  1. #1

    XP Authenticate to Wireless with AD at login

    Hi all,

    I've done some research and found information on this all over this place, but nothing that quite illustrates how to implement this.

    I want XP laptops to connect to the wireless network at login using the user's AD credentials. Meaning, I don't want to authenticate as the machine or use a single WPA password (which, it seems, the Wireless Zero Configuration utility lets me do); I want to first authenticate to the network, then login (so that login scripts are run, etc). As a Mac guy, this would be similar to a Login Window Profile. From what I've read, I think this is possible using a Group Policy, but I'm not sure how to implement this.

    Any thoughts?

    Thanks!

  2. #2 (azrael78)
    I'm not sure I entirely understand what you are asking - however I don't think you can do what you are asking.

    In order for a laptop (or any device) to connect to a wireless network, it has to conform to whatever the wireless network requires - if the wifi uses WEP, then you have to set up WEP on the laptop, same for WPA etc.

    Having the laptop connect to the wireless network initially means that it can obtain its IP information, which in turn will allow it to connect to AD and then allow the user to login.

    If I'm understanding what you want - you want the following:

    1) Laptop to connect to a wireless network.
    2) User cannot use wireless network without logging in.

    Assuming this is right - then all you need to do is set up the laptop wifi as the local administrator, join it to an AD domain and then the wifi should be available for the user - allowing them to login.

    Sound about right?

    Az

  3. #3
    I'm sorry if I was unclear!

    I want the laptop to "see" the wireless network at the login window, connect to it upon authenticating at login with AD credentials, then log in. (The wireless network uses RADIUS for AD authentication only)

    For example, in Mac OS X with a Login Window profile, when an AD user enters his/her name and password, it first finds the wireless network and authenticates to it, then authenticates (using that wireless connection) to the DC and logs in to the machine.

    Does that make sense?
    Last edited by MarsRed; 4th November 2009 at 06:42 PM.

  4. #4 (DMcCoy)
    Quote Originally Posted by MarsRed:
    I'm sorry if I was unclear!

    I want the laptop to "see" the wireless network at the login window, connect to it upon authenticating at login with AD credentials, then log in. (The wireless network uses RADIUS for AD authentication only)

    For example, in Mac OS X with a Login Window profile, when an AD user enters his/her name and password, it first finds the wireless network and authenticates to it, then authenticates (using that wireless connection) to the DC and logs in to the machine.

    Does that make sense?
    You will need to switch from an unauthenticated wireless network to an authenticated one. You would need access to the domain on the unauthenticated network to log in to the domain in the first place.

    XP does not have any preauthentication built in; Vista and 7 have some but I've never used it.

    You can log in with a local account and use the domain user's account details to connect, but that's about it.

    Edit: Well, XP does have *some* ability to preauthenticate, but the built-in 802.1x client won't wait for the network before applying policies etc., making it mostly useless. Vista will hold the netlogon service until 802.1x has been completed.
    Last edited by DMcCoy; 4th November 2009 at 07:44 PM. Reason: Preauth info

  5. #5
    It's already an authenticated wireless network (authenticates with RADIUS server / AD credentials). It's not unprotected.

  6. #6 (djdohboy)
    What type of wireless controllers are you using? We are using a 3com managed system. I have mine set up so that the wireless controllers authenticate radius against IAS and then depending on AD permissions allow the computer onto the network. We also use gpo to push out the wireless config to the laptops.

    Is this the kind of set up you require?

    John

  7. #7
    Quote Originally Posted by djdohboy:
    What type of wireless controllers are you using? We are using a 3com managed system. I have mine set up so that the wireless controllers authenticate radius against IAS and then depending on AD permissions allow the computer onto the network. We also use gpo to push out the wireless config to the laptops.

    Is this the kind of set up you require?

    John
    We're using a Cisco managed system.

    Yes, what you described is very similar to what I want. The authentication is already set up, I'm more interested in how you used GPO to push out the settings. Do your users authenticate to the wireless network AFTER login (with a cached account, and they don't receive login scripts) or BEFORE login (meaning first to the wireless, then login with scripts in which case you could log in to an account that is not already cached)? I'm looking to do the latter.

    Thanks!

  8. #8 (djdohboy)
    It's before logon. I'll get a screenshot of the gpo for you tomorrow. Ours is set up so that it will assign vlan info as well so it needs to be able to access the network pre logon to get the right ip address and info.


  10. #9
    Quote Originally Posted by djdohboy:
    It's before logon. I'll get a screenshot of the gpo for you tomorrow. Ours is set up so that it will assign vlan info as well so it needs to be able to access the network pre logon to get the right ip address and info.
    Cool. Much appreciated. Am looking forward to the screenshot.

  11. #10 (DMcCoy)
    If you are already connecting to the wireless, then you can just enable the computer to connect with the machine account until the user logs in. You can return a different vlan with radius after the user's credentials are sent.

    If you want to use XP as a normal machine with logon scripts and profiles then it's not going to work very well. When changing vlan during logon the Netlogon service does not wait for the address change before trying to apply the policies and load profiles. Microsoft specifically do not support logon scripts and roaming profiles when switching vlan when a user logs in.

    You experience problems when you try to obtain Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller

  12. #11
    Quote Originally Posted by DMcCoy:
    If you are already connecting to the wireless, then you can just enable the computer to connect with the machine account until the user logs in. You can return a different vlan with radius after the user's credentials are sent.

    If you want to use XP as a normal machine with logon scripts and profiles then it's not going to work very well. When changing vlan during logon the Netlogon service does not wait for the address change before trying to apply the policies and load profiles. Microsoft specifically do not support logon scripts and roaming profiles when switching vlan when a user logs in.

    You experience problems when you try to obtain Group Policy objects, roaming profiles, and logon scripts from a Windows Server 2003-based domain controller
    With the way it is set up, there is a different SSID for each vlan. The SSID that these laptops should connect to is on a vlan in which the Domain Controller/logon scripts/profiles are accessible. I don't think using machine authentication first would help in this setup - true?

  13. #12 (DAZZD88)
    Well our network does what you want it to do, although very poorly. It authenticates the laptop with AD first, then once the user has entered their logon details it then authenticates those credentials against AD. All this using a wireless certificate and RADIUS server, wireless control boxes and blank access points.

    We didn't set it up and TBH it has seemed to cause nothing but hassle, I don't like it.

    Incidentally I don't like the idea of mass wireless. Gimme a cable anyday.

  14. #13 (maniac)
    Our wireless network is Cisco 1200 series access points going back to a Windows IAS server for authentication against Active Directory. I have pushed out the settings via Group Policy to the clients, but opted for machine authentication only so only machines that are in our active directory structure are authenticated on our wireless network.

    You can set it up so it authenticates as the machine pre-login then when the user logs in, it changes to user authentication at login and authenticates to IAS using the user credentials. The main problem with setting it up this way is it tends to change from machine to user authentication while logging on at around the same time startup scripts are run, and you sometimes lose wireless connection for a few seconds, which can cause problems for any scripts you have running. It also means any user with a valid account on your network can add devices to your wireless network like mobile phones, PSP's or any other device with built in wireless - obviously this is a bit of a security flaw.

    My recommendation - do it so only the machines can authenticate to the wireless network and not users, it keeps it simple and it works!

    Mike.
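The machine-only versus machine-or-user choice discussed in posts #10 and #13, and the RADIUS VLAN hand-back DMcCoy mentions, modelled as an added example (not code from the thread or from any product): a small Python authorization policy that classifies the 802.1X identity, accepts only known domain computer accounts under a machine-only policy, and returns the RFC 2868 tunnel attributes a controller uses to place the client in a VLAN. The domain name, account lists and VLAN ids are constructed sample values.

```python
# RFC 2868 tunnel attributes a RADIUS server returns to place a client in a VLAN
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

# Constructed sample directory data (assumptions, not taken from the thread)
DOMAIN = "CORP"
COMPUTER_ACCOUNTS = {"laptop01$", "laptop02$"}
USER_ACCOUNTS = {"alice", "bob"}
MACHINE_VLAN = "10"   # VLAN where the DCs, logon scripts and profiles are reachable
USER_VLAN = "20"      # VLAN handed back once user credentials are accepted

def classify_identity(identity):
    """Map an EAP identity to ('machine', acct), ('user', acct) or (None, None)."""
    if identity.startswith("host/"):
        # Windows machine authentication sends host/<fqdn>; the account is <host>$
        fqdn = identity[len("host/"):]
        return "machine", fqdn.split(".", 1)[0].lower() + "$"
    if "\\" in identity:
        domain, name = identity.split("\\", 1)
        if domain.upper() == DOMAIN:
            return "user", name.lower()
    return None, None

def vlan_attrs(vlan_id):
    return {"Tunnel-Type": TUNNEL_TYPE_VLAN,
            "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
            "Tunnel-Private-Group-ID": vlan_id}

def authorize(identity, policy="machine"):
    """policy is 'machine' (maniac's recommendation) or 'machineOrUser'.
    Returns (accept, reason, attributes-to-return)."""
    kind, account = classify_identity(identity)
    if kind == "machine" and account in COMPUTER_ACCOUNTS:
        return True, "known domain computer", vlan_attrs(MACHINE_VLAN)
    if kind == "user" and account in USER_ACCOUNTS:
        if policy == "machine":
            # A valid user on an unknown device (phone, games console) gets nothing
            return False, "user identities not accepted under machine-only policy", {}
        return True, "domain user", vlan_attrs(USER_VLAN)
    return False, "unknown identity", {}

def vlan_switches_at_logon(policy):
    """True when the client changes VLAN mid-logon: the case where XP's Netlogon
    does not wait for the new address before applying policy and loading profiles."""
    return policy == "machineOrUser" and MACHINE_VLAN != USER_VLAN
```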

  15. #14 (broc)
    Quote Originally Posted by DAZZD88:

    Incidentally I don't like the idea of mass wireless. Gimme a cable anyday.
    While I share your lack of enthusiasm for mass wireless, we might all have to get used to this approach for new schools; apparently it saves a fortune in wiring costs.

  16. #15
    Quote Originally Posted by djdohboy:
    It's before logon. I'll get a screenshot of the gpo for you tomorrow. Ours is set up so that it will assign vlan info as well so it needs to be able to access the network pre logon to get the right ip address and info.
    Does anyone have any thoughts on setting up this GPO?
