Windows Server 2000/2003 Thread: Wireless GPO Radius Auth + Home access (forum: Technical)
#1 contink (South Yorkshire, joined Jul 2006)

    Wireless GPO Radius Auth + Home access

    I'm sure this question has been answered before but darned if I can find it, so I'm throwing myself open to vilification, jibes and hopefully... an answer or two..

    The problem is staff laptops at a primary school..

    I'm currently using a Radius server system for authentication and access to the network and while this is working great for ensuring we don't suffer from anyone accessing the system with Passwords, etc... it does mean that I've hit a couple of issues:

    1. Any laptops that refuse to pre-auth, fail to authenticate and end up in a loop (Netbooks in particular)

    2. Staff laptops will access the school wlan fine but then find that they can't do any work on their home wireless net because the system refuses to accept any other wireless settings.


    The solution to both so far has been to relax the authentication somewhat to set the EAP-MSCHAP so it doesn't automatically use the Windows Logon if available.

    Unfortunately this means 2 things.

    1. The laptops using this policy can't connect to the domain until they've logged in and of course this means:

    2. They can't use their domain account to login because it can't authenticate.



    Now, writing this out I'm acutely aware that my knowledge on this is showing holes, and probably because I'm dialling down my school's work I honestly can't remember how or why I opted for this approach..




    If it helps at all we have a Netgear WFS709T WLAN controller on a Win2k3 domain (with a win2k8 server) and Radius on a Win2k3 server.


    Anyone offer any suggestions on a complete rethink (on settings - not hardware) or some solutions to the issue... ?

    Cheers,

    Martin

#2 jamesfed (Reading, joined Sep 2009)
    What OS are the laptops? Because if it's XP with just SP2, consider an upgrade to SP3 as there were a number of Wi-Fi improvements in it.
    Also, have you looked at machine (instead of user) authentication? Basically it takes the machine's AD username and password instead of the user's and authenticates that against AD - it's what we use and it works very robustly.


#3 contink (South Yorkshire, joined Jul 2006)
    Quote Originally Posted by jamesfed:
        What OS are the laptops? Because if it's XP with just SP2, consider an upgrade to SP3 as there were a number of Wi-Fi improvements in it.
    I "think" they have SP3 on there already but it's definitely one to check...

    Quote Originally Posted by jamesfed:
        Also, have you looked at machine (instead of user) authentication? Basically it takes the machine's AD username and password instead of the user's and authenticates that against AD - it's what we use and it works very robustly.
    Admittedly I hadn't, but it's almost as if the computer isn't supplying that information when it attempts to connect to the network... Not sure why, but I have this sneaky feeling it's an issue I've had to deal with before and forgotten the relevant solution.

#4 Psymon (Deal, Kent, joined Aug 2007)
    Quote Originally Posted by jamesfed:
        What OS are the laptops? Because if it's XP with just SP2, consider an upgrade to SP3 as there were a number of Wi-Fi improvements in it.
        Also, have you looked at machine (instead of user) authentication? Basically it takes the machine's AD username and password instead of the user's and authenticates that against AD - it's what we use and it works very robustly.
    I would like to second this. We use machine auth for staff laptops, and user auth for student personal machines (onto a restricted VLAN).
    Simon


#5 contink (South Yorkshire, joined Jul 2006)
    One thing to touch on... Does the Wireless policy result in the laptop being incapable of being set up to use an alternative WLAN, like one at the staff member's home?

    As I said earlier, probably a daft question but my brain is seriously addled and sleep deprived at the mo'..

#6 Psymon (Deal, Kent, joined Aug 2007)
    Contink,

    It will simply add it as a network in the list of preferred networks.

    We have it set up the same way, and users can add their home wireless networks; the only thing they cannot do is set it to Home or Work (it must remain "Public" in order to keep file sharing, printer sharing, etc... disabled).

    Simon


#7 contink (South Yorkshire, joined Jul 2006)
    Ok... Time to fess up...

    I made such a complete flipping stoopid error that I'm wondering if brick walls are suitably hard enough for the smack I require...

    It turns out that in the process of setting up all the authentication, etc... I completely forgot that the Radius server was set to authenticate computers that were part of a specific number of security groups. These security groups were created such a long time ago that I'd forgotten they existed and in my debugging I somehow neglected to look at the Radius settings until now.

    The sounds uttered were somewhat despairing when I realised my mistake...

    The moral of this particular story is: assume nothing and be prepared to look like a complete idiot... but more importantly, check Radius, as well as the GPO, for the security settings.

    I now have all the errant laptops added to the relevant security groups and presto, they all authenticate now... Go figure!



    *Doh!*
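The fix described above (the RADIUS policy only admits computers that are members of certain security groups, and the errant laptops were not in them) is easy to audit from AD rather than by trial and error. The following PowerShell script is an added example, not code from this thread or any of its posters; it assumes the ActiveDirectory module (RSAT on the Win2k8 server or an admin workstation), and the group name `Wireless-Laptops` and the OU path are placeholders to be replaced with the groups your IAS/NPS policy actually checks.

```powershell
# Added example (not from the thread): list computer accounts in an OU that are
# missing from the security group(s) the RADIUS remote access policy requires.
Import-Module ActiveDirectory

# Placeholders (assumed names): the group(s) named in the policy's
# Windows-Groups condition, and the OU holding the staff laptops.
$RequiredGroups = @('Wireless-Laptops')
$LaptopOU       = 'OU=Staff Laptops,DC=school,DC=local'

function Get-LaptopsMissingRadiusGroup {
    param(
        [string[]]$Groups,
        [string]$SearchBase
    )
    # Build a lookup of every computer that is already a member of an allowed
    # group. -Recursive follows nested groups, which is what the RADIUS policy's
    # group check effectively evaluates for the authenticating account.
    $allowed = @{}
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object { $allowed[$_.distinguishedName] = $true }
    }

    # Enabled computers in the OU that are in none of the allowed groups.
    Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Where-Object { -not $allowed.ContainsKey($_.DistinguishedName) }
}

$missing = Get-LaptopsMissingRadiusGroup -Groups $RequiredGroups -SearchBase $LaptopOU
$missing | Select-Object Name, DistinguishedName | Format-Table -AutoSize

# Remediation: add each missing computer to the first required group.
# -WhatIf only previews the change; remove it once the list above looks right.
foreach ($c in $missing) {
    Add-ADGroupMember -Identity $RequiredGroups[0] -Members $c -WhatIf
}
```

Run it on a machine with the RSAT AD tools as an account allowed to read the OU and modify the group. Because the policy evaluates membership on the RADIUS server side, a laptop added this way should authenticate on its next connection attempt without needing a rebuild; if it still fails, the remaining suspects are the GPO wireless profile (machine vs. user authentication) and the server certificate, as the next post illustrates.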

#8 Psymon (Deal, Kent, joined Aug 2007)
    I did something similar in setting up a new RADIUS server. I had not added the server to the autoenroll group for the authentication certificate; it took me 2 days to realise!

    S

#9 rad (Middlesex, joined Jan 2009)
    It's FRIDAY.....Pub?
