Step 1A: Installing A Certificate Infrastructure - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

Creating the Windows Security Infrastructure
the installed root CA certificates in the Trusted Root Certification Authorities\Certificates folder and
you can view the intermediate CA certificates in the Intermediate Certification
Authorities\Certificates folder.
In a typical enterprise deployment, the certificate infrastructure is configured using a single root CA in
a three-level hierarchy consisting of root CA/intermediate CAs/issuing CAs. Issuing CAs are
configured to issue computer certificates or user certificates. When the computer or user certificate is
installed on the wireless client, the issuing CA certificate, intermediate CA certificates, and the root
CA certificate are also installed. When the computer certificate is installed on the IAS server computer,
the issuing CA certificate, intermediate CA certificates, and the root CA certificate are also installed.
The issuing CA for the IAS server certificate can be different from the issuing CA for the wireless
client certificates. Even in this case, both the wireless client and the IAS server computer have all the
required certificates to perform certificate validation for EAP-TLS authentication.
Best Practices
If you are using EAP-TLS authentication, use both user and computer certificates for both user and
computer authentication.
If you are using EAP-TLS authentication, do not also use PEAP-TLS. Allowing both protected and
unprotected authentication traffic for the same type of network connection renders the protected
authentication traffic susceptible to spoofing attacks.
If you already have a certificate infrastructure for EAP-TLS authentication and are using RADIUS for
dial-up or virtual private network (VPN) remote access connections, you can skip some of the
certificate infrastructure steps. You can use the same certificate infrastructure for wireless
connections. However, you must ensure that computer certificates are installed for computer
authentication.
For computers running Windows XP with no service packs installed, you must have user certificates
stored on the computer for user authentication (rather than using smart cards).
For computers running Windows Server 2003, Windows XP with Service Pack 1 (SP1), Windows XP
with Service Pack 2 (SP2), or Windows 2000, you can use either user certificates stored on the
computer or a smart card for user authentication.

Step 1a: Installing a Certificate Infrastructure

When installing a certificate infrastructure, use the following best practices:
Plan your public key infrastructure (PKI) before deploying CAs.
The root CA should be offline and its signing key should be secured by a Hardware Security Module
(HSM) and kept in a vault to minimize potential for key compromise.
Enterprise organizations should not issue certificates to users or computers directly from the root
CA, but rather should deploy the following:
An offline root CA
Offline intermediate CAs
Online issuing CAs (using Windows Server 2003 or Windows 2000 Certificate Services as an
enterprise CA)
This CA hierarchy provides flexibility and insulates the root CA from attempts by malicious users to
compromise its private key. The offline root and intermediate CAs do not have to be Windows
Server 2003 or Windows 2000 CAs. Issuing CAs can be subordinates of a third-party intermediate
CA.
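The following script is an added example and is not part of the Summit WM manual or of Windows Certificate Services. It builds, with OpenSSL, the three-level hierarchy described above (root CA, intermediate CA, issuing CAs), issues a wireless-client certificate from one issuing CA and an IAS server certificate from a different issuing CA, and then shows the point made in the chain-validation discussion earlier on this page: each leaf certificate validates to the root only when the intermediate and issuing CA certificates are available alongside it. The subject names, file names, validity periods and working directory are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Summit WM manual: build an offline-root ->
# intermediate -> issuing-CA hierarchy with OpenSSL, issue a client and an
# IAS server certificate from two different issuing CAs, and verify that each
# leaf chains to the root only when the intermediate/issuing certs are supplied.
# All names, paths and lifetimes below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# sign_request NAME ISSUER EXTFILE DAYS
# Signs NAME.csr with ISSUER's key; ISSUER "self" self-signs (the root CA).
sign_request() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$4" \
      -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days "$4" -extfile "$3" -out "$1.pem" >/dev/null 2>&1
  fi
}

# make_ca NAME SUBJECT ISSUER   (ISSUER "self" creates the root CA)
# CA certificates carry basicConstraints CA:TRUE and keyCertSign/cRLSign.
make_ca() {
  openssl genrsa -out "$1.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1.ext"
  sign_request "$1" "$3" "$1.ext" 3650
}

# make_leaf NAME SUBJECT ISSUER EKU   (EKU: clientAuth or serverAuth)
# End-entity certificates are CA:FALSE with an EKU matching their EAP-TLS role.
make_leaf() {
  openssl genrsa -out "$1.key" 2048 >/dev/null 2>&1
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' "$4" > "$1.ext"
  sign_request "$1" "$3" "$1.ext" 365
}

build_pki() {
  make_ca root "/CN=Example Root CA" self
  make_ca intermediate "/CN=Example Intermediate CA" root
  make_ca issuing1 "/CN=Example Issuing CA 1" intermediate
  make_ca issuing2 "/CN=Example Issuing CA 2" intermediate
  # Client and IAS server certificates come from different issuing CAs.
  make_leaf client "/CN=wireless-client.example.net" issuing1 clientAuth
  make_leaf ias "/CN=ias.example.net" issuing2 serverAuth
  # The chain each side must hold (next to the root) to validate the peer's cert.
  cat intermediate.pem issuing1.pem issuing2.pem > chain.pem
}

# chain_ok CERT PURPOSE: exit 0 when CERT chains to the trusted root through the
# supplied intermediate/issuing certs and its EKU fits PURPOSE (sslclient/sslserver).
chain_ok() {
  openssl verify -CAfile root.pem -untrusted chain.pem -purpose "$2" "$1" >/dev/null 2>&1
}

# root_only_ok CERT: the same check with only the root trusted and no chain.
# This fails, which is why the issuing and intermediate CA certificates are
# installed together with the computer or user certificate.
root_only_ok() {
  openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
}

build_pki
for c in client.pem:sslclient ias.pem:sslserver; do
  cert=${c%%:*}; purpose=${c##*:}
  if chain_ok "$cert" "$purpose"; then echo "$cert: valid for $purpose with chain"; fi
  if ! root_only_ok "$cert"; then echo "$cert: rejected without the intermediate chain"; fi
done
```

The `-purpose` check also enforces the role split: the client certificate, issued with `extendedKeyUsage=clientAuth`, is rejected when verified as a server certificate, which is the behaviour an EAP-TLS peer relies on when it validates the certificate presented by the other side.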
34
Summit WM Technical Reference Guide, Software Version 5.1
