Occasional Contributor I
Posts: 7
Registered: ‎03-27-2008

Windows XP wireless Domain Login issue

Hello,
I'm looking for a little assistance in getting wireless handheld tablet PCs to log in to an AD Domain.
The handhelds run Windows XP and are configured with Windows Wireless Zero Config.

Each machine is currently auto-logged in to a local account and authenticated via RADIUS using PEAP/EAP cached credentials.

The problem I have is that they now want to have the users login to an Active Directory Domain.
We were able to join the handheld to the Domain but when it was rebooted we were unable to login to the Domain because the "Domain was not available".

According to our Windows guy, the drivers for the wireless card will not be loaded until after login.
Is that correct?
How can I have the tablets login to the domain wirelessly if the wireless card won't become active until after login?

I would appreciate any assistance with this issue. I've searched around and haven't been able to come up with an easy solution.

Thanks,
Bob Yaworski
Frequent Contributor II
Posts: 142
Registered: ‎08-08-2007

Re: Windows XP wireless Domain Login issue

The wireless will connect before login, otherwise you would not get authenticated and not get mapped drives. There is an option in Group Policy that forces the client to wait until a connection rather than trying to use cached data.

We normally get users to wait 30 seconds before trying to log in. Take a look at MS KB 840669.
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Thread






Bob,

A number of users have had this problem. Please check out the thread here for some insight: https://airheads.arubanetworks.com/vBulletin/showthread.php?t=813


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 7
Registered: ‎03-27-2008

Still unable to get it working....

Here's some additional details:
Windows side: XP SP2
The Windows client is not using certificates
WPA2/AES
PEAP
Validate server certificate unchecked
Authentication Method: EAP-MSCHAP v2
Automatically use my Windows login is NOT checked
(I enter the credentials in a pop-up window, which are cached and automatically used the next time.)

Aruba side:
user-role FBMS-Logon-Role
   vlan 10
   session-acl FBMS-Logon-Policy
ip access-list session FBMS-Logon-Policy
   any any any permit log
   any any svc-dns permit
   user any svc-icmp permit
aaa authentication dot1x "FBMS-802.1x-profile"
   machine-authentication machine-default-role "logon"
   machine-authentication user-default-role "logon"
   no opp-key-caching
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
!
aaa profile "FBMS-AAA-dot1x"
   initial-role "FBMS-Logon-Role"
   mac-default-role "FBMS-Logon-Role"
   authentication-dot1x "FBMS-802.1x-profile"
   dot1x-default-role "FBMS-Role"
   dot1x-server-group "RADIUS-CSBB"
   radius-accounting "RADIUS-CSBB"
   no wired-to-wireless-roam
!

I added the GpNetworkStartTimeoutPolicyValue to these locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System

The handhelds currently work because the machine does an auto-login to a local account. We need to get these to log in to the Domain. That's where I am having the "Domain unavailable" issue. Thanks again for any assistance.
Guru Elite
Posts: 21,493
Registered: ‎03-29-2007

Termination

Yaworski,

The successful passing of machine credentials does not work with Aruba doing EAP-Termination. You need to have a certificate on your IAS box and uncheck "Termination" in the 802.1x profile for machines to login to the domain successfully.

You also need to make sure that in your Remote Access policy on your IAS server you are not only permitting domain users, you are permitting domain computers, as well.


Colin Joseph
Aruba Customer Engineering
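
An added example, not part of the thread and not Aruba tooling: a small Python check that scans an ArubaOS configuration for AAA profiles whose 802.1X profile contains `termination enable`, the setting the reply above identifies as preventing machine credentials from being passed. The sample configuration is constructed from the stanzas posted earlier in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the dot1x and AAA profile stanzas posted earlier in the thread.
SAMPLE_CONFIG = """\
aaa authentication dot1x "FBMS-802.1x-profile"
   machine-authentication machine-default-role "logon"
   machine-authentication user-default-role "logon"
   no opp-key-caching
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
!
aaa profile "FBMS-AAA-dot1x"
   initial-role "FBMS-Logon-Role"
   authentication-dot1x "FBMS-802.1x-profile"
   dot1x-default-role "FBMS-Role"
   dot1x-server-group "RADIUS-CSBB"
!
"""

HEADER = re.compile(r'^aaa (authentication dot1x|profile) "([^"]+)"$')
DOT1X_REF = re.compile(r'^authentication-dot1x "([^"]+)"$')

def parse_profiles(text):
    """Collect the lines of each dot1x and AAA profile stanza (a stanza ends at '!')."""
    dot1x, aaa, current = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            target = aaa if header.group(1) == "profile" else dot1x
            current = target.setdefault(header.group(2), [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return dot1x, aaa

def termination_findings(text):
    """Return (aaa_profile, dot1x_profile, machine_auth_configured) where EAP is terminated."""
    dot1x, aaa = parse_profiles(text)
    findings = []
    for aaa_name, lines in aaa.items():
        for ref in filter(None, map(DOT1X_REF.match, lines)):
            body = dot1x.get(ref.group(1), [])
            if "termination enable" in body:  # exact match, so "no termination enable" passes
                machine = any(l.startswith("machine-authentication") for l in body)
                findings.append((aaa_name, ref.group(1), machine))
    return findings

if __name__ == "__main__":
    for aaa_name, dot1x_name, machine in termination_findings(SAMPLE_CONFIG):
        print(f"{aaa_name}: {dot1x_name} terminates EAP; machine-auth settings present: {machine}")
```

The parser keys on the stanza headers and the `!` terminator rather than indentation, so it also works on a configuration pasted without leading whitespace.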
