PEAP and domain login

Discussion in 'Wireless Networking' started by Tech, Jan 31, 2005.

  1. Tech

    Tech Guest

    We just set up wireless in my company and it is working great. The question
    I have is this: we have set up a room with laptops that are using wireless. We
    have this set up for PEAP and authenticate against a RADIUS server. Is
    there a way to log onto the domain via wireless if you never logged onto
    the machine before? Keep in mind that the machine is joined to the
    domain but it is not using a cached profile at first. We always had to
    connect to the wire first.

    Any help?
     
    Tech, Jan 31, 2005
    #1

  2. Tech

    Mark Gamache Guest

    Are you using MS-CHAP v2 or a TLS certificate inside of the PEAP connection?
    If you are using MS-CHAP v2, there should be no need for the user to logon
    via the wire first. If you are using certs, then you need to provision the
    cert before they can authenticate, so you would need to have another method
    to acquire the cert.

    Cheers,

    --
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com



    "Tech" <> wrote in message
    news:OdpHhg%...
    > We just set up wireless in my company and it is working great. The question
    > I have is this: we have set up a room with laptops that are using wireless. We
    > have this set up for PEAP and authenticate against a RADIUS server. Is
    > there a way to log onto the domain via wireless if you never logged onto
    > the machine before? Keep in mind that the machine is joined to the domain
    > but it is not using a cached profile at first. We always had to connect
    > to the wire first.
    >
    > Any help?
     
    Mark Gamache, Feb 1, 2005
    #2

  3. Tech

    Tech Guest

    I am using EAP MS-CHAP v2 and a wireless certificate. Does this make
    sense? But what I am noticing is that I need to log on to the machine
    first, configure the wireless with the SSID and PEAP, and then accept the
    certificate. I would like to do all this via group policies, but I was
    told that I need to have a 2003 DC and we are still at 2000.


    Mark Gamache wrote:
    > Are you using MS-CHAP v2 or a TLS certificate inside of the PEAP connection?
    > If you are using MS-CHAP v2, there should be no need for the user to logon
    > via the wire first. If you are using certs, then you need to provision the
    > cert before they can authenticate, so you would need to have another method
    > to acquire the cert.
    >
    > Cheers,
    >
     
    Tech, Feb 1, 2005
    #3
  4. Tech

    Mark Gamache Guest

    The certificate that protects the EAP exchange is the IAS server's
    certificate; this is also the certificate that your client uses to
    authenticate the IAS server (if you use mutual auth). So the MS-CHAP v2 is
    being used inside the TLS tunnel. This means that you don't need a client
    cert. You are correct though: in order to configure the client, you do need
    to have access to the domain to process the login without cached
    credentials.

    To achieve this, add the Domain Computers Group (or the computer accounts
    separately) to whatever group you use for wireless authentication. The
    computers are then able to authenticate using their machine accounts.
    This access should allow you to process the login while still in the context
    of the machine, assuming that it retains the previous user's wireless
    settings. Some vendors' hardware may not support this. The only way to know
    for sure is to give it a try.

    To automatically configure each user's account, you would need a Win2003 DC,
    and actually, if you are using WPA, that is currently not supported for auto
    config via GPO. That's coming in 2003 Server SP1.

    Cheers,

    --
    Mark Gamache
    Certified Security Solutions
    http://www.css-security.com



    "Tech" <> wrote in message
    news:eu79Ce$...
    >I am using EAP MS-CHAP v2 and a wireless certificate. Does this make
    >sense? But what I am noticing is that I need to log on to the machine first,
    >configure the wireless with the SSID and PEAP, and then accept the
    >certificate. I would like to do all this via group policies, but I was told
    >that I need to have a 2003 DC and we are still at 2000.
    >
    >
    > Mark Gamache wrote:
    >> Are you using MS-CHAP v2 or a TLS certificate inside of the PEAP
    >> connection? If you are using MS-CHAP v2, there should be no need for the
    >> user to logon via the wire first. If you are using certs, then you need
    >> to provision the cert before they can authenticate, so you would need to
    >> have another method to acquire the cert.
    >>
    >> Cheers,
    >>
     
    Mark Gamache, Feb 1, 2005
    #4
