Welcome to blogs.conchango.com

Neil Chapman's Blog

All things Mobile...

Wireless 802.1x authentication on Windows Mobile 5

I'd like to pass on some of the experience I've had with Windows Mobile 5 (WM5) and getting it to authenticate to an enterprise Wi-Fi network using the 802.1X standard, in particular with EAP-TLS.

An example situation for an enterprise is this:

 

  • There is an existing wireless infrastructure with several hundred access points.
  • A Windows PKI is already in place.
  • The certificate authority (CA) does not use the standard certificate templates; it issues from custom ones.
  • XP notebooks already authenticate to the wireless network with WPA and EAP-TLS.
  • Their certificates are enrolled through Windows Group Policy.
  • Microsoft IAS (Internet Authentication Service) is the RADIUS server, and it authenticates against the user accounts in Active Directory.

 

The challenge is this:

 

  • Deploy several thousand Windows Mobile 5 devices.
  • Get them authenticating with WPA and EAP-TLS, using a personal (user) certificate on each device, to meet security policy.
  • Make the whole process easy for a non-technical end user.

 

So I did some digging to see what other companies had done for large-scale Windows Mobile Wi-Fi authentication, and all I could find was WEP keys and WPA-PSK. That avenue wasn't giving me much guidance, so I concentrated on testing the limits of what Windows Mobile 5 could do.

 

The main issues I came across:

 

1. Getting a personal certificate onto the device.

 

First, let me be clear about two things. WM5 devices do not support machine certificates. They have a hidden certificate store that looks as if it might, and it looks as if a machine ID could be attached to the personal certificate and used during authentication, but don't bother: it won't work. Secondly, using the WM5 device's web browser to enrol a personal certificate from the CA will not work either; the browser cannot run the ActiveX controls the CA's enrollment pages require.

 

A lot of WM5 devices come with enrollers for personal certificates, but most don't seem to cope with custom certificate templates (Dell wrote one that did, though). So the only ways round this are to go back to the manufacturer and ask, or to write your own. I opted for writing my own, as the code is available on Microsoft's website. The enroller also needs a network connection to the CA to fetch the certificate, so we had a choice:

  A) Connect the device to a PC that can reach the CA, through ActiveSync.
  B) Authenticate the device with WEP or WPA-PSK to a "provisioning" Wi-Fi VLAN that has access to a CA.
  C) Forget the enroller, copy the certificate over manually from a PC or smart card, and use a third-party utility to install it.

Which you choose should depend on how you're going to deploy the devices. Some device management software can also put the certificate on the device for you, but once again that requires network connectivity.


2. Getting a username / domain prompt when EAP-TLS authenticates to IAS.

 

When I use EAP-TLS on an XP laptop, the wireless access point passes the request back to the IAS RADIUS server, which uses the user name and issuer fields from the certificate to authenticate the connection. The laptop user doesn't have to do anything.

 

On the Windows Mobile 5 device, the wireless access point passes the request back to the IAS RADIUS server, and then I get a prompt on the device to enter the username and domain. I enter these credentials and away I go. I still don't understand why I have to enter these details when an XP client authenticates without interaction using EAP-TLS. This might have been OK, until I roamed to another AP: I get asked for authentication again! I cannot understand or explain this behaviour, and I couldn't fix it. It may be related to the brand of AP, or to some IAS tweak, but it's not something I could find in the time I had. PEAP-MSCHAPv2 also behaved identically.
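One thing worth checking before suspecting the AP or IAS, added here as an example and not part of the original post: IAS identifies an EAP-TLS client by the User Principal Name (UPN) carried in the certificate's subjectAltName (falling back to the subject name), and it only accepts the certificate for client authentication if it carries the Client Authentication extended key usage. If a certificate issued from a custom template lacks either, the RADIUS server cannot work out which account the certificate belongs to from the certificate alone. The script below is my own, written for this page using the third-party Python `cryptography` package (an assumption; the post itself does not use it). It builds constructed, self-signed sample certificates with and without those fields and reports what is missing; `eap_tls_findings` can be pointed at a certificate exported from a real device to run the same check.

```python
"""Check whether a user certificate carries what IAS needs for EAP-TLS.

Added example using the third-party `cryptography` package
(pip install cryptography). The certificates it builds are self-signed
test data, constructed here, not enterprise-issued ones.
"""
from datetime import datetime, timedelta

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Microsoft's otherName OID for a User Principal Name in subjectAltName
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")


def der_utf8string(text: str) -> bytes:
    """DER-encode a short UTF8String (tag 0x0C, single-byte length)."""
    data = text.encode("utf-8")
    if len(data) >= 128:
        raise ValueError("long-form DER length not implemented")
    return bytes([0x0C, len(data)]) + data


def der_utf8string_decode(der: bytes) -> str:
    """Inverse of der_utf8string; rejects anything else."""
    if len(der) < 2 or der[0] != 0x0C or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER UTF8String")
    return der[2:].decode("utf-8")


def make_user_cert(upn: str, client_auth: bool = True,
                   with_upn: bool = True, days: int = 365) -> x509.Certificate:
    """Constructed self-signed cert shaped like a template-issued user cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, upn.split("@")[0])])
    eku = ExtendedKeyUsageOID.CLIENT_AUTH if client_auth else ExtendedKeyUsageOID.SERVER_AUTH
    now = datetime.utcnow()
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.ExtendedKeyUsage([eku]), critical=False)
        .add_extension(
            x509.KeyUsage(
                digital_signature=True, content_commitment=False,
                key_encipherment=True, data_encipherment=False,
                key_agreement=False, key_cert_sign=False, crl_sign=False,
                encipher_only=False, decipher_only=False,
            ),
            critical=True,
        )
    )
    if with_upn:
        san = x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256())


def extract_upns(cert: x509.Certificate) -> list:
    """UPN otherName values from subjectAltName; empty list if none."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return []
    return [der_utf8string_decode(gn.value)
            for gn in san if isinstance(gn, x509.OtherName) and gn.type_id == UPN_OID]


def eap_tls_findings(cert: x509.Certificate) -> list:
    """Reasons the cert cannot identify a user to the RADIUS server by itself."""
    findings = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            findings.append("EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)")
    except x509.ExtensionNotFound:
        findings.append("no Extended Key Usage extension")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not ku.digital_signature:
            findings.append("Key Usage lacks digitalSignature (needed for TLS client auth)")
    except x509.ExtensionNotFound:
        pass  # an absent Key Usage extension does not restrict the key
    if not extract_upns(cert):
        findings.append("no UPN in subjectAltName; account must come from the subject or be typed in")
    now = datetime.utcnow()  # cert times are naive UTC in this library
    if not (cert.not_valid_before <= now <= cert.not_valid_after):
        findings.append("certificate is not currently valid")
    return findings


if __name__ == "__main__":
    good = make_user_cert("jsmith@corp.example")
    bad = make_user_cert("jsmith@corp.example", client_auth=False, with_upn=False)
    for label, cert in (("good", good), ("bad", bad)):
        print(label, extract_upns(cert), eap_tls_findings(cert) or "OK")
```

To check a real device certificate, load it with `x509.load_der_x509_certificate` or `x509.load_pem_x509_certificate` and pass the result to `eap_tls_findings`; an empty list means the certificate carries everything the RADIUS side needs, and anything else is a template problem to raise with whoever owns the CA before touching the access points.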


What does all this mean? From my perspective, EAP-TLS on WM5 is very hard work, with very little support information out there. You could always try PEAP-MSCHAPv2, but I still got the authentication box popping up when I roamed.

 

If you've managed to deploy EAP-TLS successfully, please let me know by contacting me through this blog.

 

Neil

Published 10 August 2006 13:44 by neil.chapman

Comments

 

Rod Trent at myITforum.com said:

I'd like to pass on some of the experience I've had with Windows Mobile 5 and getting it running on 802.1x...
August 11, 2006 14:18
 

cmcknz77 said:

My programming abilities are nowhere near as advanced as yours... Would you be able to provide links to where on the Microsoft website the code for writing your own Wi-Fi enroller is? Or perhaps a link to the one you wrote?

I'm on an EAP-TLS network and need to be able to connect a number of WM6 devices to it.

January 29, 2008 03:35