Solved

Windows XP/Vista 802.1x wireless prelogon supplicant

Posted on 2008-10-06
8
3,767 Views
Last Modified: 2013-11-12
I am a Cisco wireless engineer and deal with enterprise rollouts of Cisco wireless networks. Lately, I have been working with schools that allow students to log in to a laptop (not their own, just a community machine). This laptop does not have a wired network connection but still needs to authenticate the user to the Active Directory domain. I have used Intel Proset and the Dell Wireless Utility for wireless domain pre-logon authentication using Cisco ACS, MS IAS, and Free Radius with success. I am now trying to use the Broadcom Wireless Utility and heard that Proxim also supports such requirements.

I have also heard that this is built into Vista when you have a Windows 2008 Active Directory.  I have tried to get this working but haven't been successful in a lab environment.

To date, what are the experts doing in this space for Windows domain wireless pre-logon? I do not need any configuration assistance; my intent was more to have an open conversation about industry best practices.

Thanks!
Question by:bjohnson_MN
8 Comments
 
LVL 4

Expert Comment

by:placebo69a
ID: 22654143
Oh I think you're lightyears ahead of the industry there... :)
As far as best practice, until the issue is properly addressed by the biggies (microsoft, cisco and all the rest), I'd stick to what I can make work and cross my fingers on both hands.
 
LVL 1

Author Comment

by:bjohnson_MN
ID: 22654212
Thanks! I'm trying to envision a mixed wireless client environment with all the same wireless supplicant for wireless domain pre-logon authentication. The only way I know how to do that is using a WPA/WPA2 preshared key. Since 802.1x (PEAP, etc.) is the most secure solution, I would like to use it.

So far all I've been able to implement is wireless card specific supplicants. In a school, for example, they add 100+ laptops every year and it would be very nice to give them a native (to the OS) pre-logon enabled wireless supplicant for their new wireless network.
 
LVL 2

Accepted Solution

by:
mrnetbios earned 504 total points
ID: 22747281
Vista pre-logon wireless is indeed a feature that requires a Server 2008 AD.
The feature is enabled by creating an 802.11 Group Policy which specifies the SSID & authentication settings. The GPO must be propagated to the Vista client before it can be activated.

I have just set one up, but have yet to figure out how it will actually operate from the user's view. I already have pre-logon VPN connections configured, and it doesn't show up with them.
I'm still tilting at it.
 
LVL 1

Author Comment

by:bjohnson_MN
ID: 22754308
Thank you for the response! In the 2008 GPO does it allow 802.1x wireless clients? Possibly WPA2 Enterprise with PEAP?

Thanks again!
 
LVL 2

Assisted Solution

by:mrnetbios
mrnetbios earned 504 total points
ID: 22755061
There are separate GPOs for 802.11 and 802.1x wired.
The GPOs allow you to configure any authentication method you want.
(Well the ones that you have installed on the server that you are editing the policy on - this was a problem for me, but I fake installed the protocol I'm developing, and got past that.)

See this article for a discussion and screen shots of the dialogs:
http://technet.microsoft.com/en-us/magazine/cc162468.aspx 
 
LVL 2

Assisted Solution

by:mrnetbios
mrnetbios earned 504 total points
ID: 23540630
I'd forgotten about this question.
I've just got our EAP method working Pre-Logon last week and we have found these requirements:
(using a GPO is _not_ necessary)

- The system must have been joined to a domain
- the profile must be usable by all users (default)
- the protocol profile must, in the <Onex> schema, have
  - <authMode> set to "user" or "machineOrUser"
  - at least, the attributes <singleSignon> <type>preLogon</type></singleSignon>
- The protocol profile must be set to automatic (e.g. Connection tab: "Connect automatically when network is in range")

If your authentication method is not emitting the correct profile, you can edit it by doing the following:
- Command as Admin: netsh wlan export profile
- Open the corresponding XML that it will write, edit the parameters, save
- Delete the current definition in the Wireless Connections manager
- Then as Admin: netsh wlan add profile filename=updated.xml

Unlike pre-logon dial or VPN connections, you will not see a separate tile in the logon dialogs.
You will see an extra text line under the password prompt saying "This logon will use the profile-name connection". If the network connection fails, it will do a desktop logon anyways.

I may have left out a few details, but that should get you on the right track.
Wireless profiles and the XML schema are documented, poorly, online.
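The "edit the parameters" step above is the one people get wrong, so here is an added worked example (mine, not code from the thread or from Microsoft) that does that step offline. It takes the XML that `netsh wlan export profile` writes, reports which of the three XML-level requirements from the post are not met (connection mode automatic, authMode user or machineOrUser, singleSignOn type preLogon), and rewrites the profile so that they are. Element and namespace names (`WLANProfile`, `connectionMode`, `OneX`, `authMode`, `singleSignOn`, `type`, `maxDelay`, `allowAdditionalDialogs`) are the ones in the Microsoft WLAN profile and OneX schemas; note the schema casing is `OneX` and `singleSignOn`. The sample profile, the 10-second `maxDelay`, and the function names `check_prelogon` / `enable_prelogon` are my own constructions.

```python
"""Check and fix a Windows WLAN profile XML for pre-logon 802.1X single sign-on.

Constructed example. Covers only the "edit the XML" step of the procedure in the
post; exporting and re-adding the profile is still done with netsh on the client.
"""
import xml.etree.ElementTree as ET

# Namespaces used by the WLAN profile root and the embedded 802.1X (OneX) section.
WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
NS = {"w": WLAN_NS, "x": ONEX_NS}
ET.register_namespace("", WLAN_NS)      # serialize the profile with its default namespace
ET.register_namespace("onex", ONEX_NS)  # OneX elements come out prefixed; equivalent XML

ALLOWED_AUTH_MODES = ("user", "machineOrUser")  # from the post; "machine" alone cannot SSO a user

# Constructed sample: a WPA2-Enterprise profile as exported, but manual connection,
# machine-only auth and no singleSignOn block, so pre-logon will not happen.
SAMPLE_PROFILE = """
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CampusWiFi</name>
  <SSIDConfig><SSID><name>CampusWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""


def _q(ns, tag):
    """Clark-notation qualified tag name."""
    return "{%s}%s" % (ns, tag)


def check_prelogon(profile_xml):
    """Return a list of problems; an empty list means the XML-level requirements hold."""
    root = ET.fromstring(profile_xml.strip())
    problems = []
    mode = root.findtext("w:connectionMode", default="", namespaces=NS)
    if mode != "auto":
        problems.append("connectionMode is %r, must be 'auto'" % mode)
    onex = root.find(".//x:OneX", NS)
    if onex is None:
        problems.append("no OneX section: this is not an 802.1X profile")
        return problems
    auth_mode = onex.findtext("x:authMode", default="", namespaces=NS)
    if auth_mode not in ALLOWED_AUTH_MODES:
        problems.append("authMode is %r, must be one of %s" % (auth_mode, ALLOWED_AUTH_MODES))
    sso_type = onex.findtext("x:singleSignOn/x:type", default="", namespaces=NS)
    if sso_type != "preLogon":
        problems.append("singleSignOn/type is %r, must be 'preLogon'" % sso_type)
    return problems


def enable_prelogon(profile_xml, max_delay=10):
    """Return the profile rewritten so check_prelogon() passes; raises if not 802.1X."""
    root = ET.fromstring(profile_xml.strip())
    conn = root.find("w:connectionMode", NS)
    if conn is None:
        raise ValueError("profile has no connectionMode element")
    conn.text = "auto"
    onex = root.find(".//x:OneX", NS)
    if onex is None:
        raise ValueError("profile has no OneX section; enable 802.1X first")
    # Schema order inside OneX: ... authMode, singleSignOn, EAPConfig. Keep it.
    eap = onex.find("x:EAPConfig", NS)
    end = list(onex).index(eap) if eap is not None else len(onex)
    auth = onex.find("x:authMode", NS)
    if auth is None:
        auth = ET.Element(_q(ONEX_NS, "authMode"))
        onex.insert(end, auth)
    if auth.text not in ALLOWED_AUTH_MODES:
        auth.text = "machineOrUser"   # keeps machine auth before logon, user auth after
    sso = onex.find("x:singleSignOn", NS)
    if sso is None:
        sso = ET.Element(_q(ONEX_NS, "singleSignOn"))
        onex.insert(list(onex).index(auth) + 1, sso)
    for child in list(sso):          # rebuild in schema order: type, maxDelay, allowAdditionalDialogs
        sso.remove(child)
    ET.SubElement(sso, _q(ONEX_NS, "type")).text = "preLogon"
    ET.SubElement(sso, _q(ONEX_NS, "maxDelay")).text = str(max_delay)
    ET.SubElement(sso, _q(ONEX_NS, "allowAdditionalDialogs")).text = "false"
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", check_prelogon(SAMPLE_PROFILE))
    fixed = enable_prelogon(SAMPLE_PROFILE)
    print("after: ", check_prelogon(fixed))
    print(fixed)
```

Write the returned text to `updated.xml` and finish with the netsh steps from the post; `netsh wlan add profile` installs the profile for all users unless told otherwise, which is the "usable by all users" requirement. Run `check_prelogon` on the re-exported profile afterwards to confirm the supplicant kept the settings.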
 
LVL 2

Expert Comment

by:mrnetbios
ID: 24442296
Wireless SSO parameters are available on the Connection Properties dialog under Advanced settings in Windows 7. You will not have to edit the profile XML.