New user authentication over wireless

I am having an issue when a new user attempts to log on to a laptop for the first time using the wireless network. Here are some specifics:

Laptop OS: Windows XP SP2
Server: Server 2000 SP 4 IAS/RADIUS for authentication
Windows Wireless Settings:
  Network Auth: WPA
  Data Encry: AES
  EAP Type: PEAP
  Properties:
    Check next to Validate server certificate
    no other checks
  Select auth method:
    Secured Password (EAP-MSCHAP v2)
  Configure:
    check next to Automatically use my Windows logon name and password
  no check next to Auth as computer when comp info is available
  no check next to auth as guest when user or computer info is unavailable

Problem details:

Running a sniff on the traffic to the auth server showed that Windows is sending the computer\login information for the person who previously logged into that device and successfully authenticated to the domain. The following is an example:

local admin logs onto laptop, changes wireless settings to match above and logs off
new user attempts to connect to the wireless
sniff shows the laptop sending the local admin's information to the RADIUS, not the user trying to login. login attempt fails

If I connect the laptop to the wired network and have the new user log in to that device, then they attempt to connect to the wireless, everything works as it should.

These are training laptops and can potentially have a different user logging into AD every day, how do I resolve this?

You cannot use the "utility" that came with the wireless Nic to manage its activity. You need to have the Wireless Zero Configuration Utility manage the Nic.

The reason for this is that the third party Tool will not activate and have the Nic connect properly until the currently logged on user is at their Desktop,...which requires a "cached account",...which doesn't exist because the user has never logged into that machine before.

However the WZC Utility runs as a Service and will activate the Nic before the user attempts to log in,...therefore the machine is already actively "on the network" before the user actually logs in (just like a wired nic),...therefore the Domain controller is available to authenticate the user and allow the cached account to be created.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

We are using WZC, not third party software to manage the wireless NIC.

"msteinhoff" <msteinh***@discussions.microsoft.com> wrote in message
news:8D5AA542-C6C2-4D24-B475-DD8023E55F50@microsoft.com...
> Windows Wireless Settings:
>   Network Auth: WPA
>   Data Encry: AES
>   EAP Type: PEAP
>   Properties:
>     Check next to Validate server certificate
>     no other checks
>   Select auth method:
>     Secured Password (EAP-MSCHAP v2)
>   Configure:
>     check next to Automatically use my Windows logon name and password
> no check next to Auth as computer when comp info is available
> no check next to auth as guest when user or computer info is unavailable

Mine looks like this if I use only WPA with AES (normally I use WPA-PSK)

Network Auth: WPA
Data Encry: AES
EAP Type: SmartCard or other Certificate
Properties:
  Use Certificate on this computer
  Use simple certificate selection
  (*nothing else* selected)
*Enabled* check next to Auth as computer when comp info is available
*Disabled* check next to auth as guest when user or computer info is unavailable

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"msteinhoff" <msteinh***@discussions.microsoft.com> wrote in message
news:8D5AA542-C6C2-4D24-B475-DD8023E55F50@microsoft.com...
> I am having an issue when a new user attempts to logon to a laptop for the
> first time using the wireless network. Here are some specifics:
>
> Laptop OS: Windows XP SP2
> Server: Server 2000 SP 4 IAS/RADIUS for authentication

You don't need a RADIUS Server for what I described. That is needless extra work, complexity, and overhead. These are *training laptops* as you said,...keep it simple.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

I don't see any issues with your configuration except "Network Auth: WPA". If you use IAS/RADIUS, it should be WPA-ENT. As I posted previously, "Whenever I have a problem with our WPA-Ent TKIP, I would check the IAS event log first".

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

I agree the configuration looks good. The problem that I have is that a user who has not connected to the wireless before on that specific laptop cannot connect. If I run an auth trace on the wireless controller, I see credentials of the local administrator attempting to auth to the RADIUS server, not the user that is attempting to login. I'll post that tomorrow.
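
The check the thread keeps returning to (which identity the laptop actually sent to the RADIUS server) can be scripted against a capture. The following is an added example, not part of the original posts: it parses the UDP payload of a RADIUS Access-Request (RFC 2865), takes the EAP identity or the User-Name attribute, and compares it with the user at the logon prompt. The host name TRAINLAP07, the account names and the sample packet are constructed for illustration.

```python
import struct

ACCESS_REQUEST, USER_NAME, EAP_MESSAGE = 1, 1, 79   # RFC 2865 / RFC 3579 numbers
EAP_RESPONSE, EAP_IDENTITY = 2, 1                   # RFC 3748 numbers

def radius_attrs(packet):
    """Return (code, [(type, value), ...]) for one RADIUS packet (UDP payload)."""
    if len(packet) < 20:
        raise ValueError("truncated RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20                 # 4-byte header + 16-byte authenticator
    while pos < length:
        a_len = packet[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def sent_identity(packet):
    """Identity the supplicant offered: EAP-Response/Identity if present, else User-Name."""
    code, attrs = radius_attrs(packet)
    if code != ACCESS_REQUEST:
        return None
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)   # fragments are concatenated
    if len(eap) >= 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_IDENTITY:
        return eap[5:struct.unpack("!H", eap[2:4])[0]].decode("utf-8", "replace")
    names = [v for t, v in attrs if t == USER_NAME]
    return names[0].decode("utf-8", "replace") if names else None

def account(identity):
    """Reduce DOMAIN\\user or user@realm to a lower-case account name."""
    return identity.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

def is_stale(packet, user_at_logon):
    """True when the request carries someone other than the user at the logon prompt."""
    sent = sent_identity(packet)
    return sent is not None and account(sent) != account(user_at_logon)

def build_request(identity):
    """Constructed sample: minimal Access-Request with User-Name and an EAP identity response."""
    ident = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(ident), EAP_IDENTITY) + ident
    body = bytes([USER_NAME, 2 + len(ident)]) + ident + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + bytes(16) + body

SAMPLE = build_request("TRAINLAP07\\Administrator")   # constructed; mirrors the reported symptom
```

Feeding it each Access-Request payload from the capture, together with the name typed at the logon prompt, flags the requests in which the laptop offered the previous user's identity.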