We're designing a wireless LAN (WLAN) based on 802.1x-compliant wireless Access Points (APs) that use a Remote Authentication Dial-In User Service (RADIUS) server to authenticate against our Windows 2000 Active Directory (AD) domain. We're using Windows XP and Win2K clients, and we want to use computer certificates issued by our Win2K Certification Authority (CA) to authenticate clients to the WLAN. Because we're basing the client authentication on the computer's certificate instead of the user's certificate, we're concerned that an attacker who managed to steal one of our company laptops could then employ a well-known technique to log on to the laptop through a local SAM account. At that point, the intruder would have access to the LAN as well as the WLAN. Is our concern warranted, and is there a way to mitigate this threat?
The threat you've identified is the downside to using computer-only authentication to your WLAN. Anyone who logs on to the computer—even through a local SAM account—is connected to your network with a valid IP address. However, Windows provides a mitigating control called user re-authentication.
You can configure a computer to initially use its own certificate to authenticate to the WLAN and, after a user logs on interactively, require the user to authenticate to the WLAN. If the user doesn't authenticate, the computer will disconnect. This solution requires you to issue a certificate to each user as well as to each computer, but you can automate both certificate enrollments by using the Microsoft Management Console (MMC) Group Policy snap-in's Automatic Certificate Request Settings folder, which you'll find under the Computer Configuration\Windows Settings\Security Settings\Public Key Policies node.
To configure user re-authentication, open the Group Policy Object (GPO) in which you've configured your wireless network policy, then navigate to Computer Configuration\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies. Open the wireless network policy's Properties dialog box, select the IEEE 802.1x tab, and change the Computer authentication field from Computer only to With user re-authentication, as Figure 1 shows.
Thus configured, the computer initially authenticates to the WLAN using its own certificate, which lets the computer download Group Policy and system updates. When a user logs on, the computer tries to reauthenticate to the WLAN with a certificate that belongs to the user. If the user doesn't have a valid certificate, which he or she wouldn't after logging on through a local SAM account, the computer blocks access to the WLAN.
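The client-side control above can also be watched from the RADIUS side: a laptop logged on through a local SAM account keeps presenting its computer certificate (identity "host/<machine>") and no user credential ever follows. The script below is an added example, not code from the original column or from Microsoft; it runs over a constructed, simplified record format (timestamp, client MAC, EAP identity, result) and flags clients whose most recent computer-certificate Access-Accept was not followed by a user Access-Accept within a grace period. The "host/" identity prefix is the convention Windows EAP-TLS clients use for computer accounts; the log layout, MACs, names and grace value are assumptions for the example, and a real IAS/RADIUS log would need its own parser.

```python
"""Flag WLAN clients that stayed on computer-only authentication.

Added example, not part of the original column. The record format and all
sample values below are constructed for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample records: timestamp, client MAC, EAP identity, RADIUS result.
SAMPLE_LOG = """\
2024-05-01 08:00:05,00-11-22-33-44-55,host/LAPTOP01.corp.example,Access-Accept
2024-05-01 08:01:40,00-11-22-33-44-55,alice@corp.example,Access-Accept
2024-05-01 08:10:12,00-11-22-33-44-66,host/LAPTOP02.corp.example,Access-Accept
2024-05-01 08:12:30,00-11-22-33-44-77,host/LAPTOP03.corp.example,Access-Accept
2024-05-01 08:14:01,00-11-22-33-44-77,bob@corp.example,Access-Reject
2024-05-01 09:30:00,00-11-22-33-44-66,host/LAPTOP02.corp.example,Access-Accept
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"

Record = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Record]:
    """Parse the constructed CSV-style records into tuples sorted by time."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, mac, identity, result = line.split(",")
        records.append((datetime.strptime(ts, TIME_FMT), mac, identity, result))
    records.sort(key=lambda r: r[0])
    return records


def is_machine_identity(identity: str) -> bool:
    """Windows EAP-TLS computer authentication uses the 'host/<fqdn>' identity."""
    return identity.lower().startswith("host/")


def find_machine_only_sessions(records: List[Record],
                               now: datetime,
                               grace: timedelta = timedelta(minutes=10)) -> Dict[str, str]:
    """Return {client MAC: machine identity} for clients whose latest computer
    Access-Accept was not followed by a user Access-Accept within `grace`.

    Rejected user attempts do not count: a user without a valid certificate
    (as after a local SAM logon) is exactly the case we want to surface.
    """
    last_machine: Dict[str, Tuple[datetime, str]] = {}
    user_accepts: Dict[str, List[datetime]] = {}
    for ts, mac, identity, result in records:
        if result != "Access-Accept":
            continue
        if is_machine_identity(identity):
            last_machine[mac] = (ts, identity)
        else:
            user_accepts.setdefault(mac, []).append(ts)

    flagged: Dict[str, str] = {}
    for mac, (ts, identity) in last_machine.items():
        deadline = ts + grace
        if now <= deadline:
            continue  # still inside the grace period, nothing to report yet
        if any(ts < u <= deadline for u in user_accepts.get(mac, [])):
            continue  # a user re-authenticated in time
        flagged[mac] = identity
    return flagged


def audit(text: str, now_str: str) -> Dict[str, str]:
    """Convenience wrapper: parse the records and evaluate them at `now_str`."""
    return find_machine_only_sessions(parse_log(text), datetime.strptime(now_str, TIME_FMT))


if __name__ == "__main__":
    for mac, identity in sorted(audit(SAMPLE_LOG, "2024-05-01 10:00:00").items()):
        print(f"machine-only session: {mac} ({identity})")
```

On the constructed records LAPTOP01 is cleared because alice authenticated within the grace window, while LAPTOP02 (no user attempt at all) and LAPTOP03 (user attempt rejected, as it would be after a local SAM logon) are reported; the grace period only needs to cover the time a client legitimately spends on its computer certificate while it downloads Group Policy before a user logs on.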
The remaining computer authentication option that Figure 1 shows, With user authentication, is a strange option that causes Windows to use computer authentication until the computer moves out of range of one AP and into the range of another AP. At that point, the computer uses the user's credentials to authenticate to the new AP.