Windows Server 2000/2003 Thread, Wireless GPO Radius Auth + Home access in Technical
-
28th June 2011, 02:14 PM #1 Wireless GPO Radius Auth + Home access
I'm sure this question has been answered before but darned if I can find it, so I'm throwing myself open to vilification, jibes and hopefully... an answer or two.. 
The problem is staff laptops at a primary school..
I'm currently using a Radius server system for authentication and access to the network and while this is working great for ensuring we don't suffer from anyone accessing the system with Passwords, etc... it does mean that I've hit a couple of issues:
1. Any laptops that refuse to pre-auth, fail to authenticate and end up in a loop (Netbooks in particular)
2. Staff laptops will access the school wlan fine but then find that they can't do any work on their home wireless net because the system refuses to accept any other wireless settings.
The solution to both so far has been to relax the authentication somewhat to set the EAP-MSCHAP so it doesn't automatically use the Windows Logon if available.
Unfortunately this means 2 things.
1. The laptops using this policy can't connect to the domain until they've logged in and of course this means:
2. They can't use their domain account to login because it can't authenticate.
Now, writing this out I'm acutely aware that my knowledge on this is showing holes and probably because I'm dialling down my schools work I honestly can't remember how or why I opted for this approach..
If it helps at all we have a Netgear WFS709T WLAN controller on a Win2k3 domain (with a win2k8 server) and Radius on a Win2k3 server.
Anyone offer any suggestions on a complete rethink (on settings - not hardware) or some solutions to the issue... ?
Cheers,
Martin
-
-
28th June 2011, 05:38 PM #2
What OS are the laptops? Because if it's XP with just SP2, consider an upgrade to SP3, as there were a number of Wi-Fi improvements in it.
Also have you looked at machine (instead of user) authentication? Basically it takes the machine's AD username and password instead of the user's and authenticates that against AD - it's what we use and it works very robustly.
-
-
1st July 2011, 11:06 AM #3 
Originally Posted by jamesfed:
"What OS are the laptops? Because if it's XP with just SP2, consider an upgrade to SP3, as there were a number of Wi-Fi improvements in it."
I "think" they have SP3 on there already but it's definitely one to check...
Originally Posted by jamesfed:
"Also have you looked at machine (instead of user) authentication? Basically it takes the machine's AD username and password instead of the user's and authenticates that against AD - it's what we use and it works very robustly."
Admittedly I hadn't but it's almost as if the computer isn't supplying that information when it attempts to connect to the network... Not sure why but I have this sneaky feeling it's an issue I've had to deal with before and forgotten the relevant solution.
-
-
1st July 2011, 01:40 PM #4 
Originally Posted by jamesfed:
"What OS are the laptops? Because if it's XP with just SP2, consider an upgrade to SP3, as there were a number of Wi-Fi improvements in it.
Also have you looked at machine (instead of user) authentication? Basically it takes the machine's AD username and password instead of the user's and authenticates that against AD - it's what we use and it works very robustly."
I would like to second this. We use machine auth for staff laptops, user auth for student personal machines (onto a restricted VLAN).
Simon
-
-
1st July 2011, 06:26 PM #5
One thing to touch on... Does the Wireless policy result in the laptop being incapable of being set up to use an alternative WLAN, like one at the staff member's home?
As I said earlier, probably a daft question but my brain is seriously addled and sleep deprived at the mo'..
-
-
4th July 2011, 09:26 AM #6
Contink,
It will simply add it as a network in the list of preferred networks.
We have it set up the same way, and users can add their home wireless networks; the only thing they cannot do is set it to Home or Work (it must remain "public" in order to keep the file sharing, printer sharing etc... disabled).
Simon
-
-
8th July 2011, 02:48 PM #7
Ok... Time to fess up...
I made such a complete flipping stoopid error that I'm wondering if brick walls are suitably hard enough for the smack I require...
It turns out that in the process of setting up all the authentication, etc... I completely forgot that the Radius server was set to authenticate computers that were part of a specific number of security groups. These security groups were created such a long time ago that I'd forgotten they existed and in my debugging I somehow neglected to look at the Radius settings until now.
The sounds uttered were somewhat despairing when I realised my mistake...
The moral of this particular story is: assume nothing and be prepared to look like a complete idiot... but more importantly, check Radius, as well as the GPO, for the security settings.
I now have all the errant laptops added to the relevant security groups and presto, they all authenticate now... Go figure!
*Doh!*
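An audit for the failure described in the post above, added here as an example and not part of the original thread: it lists computer accounts in a laptop OU that are not members (directly or through nesting) of any group the RADIUS policy requires. It assumes the ActiveDirectory PowerShell module can reach the domain; the group names and OU path are placeholders.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT) and a domain controller it can talk to (assumption).
Import-Module ActiveDirectory

# Placeholders: replace with the groups named in the RADIUS remote access
# policy conditions and with the OU that holds the staff laptops.
$PolicyGroups = @('Wireless-Staff-Laptops', 'Wireless-Netbooks')
$LaptopOU     = 'OU=Staff Laptops,DC=example,DC=local'

# Collect every computer account the policy would match, following nested
# groups. Key = distinguished name, value = the group that grants access.
$allowed = @{}
foreach ($group in $PolicyGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object { $allowed[$_.distinguishedName] = $group }
    }
    catch {
        # A group the policy names but AD no longer has is itself a finding.
        Write-Warning "Policy group '$group' could not be read: $($_.Exception.Message)"
    }
}

# Any computer in the laptop OU that is absent from $allowed will be
# rejected by the RADIUS server regardless of what the wireless GPO says.
$missing = Get-ADComputer -SearchBase $LaptopOU -Filter * |
    Where-Object { -not $allowed.ContainsKey($_.DistinguishedName) } |
    Sort-Object Name

if ($missing) {
    Write-Output "Computers not covered by any RADIUS policy group:"
    $missing | Select-Object Name, Enabled, DistinguishedName | Format-Table -AutoSize
}
else {
    Write-Output "All computers under $LaptopOU are in a RADIUS policy group."
}
```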
-
-
8th July 2011, 02:52 PM #8
I did something similar in setting up a new RADIUS server. I had not added the server to the autoenroll group for the authentication certificate; took me 2 days to realise!
S