Solved

Windows XP/Vista 802.1x wireless prelogon supplicant

Posted on 2008-10-06
3,794 Views
Last Modified: 2013-11-12
I am a Cisco wireless engineer and deal with enterprise rollouts of Cisco wireless networks.  Lately, I have been working with schools that allow students to log in to a laptop (not their own, just a community machine).  This laptop does not have a wired network connection but still needs to authenticate the user to the Active Directory domain.  I have used Intel PROSet and the Dell Wireless Utility for wireless domain pre-logon authentication using Cisco ACS, MS IAS, and FreeRADIUS with success.  I am now trying to use the Broadcom Wireless Utility and heard that Proxim also supports such requirements.  

I have also heard that this is built into Vista when you have a Windows 2008 Active Directory.  I have tried to get this working but haven't been successful in a lab environment.

To date, what are the experts doing in this space for Windows domain wireless pre-logon?  I do not need any configuration assistance; my intent is more to have an open conversation about industry best practices.  

Thanks!
Question by:bjohnson_MN
8 Comments
 
LVL 4

Expert Comment

by:placebo69a
ID: 22654143
Oh, I think you're light-years ahead of the industry there... :)
As far as best practice, until the issue is properly addressed by the biggies (Microsoft, Cisco and all the rest), I'd stick to what I can make work and cross my fingers on both hands.
 
LVL 1

Author Comment

by:bjohnson_MN
ID: 22654212
Thanks!  I'm trying to envision a mixed wireless client environment with all the same wireless supplicant for wireless domain pre-logon authentication.  The only way I know how to do that is using a WPA/WPA2 pre-shared key.  Since 802.1x (PEAP, etc.) is the most secure solution, I would like to use it.

So far all I've been able to implement is wireless-card-specific supplicants.  In a school, for example, they add 100+ laptops every year and it would be very nice to give them a native (to the OS) pre-logon enabled wireless supplicant for their new wireless network.  
 
LVL 2

Accepted Solution

by:
mrnetbios earned 504 total points
ID: 22747281
Vista pre-logon wireless is indeed a feature that requires a Server 2008 AD.
The feature is enabled by creating an 802.11 Group Policy which specifies the SSID & authentication settings.   The GPO must be propagated to the Vista client before it can be activated.

I have just set one up, but have yet to figure out how it will actually operate from the user's view.  I already have pre-logon VPN connections configured, and it doesn't show up with them.
I'm still tilting at it.
 
LVL 1

Author Comment

by:bjohnson_MN
ID: 22754308
Thank you for the response!  In the 2008 GPO, does it allow 802.1x wireless clients?  Possibly WPA2 Enterprise with PEAP?

Thanks again!
 
LVL 2

Assisted Solution

by:mrnetbios
mrnetbios earned 504 total points
ID: 22755061
There are separate GPOs for 802.11 and 802.1x wired.
The GPOs allow you to configure any authentication method you want.
(Well, the ones that you have installed on the server that you are editing the policy on. This was a problem for me, but I fake-installed the protocol I'm developing and got past that.)

See this article for a discussion and screen shots of the dialogs:
http://technet.microsoft.com/en-us/magazine/cc162468.aspx 
 
LVL 2

Assisted Solution

by:mrnetbios
mrnetbios earned 504 total points
ID: 23540630
I'd forgotten about this question.
I've just got our EAP method working Pre-Logon last week and we have found these requirements:
(using a GPO is _not_ necessary)

- The system must have been joined to a domain
- the profile must be usable by all users (default)
- the protocol profile must, in the <Onex> schema,  have
  - <authMode> set to "user" or "machineOrUser"
  - at least, the attributes <singleSignon> <type>preLogon</type></singleSignon>
- The protocol profile must be set to automatic (e.g. Connection tab: "Connect automatically when network is in range")

If your authentication method is not emitting the correct profile, you can edit it by doing the following:
Command as Admin: netsh wlan export profile
Open the corresponding XML that it will write, edit the parameters, save.
Delete the current definition in the Wireless Connections manager,
then as Admin: netsh wlan add profile filename=updated.xml

Unlike pre-logon dial or VPN connections, you will not see a separate tile in the logon dialogs.
You will see an extra text line under the password prompt saying "This logon will use the profile-name connection"   If the network connection fails, it will do a desktop logon anyways.

I may have left out a few details, but that should get you on the right track.
Wireless profiles and the XML schema are documented, poorly, online.
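As an added example (not code from the thread or from its author), a PowerShell script that automates the export, edit and re-add steps the comment above describes. It assumes an elevated PowerShell on Vista or later and an existing all-user 802.1X wireless profile named in $ProfileName; element names follow the OneX profile schema, where the element is spelled singleSignOn.

```powershell
# Added example, not code from the thread: scripts the netsh export / edit /
# re-add steps above. Assumes an elevated PowerShell and an existing all-user
# 802.1X profile; element names follow the OneX schema (spelled singleSignOn).
param([Parameter(Mandatory=$true)] [string] $ProfileName,
      [string] $WorkDir = "$env:TEMP\wlan-prelogon")
$wlanNs = 'http://www.microsoft.com/networking/WLAN/profile/v1'
$oneXNs = 'http://www.microsoft.com/networking/OneX/v1'

# 1. Export the current profile definition to a clean folder.
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Remove-Item "$WorkDir\*.xml" -ErrorAction SilentlyContinue
netsh wlan export profile name="$ProfileName" folder="$WorkDir" | Out-Null
$file = Get-ChildItem $WorkDir -Filter '*.xml' | Select-Object -First 1
if (-not $file) { throw "netsh exported no XML for profile '$ProfileName'" }
[xml] $xml = Get-Content -Raw $file.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('w', $wlanNs)
$ns.AddNamespace('x', $oneXNs)

# 2. Connect automatically, so the link is up before the logon prompt.
$mode = $xml.SelectSingleNode('/w:WLANProfile/w:connectionMode', $ns)
if ($mode) { $mode.InnerText = 'auto' }

# 3. Patch the OneX block. Its schema is an ordered sequence ending in
#    EAPConfig, so missing elements are inserted before it, not appended.
$onex = $xml.SelectSingleNode('//x:OneX', $ns)
if (-not $onex) { throw 'No OneX block: this is not an 802.1X profile' }
$eap  = $onex.SelectSingleNode('x:EAPConfig', $ns)
$auth = $onex.SelectSingleNode('x:authMode', $ns)
if (-not $auth) {
    $auth = $onex.InsertBefore($xml.CreateElement('authMode', $oneXNs), $eap)
}
$auth.InnerText = 'machineOrUser'   # per the thread: 'user' or 'machineOrUser'
$sso = $onex.SelectSingleNode('x:singleSignOn', $ns)
if (-not $sso) {
    $sso = $onex.InsertAfter($xml.CreateElement('singleSignOn', $oneXNs), $auth)
}
$type = $sso.SelectSingleNode('x:type', $ns)
if (-not $type) { $type = $sso.InsertBefore($xml.CreateElement('type', $oneXNs), $sso.FirstChild) }
$type.InnerText = 'preLogon'

# 4. Replace the stored profile with the patched one, for all users.
$updated = Join-Path $WorkDir 'updated.xml'
$xml.Save($updated)
netsh wlan delete profile name="$ProfileName"
netsh wlan add profile filename="$updated" user=all
```

The delete/add pair briefly removes the profile, so run it from a console session rather than over the wireless link it modifies.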
 
LVL 2

Expert Comment

by:mrnetbios
ID: 24442296
Wireless SSO parameters are available on the Connection Properties dialog under Advanced settings in Windows 7.  You will not have to edit the profile XML.