  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 968

Setting up 802.1x authentication for wireless clients

Hello Everyone,

I am trying to set our small office up to use 802.1x authentication for wireless clients. I have successfully secured a test wireless AP, which is using RADIUS authentication against a Microsoft IAS server. What I'm trying to set up and discover is how to allow for clients that are members of the domain but not logged in to be able to access the network enough to permit logon and credential verification.

As I understand it, no wireless connection is possible until the user has logged in, which presents issues if a user wants to log into a machine he / she hasn't previously used. What would you recommend I do? I have several wireless APs available to me, so if I need to set up an additional AP to handle this sort of thing it's not a problem.

Thanks in advance!

Best Regards,
Martin Schultz
nappy_d commented:
Please take a look at this webcast for allowing 802.1x wireless authentication http://support.microsoft.com/kb/837911
WideAreaMedia (author) commented:
Nappy,

Thank you for your quick response. I've actually looked at that particular video as well as a few others from Microsoft. I've gotten enough of an idea of how the process works to be able to get the initial setup done as described above, but unfortunately I'm new enough to this as to require a fairly specific answer. I want domain member computers to be able to allow logins of domain users over the wireless network, which as I understand it requires some additional work when using 802.1x?

Thanks,
Martin
nappy_d commented:
I take it you have an AD infrastructure. If so, there is a GPO setting for 802.1x authentication. It is located as shown in my screenshot.

Picture-47.png
WideAreaMedia (author) commented:
Ok, got it. I tried to search out how to get the "hash" for my CA, but didn't have any luck. Any idea on how to go about it?
nappy_d commented:
  1. Open the cert through IE: Tools / Internet Options
  2. Go to the Content tab
  3. Click on Certificates
  4. Look for your cert
  5. Click on it once
  6. Click on View
  7. Click on the Details tab
  8. Scroll to the bottom and look for the fingerprint
  9. This is your hash
Picture-49.png
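
The same lookup done from the local machine store instead of the IE dialog, as an added example that is not part of the thread (assumes PowerShell 2.0 or later on the client, and that the CA subject pattern below is replaced with your own CA's name). The value that the certificate viewer's Details tab labels "Thumbprint" is the SHA-1 hash, which is what .NET's Thumbprint property returns; the script also checks that the certificate really is a CA certificate, since an end-entity cert picked by mistake will not validate the RADIUS server's chain.

```powershell
# Added example, not from the thread: find the issuing CA certificate in the
# machine's Trusted Root store and print the SHA-1 thumbprint ("hash") that
# the 802.1x wireless GPO asks for. The subject pattern is a placeholder.
$caSubjectPattern = 'CN=EXAMPLE-CA*'   # assumption: replace with your CA's subject

$caCerts = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like $caSubjectPattern }

if (-not $caCerts) {
    Write-Warning "No certificate matching '$caSubjectPattern' in Trusted Root Certification Authorities."
    return
}

foreach ($cert in $caCerts) {
    # Only a CA certificate (Basic Constraints: CA=True) belongs in the GPO's
    # trusted root list; an end-entity certificate will not validate the chain.
    $isCa = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        }
    }
    # Thumbprint is SHA-1, the same value the certificate dialog's Details tab shows.
    [PSCustomObject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter      # an expired root breaks every client at once
        IsCA       = $isCa
        Thumbprint = $cert.Thumbprint.ToUpperInvariant()
        # Byte-spaced form, matching how the certificate dialog displays it
        Spaced     = ($cert.Thumbprint -replace '(..)(?!$)', '$1 ')
    }
}
```

If IsCA comes back False, the matched certificate is not the one to put in the policy; look for the issuer's certificate instead.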
WideAreaMedia (author) commented:
Ok, I've done that, applied the policy, and forced an update on my test client. When I attempt to log in using a new domain user account, I get an error that the domain TEST is unavailable. I assume this is because it cannot connect to the network to validate the provided credentials. Are there other gotchas I need to be aware of? Thanks for your help so far - I'm enjoying getting deeper into this.

Best Regards,
Martin
nappy_d commented:
Are you logged on to the client using domain credentials?
WideAreaMedia (author) commented:
That's how I'm trying to log in. The idea is that the wireless client is joined to the domain, and I'd like it to be able to log on wirelessly. However, the 802.1x authentication I've enabled doesn't allow the clients to connect until after they're logged in. This poses a problem if a user has changed his / her password, or if a new user wants to log on to a wireless location.

Thanks,
Martin
nappy_d commented:
How did you configure their Wireless network card?

Also, did you put the hash (fingerprint) from the certificate into AD?
cleiseth commented:
Found out that there is a registry edit on your XP clients that will force the computer to authenticate with the computer account only.

HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global

Add the DWORD AuthMode with a value of 2 in the Global directory. If the entry exists, just change the data to 2.

In the policy on your IAS, make sure that you have the security group that has that computer in it (default is Domain Computers) within the policy conditions window.

Hope that helps.

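The registry change above, applied idempotently and verified, as an added example that is not part of the thread (assumes PowerShell 2.0 or later on the XP client and an elevated session; the key path, value name and value 2 are the ones given in the post). Recording the previous value first gives you a way back if the client stops connecting after the change.

```powershell
# Added example, not from the thread: set AuthMode = 2 (computer-account-only
# 802.1x authentication, per the post above) under the EAPOL Global key,
# creating the key path if it is missing, and read the value back to confirm.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'
$valueName = 'AuthMode'
$wanted    = 2

# -Force creates every missing intermediate key in the path.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Keep the previous value on the console so the change can be reverted.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "$valueName not present; creating it as REG_DWORD = $wanted."
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value $wanted | Out-Null
} elseif ($current -ne $wanted) {
    Write-Host "$valueName was $current; changing to $wanted."
    Set-ItemProperty -Path $keyPath -Name $valueName -Value $wanted
} else {
    Write-Host "$valueName is already $wanted; nothing to do."
}

# Read back what is actually stored; a GPO preference or another script may
# rewrite this key later, so the check is worth repeating when troubleshooting.
$after = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
if ($after -eq $wanted) {
    Write-Host "OK: $keyPath\$valueName = $after"
} else {
    Write-Error "Unexpected value $after for $keyPath\$valueName"
}
```

Remember that with AuthMode = 2 the RADIUS policy is evaluated against the computer account only, so the IAS policy condition must match the computer's group (Domain Computers by default), as the post says.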
thewaxsurgeon commented:
You need to set up what is called machine authentication.
This is available in the Juniper Odyssey Access Client.
Machine authentication basically connects to the wireless network with either machine or static credentials prior to Windows login, thus providing network connectivity for the user to authenticate to the domain.
If you would like an eval of Juniper OAC, please go to our website www.netutils.com and download the client for a 30-day eval and 30 days of free support. If contact is made, please mention Experts Exchange as the source...
nappy_d commented:
Oh, here is the link I forgot to give you so that users can authenticate AFTER machine authentication is done.

WiFi-GPO.pdf
WideAreaMedia (author) commented:
This works for Windows XP. Details for an equivalent procedure under Windows Vista / 2008 are available in Microsoft KB Article 929847. Thanks for the help!
nappy_d commented:
The settings I provided you in the PDF make it so you do not have to set anything on the local workstations.
WideAreaMedia (author) commented:
You're right, nappy, that is probably a better solution. I've posted a corresponding question at http://www.experts-exchange.com/Hardware/Networking_Hardware/Wireless/Q_24169321.html. If you post your PDF there as well, I can close that question out to you. It would be good to have your guide available via an EE search.

Best Regards,
Martin