Solved

Windows 7 802.11 SSO Feature

Posted on 2011-10-17
294 Views
Last Modified: 2012-05-12
Hi Guys, quick question. Currently running a Windows Server 2008 R2 ADDS environment and a Funk RADIUS server. Clients are Windows 7 Enterprise Edition SP1. I have set up an 802.11 profile and am looking to use the SSO feature to allow login scripts and GPO to process on logon. Question is: to use the 802.11 SSO feature "perform immediately before user logon" or after, do PKI certificates for Computer or User need to be used and reside on the Windows 7 clients?

Peter
Question by:madyoungblood7
7 Comments
 
LVL 22

Accepted Solution

by:
Jakob Digranes earned 1000 total points
ID: 36985872
You need to authenticate the client prior to login to run scripts?
In RADIUS, what policy have you created?
If you've set this to authenticate user only, and not computer, you need to perform immediately prior to login to be connected to wireless when the user logs in. That way users that do not have their credentials cached can still log in and authenticate with AD, and any logon scripts should run.

But if you set the RADIUS policy to authenticate computer, the computer is authenticated and connected when the user logs in, so authentication without cached credentials works and scripts will run. In that way the computer is authenticated prior to login, and then switches to user authentication when the user logs in. You do not need PKI for this, even though you should at least have a certificate on your RADIUS controller to avoid someone creating a fake RADIUS server to gather user names and passwords.

Are computers and users joined to Active Directory? If so, the SSO feature is not needed; the users will connect to wireless with logged-in credentials. But if only the user is authenticated, and you need connection prior to login, see as mentioned earlier in this reply.
0
 

Author Comment

by:madyoungblood7
ID: 36986260
Thx Jakob di. I'm awaiting confirmation regarding the RADIUS server config, but it's safe to assume that authenticate user only is being used, with Authentication mode: User authentication and Microsoft PEAP used within the 802.11 policy.

All computers are ADDS joined, with Cisco APs and a Funk RADIUS server used. Only login scripts don't work for wireless users; wired users have no problem. Group policy processing is synchronous. From the Group Policy logs, the LDAP enumeration of the computer and user object is not occurring for the wireless folks, which I believe is causing the problem.

Question though: if we don't need PKI and no User or Computer certs are required, how is the computer authenticated without any certificates if Computer Authentication were to be used?

Peter
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 36996036
The computer also has a computer account in AD and can use that with PEAP-MSCHAPv2 to authenticate.
0
 

Assisted Solution

by:madyoungblood7
madyoungblood7 earned 0 total points
ID: 37000391
Thx Jakob di, so I'm still not clear regarding the certificates and SSO requirements. Are User or Computer certificates required for SSO integration with 802.11 policies? Or does the authentication mode used influence this?

Peter
0
 

Author Closing Comment

by:madyoungblood7
ID: 37023102
Response was not entirely clear
0
 

Author Comment

by:madyoungblood7
ID: 37002635
Response was not entirely clear
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 37003096
The answer is clear enough.
You do not need certificates to perform SSO or 802.1X authentication. You should however have a PKI deployed, with a root certificate installed in all computers and an IAS/NPS certificate on the NPS server.

But if your NPS policy supports computer AND user login, then the computer will be authenticated when the user logs in, as long as your policy on the Windows 7 PC is set up correctly.

If you can give detailed info on the NPS policies, then it would be possible to tell what is correct.

BTW, look at the security event logs to see if the computer is authenticated before the user. It would look like this:
HOST/PC-Name.domain.local - granted access
0
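The check suggested in the last reply, as an added example that is not part of the thread: it reads authentication results in the shape the expert describes (a `HOST/` identity for the machine account, then the user identity) and reports, per client, whether a granted machine authentication preceded the first user authentication. The log format and client MAC column are constructed assumptions; a real RADIUS log would expose the MAC as Calling-Station-Id.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real server output): timestamp, client MAC,
# identity, result. The first client shows the healthy machine-then-user order.
SAMPLE_LOG = r"""
2011-10-17 08:01:12 00:1A:2B:3C:4D:5E HOST/PC-Name.domain.local - granted access
2011-10-17 08:01:40 00:1A:2B:3C:4D:5E DOMAIN\peter - granted access
2011-10-17 08:05:03 00:1A:2B:3C:4D:6F DOMAIN\alice - granted access
2011-10-17 08:06:11 00:1A:2B:3C:4D:70 HOST/LAPTOP-2.domain.local - denied access
2011-10-17 08:06:30 00:1A:2B:3C:4D:70 DOMAIN\bob - granted access
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2}) "
    r"(?P<identity>\S+) - (?P<result>granted|denied) access$", re.I)

def parse(log):
    """Turn matching lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "mac": m["mac"].lower(),
            "identity": m["identity"],
            # Machine-account auth shows up with the HOST/ prefix (the form quoted above).
            "is_machine": m["identity"].upper().startswith("HOST/"),
            "granted": m["result"].lower() == "granted",
        })
    return sorted(events, key=lambda e: e["ts"])

def classify_clients(log):
    """Per client MAC: did a granted machine auth happen before the first user auth?"""
    by_mac = defaultdict(list)
    for e in parse(log):
        by_mac[e["mac"]].append(e)
    verdicts = {}
    for mac, evs in by_mac.items():
        machine_ok_at = next((e["ts"] for e in evs if e["is_machine"] and e["granted"]), None)
        first_user = next((e for e in evs if not e["is_machine"]), None)
        if first_user is None:
            verdicts[mac] = "machine-only"
        elif machine_ok_at is not None and machine_ok_at <= first_user["ts"]:
            verdicts[mac] = "machine-then-user"
        else:
            # No network before logon: logon scripts depend on cached credentials or pre-logon SSO.
            verdicts[mac] = "user-without-machine"
    return verdicts
```

Clients reported as `user-without-machine` are the ones whose logon scripts would run without a wireless link unless the profile performs SSO immediately before user logon.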