To connect to a wireless network, a user must acquire a certificate based on the custom version 2 certificate template discussed earlier in this chapter. To minimize the risks involved with deploying certificates, it is recommended to use autoenrollment for Windows XP computers and scripted enrollment for Windows 2000 computers.

To enable certificate autoenrollment for the user certificate template for Windows XP and Windows Server 2003 computers, you must do the following:

1. Modify the permissions of the custom certificate template to assign Read, Enroll, and Autoenroll permissions to a global or universal group containing all wireless users.

2. Modify the custom certificate template to not require user input during the enrollment process. By not requiring user input, certificates are issued to the user invisibly.

3. Ensure that the custom version 2 certificate template is available at one or more enterprise CAs for enrollment.

4. Enable the Autoenrollment Settings Group Policy setting at the OU or domain containing all wireless user accounts.

To enable scripted enrollment, you can use the enroll.vbs script discussed in Chapter 12. The enroll.vbs script can be used in a logon script to allow automated certificate enrollment for users with Windows 2000 computers.

Assuming that you have implemented an Organization Wireless User application policy OID in the Wireless User certificate template, and that the OID assigned is, you can use the following code in your logon script to enroll the Wireless User certificate:

cscript enroll.vbs /certtype wirelessuser /keyl 1024 /csp enhanced /app_policy /app_policy /fn "Wireless User"

This command enrolls the certificate template named wirelessuser with a key length of 1,024 bits using the Microsoft Enhanced Cryptographic Service Provider v1.0. In addition, the certificate is only requested if the user does not have an existing certificate with the Client Authentication ( and Organization Wireless User ( application policy OIDs. Finally, the certificate is assigned the friendly name of Wireless User when placed in the user's certificate store.
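To confirm that autoenrollment or the logon script actually produced a usable certificate, the same condition can be checked against the user's certificate store. The following PowerShell script is an added example, not part of enroll.vbs or of the original text; the Wireless User OID is a placeholder you must replace with your organization's value, and the script assumes Windows PowerShell is available on the client and that the issued certificate lists both OIDs in its Enhanced Key Usage extension.

```powershell
# Added example (not part of enroll.vbs): verify the enrollment result.
param(
    # Placeholder: the OID your organization assigned to the
    # Organization Wireless User application policy.
    [string]$WirelessUserOid = '<ORG-WIRELESS-USER-OID>'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$required = @($clientAuthOid, $WirelessUserOid)
$now = Get-Date

# Return the OIDs listed in a certificate's Enhanced Key Usage extension.
function Get-EkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
}

# Keep certificates that are within their validity period, have a private
# key, and carry every required OID.
$usable = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $cert = $_
    $ekus = @(Get-EkuOid $cert)
    $missing = @($required | Where-Object { $ekus -notcontains $_ })
    $cert.HasPrivateKey -and $missing.Count -eq 0 -and
        $cert.NotBefore -le $now -and $cert.NotAfter -gt $now
})

if ($usable.Count -eq 0) {
    Write-Warning 'No valid certificate with both application policies found.'
    exit 1
}

# Report what was found, including the key length that was actually issued.
$usable | Select-Object Thumbprint, FriendlyName, NotAfter,
    @{ Name = 'KeyBits'; Expression = { $_.PublicKey.Key.KeySize } }
```

A nonzero exit code means the user would fail the wireless authentication check and should be re-enrolled or investigated (template permissions, CA availability, or Group Policy scope).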

