
IAS + user smartcard + workstation certificate


dom...@gmail.com

Jul 6, 2007, 9:48:58 AM
Hi !

I want wireless clients to use PKI and IAS to get onto the network.

My idea is that the workstation is verified via a workstation certificate
before the user uses his smartcard (authentication via the user certificate
on his card).

I know I can use the workstation-certificate OR the user-smartcard option.

Is it possible to set them together as an access sequence?

Thanks in advance

Dominik

Brian Komar

Jul 6, 2007, 12:02:48 PM

This is a very commonly deployed model. The workstation authenticates
(allowing processing of GPO/scripts), and then the user is authenticated at
logon time to allow continued connectivity.
Brian

S. Pidgorny <MVP>

Jul 6, 2007, 9:48:51 PM
Just wanted to add quickly: even when dual authentication is enabled, it is
virtually impossible to _require_ both computer and user authentication,
because the server infrastructure considers computer and user authentication
requests separate and independent.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"Brian Komar" <bko...@identit.nospam.ca> wrote in message
news:zglnzwoc4j91.154v6mhxgsjrn$.dlg@40tude.net...

dom...@gmail.com

Jul 9, 2007, 8:32:17 AM
Hi !

But I can't find how to set it.
In the network connection properties (in the wireless card) there is an
option to use a smart card OR a certificate.
I can't set both at the same time.

When I choose SmartCard, the workstation certificate is not required (I
can remove it from my CertStore on the workstation).
But when I use the option "certificate stored on Computer", then I must have
the workstation certificate in the local Store and I don't need the smartcard.

I want to force that workstations must have their certificates in their local
stores and users must have their smartcards with PIN to get onto the network.

--
Dominik Weglarz

S. Pidgorny <MVP>

Jul 16, 2007, 5:57:10 AM
Please elaborate: what exactly is not working if you require certificate
authentication, have both the workstation and the user certificate along with
their private keys in the appropriate stores, and try to connect?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

<dom...@gmail.com> wrote in message
news:1183984337.9...@d55g2000hsg.googlegroups.com...

dom...@gmail.com

Aug 2, 2007, 6:01:53 AM
Everything works fine, workstation cert and smartcard cert, but
separately.
I wanted this:
1. Notebook is trying to get onto the network (via AccessPoint, IAS, AD)
2. System is checking the Notebook (via workstation certificate): is
this station valid (is this my notebook?)
3. IF this is a valid notebook (workstation cert is ok) THEN check the
user's SmartCard
4. IF the user's cert stored on the SmartCard is ok THEN allow the
Notebook access to the network and the user to log in.

I hope this elaboration is proper ;-)

Anyway, great thanks Svyatoslav for your help.

PS.
Where do you come from? Such a Slavonic name... :-)
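The four-step sequence above asks the server to grant the user only after the same notebook has passed machine authentication, while Svyatoslav's earlier post notes that the IAS-era server treats the computer request and the user request as separate and independent. The model below, added here as an example and not code from this thread or from IAS, shows both behaviours side by side in Python: an "independent" evaluator that judges each RADIUS Access-Request on its own, and an assumed correlation layer (hypothetical, keyed on the Calling-Station-Id, i.e. the client MAC the access point reports) that only accepts a user request when the same MAC completed machine authentication recently. The request objects, identities and MAC address are constructed sample data.

```python
"""Toy model of 802.1X/RADIUS policy evaluation for machine and user EAP-TLS
authentication. Constructed example: the requests below are made up and the
policy logic is a simplification, not IAS/NPS code."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    """Subset of a RADIUS Access-Request as an access point would send it."""
    identity: str            # EAP identity: "host/<fqdn>" for the computer, a UPN for a user
    calling_station_id: str  # client MAC address reported by the access point
    cert_chain_valid: bool   # outcome of the EAP-TLS certificate validation
    timestamp: float         # seconds; constructed, not wall-clock time


def is_machine_identity(identity: str) -> bool:
    """Windows computers present a 'host/' identity when they authenticate
    before any user has logged on."""
    return identity.lower().startswith("host/")


def evaluate_independently(req: AccessRequest) -> str:
    """Behaviour described in the thread: every Access-Request stands alone.
    A user request is accepted on the user certificate alone; nothing checks
    whether the same hardware authenticated as a machine first."""
    return "Access-Accept" if req.cert_chain_valid else "Access-Reject"


class MachineFirstPolicy:
    """Assumed correlation layer (hypothetical, not an IAS feature): remember
    which MACs completed machine authentication and require that before a
    user authentication from the same MAC is accepted. MAC correlation is a
    heuristic (a MAC can be spoofed), so treat it as defence in depth, not as
    proof that the user is sitting at a managed device."""

    def __init__(self, window_seconds: float = 8 * 3600):
        self.window = window_seconds
        self.machine_auth_at = {}  # MAC -> timestamp of last machine auth

    def evaluate(self, req: AccessRequest) -> str:
        if not req.cert_chain_valid:
            return "Access-Reject"
        mac = req.calling_station_id.lower()
        if is_machine_identity(req.identity):
            self.machine_auth_at[mac] = req.timestamp
            return "Access-Accept"
        seen = self.machine_auth_at.get(mac)
        if seen is None or req.timestamp - seen > self.window:
            # User certificate is fine, but no recent machine auth from this MAC.
            return "Access-Reject"
        return "Access-Accept"


def run_scenario():
    """Return the decisions both evaluators make for one constructed sequence."""
    mac = "00-11-22-33-44-55"  # constructed sample MAC
    requests = [
        AccessRequest("jan@example.local", mac, True, 0.0),            # user only
        AccessRequest("host/nb01.example.local", mac, True, 10.0),     # machine
        AccessRequest("jan@example.local", mac, True, 20.0),           # user after machine
        AccessRequest("jan@example.local", mac, False, 30.0),          # bad user cert
        AccessRequest("jan@example.local", mac, True, 10.0 + 9 * 3600),  # window expired
    ]
    independent = [evaluate_independently(r) for r in requests]
    policy = MachineFirstPolicy()
    correlated = [policy.evaluate(r) for r in requests]
    return independent, correlated


if __name__ == "__main__":
    for label, decisions in zip(("independent", "machine-first"), run_scenario()):
        print(label, decisions)
```

The first request in the scenario is the case Svyatoslav describes: a valid user certificate with no machine authentication is accepted by the independent evaluator, because nothing in that request says which notebook it came from. Only the stateful policy rejects it, and only because it keeps its own record across requests; that record is exactly what the 2003-era IAS policy model does not have.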

S. Pidgorny <MVP>

Aug 3, 2007, 6:50:09 AM
You're welcome. I'm Ukrainian.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

<dom...@gmail.com> wrote in message
news:1186048913....@b79g2000hse.googlegroups.com...

dom...@gmail.com

Aug 7, 2007, 6:23:44 AM
> You're welcome. I'm Ukrainian.

;-) I'm from Poland

And what about my elaboration? Is that situation possible in an XP-2003
environment?

Dominik

S. Pidgorny <MVP>

Aug 9, 2007, 5:14:37 AM
Yes, everything should work as you have described. The machine will connect to
the network automatically, and the Windows wireless client supports prompting
for the PIN when connecting to the WLAN. Automatically connecting while the
user logs on may be tricky; I'm not sure if the WLAN will connect automatically
if the user is using smart card logon. The best way to find out is to
experiment. I did that some three years back, so I don't remember all the
details. I settled for PEAP; it also works for the smart card logon users.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

<dom...@gmail.com> wrote in message
news:1186482224....@g4g2000hsf.googlegroups.com...
