Windows (Technical) forum thread: XP Authenticate to Wireless with AD at login
4th November 2009, 05:18 PM #1
Hi all,
I've done some research and found information on this all over the place, but nothing that quite illustrates how to implement this.
I want XP laptops to connect to the wireless network at login using the user's AD credentials. Meaning, I don't want to authenticate as the machine or use a single WPA password (which, it seems, the Wireless Zero Configuration utility lets me do); I want to first authenticate to the network, then login (so that login scripts are run, etc). As a Mac guy, this would be similar to a Login Window Profile. From what I've read, I think this is possible using a Group Policy, but I'm not sure how to implement this.
Any thoughts?
Thanks!
4th November 2009, 06:35 PM #2
I'm not sure I entirely understand what you are asking - however I don't think you can do what you are asking.
In order for a laptop (or any device) to connect to a wireless network, it has to conform to whatever the wireless network requires - if the wifi uses WEP, then you have to setup WEP on the laptop, same for WPA etc.
Having the laptop connect to the wireless network initially means that it can obtain its IP information, which in turn will allow it to connect to AD and then allow the user to login.
If I'm understanding what you want - you want the following:
1) Laptop to connect to a wireless network.
2) User cannot use wireless network without logging in.
Assuming this is right - then all you need to do is set up the laptop wifi as the local administrator, join it to an AD domain and then the wifi should be available for the user - allowing them to login.
Sound about right?
Az
4th November 2009, 06:38 PM #3
I'm sorry if I was unclear!
I want the laptop to "see" the wireless network at the login window, connect to it upon authenticating at login with AD credentials, then log in. (The wireless network uses RADIUS for AD authentication only)
For example, in Mac OS X with a Login Window profile, when an AD user enters his/her name and password, it first finds the wireless network and authenticates to it, then authenticates (using that wireless connection) to the DC and logs in to the machine.
Does that make sense?
Last edited by MarsRed; 4th November 2009 at 06:42 PM.
4th November 2009, 07:11 PM #4
Originally Posted by MarsRed:
I'm sorry if I was unclear!
I want the laptop to "see" the wireless network at the login window, connect to it upon authenticating at login with AD credentials, then log in. (The wireless network uses RADIUS for AD authentication only)
For example, in Mac OS X with a Login Window profile, when an AD user enters his/her name and password, it first finds the wireless network and authenticates to it, then authenticates (using that wireless connection) to the DC and logs in to the machine.
Does that make sense?
You will need to switch from an unauthenticated wireless network to an authenticated one. You would need access to the domain on the unauthenticated network to login to the domain in the first place.
XP does not have any preauthentication built in, Vista and 7 have some but I've never used it.
You can login with a local account and use the domain users account details to connect but that's about it.
Edit: Well, XP does have *some* ability to preauthenticate, but the built-in 802.1x client won't wait for the network before applying policies etc., making it mostly useless. Vista will hold the netlogon service until 802.1x has been completed.
Last edited by DMcCoy; 4th November 2009 at 07:44 PM.
Reason: Preauth info
4th November 2009, 07:13 PM #5
It's already an authenticated wireless network (authenticates with RADIUS server / AD credentials). It's not unprotected.
4th November 2009, 07:16 PM #6
What type of wireless controllers are you using? We are using a 3com managed system. I have mine set up so that the wireless controllers authenticate radius against IAS and then depending on AD permissions allow the computer onto the network. We also use gpo to push out the wireless config to the laptops.
Is this the kind of set up you require?
John
4th November 2009, 07:21 PM #7
Originally Posted by djdohboy:
What type of wireless controllers are you using? We are using a 3com managed system. I have mine set up so that the wireless controllers authenticate radius against IAS and then depending on AD permissions allow the computer onto the network. We also use gpo to push out the wireless config to the laptops.
Is this the kind of set up you require?
John
We're using a Cisco managed system.
Yes, what you described is very similar to what I want. The authentication is already set up, I'm more interested in how you used GPO to push out the settings. Do your users authenticate to the wireless network AFTER login (with a cached account, and they don't receive login scripts) or BEFORE login (meaning first to the wireless, then login with scripts – in which case you could log in to an account that is not already cached)? I'm looking to do the latter.
Thanks!
4th November 2009, 07:32 PM #8
It's before logon. I'll get a screenshot of the gpo for you tomorrow. Ours is set up so that it will assign vlan info as well so it needs to be able to access the network pre logon to get the right ip address and info.
4th November 2009, 07:35 PM #9
Originally Posted by djdohboy:
It's before logon. I'll get a screenshot of the gpo for you tomorrow. Ours is set up so that it will assign vlan info as well so it needs to be able to access the network pre logon to get the right ip address and info.
Cool. Much appreciated. Am looking forward to the screenshot.
4th November 2009, 07:39 PM #10
If you are already connecting to the wireless, then you can just enable the computer to connect with the machine account until the user logs in. You can return a different vlan with radius after the users credentials are sent.
If you want to use XP as a normal machine with logon scripts and profiles then it's not going to work very well. When changing vlan during logon the Netlogon service does not wait for the address change before trying to apply the policies and load profiles. Microsoft specifically do not support logon scripts and roaming profiles when switching vlan when a user logs in.
Microsoft support article: "You experience problems when you try to obtain Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller"
4th November 2009, 07:49 PM #11
Originally Posted by DMcCoy:
With the way it is set up, there is a different SSID for each vlan. The SSID that these laptops should connect to is on a vlan in which the Domain Controller/logon scripts/profiles are accessible. I don't think using machine authentication first would help in this setup - true?
5th November 2009, 08:25 AM #12
Well our network does what you want it to do, although very poorly. It authenticates the laptop with AD first, then once the user has entered their logon details it authenticates those credentials against AD. All this using a wireless certificate and RADIUS server, wireless control boxes and blank access points.
We didn't set it up and TBH it has seemed to cause nothing but hassle, I don't like it.
Incidentally I don't like the idea of mass wireless. Gimme a cable anyday.
5th November 2009, 09:25 AM #13
Our wireless network is Cisco 1200 series access points going back to a Windows IAS server for authentication against Active Directory. I have pushed out the settings via Group Policy to the clients, but opted for machine authentication only so only machines that are in our active directory structure are authenticated on our wireless network.
You can set it up so it authenticates as the machine pre-login, then when the user logs in it changes to user authentication and authenticates to IAS using the user credentials. The main problem with setting it up this way is it tends to change from machine to user authentication while logging on at around the same time startup scripts are run, and you sometimes lose wireless connection for a few seconds, which can cause problems for any scripts you have running. It also means any user with a valid account on your network can add devices to your wireless network like mobile phones, PSPs or any other device with built-in wireless - obviously this is a bit of a security flaw.
My recommendation - do it so only the machines can authenticate to the wireless network and not users, it keeps it simple and it works!
Mike.
5th November 2009, 09:26 AM #14
Originally Posted by DAZZD88:
Incidentally I don't like the idea of mass wireless. Gimme a cable anyday.
While I share your lack of enthusiasm for mass wireless, we might all have to get used to this approach for new schools; apparently it saves a fortune in wiring costs.
11th November 2009, 01:39 AM #15
Originally Posted by djdohboy:
It's before logon. I'll get a screenshot of the gpo for you tomorrow. Ours is set up so that it will assign vlan info as well so it needs to be able to access the network pre logon to get the right ip address and info.
Does anyone have any thoughts on setting up this GPO?