Solved

Windows XP/Vista 802.1x wireless prelogon supplicant

Posted on 2008-10-06
8
3,784 Views
Last Modified: 2013-11-12
I am a Cisco wireless engineer and deal with enterprise roll outs of Cisco wireless networks.  Lately, I have been working with schools that allow students to login to a laptop (not their own, just a community machine).  This laptop does not have a wired network connection but still needs to authenticate the user to the Active Directory domain.  I have used Intel Proset and the Dell Wireless Utility for wireless domain pre logon authentication using Cisco ACS, MS IAS, and Free Radius with success.  I am trying now to use the Broadcom Wireless Utility and heard that Proxim also supports such requirements.  

I have also heard that this is built into Vista when you have a Windows 2008 Active Directory.  I have tried to get this working but haven't been successful in a lab environment.

To date, what are the experts doing in this space for Windows domain wireless pre logon?  I do not need any configuration assistance, my intent was more of any open conversation about industry best practices.  

Thanks!
0
Comment
Question by:bjohnson_MN
8 Comments
 
LVL 4

Expert Comment

by:placebo69a
ID: 22654143
Oh I think you're lightyears ahead of the industry there... :)
As far as best practice, until the issue is properly addressed by the biggies (microsoft, cisco and all the rest), I'd stick to what I can make work and cross my fingers on both hands.
0
 
LVL 1

Author Comment

by:bjohnson_MN
ID: 22654212
Thanks!  I'm trying to envision a mixed wireless client environment with all the same wireless supplicant for wireless domain pre-logon authentication.  The only way I know how to do that is using a WPA/WPA2 preshared key.  Since 802.1x (PEAP, etc) is the most secure solution I would like to use it.

So far all I've been able to implement is wireless card specific supplicants.  In a school for example, they add 100+ laptops every year and it would be very nice to give them a native (to the OS) pre-logon enabled wireless supplicant for their new wireless network.
0
 
LVL 2

Accepted Solution

by:
mrnetbios earned 504 total points
ID: 22747281
Vista pre-logon wireless is indeed a feature that requires a Server 2008 AD.
The feature is enabled by creating an 802.11 Group Policy which specifies the SSID & authentication settings.   The GPO must be propagated to the Vista client before it can be activated.

I have just set one up, but have yet to figure out how it will actually operate from the user's view.  I already have pre-logon VPN connections configured, and it doesn't show up with them.
I'm still tilting at it.
0
 
LVL 1

Author Comment

by:bjohnson_MN
ID: 22754308
Thank you for the response!  In the 2008 GPO does it allow 802.1x wireless clients?  Possibly WPA2 Enterprise with PEAP?

Thanks again!
0
 
LVL 2

Assisted Solution

by:mrnetbios
mrnetbios earned 504 total points
ID: 22755061
There are separate GPOs for 802.11 and 802.1x wired.
The GPOs allow you to configure any authentication method you want.
(Well the ones that you have installed on the server that you are editing the policy on - this was a problem for me, but I fake installed the protocol I'm developing, and got past that.)

See this article for a discussion and screen shots of the dialogs:
http://technet.microsoft.com/en-us/magazine/cc162468.aspx 
0
 
LVL 2

Assisted Solution

by:mrnetbios
mrnetbios earned 504 total points
ID: 23540630
I'd forgotten about this question.
I've just got our EAP method working Pre-Logon last week and we have found these requirements:
(using a GPO is _not_ necessary)

- The system must have been joined to a domain
- the profile must be usable by all users (default)
- the protocol profile must, in the <Onex> schema, have
  - <authMode> set to "user" or "machineOrUser"
  - at least, the attributes <singleSignon> <type>preLogon</type></singleSignon>
- The protocol profile must be set to automatic (e.g. Connection tab: "Connect automatically when network is in range")

If your authentication method is not emitting the correct profile, you can edit it by doing the following:
Command as Admin: netsh wlan export profile
Open the corresponding XML that it will write,  Edit the parameters, save
Delete the current definition in the Wireless Connections manager
then as Admin: netsh wlan add profile filename=updated.xml

Unlike pre-logon dial or VPN connections, you will not see a separate tile in the logon dialogs.
You will see an extra text line under the password prompt saying "This logon will use the profile-name connection"   If the network connection fails, it will do a desktop logon anyways.

I may have left out a few details, but that should get you on the right track.
Wireless profiles and the XML schema are documented, poorly, online.
0
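The export/edit/re-add procedure mrnetbios describes, as an added Python example that is not from the thread: it checks an exported WLAN profile against the requirements listed above (connect automatically, authMode, pre-logon single sign-on) and rewrites the OneX parameters when they are wrong. The namespaces and element names are those of Microsoft's WLAN profile and OneX schemas (the schema spells the element singleSignOn); the sample profile is constructed and omits EAPConfig.

```python
import xml.etree.ElementTree as ET

WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
ET.register_namespace("", WLAN_NS)       # keep the exported profile's default namespace
ET.register_namespace("onex", ONEX_NS)   # readable prefix for the OneX section on output
def w(tag): return "{%s}%s" % (WLAN_NS, tag)   # WLAN-schema element name
def o(tag): return "{%s}%s" % (ONEX_NS, tag)   # OneX-schema element name

# Constructed sample (EAPConfig omitted): manual connect, machine-only auth, no SSO.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SchoolWiFi</name><SSIDConfig><SSID><name>SchoolWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType><connectionMode>manual</connectionMode>
  <MSM><security><authEncryption><authentication>WPA2</authentication>
    <encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>machine</authMode></OneX>
  </security></MSM></WLANProfile>"""

def check_prelogon(xml_text):
    """Return the list of pre-logon requirements from the thread that the profile fails."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext(w("connectionMode")) != "auto":
        problems.append("connectionMode must be 'auto' (connect automatically)")
    onex = root.find(".//" + o("OneX"))
    if onex is None:
        return problems + ["no OneX element: 802.1X is not enabled"]
    if onex.findtext(o("authMode")) not in ("user", "machineOrUser"):
        problems.append("authMode must be 'user' or 'machineOrUser'")
    if onex.findtext(o("singleSignOn") + "/" + o("type")) != "preLogon":
        problems.append("singleSignOn/type must be 'preLogon'")
    return problems

def fix_prelogon(xml_text):
    """Rewrite the profile so check_prelogon() passes; returns the new XML text."""
    root = ET.fromstring(xml_text)
    root.find(w("connectionMode")).text = "auto"
    onex = root.find(".//" + o("OneX"))
    mode = onex.find(o("authMode"))
    if mode is None:  # schema order: authMode precedes singleSignOn and EAPConfig
        mode = ET.Element(o("authMode")); onex.insert(0, mode)
    mode.text = "machineOrUser"
    sso = onex.find(o("singleSignOn"))
    if sso is None:   # insert directly after authMode to keep schema order
        sso = ET.Element(o("singleSignOn"))
        onex.insert(list(onex).index(mode) + 1, sso)
    typ = sso.find(o("type"))
    if typ is None: typ = ET.SubElement(sso, o("type"))
    typ.text = "preLogon"
    return ET.tostring(root, encoding="unicode")
```

The rewritten text is what you would save and feed to `netsh wlan add profile filename=updated.xml`; the script preserves element order but is not a full schema validation, so a profile netsh rejects still needs a look at the documented schema.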
 
LVL 2

Expert Comment

by:mrnetbios
ID: 24442296
Wireless SSO parameters are available on the Connection Properties dialog under Advanced settings in Windows 7.  You will not have to edit the profile XML.
0
