New user authentication over wireless

Discussion in 'Wireless Networking' started by msteinhoff, Feb 18, 2009.

  1. msteinhoff

    msteinhoff Guest

    I am having an issue when a new user attempts to logon to a laptop for the
    first time using the wireless network. Here are some specifics:

    Laptop OS: Windows XP SP2
    Server: Server 2000 SP 4 IAS/RADIUS for authentication
    Windows Wireless Settings:
    Network Auth: WPA
    Data Encry: AES
    EAP Type: PEAP
    Properties:
    Check next to Validate server certificate
    no other checks
    Select auth method:
    Secured Password (EAP-MSCHAP v2)
    Configure:
    check next to Automatically use my Windows logon name and password
    no check next to Auth as computer when comp info is available
    no check next to auth as guest when user or computer info is unavailable


    Problem details:

    Running a sniff on the traffic to the auth server showed that Windows is
    sending the computer\login information for the person who previously logged
    into that device and successfully authenticated to the domain. The following
    is an example:

    local admin logs onto the laptop, changes the wireless settings to match
    the above and logs off
    new user attempts to connect to the wireless
    sniff shows the laptop sending the local admin's information to the RADIUS,
    not the user trying to log in. Login attempt fails

    If I connect the laptop to the wired network and have the new user log in to
    that device, then when they attempt to connect to the wireless everything
    works as it should.

    These are training laptops and can potentially have a different user logging
    into AD every day; how do I resolve this?
    msteinhoff, Feb 18, 2009
    #1
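The check described in the post above, sniffing the traffic to the authentication server to see which identity the laptop presents, can be done directly on the RADIUS packets. The following is an added example and not code from the thread or from Microsoft: it assumes the input is the UDP payload of a RADIUS Access-Request (RFC 2865) in which the PEAP identity travels as an EAP Identity Response inside EAP-Message attributes (RFC 3579), and every identity, MAC address and packet in it is constructed for the example. It reassembles fragmented EAP-Message attributes, validates the length fields so a truncated capture fails loudly, and classifies the presented identity as a user or as the machine account (the `host/computer.domain` form Windows presents when "Authenticate as computer when computer information is available" is enabled).

```python
"""Added example, not code from the thread: read RADIUS Access-Request payloads
(RFC 2865) and report which identity the wireless supplicant presented. Assumes
the input is the raw UDP payload between the NAS and IAS, with the PEAP identity
carried as an EAP Identity Response (RFC 3748) inside EAP-Message attributes
(RFC 3579). Identities, MAC addresses and packets are constructed, not captured."""
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_EAP_MESSAGE = 1, 31, 79
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1
MAX_ATTR_VALUE = 253  # the length octet covers type+length+value, max 255

def attr(attr_type, value):
    """Encode one attribute; values over 253 octets become consecutive
    attributes of the same type, which is how EAP-Message is fragmented."""
    out = b""
    for i in range(0, len(value), MAX_ATTR_VALUE):
        chunk = value[i:i + MAX_ATTR_VALUE]
        out += struct.pack("!BB", attr_type, 2 + len(chunk)) + chunk
    return out

def build_access_request(identity, calling_station, ident):
    """Constructed Access-Request shaped like a PEAP supplicant's first message:
    User-Name plus an EAP Identity Response (Request Authenticator zeroed here)."""
    ident_bytes = identity.encode("utf-8")
    eap = (struct.pack("!BBH", EAP_RESPONSE, ident, 5 + len(ident_bytes))
           + bytes([EAP_TYPE_IDENTITY]) + ident_bytes)
    attrs = b""
    if len(ident_bytes) <= MAX_ATTR_VALUE:  # User-Name is a single attribute
        attrs += attr(ATTR_USER_NAME, ident_bytes)
    attrs += attr(ATTR_CALLING_STATION_ID, calling_station.encode("ascii"))
    attrs += attr(ATTR_EAP_MESSAGE, eap)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + b"\x00" * 16 + attrs

def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); bad
    Length or attribute lengths raise instead of silently mis-parsing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-octet RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field inconsistent with packet size")
    attrs, i = [], 20
    while i < length:  # octets beyond Length are padding and are ignored
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[i], packet[i + 1]
        if a_len < 2 or i + a_len > length:
            raise ValueError("attribute length runs past end of packet")
        attrs.append((a_type, packet[i + 2:i + a_len]))
        i += a_len
    return code, ident, packet[4:20], attrs

def eap_identity(eap):
    """Identity string from an EAP Identity Response, else None."""
    if len(eap) < 5:
        return None
    code, _eap_id, elen = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY or not 5 <= elen <= len(eap):
        return None
    return eap[5:elen].decode("utf-8", "replace")

def classify_identity(identity):
    """Machine account (host/...) versus a user account."""
    if identity.lower().startswith("host/"):
        return "machine"
    return "user"

def summarize_access_request(packet):
    code, ident, _auth, attrs = parse_radius(packet)
    if code != RADIUS_ACCESS_REQUEST:
        raise ValueError("not an Access-Request (code %d)" % code)
    user_name = calling_station = None
    eap = b""
    for a_type, value in attrs:
        if a_type == ATTR_USER_NAME:
            user_name = value.decode("utf-8", "replace")
        elif a_type == ATTR_CALLING_STATION_ID:
            calling_station = value.decode("ascii", "replace")
        elif a_type == ATTR_EAP_MESSAGE:
            eap += value  # reassemble fragments in the order they appear
    identity = eap_identity(eap) if eap else None
    shown = identity if identity is not None else user_name
    return {"id": ident, "user_name": user_name, "eap_identity": identity,
            "calling_station": calling_station,
            "kind": classify_identity(shown) if shown else "none"}

def identity_mismatch(packet, expected_user):
    """The original poster's check: is the identity on the wire the person who
    is actually logging on? Returns (mismatch, identity_seen)."""
    s = summarize_access_request(packet)
    seen = s["eap_identity"] or s["user_name"] or ""
    return seen.lower() != expected_user.lower(), seen

# Constructed samples: the previously logged-on local admin's credentials (what
# the sniff in the post showed), the computer account, and the new user.
SAMPLES = {
    "stale_admin": build_access_request("LAPTOP01\\Administrator", "00-11-22-33-44-55", 1),
    "machine": build_access_request("host/laptop01.corp.example", "00-11-22-33-44-55", 2),
    "new_user": build_access_request("CORP\\jdoe", "00-11-22-33-44-55", 3),
}
```

Feed it the payloads a sniffer shows on UDP/1812 between the access point and IAS; Calling-Station-Id carries the laptop's MAC, so each request can be tied to one machine. An Access-Request whose identity is not the user logging on (the `stale_admin` sample), or no Access-Request at all before the logon screen, is the condition the thread is about; a `host/` identity before logon is what machine authentication looks like on the wire.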

  2. You cannot use the "utility" that came with the wireless NIC to manage its
    activity. You need to have the Wireless Zero Configuration utility manage
    the NIC.

    The reason for this is that the third-party tool will not activate and have
    the NIC connect properly until the currently logged-on user is at their
    desktop, which requires a "cached account", which doesn't exist because
    the user has never logged into that machine before.

    However, the WZC utility runs as a service and will activate the NIC before
    the user attempts to log in; therefore the machine is already actively "on
    the network" before the user actually logs in (just like a wired
    NIC), and therefore the domain controller is available to authenticate the
    user and allow the cached account to be created.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------


    Phillip Windell, Feb 18, 2009
    #2

  3. "msteinhoff" <> wrote in message
    news:...
    > Windows Wireless Settings:
    > Network Auth: WPA
    > Data Encry: AES
    > EAP Type: PEAP
    > Properties:
    > Check next to Validate server certificate
    > no other checks
    > Select auth method:
    > Secured Password (EAP-MSCHAP v2)
    > Configure:
    > check next to Automatically use my Windows logon name and password
    > no check next to Auth as computer when comp info is available
    > no check next to auth as guest when user or computer info is unavailable

    Mine looks like this if I use only WPA with AES
    (normally I use WPA-PSK):
    Network Auth: WPA
    Data Encry: AES
    EAP Type: SmartCard or other Certificate
    Properties:
    Use Certificate on this computer
    Use simple certificate selection
    (*nothing else* selected)
    *Enabled* check next to Auth as computer when comp info is available
    *Disabled* check next to auth as guest when user or computer info is
    unavailable

    --
    Phillip Windell
    www.wandtv.com

    Phillip Windell, Feb 18, 2009
    #3
  4. "msteinhoff" <> wrote in message
    news:...
    >I am having an issue when a new user attempts to logon to a laptop for the
    > first time using the wireless network. Here are some specifics:
    >
    > Laptop OS: Windows XP SP2
    > Server: Server 2000 SP 4 IAS/RADIUS for authentication


    You don't need a RADIUS Server for what I described. That is needless extra
    work, complexity, and overhead.

    These are *training laptops* as you said,...keep it simple.

    --
    Phillip Windell
    www.wandtv.com

    Phillip Windell, Feb 18, 2009
    #4
  5. I don't see any issues with your configuration except "Network Auth: WPA".
    If you use IAS/RADIUS, it should be WPA-ENT. As I posted previously,
    "Whenever I have a problem with our WPA-Ent TKIP, I would check the IAS
    event log first".

    --
    Bob Lin, MS-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
    Robert L. (MS-MVP), Feb 18, 2009
    #5
  6. msteinhoff

    msteinhoff Guest

    We are using WZC, not third party software to manage the wireless NIC.

    "Phillip Windell" wrote:

    > You cannot use the "utility" that came with the wireless NIC to manage its
    > activity. You need to have the Wireless Zero Configuration utility manage
    > the NIC.
    >
    > The reason for this is that the third-party tool will not activate and have
    > the NIC connect properly until the currently logged-on user is at their
    > desktop, which requires a "cached account", which doesn't exist because
    > the user has never logged into that machine before.
    >
    > However, the WZC utility runs as a service and will activate the NIC before
    > the user attempts to log in; therefore the machine is already actively "on
    > the network" before the user actually logs in (just like a wired
    > NIC), and therefore the domain controller is available to authenticate the
    > user and allow the cached account to be created.
    >
    > --
    > Phillip Windell
    > www.wandtv.com
    >
    msteinhoff, Feb 19, 2009
    #6
  7. msteinhoff

    msteinhoff Guest

    I agree the configuration looks good. The problem that I have is that a user
    who has not connected to the wireless before on that specific laptop cannot
    connect. If I run an auth trace on the wireless controller, I see
    credentials of the local administrator attempting to auth to the RADIUS
    server, not the user that is attempting to log in. I'll post that tomorrow.

    "Robert L. (MS-MVP)" wrote:

    > I don't see any issues with your configuration except "Network Auth: WPA".
    > If you use IAS/RADIUS, it should be WPA-ENT. As I posted previously,
    > "Whenever I have a problem with our WPA-Ent TKIP, I would check the IAS
    > event log first".
    >
    > --
    > Bob Lin, MS-MVP, MCSE & CNE
    > Networking, Internet, Routing, VPN Troubleshooting on
    > http://www.ChicagoTech.net
    > How to Setup Windows, Network, VPN & Remote Access on
    > http://www.HowToNetworking.com
    msteinhoff, Feb 19, 2009
    #7