Windows 7 802.11 SSO Feature

Hi guys, quick question. Currently running a Windows Server 2008 R2 ADDS environment and a Funk RADIUS server. Clients are Windows 7 Enterprise Edition SP1. I have set up an 802.11 profile and am looking to use the SSO feature to allow login scripts and GPO to process on logon. The question is: to use the 802.11 SSO feature "perform immediately before user logon" (or after), do PKI certificates for the computer or user need to be used and reside on the Windows 7 clients?

Peter
madyoungblood7 asked:
Jakob Digranes (Senior Consultant) commented:
You need to authenticate the client prior to login to run scripts?
In RADIUS, what policy have you created?
If you've set this to authenticate the user only, and not the computer, you need to perform it immediately prior to login to be connected to wireless when the user logs in. That way users that do not have their credentials cached can still log in and authenticate with AD, and any logon scripts should be run.

But if you set the RADIUS policy to authenticate the computer, the computer is authenticated and connected when the user logs in, and authentication without cached credentials and scripts will run. In that way the computer is authenticated prior to login, and then switches to user authentication when the user logs in. You do not need PKI for this, though you should at least have a certificate on your RADIUS controller to avoid someone creating a fake RADIUS server to gather user names and passwords.

Are the computers and users joined to Active Directory? If so, the SSO feature is not needed; the users will connect to wireless with their logged-in credentials. But if only the user is authenticated and you need a connection prior to login, see what I mentioned earlier.
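
As an added illustration of the combinations Jakob describes (example code, not from the thread or from either poster): a Python check over a Windows 7 WLAN profile, in the XML form that `netsh wlan export profile` writes, that reports whether the 802.1X authMode and singleSignOn settings give the client a network connection before the user logs on. The profile XML is constructed for the example; the EAPConfig (PEAP) element is left out because it does not affect this check, and treating a missing authMode as machineOrUser is an assumption taken from the OneX profile schema default.

```python
"""Added example: inspect a Windows 7 WLAN profile (the XML that
`netsh wlan export profile` writes) and report whether its 802.1X settings
give the client a network connection before a user logs on.
The profile XML built here is constructed for the example."""
import xml.etree.ElementTree as ET

NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}


def make_profile(auth_mode, sso_type=None):
    """Build a minimal constructed profile.  The EAPConfig (PEAP settings)
    element is left out because only authMode and singleSignOn matter here."""
    sso = ""
    if sso_type is not None:
        sso = (
            "<singleSignOn>"
            f"<type>{sso_type}</type>"      # preLogon or postLogon
            "<maxDelay>10</maxDelay>"       # seconds to wait for the link
            "<allowAdditionalDialogs>false</allowAdditionalDialogs>"
            "</singleSignOn>"
        )
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['wlan']}">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="{NS['onex']}">
        <authMode>{auth_mode}</authMode>
        {sso}
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"""


def assess_profile(xml_text):
    """Return a dict saying whether the client is on the network before logon
    and why, based on authMode and singleSignOn/type."""
    root = ET.fromstring(xml_text)
    onex = root.find("wlan:MSM/wlan:security/onex:OneX", NS)
    if onex is None:
        return {"auth_mode": None, "sso": None, "pre_logon_network": False,
                "reason": "profile has no 802.1X (OneX) block"}
    # Assumption: the OneX schema treats a missing authMode as machineOrUser.
    auth_mode = onex.findtext("onex:authMode", default="machineOrUser",
                              namespaces=NS)
    sso_type = onex.findtext("onex:singleSignOn/onex:type", default=None,
                             namespaces=NS)

    if auth_mode in ("machine", "machineOrUser"):
        ok, why = True, ("computer authenticates with its own AD account "
                         "(host/...) before anyone logs on")
    elif auth_mode == "user" and sso_type == "preLogon":
        ok, why = True, ("user-only auth, but SSO performs it immediately "
                         "before user logon")
    else:
        ok, why = False, ("user-only auth with no pre-logon SSO: no network "
                          "until after logon, so logon scripts and GPO "
                          "lookups against AD fail")
    return {"auth_mode": auth_mode, "sso": sso_type,
            "pre_logon_network": ok, "reason": why}


if __name__ == "__main__":
    for mode, sso in (("user", None), ("user", "preLogon"),
                      ("user", "postLogon"), ("machineOrUser", None)):
        print(mode, sso, "->", assess_profile(make_profile(mode, sso)))
```

Run it against a real export with `assess_profile(open("CorpWiFi.xml").read())`; the `user` with no `singleSignOn` case is the combination the question describes.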
madyoungblood7 (author) commented:
Thanks, Jakob. I'm awaiting confirmation regarding the RADIUS server config, but it's safe to assume that "authenticate user only" is being used, with Authentication mode: User authentication and Microsoft PEAP used within the 802.11 policy.

All computers are ADDS joined, with Cisco APs and a Funk RADIUS server in use. Only login scripts don't work for wireless users; wired users have no problem. Group Policy processing is synchronous. From the Group Policy logs, the LDAP enumeration of the computer and user objects is not occurring for the wireless folks, which I believe is causing the problem.

A question, though: if we don't need PKI and no user or computer certs are required, how is the computer authenticated without any certificates if computer authentication were to be used?

Peter
Jakob Digranes (Senior Consultant) commented:
The computer also has a computer account in AD and can use that with PEAP-MSCHAPv2 to authenticate.
madyoungblood7 (author) commented:
Thanks, Jakob, but I'm still not clear regarding the certificate and SSO requirements. Are user or computer certificates required for SSO integration with 802.11 policies? Or does the authentication mode used influence this?

Peter
madyoungblood7 (author) commented:
The response was not entirely clear.
Jakob Digranes (Senior Consultant) commented:
The answer is clear enough.
You do not need certificates to perform SSO or 802.1X authentication. You should, however, have a PKI deployed with a root certificate installed on all computers, and an IAS/NPS certificate on the NPS server.

But if your NPS policy supports computer AND user login, then the computer will be authenticated when the user logs in, as long as the policy on the Windows 7 PC is set up correctly.

If you can give detailed info on the NPS policies, then it would be possible to tell what is correct.

BTW, look at the security event logs to see if the computer is authenticated before the user. It would look like this:
HOST/PC-Name.domain.local - granted access
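
To make Jakob's last suggestion concrete, an added Python example (not from the thread or either poster) that groups RADIUS server audit events by client MAC and reports whether the computer account (host/PC-Name.domain.local, the identity PEAP-MSCHAPv2 machine authentication presents) was granted access before the first user account seen from that client. The event lines are constructed and flattened to one line each; real NPS events 6272 (granted) and 6273 (denied) carry the account name and calling station identifier across several lines, so the regex is an assumption to adapt to whatever log export you actually have.

```python
"""Added example: check RADIUS audit events to see whether each wireless
client's computer account (host/<PC>.<domain>) was granted access before the
user account on the same client.  The event lines below are constructed,
flattened to one line per event; adjust EVENT_RE for your real log format."""
import re
from collections import defaultdict

# Constructed sample: timestamp, event id (6272 granted / 6273 denied),
# account name, calling-station id (client MAC).
SAMPLE_EVENTS = """\
2012-09-14 07:58:12 6272 host/PC-ACCT01.domain.local 00-1A-2B-3C-4D-01
2012-09-14 07:58:40 6272 DOMAIN\\peter 00-1A-2B-3C-4D-01
2012-09-14 08:02:03 6272 DOMAIN\\alice 00-1A-2B-3C-4D-02
2012-09-14 08:10:17 6273 host/PC-LAB07.domain.local 00-1A-2B-3C-4D-03
2012-09-14 08:10:55 6272 DOMAIN\\bob 00-1A-2B-3C-4D-03
this line is not an audit event and is skipped
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>627[23]) (?P<account>\S+) "
    r"(?P<mac>[0-9A-F-]{17})$"
)


def parse_events(text):
    """Return a list of dicts for the lines that look like 627x events."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_machine_account(account):
    # PEAP-MSCHAPv2 machine auth identifies as host/<computer>.<dns-domain>
    return account.lower().startswith("host/")


def classify_clients(events):
    """Per client MAC:
       'machine-first'  - a host/ account was granted before any user auth
       'machine-denied' - the host/ account tried first but was rejected
       'user-first'     - the first auth seen from the client is a user
    A 'user-first' client had no network before logon, so its logon scripts
    and GPO lookups against AD could not have run at logon time."""
    by_mac = defaultdict(list)
    for ev in events:
        by_mac[ev["mac"]].append(ev)
    result = {}
    for mac, evs in by_mac.items():
        evs.sort(key=lambda e: e["ts"])
        first = evs[0]
        if is_machine_account(first["account"]):
            result[mac] = "machine-first" if first["event"] == "6272" \
                else "machine-denied"
        else:
            result[mac] = "user-first"
    return result


if __name__ == "__main__":
    for mac, verdict in sorted(classify_clients(parse_events(SAMPLE_EVENTS)).items()):
        print(mac, verdict)
```

Clients reported as user-first are the ones whose profile authenticates the user only with no pre-logon SSO; machine-denied clients have a computer account that the RADIUS policy is rejecting, which is worth checking before blaming the SSO setting.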