft (the NPS server), while referring to the CA, based on Windows Server 2003.&lt;/p&gt;
&lt;p&gt;The recommendations for installing computer and user certificates are also misleading! The Windows Server 2008/2008 R2 guides (I even specify the document title, you can look for it: Windows Server 2008 R2 Core Network Companion Guide: Deploying Computer and User Certificates) recommend duplicating templates (the result is a Version2 or v3 certificate template), which needs a different GPO solution to activate auto-enrollment.&lt;/p&gt;
&lt;p&gt;(just as a reference for the benefit of the readers: V1 template needs &amp;quot;Automatic Certificate Request Settings&amp;quot; GPO setting, V2 template needs &amp;quot;Certificate Services Client - Auto-Enrollment&amp;quot; GPO setting)&lt;/p&gt;
</description></item><item><title>re: Creating a secure 802.1x wireless infrastructure using Microsoft Windows</title><link>http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx#3571932</link><pubDate>Fri, 10 May 2013 14:06:17 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3571932</guid><dc:creator>Richard Pasztor</dc:creator><description>&lt;p&gt;Just wanted to say, this isn&amp;#39;t really a well written article. &lt;/p&gt;
&lt;p&gt;I read a lot of the articles on this blog, and most of them are a) professionally written, b) accurate, and c) also provide an end-to-end solution. By end-to-end I mean it guides me through all the steps from the beginning till the desired result is achieved, and they are made in a clear descriptive way. But they are definitely not written in the form of just throwing you a list of outdated TechNet articles, so you should &amp;quot;..go on and read them, I am not gonna waste my time here to explain all these things to you!&amp;quot;&lt;/p&gt;
&lt;p&gt;However, this particular post is like stealing (or &amp;quot;borrowing&amp;quot; if you say I am too harsh here) from unrelated TechNet articles, without proper explanations why each step or TechNet link is needed in the process of achieving a secure 802.1x wireless infrastructure. &lt;/p&gt;
&lt;p&gt;In order to justify my statement, let me highlight the issues in this article:&lt;/p&gt;
&lt;p&gt;Step 1: Configuring the Certificate Infrastructure -&amp;gt; EAP-TLS -&amp;gt; &amp;quot;Certificates on wireless client&amp;quot;: it says &amp;quot;computer certificates, user certificates, Root CA&amp;quot;. &lt;/p&gt;
&lt;p&gt;I know how PKI works, so it&amp;#39;s clear to me that the Root CA is a must here, out of question. But what is the relation between the computer and user certificate in this list? &amp;nbsp;&amp;quot;AND&amp;quot; or &amp;quot;OR&amp;quot;? The bottom part of the article talks about autoenrollment of domain-based computer certificates and certificates issued to the user. However, the PEAP-TLS CAN work with either user or computer certificate, it does not enforce both. This is not indicated in this article properly. The referenced NPS configuration TechNet article in &amp;quot;Step 4: Configuring the NPS Server&amp;quot; does not specify the explicit use of user or computer certificate, so why should we say at the beginning that we must have both?&lt;/p&gt;
&lt;p&gt;Also, &amp;quot;Root CA certificates for issuers of NPS server computer certificates&amp;quot; is an incomplete statement, as the &amp;quot;Root CA certificates for issuers of wireless client computer and user certificates&amp;quot; must also be present on the wireless client, otherwise the client won&amp;#39;t trust the user/computer certificate.&lt;/p&gt;
&lt;p&gt;Next issue (still in the same table): Certificates on NPS Server --&amp;gt; Computer certificates: this is incorrect terminology! On the NPS server actually a &amp;quot;Server&amp;quot;-type certificate must be present. Sounds like a minor difference, right? It&amp;#39;s not! A server certificate in the Microsoft terminology is a certificate that has the &amp;quot;Server Authentication&amp;quot; Enhanced Key Usage (EKU), as opposed to what the Microsoft terminology calls a &amp;quot;computer&amp;quot; certificate, which is a certificate with the &amp;quot;Client Authentication&amp;quot; EKU. Significant difference!&lt;/p&gt;
&lt;p&gt;Next issue: PEAP-MS-CHAP v2 -&amp;gt; Certificates on the NPS server -&amp;gt; only the computer certificate is listed here (which is the incorrect terminology, as explained above). But what about the Root CA cert that issued the &amp;quot;server&amp;quot; certificate for NPS? It must be listed in the table as well, that&amp;#39;s out of question.&lt;/p&gt;
</description></item><item><title>re: NLB 101: How NLB balances network traffic</title><link>http://blogs.technet.com/b/networking/archive/2008/10/01/nlb-101-how-nlb-balances-network-traffic.aspx#3570635</link><pubDate>Fri, 03 May 2013 17:04:14 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3570635</guid><dc:creator>Mrudul KD</dc:creator><description>&lt;p&gt;Thank you..! This definitely can save a call to Support..!&lt;/p&gt;
</description></item><item><title>re: Balancing Act: Dual-NIC Configuration with Windows Server 2008 NLB Clusters</title><link>http://blogs.technet.com/b/networking/archive/2008/11/20/balancing-act-dual-nic-configuration-with-windows-server-2008-nlb-clusters.aspx#3568024</link><pubDate>Sat, 20 Apr 2013 08:40:28 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3568024</guid><dc:creator>AngeloBartzis</dc:creator><description>&lt;p&gt;Excellent article! Solved the problem on our Win2008 R2 NLB Cluster.&lt;/p&gt;
</description></item><item><title>re: Tracking DNS Record Deletion</title><link>http://blogs.technet.com/b/networking/archive/2011/08/17/tracking-dns-record-deletion.aspx#3560122</link><pubDate>Thu, 21 Mar 2013 10:10:52 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3560122</guid><dc:creator>i.biswajith</dc:creator><description>&lt;p&gt;Nice&lt;/p&gt;
</description></item><item><title>re: Understanding IPv6, 3rd Edition has been published!</title><link>http://blogs.technet.com/b/networking/archive/2012/07/19/understanding-ipv6-3rd-edition-has-been-published.aspx#3554205</link><pubDate>Thu, 21 Feb 2013 17:33:51 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3554205</guid><dc:creator>Jose Barba</dc:creator><description>&lt;p&gt;nice bro good post&lt;/p&gt;
</description></item><item><title>re: The Network Connection Status Icon</title><link>http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx#3554118</link><pubDate>Thu, 21 Feb 2013 16:38:10 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3554118</guid><dc:creator>Jose Barba</dc:creator><description>&lt;p&gt;Thanks&lt;/p&gt;
</description></item><item><title>re: Deployment: Windows Firewall and Group Policy</title><link>http://blogs.technet.com/b/networking/archive/2013/01/31/deployment-windows-firewall-and-group-policy.aspx#3552794</link><pubDate>Fri, 15 Feb 2013 07:09:13 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3552794</guid><dc:creator>Waqas M</dc:creator><description>&lt;p&gt; &amp;nbsp;Nice post&lt;/p&gt;
</description></item></channel></rss>