Velocity Reviews - Computer Hardware Reviews


New user authentication over wireless

 
 
msteinhoff
 
      02-18-2009
I am having an issue when a new user attempts to logon to a laptop for the
first time using the wireless network. Here are some specifics:

Laptop OS: Windows XP SP2
Server: Server 2000 SP 4 IAS/RADIUS for authentication
Windows Wireless Settings:
  Network Auth: WPA
  Data Encry: AES
  EAP Type: PEAP
  Properties:
    Check next to Validate server certificate
    no other checks
    Select auth method:
      Secured Password (EAP-MSCHAP v2)
      Configure:
        check next to Automatically use my Windows logon name and password
  no check next to Auth as computer when comp info is available
  no check next to auth as guest when user or computer info is unavailable


Problem details:

Running a sniff on the traffic to the auth server showed that Windows is
sending the computer\login information for the person who previously logged
into that device and successfully authenticated to the domain. The following
is an example:

local admin logs onto laptop, changes wireless settings to match above and
logs off
new user attempts to connect to the wireless
sniff shows the laptop sending the local admin's information to the RADIUS,
not the user trying to login. login attempt fails

If I connect the laptop to the wired network and have the new user log in to
that device, then they attempt to connect to the wireless, everything works as
it should.

These are training laptops and can potentially have a different user logging
into AD every day, how do I resolve this?

 
Phillip Windell
 
      02-18-2009
You cannot use the "utility" that came with the wireless Nic to manage its
activity. You need to have the Wireless Zero Configuration Utility manage
the Nic.

The reason for this is that the third party Tool will not activate and have
the Nic connect properly until the currently logged on user is at their
Desktop,...which requires a "cached account",...which doesn't exist because
the user has never logged into that machine before.

However the WZC Utility runs as a Service and will activate the Nic before
the user attempts to log in,...therefore the machine is already actively "on
the network" before the user actually logs in (just like a wired
nic),...therefore the Domain controller is available to authenticate the
user and allow the cached account to be created.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

Phillip Windell
 
      02-18-2009
"msteinhoff" <> wrote in message
news:8D5AA542-C6C2-4D24-B475-...
> Windows Wireless Settings:
>   Network Auth: WPA
>   Data Encry: AES
>   EAP Type: PEAP
>   Properties:
>     Check next to Validate server certificate
>     no other checks
>     Select auth method:
>       Secured Password (EAP-MSCHAP v2)
>       Configure:
>         check next to Automatically use my Windows logon name and password
>   no check next to Auth as computer when comp info is available
>   no check next to auth as guest when user or computer info is unavailable




Mine looks like this if I use only WPA with AES
(normally I use WPA-PSK)
  Network Auth: WPA
  Data Encry: AES
  EAP Type: SmartCard or other Certificate
  Properties:
    Use Certificate on this computer
    Use simple certificate selection
    (*nothing else* selected)
  *Enabled* check next to Auth as computer when comp info is available
  *Disabled* check next to auth as guest when user or computer info is unavailable



--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Phillip Windell
 
      02-18-2009
"msteinhoff" <> wrote in message
news:8D5AA542-C6C2-4D24-B475-...
>I am having an issue when a new user attempts to logon to a laptop for the
> first time using the wireless network. Here are some specifics:
>
> Laptop OS: Windows XP SP2
> Server: Server 2000 SP 4 IAS/RADIUS for authentication


You don't need a RADIUS Server for what I described. That is needless extra
work, complexity, and overhead.

These are *training laptops* as you said,...keep it simple.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
Robert L. (MS-MVP)
 
      02-18-2009
I don't see any issues with your configuration except "Network Auth: WPA".
If you use IAS/RADIUS, it should be WPA-ENT. As I posted previously,
"Whenever I have a problem with our WPA-Ent TKIP, I would check the IAS
event log first".

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com

msteinhoff
 
      02-19-2009
We are using WZC, not third party software to manage the wireless NIC.

"Phillip Windell" wrote:

> You cannot use the "utility" that came with the wireless Nic to manage its
> activity. You need to have the Wireless Zero Configuration Utility manage
> the Nic.
>
> The reason for this is that the third party Tool will not activate and have
> the Nic connect properly until the currently logged on user is at their
> Desktop,...which requires a "cached account",...which doesn't exist because
> the user has never logged into that machine before.
>
> However the WZC Utility runs as a Service and will activate the Nic before
> the user attempts to log in,...therefore the machine is already actively "on
> the network" before the user actually logs in (just like a wired
> nic),...therefore the Domain controller is available to authenticate the
> user and allow the cached account to be created.

msteinhoff
 
      02-19-2009
I agree the configuration looks good. The problem that I have is that a user
who has not connected to the wireless before on that specific laptop cannot
connect. If I run an auth trace on the wireless controller, I see the
credentials of the local administrator attempting to auth to the RADIUS
server, not the user that is attempting to log in. I'll post that tomorrow.

"Robert L. (MS-MVP)" wrote:

> I don't see any issues with your configuration except "Network Auth: WPA".
> If you use IAS/RADIUS, it should be WPA-ENT. As I posted previously,
> "Whenever I have a problem with our WPA-Ent TKIP, I would check the IAS
> event log first".
 
 
 