
When using 802.1x certificate-based authentication on Windows machines, should I use a different certificate for each machine?

There is a RADIUS server running in the network; the machines use EAP-TLS to talk to the network switch.

If I should, how do I distribute these certificates to hundreds of computers? Does this always require manual intervention? I am thinking that a PC without the certificate cannot connect to the network, so such a task cannot be scripted easily using GPO. I can imagine this is a problem when adding new computers or issuing new certificates.

Asked by David (edited by HopelessN00b)
  • Gave an answer without asking this first, but what does the linux tag have to do with this question? Anything at all? – HopelessN00b May 01 '14 at 13:59
  • We are running FreeRADIUS on Debian GNU/Linux. I added it as a last tag, the auto-sorting rendered it somewhat more important than it is. – David May 01 '14 at 14:27
  • Ah, alright. Well, I replaced it with the PKI tag, which I felt was more relevant. The OS that's running RADIUS doesn't matter a whole lot, at least for how you manage your Windows clients, just so long as they can communicate with each other, which should be the case with that setup. – HopelessN00b May 01 '14 at 14:30

1 Answer

When using 802.1x certificate-based authentication on Windows machines, should I use a different certificate for each machine?

Yes, otherwise you may as well be using a shared passkey. Having a different certificate for each machine (or user) is how you prevent clients from being able to decrypt each others' traffic.

If I should, how do I distribute these certificates for hundreds of computers? Does this always require manual intervention?

Actually, the typical method is a GPO that assigns the machine a certificate signed by the internal certificate authority.

What you're looking for are the Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies section under Group Policy Management.

There is a fair bit of setup involved on your part, but once you get it running, it is relatively maintenance-free, and very automagical. I've attached a screenshot below of our certificate-related Group Policy settings to give you an idea of what's involved.

[Screenshot: the answerer's certificate-related Group Policy settings]

Notice the unexpanded Wireless Network (802.11) Policies Group Policy settings; this is where I define the wireless network and set our wireless clients to auto-join it. I have a couple of ADDS Certificate Authorities set up, which are then made trusted by all machines in Public Key Policies/Trusted Root Certification Authorities. The certificate request is generated automatically, and clients are enrolled automatically, according to the machine certificate template I've created (on our Certificate Authorities).

This setup does mean that computers have to connect to the domain and get their certificate before they can use the RADIUS-authenticated wireless network, but that's handled when the machine is initially imaged, and why there typically isn't a problem pushing certs out via Group Policy - to join the domain, you have to be able to connect to it, so a certificate can be created and assigned at that time.

Just as a quick word of warning, be careful with those auto-enrollment settings (and test first), or you might end up like my dumb ass did, with hundreds of thousands of certificates you can't revoke, because you're issuing a new one on every logon and startup. (Oops!)

Answered by HopelessN00b
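The answer's two practical points are that each client needs its own auto-enrolled machine certificate and that a misconfigured auto-enrollment policy can silently mint a new certificate on every startup. The following PowerShell script is an added example (it is not part of HopelessN00b's answer and is not Microsoft tooling): run in an elevated prompt on a domain-joined client, it reports the machine auto-enrollment policy the GPO wrote, lists the certificates in the machine store that EAP-TLS could use (private key present, Client Authentication EKU), and flags the over-enrollment symptom the answer warns about. The registry key, the `AEPolicy` value name and the OIDs are standard Windows/PKIX values; the interpretation of `AEPolicy` values in the comments reflects how the GPO editor writes them and is an assumption you should confirm against your own policy, and the store path assumes the default `LocalMachine\My` store.

```powershell
# Added example: audit a Windows client for EAP-TLS machine certificates and
# for the "Certificate Services Client - Auto-Enrollment" policy state.
# Assumptions: domain-joined client, default LocalMachine\My store, elevated shell.

# The auto-enrollment GPO writes its machine-scope setting here. Assumed value
# meanings (confirm in your environment): 7 = enabled with "renew expired /
# update pending / remove revoked" and "update certificates that use templates";
# a value with the 0x8000 bit set means the policy was explicitly disabled.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning "No machine auto-enrollment policy under $aeKey - the GPO may not have applied yet (try gpupdate /force)."
} elseif ($aePolicy -band 0x8000) {
    Write-Warning "Machine auto-enrollment is disabled by policy (AEPolicy = 0x{0:X})." -f $aePolicy
} else {
    "Machine auto-enrollment AEPolicy = $aePolicy"
}

# EAP-TLS needs a certificate carrying the Client Authentication EKU (PKIX OID).
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

# The issuing template is recorded in one of two Microsoft extensions:
# 1.3.6.1.4.1.311.20.2 (v1 templates, plain name) or
# 1.3.6.1.4.1.311.21.7 (v2+ templates, "Template=Name(OID), Major..., Minor...").
$templateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    if (-not $ext) { return '(no template extension)' }
    # Keep only the template identifier, dropping version fields and the "Template=" label.
    (($ext.Format($false) -split ',')[0] -replace '^Template=', '').Trim()
}

$now = Get-Date
$machineCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }

if (-not $machineCerts) {
    Write-Warning 'No machine certificate with a private key and the Client Authentication EKU; EAP-TLS cannot succeed until enrollment completes.'
}

$report = foreach ($c in $machineCerts) {
    [pscustomobject]@{
        Subject    = $c.Subject
        Template   = Get-TemplateName -Cert $c
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Valid      = ($c.NotBefore -le $now -and $c.NotAfter -gt $now)
        Thumbprint = $c.Thumbprint
    }
}
$report | Sort-Object Template, NotAfter | Format-Table -AutoSize

# Over-enrollment check: one template should normally yield one currently valid
# machine certificate. Several valid certificates from the same template on one
# host is the symptom of a new certificate being issued on every startup.
$report |
    Where-Object Valid |
    Group-Object Template |
    Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Warning ("Template '{0}' has {1} currently valid certificates on this host; review the template's enrollment and supersede settings." -f $_.Name, $_.Count)
    }
```

Run it before opening the network to 802.1x enforcement and again after the first few reboots of a test machine: a second valid certificate from the same template after a reboot is the early signal of the re-enrollment loop described in the answer, while the CA is still at a handful of certificates rather than hundreds of thousands.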
  • First of all, thank you very much for your answer! I may have understood something incorrectly, but I assume that you are talking *only* about wireless network security. We also need to enforce LAN security, but I assume the procedure is very much the same. Except that after installation, a default certificate has to be installed to connect to the domain, then downloading the certificate that will be used onwards (GPOs). Correct? – David May 01 '14 at 14:30
  • @David Correct, we use this for wireless only, but the procedure for enforcing wired security is very much the same, with the difference being that you'll need to find a different way to generate and transfer the certificate originally. Not sure exactly what would work best for you, but I would handle the certificate at the same time or in the same step at which you join the new machine to the domain - it could be a manual thing, or a scripted thing, or if you can create a small, unauthenticated network (or exclusions) for the purposes of imaging and joining, it can be an automagical thing too. – HopelessN00b May 01 '14 at 14:38
  • One last question, hope you don't mind. I have been doing research on RADIUS (incl. RFCs) and I could not find a piece of information I consider elementary. If RADIUS authenticated me through the NAS, it provided the NAS with the list of services I may use on the network. This communication with the RADIUS server is encrypted, but how about the rest of it? I mean, does RADIUS only encrypt the information it exchanges in order to authorize me, or does all the communication pass through a secure TLS channel? – David May 01 '14 at 14:48
  • @David RADIUS is strictly AAA. So you can encrypt your communications with the RADIUS server, and then use a cleartext protocol like telnet or http to connect elsewhere once you're authenticated, and your data will go over the wire completely unencrypted. – HopelessN00b May 01 '14 at 14:52