WideAreaMedia
Setting up 802.1x authentication for wireless clients
Hello Everyone,
I am trying to set our small office up to use 802.1x authentication for wireless clients. I have successfully secured a test wireless AP, which is using RADIUS authentication against a Microsoft IAS server. What I'm trying to set up and discover is how to allow for clients that are members of the domain but not logged in to be able to access the network enough to permit logon and credential verification.
As I understand it, no wireless connection is possible until the user has logged in, which presents issues if a user wants to log into a machine he / she hasn't previously used. What would you recommend I do? I have several wireless APs available to me, so if I need to set up an additional AP to handle this sort of thing it's not a problem.
Thanks in advance!
Best Regards,
Martin Schultz
Please take a look at this webcast for allowing 802.1x wireless authentication http://support.microsoft.com/kb/837911
ASKER
Nappy,
Thank you for your quick response. I've actually looked at that particular video as well as a few others from Microsoft. I've gotten enough of an idea of how the process works to be able to get the initial setup done as described above, but unfortunately I'm new enough to this as to require a fairly specific answer. I want domain member computers to be able to allow logins of domain users over the wireless network, which as I understand it requires some additional work when using 802.1x?
Thanks,
Martin
I take it you have an AD infrastructure. If so, there is a GPO setting for 802.1x authentication. It is located as shown in my screenshot
Picture-47.png
ASKER
Ok, got it. I tried to search out how to get the "hash" for my CA, but didn't have any luck. Any idea on how to go about it?
- open the cert through IE/Tools/Internet options
- Go to the content tab
- Click on Certificates
- Look for your cert
- click on it once
- click on view
- click on the details tab
- scroll to the bottom and look for fingerprint
- This is your hash
ASKER
Ok, I've done that, applied the policy, and forced an update on my test client. When I attempt to log in using a new domain user account, I get an error that the domain TEST is unavailable. I assume this is because it cannot connect to the network to validate the provided credentials. Are there other gotchas I need to be aware of? Thanks for your help so far - I'm enjoying getting deeper into this.
Best Regards,
Martin
Are you logged on to the client using domain credentials?
ASKER
That's how I'm trying to log in. The idea is that the wireless client is joined to the domain, and I'd like it to be able to log on wirelessly. However, the 802.1x authentication I've enabled doesn't allow the clients to connect until after they're logged in. This poses a problem if a user has changed his / her password, or if a new user wants to log on to a wireless location.
Thanks,
Martin
How did you configure their Wireless network card?
Also, did you put the hash(fingerprint) from the certificate into AD?
ASKER CERTIFIED SOLUTION
You need to set up what is called machine authentication.
This is available in the Juniper Odyssey Access Client.
Machine authentication basically connects to the wireless network with either machine or static credentials prior to Windows login, thus providing network connectivity for the user to auth to the domain.
If you would like an eval of Juniper OAC, please go to our website www.netutils.com and download the client for a 30-day eval and 30 days free support. If contact is made please mention Experts Exchange as the source...
Oh here is the link I forgot to give you so that users can authenticate AFTER machine authentication is done.
WiFi-GPO.pdf
ASKER
This works for Windows XP. Details for an equivalent procedure under Windows Vista / 2008 are available in Microsoft KB Article 929847. Thanks for the help!
The settings I provided you in the PDF make it so you do not have to set anything on the local workstations.
ASKER
You're right, nappy, that is probably a better solution. I've posted a corresponding question at https://www.experts-exchange.com/questions/24169321/Using-Group-Policy-to-configure-802-1x-Computer-Authentication.html. If you post your PDF there as well, I can close that question out to you. It would be good to have your guide available via an EE search.
Best Regards,
Martin