Question

802.1x Authentication for Wireless Network - User Auth after Computer Auth?

Asked by: WideAreaMedia

Hello Everyone,

   I am in the process of converting our office's wireless network to use 802.1x access control. I have everything set up and we are successfully connecting and using the network on our test machines. The wireless network settings are provided by Group Policy and the access points are connecting to Microsoft IAS using RADIUS. The domain computers that have wireless capabilities have been added to a group called Wireless - Allowed. This allows them to use computer authentication for a wireless connection while the machine is not logged in, so users that haven't logged into the machine before / have changed their password can log in.

   After a user logs in, the wireless connection is maintained even if that user does not have the appropriate permissions to connect to the wireless network. What I'd like to have happen is that the machine uses computer authentication to connect to the wireless network when it's not logged in. After a user logs in, I'd like it to use their credentials to connect. This way, if a user without wireless permission logs in, the machine is disconnected from the wireless network until the user logs off. Is this possible? Thanks in advance for any help you can provide.

Best Regards,
Martin Schultz


Asked On: 2009-03-12 at 09:57:16, ID 24224657

Tags: 802.1x, computer authentication, user authentication, wireless security

Topics: Wireless Technologies, 802.11 Wireless Access Points, Network Security, Miscellaneous Networking, Windows Networking

Participating Experts: 1
Points: 500
Comments: 12


Answers

 

by: ShineOn, posted on 2009-03-22 at 20:25:33, ID: 23954646

What is your physical wireless infrastructure - WAP mfgr/configuration, authentication protocol (EAP-TLS, PEAP, MS-CHAP/PAP etc.), what supplicant are you using (native WZC, Cisco/Meetinghouse, Funk)?

How is your IAS policy configured?  Can you post the policies and the order of hierarchy?
Do you have your user objects getting their dial access permissions from policy?

Have you tried simply allowing authentication at login rather than pre-authentication of the workstation?  What is it in your environment that prevents dynamic load of the domain profile at login if you don't pre-authenticate the workstation?

 

by: WideAreaMedia, posted on 2009-03-23 at 07:55:21, ID: 23958275

Ok, I'll do my best to answer each of these questions. We have one Wireless AP, it is a Linksys WRT54G. It is configured to use RADIUS authentication with WEP encryption. It calls a RADIUS server in the form of Microsoft IAS for authentication. The supplicants at this time are all WZC native with their settings provided for in Group Policy.

There is only one IAS policy that applies to the wireless, and it is the first policy in this IAS server. It filters by NAS Port and Windows Group membership. The group is called "Wireless - Allow". If the user is a member of this group, he or she is allowed access to the wireless network. The problem is that the wireless domain computers cannot authenticate users before they log in, since they don't have a wireless connection. As a result, I've had to enable Computer Authentication and add the wireless computers to the Wireless - Allow group to let them establish connection before a user logs in.

I want the computers to be able to wirelessly authenticate users, i.e. a user that hasn't logged on to that workstation before or has since changed his password, but I also don't want users that aren't allowed on the wireless network to have a wireless connection. I want them to be able to log into the machine, but if their user credentials don't give them access I want the wireless connection to be terminated / restricted at that time.

I hope that makes some sense. I'm not sure what you mean by allowing authentication at login rather than pre-authentication of the workstation, but that sounds like it's in the right vein. Any suggestions you can provide would be greatly appreciated!

Best Regards,
Martin

 

by: ShineOn, posted on 2009-03-23 at 15:53:36, ID: 23963088

OK.  WEP is not all that good.  I would change that to WPA-TKIP, personally.  WEP involves pre-shared keys.  802.1x WPA-TKIP will dynamically generate the keys.

You may want to consider adding another access policy, called "wireless no access" or something to that effect.  Create a group that would have all the people you want to deny access to and put them in that group, and use that group membership as criteria, in addition to the NAS port type.  You can set that policy to "deny."  That may be the crux of your issue, but I still like the idea of getting you off WEP and onto a true 802.1x scheme.

I don't know how good the WRT54G is at doing 802.1x authentication.  We use Cisco Aironet WAPs.  I'll try to determine how that is different, if necessary, but for now I'll pretend that since Linksys is a Cisco company they will do at least WPA1-level 802.1x authentication.  The WAP should be set up to do WPA-TKIP with RADIUS 802.1x authentication - not WEP.  I'm pretty sure the WRT54G can do that.  Also set it not to broadcast your SSID.

In your wireless zero config setup you should have the option to authenticate the user at the login dialog.  Each wireless NIC manufacturer has a different supplicant built into its driver set, more often than not Atheros, unless it's an Intel card which uses its own.  Regardless, if the Wireless Zero Config has been updated to current, it should have full support for WPA 802.1x authentication.

Try these settings:  (of course, the WAP will have to be set accordingly, so be sure to write down or save your current settings in case this fails.)

On the Association tab, set your SSID (which you shouldn't be broadcasting) and check "Connect even if this network is not broadcasting."
In the wireless network key section, set the Network Authentication to WPA and the Data Encryption to TKIP.
On the Authentication tab, set the EAP type to Protected EAP (PEAP).  Do not check Authenticate as Computer or Authenticate as Guest.  Click Properties.
On the PEAP screen, make sure the Authentication Method is set to Secured password (EAP-MSCHAP v2).  Leave the server certificate unchecked, then click OK.
On the Connection tab, check the checkbox to connect when the network is in range.

When the user logs in, their credentials should be passed to IAS by the WAP for authentication via a secure link already established between WZC and the access point. When authentication is confirmed, the access point should establish the network connection and then continue the Windows authentication process.  In theory.

Hope that helps.
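The policy-ordering advice above (a "wireless no access" policy set to deny, matched on NAS port type plus group membership, alongside the existing "Wireless - Allow" policy) depends on IAS evaluating remote access policies top to bottom and applying the first one whose conditions all match. The following is an added illustration, not code from the thread or from IAS: a small model of that first-match evaluation with constructed accounts, showing that the computer account still gets in, that a user in the deny group is refused only when the deny policy sits above the allow policy, and that a user matching no policy is rejected.

```python
# Added example, not part of the original thread: models IAS remote access
# policy evaluation (ordered, first match wins, no match = reject) for the
# wireless scenario discussed above. Group/policy names follow the thread;
# the accounts and the "Wireless - No Access" group are constructed.
from dataclasses import dataclass

NAS_PORT_WIRELESS = "Wireless - IEEE 802.11"


@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Policy:
    name: str
    nas_port_type: str      # condition: NAS-Port-Type attribute in the request
    required_group: str     # condition: Windows group membership
    grant: bool             # False models "Deny remote access permission"


def evaluate(policies, account, nas_port_type):
    """Walk the policy list in order; the first policy whose conditions all
    match decides the outcome. If nothing matches, IAS rejects the request."""
    for p in policies:
        if p.nas_port_type == nas_port_type and p.required_group in account.groups:
            return p.grant, p.name
    return False, "<no matching policy>"


# Constructed accounts: the wireless laptop's computer account, an allowed
# user, and a user who must be kept off wireless. Bob is in "Wireless - Allow"
# too (for example via a nested group), which is exactly the case where an
# explicit deny policy placed first is needed.
LAPTOP = Account("LAPTOP01$", frozenset({"Domain Computers", "Wireless - Allow"}))
ALICE = Account("alice", frozenset({"Domain Users", "Wireless - Allow"}))
BOB = Account("bob", frozenset({"Domain Users", "Wireless - Allow", "Wireless - No Access"}))
CAROL = Account("carol", frozenset({"Domain Users"}))

ALLOW = Policy("Wireless - Allow", NAS_PORT_WIRELESS, "Wireless - Allow", grant=True)
DENY = Policy("Wireless - No Access", NAS_PORT_WIRELESS, "Wireless - No Access", grant=False)


def decisions(policies, nas_port_type=NAS_PORT_WIRELESS):
    """Outcome per account for a given policy order and NAS port type."""
    return {a.name: evaluate(policies, a, nas_port_type)[0]
            for a in (LAPTOP, ALICE, BOB, CAROL)}


if __name__ == "__main__":
    print("deny policy first :", decisions([DENY, ALLOW]))
    print("allow policy first:", decisions([ALLOW, DENY]))
    print("wired port, same policies:", decisions([DENY, ALLOW], "Ethernet"))
```

With the deny policy first, bob is refused while the laptop's computer account and alice are granted; with the allow policy first, bob's allow-group membership matches before the deny policy is ever reached.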

 

by: ShineOn, posted on 2009-03-23 at 15:58:14, ID: 23963123

Oh, one more thing,

WZC has an "advanced" button on the authentication tab, with a setting that has it authenticate with your local user ID.  I think that should be un-checked in order to have it use the user ID and password you enter into the dialog.

 

by: ShineOn, posted on 2009-03-23 at 16:00:16, ID: 23963133

One more thing - this won't let you log in to the local machine with a profile that doesn't already exist on the local machine if the wireless auth fails and you tell it not to keep trying.  The user profile would have to be there already.

 

by: WideAreaMedia, posted on 2009-03-25 at 14:29:34, ID: 23984937

ShineOn,

   Thanks for the tips. I've tried the steps you've provided, but I'm still having trouble. I think your last comment describes exactly what I want to accomplish. I would like to be able to allow users to log in to computers that are wireless network clients. Ideally, the user authentication can be passed to the RADIUS server, and then the user is allowed to log in. However, when I attempt to authenticate with computer authentication disabled, I get an error that the Windows domain is unavailable.

   In short, I'm trying to let users authenticate on wireless computers they haven't logged into before. Thanks for the help so far!

Best Regards,
Martin

 

by: WideAreaMedia, posted on 2009-03-25 at 15:30:42, ID: 23985477

I did, however, raise the encryption standard to WPA - TKIP as you recommended, so that's good at least.

 

by: ShineOn, posted on 2009-03-25 at 20:21:10, ID: 23987054

If I get a chance I will check something at work to see if I can give you more info.  

Do you get anything in your IAS logs when you try the setup I outlined?

When you enter the user ID do you use the domain\user notation or the user@domain.tld notation?  Assuming you're using one or the other and not just the user ID, of course...

 

by: WideAreaMedia, posted on 2009-03-26 at 10:14:41, ID: 23992803

Ok, I've got it working for the most part. Here's a followup question if you'd like to take a swing at it: http://www.experts-exchange.com/Networking/Wireless/Q_24265573.html

For future users' reference, here are the settings distilled from ShineOn's post that ended up (mostly) working for me, with the only outstanding unresolved issue being the one linked to above.

Wireless Access Point: WRT54G v8.0 using DD-WRT v24 w/sp1 Firmware
Wireless Security: WPA Enterprise using RADIUS from Microsoft IAS

Settings for Wireless Zero Config in Windows were in my case deployed by Group Policy, but could also be set manually. Added a WPA / TKIP network using GPO. Computer Auth is turned on with User Re-Authentication. Guest Auth is off. EAP is using Protected EAP (PEAP). Trusted Root Certification Authorities include our Active Directory Certificate Authority, which is added to the clients using Group Policy as well. Fast Reconnect is disabled. Authentication method is EAP-MSCHAP v2 and Automatically Use Domain User / Password is enabled. Do Not Prompt User to authorize New Servers or Trusted Certification Authorities is enabled. IEEE 802.1x Certificate Authority for Machine Authentication is defined with the hash of the AD CA.

There are a lot of settings to be tweaked in these setups, and I don't claim to be an expert at all. This configuration may or may not suit your needs, and may not follow security or other best practices - I have no idea. Thanks for the help ShineOn, and any help on that other question is as always greatly appreciated.

Best Regards,
Martin

 

by: WideAreaMedia, posted on 2009-03-26 at 10:15:52, ID: 31557379

Thanks for your help. I left a comment below describing the combination that ended up working.
