Need sanity check: steps to setting up certificate enrollment for dot1x/PEAP/Active Directory

john lists.john at gmail.com
Wed May 13 23:33:03 CEST 2009


Hi all,

I need help thinking my deployment plans through. I hope folks on the
list will help me clarify my thinking.

I intend to set up .1X access control on our LAN via FreeRADIUS. Here's
what this would look like.

Windows 2003 Standard Ed/Active Directory <=> Winbind/Samba
<=> FreeRADIUS <=> NAS <=> <PEAP/MSCHAPv2> <=> Windows XP/SP2
workstations.

I'd like to enforce network access by making FreeRADIUS check for host
certificates (by using 'EAP-TLS-Require-Client-Cert = Yes' under the
PEAP section in eap.conf), so that only computers with valid host
certs AND domain credentials will be allowed port access via the NAS
to the LAN.

My understanding is that best practice says that each computer cert
should be unique. I think I could use two approaches to creating
certs and getting them to the client. Here are the two alternatives I
think would work:

Scenario #1

For 300 host machines on LAN

1. From the /certs directory, use the make scripts to generate a unique
client.pem using the FQDN of each host.
2. Copy and install the host cert (fqdn.pem) and ca.der to each Windows
XP/SP2 client.

This would all be done by hand, e.g. we would need to sit down at every
host and install the cert. If this general outline is correct,
which file on FreeRADIUS would we remove if we wished to revoke a
host's certificate?

If I am way off base here, I'd love to get corrected.

Is there any way to automate this procedure in our LAN environment
other than scenario #2 below?


Scenario #2


In order to auto-magically distribute unique computer certs to Windows
2003 domain members, I understand that
Windows 2003 Enterprise Edition has the ability to create template
certs and roll a unique cert for each host joined to the domain, and
also to push the customized cert to each domain member via GPO.

However, we don't currently run Win2k3 Enterprise Edition, but we would
consider buying it if we thought that it would save us a lot of time
for installation and future management of certs. Using this approach, I
think we would need to do the following.

1. From the /certs directory, use 'make server.csr' to create a
Certificate Signing Request, which we would then import into our Active
Directory CA.
2. We would need to follow the steps outlined here
http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-October/msg00515.html
to get our server cert, which we generated on FreeRADIUS, signed by the
Active Directory CA.
3. We could then import that signed cert into AD for automatic
distribution and enrollment per
http://www.wicked-styles.com/bitsandpieces/articles/enterprise_wi-fi_security/index.html


I hope folks can help fill in the missing pieces here and also let me
know which approach makes sense given the number of clients we have
and the environment I've outlined above. Has anyone had any experience
with either scenario? Is there a better way than the ones I've
outlined?

Thanks very much!

John
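The per-host certificate lifecycle that Scenario #1 describes (one client cert per FQDN, plus the revocation question), shown as an added example that is not part of the original post and is not the FreeRADIUS certs/ Makefile: it builds a throwaway OpenSSL CA, issues a clientAuth cert per workstation from a constructed host list, revokes one host, publishes a CRL, and verifies each cert against the CA and the CRL the way a RADIUS server would. The hostnames, the ./ca directory layout and every config section are assumptions made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeRADIUS certs/ Makefile).
# Per-host client certificate lifecycle with a private OpenSSL CA:
# issue one cert per FQDN, revoke one host, publish a CRL, verify against it.
# Assumptions: the host list, the ./ca layout and the config sections below
# are made up for this example.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Constructed list of workstation FQDNs; in production this comes from AD.
HOSTS="pc1.example.local pc2.example.local pc3.example.local"

mkdir -p ca/newcerts hosts
: > ca/index.txt          # CA database: one line per issued cert (V/R status)
echo 01 > ca/serial
echo 01 > ca/crlnumber

# Minimal openssl.cnf shared by 'openssl req' and 'openssl ca'.
cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca       = CA_default

[ CA_default ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
unique_subject   = no

[ policy_cn_only ]
commonName       = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Self-signed root CA. ca.pem is what every client trusts and what the
#    RADIUS server uses to validate client certs.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config ca/openssl.cnf -subj "/CN=Example Root CA" \
    -keyout ca/ca.key -out ca/ca.pem 2>/dev/null

# issue_host_cert FQDN: key + CSR for one host, signed with a clientAuth EKU
# and the FQDN in the SAN, so each machine gets its own unique cert.
issue_host_cert() {
    fqdn=$1
    openssl req -new -newkey rsa:2048 -nodes -config ca/openssl.cnf \
        -subj "/CN=$fqdn" -keyout "hosts/$fqdn.key" -out "hosts/$fqdn.csr" 2>/dev/null
    cat > "hosts/$fqdn.ext" <<EOF
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$fqdn
EOF
    openssl ca -config ca/openssl.cnf -batch -notext \
        -extfile "hosts/$fqdn.ext" -extensions client_ext \
        -in "hosts/$fqdn.csr" -out "hosts/$fqdn.pem" 2>/dev/null
}

# 2. Revocation marks the serial 'R' in the CA database and is published as
#    a signed CRL; the issued .pem files themselves are left in place.
revoke_host_cert() {
    openssl ca -config ca/openssl.cnf -revoke "hosts/$1.pem" 2>/dev/null
    openssl ca -config ca/openssl.cnf -gencrl -out ca/crl.pem 2>/dev/null
}

# cert_is_valid FQDN: chain check plus CRL check, i.e. what the server does.
cert_is_valid() {
    openssl verify -CAfile ca/ca.pem -CRLfile ca/crl.pem -crl_check \
        "hosts/$1.pem" >/dev/null 2>&1
}

for h in $HOSTS; do issue_host_cert "$h"; done
openssl ca -config ca/openssl.cnf -gencrl -out ca/crl.pem 2>/dev/null  # empty CRL
revoke_host_cert pc2.example.local

for h in $HOSTS; do
    if cert_is_valid "$h"; then echo "$h: valid"; else echo "$h: revoked or untrusted"; fi
done
```

The point of the verify step is that a revoked host still holds a syntactically valid, in-date certificate; what changes is the CRL the server checks against, so the server side has to be configured to consult it (in FreeRADIUS 2.x that is the check_crl and CA_path settings in the tls section of eap.conf, which expect the CA cert and CRL in a hashed directory).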