  1. #1
    WPA/certificate before Windows Logon

    Greeting everyone.

    I successfully implemented a test EAP/TLS wifi connection with a WinXP SP2 computer and certificates generated with OpenCA.

    However, the connection will not occur before the Domain Logon since the certificate resides only in the user profile. I tried to move the certificate into the computer container, but Windows refuses to see/use it.

    I tried to change the AuthMode registry key without success. I believe that Windows refuses to use the certificate because it does not originate from its AD (I don't do AD).

    I want to know whether it is possible to force Windows to use a certificate for the WPA connection before the Domain logon?

    Dany Chouinard
    C.S. Or-et-des-Bois
    Val-d'Or,Qc,Canada

  2. #2
    Quote Originally Posted by danychouinard View Post
    Hi,

    Yes, this is possible; however, you need to make sure that the computer has a certificate allocated or that the computer is a domain member of your AD domain.

    I recommend using the Windows wifi utility to configure it and not bothering with third-party software.

    You need to make sure that the Root Certificate of the CA is in the computer's Trusted Certificate Authorities store so your computer can trust the certificate that you created with the CA.

    You also need to tick the box where it says "Authenticate as computer when computer information is available"; this will automatically use the computer's password to authenticate with the computer account, and you should be able to get an IP prior to the user logging on. There are many ways to distribute the Root Certificate of your CA; the popular way is doing it with a GPO for the whole domain so all your domain member PCs and servers will trust the CA. The other is manually installing it in the "Trusted Root Certification Authorities" store using the MMC snap-in.

    HTH,

    Ash.
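    A client-side check for the prerequisites Ash lists (CA root in the machine-wide store, a computer certificate usable for EAP-TLS, the AuthMode setting), as an added PowerShell example that is not from the thread. It assumes PowerShell is installed on the XP client, that the CA root's SHA-1 thumbprint is passed in as $RootThumbprint, and that AuthMode sits under the EAPOL\Parameters registry key of the XP wireless client; the FQDN-in-SAN check follows Microsoft's documented EAP-TLS requirements for computer certificates.

```powershell
# Added check script (not from the thread): verify the prerequisites for
# pre-logon (machine) 802.1X on the local Windows client.
# Assumptions: $RootThumbprint is the SHA-1 thumbprint of your CA's root;
# the AuthMode value lives under the EAPOL\Parameters key of XP's wireless
# client (registry path assumed, not taken from the thread).
param([string]$RootThumbprint = "PLACEHOLDER_ROOT_CA_THUMBPRINT")

$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth, required for EAP-TLS
$fqdn = [System.Net.Dns]::GetHostEntry([System.Net.Dns]::GetHostName()).HostName
$problems = @()
$usable = @()

# 1. The CA root must be in the machine-wide store: the user's store is not
#    available before logon, which is exactly the symptom in post #1.
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootThumbprint.ToUpper() }
if (-not $root) { $problems += "CA root $RootThumbprint not found in LocalMachine\Root" }

# 2. A computer certificate in LocalMachine\My with a private key, the Client
#    Authentication EKU and the machine FQDN in the SAN (Microsoft's documented
#    EAP-TLS requirements for computer certificates) that chains to a trusted root.
foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $c.HasPrivateKey) { $problems += "$($c.Thumbprint): no private key"; continue }
    $eku = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $hasClientAuth = ($eku -ne $null) -and (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0)
    $hasFqdn = ($san -ne $null) -and ($san.Format($false) -match [regex]::Escape($fqdn))
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chains = $chain.Build($c)
    if ($hasClientAuth -and $hasFqdn -and $chains) { $usable += $c; continue }
    if (-not $hasClientAuth) { $problems += "$($c.Thumbprint): missing Client Authentication EKU" }
    if (-not $hasFqdn)       { $problems += "$($c.Thumbprint): SAN does not contain $fqdn" }
    if (-not $chains)        { $problems += "$($c.Thumbprint): does not chain to a trusted root" }
}
if ($usable.Count -eq 0) { $problems += "no usable computer certificate in LocalMachine\My" }

# 3. AuthMode: 0 (default) or 2 let the computer authenticate while no user is
#    logged on; 1 only falls back to the computer account after user auth fails.
$eapolKey = "HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
$authMode = (Get-ItemProperty -Path $eapolKey -ErrorAction SilentlyContinue).AuthMode
if ($authMode -eq 1) { $problems += "AuthMode=1 defers computer authentication until user auth fails" }

if ($problems.Count -eq 0) {
    "OK: $($usable.Count) computer certificate(s) usable for pre-logon EAP-TLS; AuthMode=$authMode"
} else {
    "Pre-logon 802.1X prerequisites not met:"; $problems | ForEach-Object { " - $_" }
}
```

    Run it in an elevated PowerShell session so the LocalMachine\My private keys are readable; a certificate that passes every check but still fails pre-logon usually points at the computer account on the RADIUS side rather than at the certificate.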

  3. #3
    I don't use AD and GPO

    The problem is that I am not using Active Directory, and even less GPO. Samba gives me all the flexibility I need for my Windows domains. However, once in a while I need features that have been "vendor locked". As far as my reading goes, setups that work use AD, GPO and IAS.

    I do not understand why Windows XP refuses to use the machine certificates for my WPA connection prior to logon. I suspect esoteric validation of certificate details, but I have no idea why.

    Any ideas?

    Dany Chouinard

  4. #4
    You also need to ensure that the client's wireless drivers actually start before login, otherwise this will not work. Some older driver utilities start after login, which leaves you with a bit of a catch-22.

  5. #5
    I'm trying to stick to the Windows Zero Conf utility for now. Do you think a third-party utility could be helpful in that situation?

  6. #6
    Quote Originally Posted by danychouinard View Post
    Some drivers are not well written and don't work as expected; we found this out on some Linksys PCI wireless cards, where the drivers were at fault. One thing you could try is applying this patch if it's not already done.

    KB885453

    I'm not sure if this will sort the problem out, as it's to do with PEAP by the looks of it.

    Have you tried to import the CA's root certificate into the "Trusted Root Certification Authorities" store on the Windows XP PC?


    Ash.

  7. #7
    That patch was already applied. The certificates were in the right place since I could connect once logged in. I'm trying to create a connection before the domain logon.

    If I use WPA PSK it works fine, but I believe that PSK is too weak for an organisation. I will have to manage over a hundred laptops on two sites, so I don't want to manually put a password into each computer.

    Today I've put in place a server based on Zeroshell, a Linux distribution specialised in basic network services. It contains a CA and a RADIUS server, and I was quickly able to implement a PEAP-based WPA connection. But the problem came back: still not able to establish the connection before the domain logon.

    If I set the "Automatically use my logon name and password" option and create a user in Zeroshell with the same name and password that I use in Samba, I get this error message in RADIUS:

    Code:
    15:49:45     Login incorrect: [gnagna] (from client hor-ap-001 port 0 cli 00-18-6E-1E-9F-46)
    15:50:45    rlm_eap: Identity does not match User-Name, setting from EAP Identity.
    I feel that I'm getting so close. What am I missing?

  8. #8
    Quote Originally Posted by danychouinard View Post
    Hi,

    I get the feeling that this may not work because the computer is not part of an AD domain, so the computer account can't authenticate. The user authentication is rightly done at the time when the user logs on, so that is working correctly as per 802.1X. What you are after is the pre-logon connection, which can only happen when the computer is part of an AD domain, so that in the background the computer can send its computer password to the AD domain and authenticate. You are right with regards to IAS, AD and Windows XP; this combination works really well. Without this it's not possible to do computer authentication because, purely, where are the computer accounts held? In an AD domain.

    Just thinking about it, have a look at the following info on this site:

    http://www.rmschneider.com/writing/x...l#_Toc73070424

    Particularly the bit about joining a Samba domain and also having a machine trust account created for the client on the Samba server.

    HTH,

    Ash.
    Last edited by spc-rocket; 4th July 2008 at 09:55 AM.

  9. #9
    DMcCoy
    You may be able to get further with XP SP3 using the XML profiles for the NAP client, as this has some pre-logon 802.1X settings.
