Solved

Windows XP/Vista 802.1x wireless prelogon supplicant

Posted on 2008-10-06
Last Modified: 2013-11-12
I am a Cisco wireless engineer and deal with enterprise rollouts of Cisco wireless networks. Lately, I have been working with schools that allow students to log in to a laptop (not their own, just a community machine). This laptop does not have a wired network connection but still needs to authenticate the user to the Active Directory domain. I have used Intel Proset and the Dell Wireless Utility for wireless domain pre-logon authentication using Cisco ACS, MS IAS, and FreeRADIUS with success. I am trying now to use the Broadcom Wireless Utility and heard that Proxim also supports such requirements.

I have also heard that this is built into Vista when you have a Windows 2008 Active Directory.  I have tried to get this working but haven't been successful in a lab environment.

To date, what are the experts doing in this space for Windows domain wireless pre-logon? I do not need any configuration assistance; my intent was more of an open conversation about industry best practices.

Thanks!
Question by:bjohnson_MN
8 Comments
 
LVL 4

Expert Comment

by:placebo69a
Oh I think you're lightyears ahead of the industry there... :)
As far as best practice, until the issue is properly addressed by the biggies (microsoft, cisco and all the rest), I'd stick to what I can make work and cross my fingers on both hands.
 
LVL 1

Author Comment

by:bjohnson_MN
Thanks! I'm trying to envision a mixed wireless client environment with all the same wireless supplicant for wireless domain pre-logon authentication. The only way I know how to do that is using a WPA/WPA2 preshared key. Since 802.1x (PEAP, etc.) is the most secure solution I would like to use it.

So far all I've been able to implement is wireless-card-specific supplicants. In a school, for example, they add 100+ laptops every year and it would be very nice to give them a native (to the OS) pre-logon enabled wireless supplicant for their new wireless network.
 
LVL 2

Accepted Solution

by:mrnetbios
mrnetbios earned 504 total points
Vista pre-logon wireless is indeed a feature that requires a Server 2008 AD.
The feature is enabled by creating an 802.11 Group Policy which specifies the SSID and authentication settings. The GPO must be propagated to the Vista client before it can be activated.

I have just set one up, but have not yet figured out how it will actually operate from the user's view. I already have pre-logon VPN connections configured, and it doesn't show up with them.
I'm still tilting at it.
LVL 1

Author Comment

by:bjohnson_MN
Thank you for the response! In the 2008 GPO does it allow 802.1x wireless clients? Possibly WPA2 Enterprise with PEAP?

Thanks again!
 
LVL 2

Assisted Solution

by:mrnetbios
mrnetbios earned 504 total points
There are separate GPOs for 802.11 and 802.1x wired.
The GPOs allow you to configure any authentication method you want.
(Well, the ones that you have installed on the server that you are editing the policy on; this was a problem for me, but I fake-installed the protocol I'm developing and got past that.)

See this article for a discussion and screen shots of the dialogs:
http://technet.microsoft.com/en-us/magazine/cc162468.aspx
 
LVL 2

Assisted Solution

by:mrnetbios
mrnetbios earned 504 total points
I'd forgotten about this question.
I've just got our EAP method working pre-logon last week and we have found these requirements:
(using a GPO is _not_ necessary)

- The system must have been joined to a domain
- the profile must be usable by all users (default)
- the protocol profile must, in the <Onex> schema, have
  - <authMode> set to "user" or "machineOrUser"
  - at least, the attributes <singleSignon> <type>preLogon</type></singleSignon>
- The protocol profile must be set to automatic (e.g. Connection tab: "Connect automatically when network is in range")

If your authentication method is not emitting the correct profile, you can edit it by doing the following:
Command as Admin: netsh wlan export profile
Open the corresponding XML that it will write, edit the parameters, save.
Delete the current definition in the Wireless Connections manager,
then as Admin: netsh wlan add profile filename=updated.xml

Unlike pre-logon dial or VPN connections, you will not see a separate tile in the logon dialogs.
You will see an extra text line under the password prompt saying "This logon will use the profile-name connection". If the network connection fails, it will do a desktop logon anyway.

I may have left out a few details, but that should get you on the right track.
Wireless profiles and the XML schema are documented, poorly, online.
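The export / edit / delete / re-add sequence from the comment above, scripted as an added example (this is not code from the thread or from Microsoft). It assumes a profile named "CorpWiFi" (hypothetical) that already carries a working 802.1X/EAP configuration, an elevated PowerShell session, and the documented WLAN profile schema, in which the 802.1X block is the `OneX` element under the namespace http://www.microsoft.com/networking/OneX/v1 with child order `authMode`, `singleSignOn`, `EAPConfig`. It enforces the four listed requirements that live in the profile: automatic connection, `authMode` user or machineOrUser, `singleSignOn` of type preLogon, and an all-users profile on re-import.

```powershell
# Added example, not from the original thread: script the export/edit/re-add steps so the
# profile meets the listed pre-logon requirements. Assumptions (not in the thread): the
# profile is named "CorpWiFi", already has an EAPConfig block, and this runs elevated.
param(
    [string]$ProfileName = "CorpWiFi",
    [string]$WorkDir     = (Join-Path $env:TEMP "wlanprofile")
)
$ErrorActionPreference = "Stop"
$wlanNs = "http://www.microsoft.com/networking/WLAN/profile/v1"
$oneXNs = "http://www.microsoft.com/networking/OneX/v1"

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# Step 1: export. netsh names the file "<interface name>-<profile name>.xml".
netsh wlan export profile name="$ProfileName" folder="$WorkDir" | Out-Null
$exported = Get-ChildItem -Path $WorkDir -Filter "*-$ProfileName.xml" | Select-Object -First 1
if (-not $exported) { throw "netsh wrote no XML for profile '$ProfileName'" }

# Step 2: edit. Every element sits in a namespace, so XPath needs a namespace manager.
[xml]$doc = Get-Content -Path $exported.FullName -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("w", $wlanNs)
$ns.AddNamespace("x", $oneXNs)

# Requirement: connect automatically when the network is in range.
$mode = $doc.SelectSingleNode("/w:WLANProfile/w:connectionMode", $ns)
if (-not $mode) {
    $mode = $doc.CreateElement("connectionMode", $wlanNs)
    $msm  = $doc.SelectSingleNode("/w:WLANProfile/w:MSM", $ns)
    $doc.DocumentElement.InsertBefore($mode, $msm) | Out-Null
}
$mode.InnerText = "auto"

# Requirement: an 802.1X profile whose authMode is user or machineOrUser.
$oneX = $doc.SelectSingleNode("//x:OneX", $ns)
if (-not $oneX) { throw "Profile '$ProfileName' has no OneX block, so it is not an 802.1X profile" }
$eap = $oneX.SelectSingleNode("x:EAPConfig", $ns)   # schema order: authMode, singleSignOn, EAPConfig

$authMode = $oneX.SelectSingleNode("x:authMode", $ns)
if (-not $authMode) {
    $authMode = $doc.CreateElement("authMode", $oneXNs)
    $oneX.InsertBefore($authMode, $eap) | Out-Null
}
if (@("user", "machineOrUser") -notcontains $authMode.InnerText) { $authMode.InnerText = "machineOrUser" }

# Requirement: singleSignOn of type preLogon. Rebuild the block so stale settings do not linger.
$sso = $oneX.SelectSingleNode("x:singleSignOn", $ns)
if ($sso) { $oneX.RemoveChild($sso) | Out-Null }
$sso = $doc.CreateElement("singleSignOn", $oneXNs)
foreach ($kv in @(@("type", "preLogon"), @("maxDelay", "10"), @("allowAdditionalDialogs", "false"))) {
    $el = $doc.CreateElement($kv[0], $oneXNs)
    $el.InnerText = $kv[1]
    $sso.AppendChild($el) | Out-Null
}
$oneX.InsertAfter($sso, $authMode) | Out-Null

$updated = Join-Path $WorkDir "updated.xml"
$doc.Save($updated)

# Step 3: replace the stored profile. user=all keeps it usable by every account,
# which is another of the listed requirements.
netsh wlan delete profile name="$ProfileName" | Out-Null
netsh wlan add profile filename="$updated" user=all
netsh wlan show profile name="$ProfileName"
```

The EAPConfig block is left untouched, so whatever PEAP or other method the profile already carries keeps its settings; only the three OneX/connection settings named in the comment are forced. `maxDelay` is the number of seconds the logon screen waits for the wireless connection before falling back to a desktop logon, which matches the "if the network connection fails, it will do a desktop logon anyway" behaviour described above.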
 
LVL 2

Expert Comment

by:mrnetbios
Wireless SSO parameters are available on the Connection Properties dialog under Advanced settings in Windows 7. You will not have to edit the profile XML.