New Contributor
Posts: 2
Registered: ‎03-10-2010

AD WPA2 login issues

Good day to all!

We use WPA2 on our wireless verifying credentials to an AD backend.

The issue I present:

Users using Windows XP need to log on to their machines through AD, but can't because they haven't authenticated onto the wireless network. Since they haven't logged on to their machines, they can't authenticate onto wireless, but since they don't have a network connection (no wireless) they can't log on to their machines through AD.

The GINA "client" in Windows 7 fixes this issue. How can I work through or around this issue with XP?
Any GINA clients for XP, or a particular setup on the wireless side?

thanks
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: AD WPA2 login issues

The way most people have dealt with that issue (if I understand it correctly) is to implement machine authentication. When the machine boots, if it is configured to log in as the machine when credentials are available (or something to that effect), it will pass its host name, in the form host/, and its computer password to AD. If the controller is configured for this, it will place the machine in a role where it can talk to AD prior to a user login. If the machine is not on your domain, the machine auth will fail and you can assign a restrictive role. There are some drawbacks to doing this, however. If you have a policy where computers MUST reboot every 24 hours, then you can set the machine auth cache interval to >24 hours and everything would be OK (except for the people who don't follow the reboot policy). 24 hours is just an example; you can set the cache up to 1000 hours.
Aruba Employee
Posts: 664
Registered: ‎04-15-2009

Re: AD WPA2 login issues

Another tidbit... machine auth only occurs at login and logout, not after the machine comes out of hibernation or resumes. The cache timer gets updated every time the PC reboots, so as long as it REBOOTS (not hibernate or standby) in less time than the cache time, you are good. A typical issue will be when someone is logged into the wired network on a docking station, then undocks (and hasn't logged into the wireless network since the cache timeout). The machine auth will fail, since the user's MAC is not cached and the restrictive role will be applied. One of my customers set the cache to 72 hours, implemented a nightly reboot policy and made a web page that told the user to reboot, which they would hit if they failed machine auth.
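The two replies above describe a handful of rules (machine auth runs only when the PC boots, a successful auth restarts the cache timer, resume-from-hibernate and undocking do not re-run machine auth and depend on the cache). The following is an added illustration, not Aruba controller code: a simplified model of those rules run over a constructed timeline, so you can see which events land a client in the restrictive role. The role names, event names, MAC labels and timeline are all assumptions made for the example.

```python
"""Simplified model of the machine-auth cache behaviour described in the thread.
Added example, not Aruba code; role and event names are constructed."""
from dataclasses import dataclass, field

ROLE_OK = "machine-authenticated"   # assumed name: may talk to AD before user logon
ROLE_RESTRICTED = "restricted"      # assumed name: e.g. only the 'please reboot' page


@dataclass
class MachineAuthCache:
    cache_hours: float                                  # controller cache interval (up to 1000 h per the reply)
    last_success: dict = field(default_factory=dict)    # MAC -> hour of last successful machine auth

    def on_event(self, mac, now, event, domain_joined):
        """Return the role assigned when the client associates at hour `now`."""
        if event == "reboot":
            # A boot is the only event that actually runs machine auth
            # (host/<name> plus the computer password against AD).
            if domain_joined:
                self.last_success[mac] = now    # timer restarts on every successful auth
                return ROLE_OK
            return ROLE_RESTRICTED             # not on the domain: auth fails
        if event in ("resume", "undock"):
            # No machine auth here; only a still-valid cache entry keeps the
            # client out of the restrictive role.
            last = self.last_success.get(mac)
            if last is not None and now - last < self.cache_hours:
                return ROLE_OK
            return ROLE_RESTRICTED
        raise ValueError(f"unknown event {event!r}")


def simulate(cache_hours, timeline):
    """Run a (hour, mac, event, domain_joined) timeline; return (hour, mac, event, role) rows."""
    cache = MachineAuthCache(cache_hours)
    return [(now, mac, event, cache.on_event(mac, now, event, joined))
            for now, mac, event, joined in timeline]


# Constructed timeline, evaluated with a 72 h cache (the value one customer used in the reply).
TIMELINE = [
    (0,   "laptop-A", "reboot", True),    # boots on the domain: cache entry at hour 0
    (24,  "laptop-A", "reboot", True),    # nightly reboot refreshes the entry (hour 24)
    (48,  "laptop-A", "resume", True),    # resume from hibernate: 24 h since refresh, still cached
    (130, "laptop-A", "undock", True),    # undocks after a week on the wire: 106 h > 72 h, restrictive role
    (131, "laptop-A", "reboot", True),    # user follows the 'please reboot' page: back to normal
    (0,   "laptop-B", "reboot", False),   # not domain-joined: machine auth fails outright
]

if __name__ == "__main__":
    for hour, mac, event, role in simulate(72, TIMELINE):
        print(f"h{hour:>4} {mac:<9} {event:<7} -> {role}")
```

The undock row is the case the reply warns about: the cache entry is a week old, nothing re-runs machine auth, and the client drops into the restrictive role until it reboots. Raising the cache to the 1000 h maximum makes that same row pass, at the cost of a much longer window in which a machine that has left the domain is still trusted.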
New Contributor
Posts: 2
Registered: ‎03-10-2010

Re: AD WPA2 login issues

thanks for the input!
Regular Contributor I
Posts: 179
Registered: ‎08-29-2008

Re: AD WPA2 login issues

If your domain is still using 2003 I have a schema fix that allows you to use Group Policy to configure Windows' wireless client. Just let me know and I'll post it.

Server 2008 R2 already has this...
Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Post it

If your domain is still using 2003 I have a schema fix that allows you to use Group Policy to configure Windows' wireless client. Just let me know and I'll post it.

Server 2008 R2 already has this...

Please post it.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 179
Registered: ‎08-29-2008

Re: AD WPA2 login issues

This is how I set up Active Directory Server 2003 Group Policy to automatically configure the Windows (XP/Vista/7) wireless client. (This is already implemented in AD Server 2008 and 2008 R2.)

PROCEED AT YOUR OWN RISK

NOTE: This must be done from a workstation running Vista or Windows 7.
1. I extended the schema to allow the use of "Vista/2008" wireless profiles.
See these steps below.

2. Opened up Group Policy Management Editor

3. Created a new Group Policy Object.

4. Browse out to "Computer Configuration/Policies/Windows Settings/Security Settings/Wireless Network (IEEE 802.11) Policies"

5. Right-click in the right pane and select Create a new XP Wireless Network Policy.

6. In the "General" tab I set the "Networks to access:" to Access point (infrastructure) networks only.

7. Place a check mark next to "Use Windows WLAN AutoConfig service for clients".

8. In the "Preferred Networks" tab, you click the "Add" button to add and configure the Windows Wireless Client settings per your wireless network's requirements.

9. Once you're finished and it is saved, associate this Group Policy to a Group or Container and you're good to go.

Because this is hardware-based and not user-based, all users who use a laptop associated with this group policy will have the same wireless profile, and the Students or Staff cannot delete them permanently. :-)



(From MS Technet)

Extending the Schema for Wireless Group Policy Settings

To extend the Active Directory schema for Windows Vista wireless Group Policy enhancements, you need to do the following:

1. Create the 802.11Schema.ldf file.

2. Use the Ldifde.exe tool to extend the Active Directory schema.

Creating the 802.11Schema.ldf File

To create the 802.11Schema.ldf file, do the following:

1. From the Windows desktop, click Start, click Programs, click Accessories, and then click Notepad.

2. Select the text of the "Contents of 802.11Schema.ldf" section of this article (not including the section title).

3. Right-click the selected section, and then click Copy.

4. Click the open Notepad window, click Edit, and then click Paste.

5. Click File, click Save As, navigate to the appropriate folder, type 802.11Schema.ldf for the File name, in Save as type, select All files, select ANSI for the Encoding, and then click Save.

Using the Ldifde.exe Tool to Extend the Active Directory Schema

To use the Ldifde.exe tool to extend the Active Directory for wireless settings, do the following:

1. If needed, copy the 802.11Schema.ldf file to a folder on a domain controller running Windows Server 2003 or Windows Server 2003 R2.

2. On a domain controller running Windows Server 2003 or Windows Server 2003 R2, click Start, click Run, type cmd, and then click OK.

3. Change to the folder containing the 802.11Schema.ldf file.

4. At the Windows command prompt, issue the following command:

ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain

Dist_Name_of_AD_Domain is the distinguished name of the Active Directory domain whose schema is being modified. An example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com Active Directory domain.

The 802.11Schema.ldf file uses the string "DC=X" to denote the distinguished name of the Active Directory domain. The -c option substitutes the string "DC=X" with the string corresponding to your Active Directory domain name when the 802.11Schema.ldf is imported.

For example, for the Active Directory domain named example.com, the command is:

ldifde -i -v -k -f 802.11Schema.ldf -c DC=X DC=example,DC=com

For more information about the Ldifde.exe tool, see LDIFDE.

The Ldifde.exe tool uses the instructions in the 802.11Schema.ldf file to modify the Active Directory schema to contain the additional attributes and values needed to store the enhancements for wireless Group Policy settings supported by Windows Vista wireless clients.

For information about troubleshooting Active Directory schema issues, see Troubleshooting schema.

Contents of 802.11Schema.ldf
# -----------------------------------------------------------------------
# Copyright (c) 2006 Microsoft Corporation
#
# MODULE: 802.11Schema.ldf
# -----------------------------------------------------------------------

# -----------------------------------------------------------------------
# define schemas for these attributes:
#ms-net-ieee-80211-GP-PolicyGUID
#ms-net-ieee-80211-GP-PolicyData
#ms-net-ieee-80211-GP-PolicyReserved
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDisplayName: ms-net-ieee-80211-GP-PolicyGUID
adminDescription: This attribute contains a GUID which identifies a specific 802.11 group policy object on the domain.
attributeId: 1.2.840.113556.1.4.1951
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 64
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDisplayName: ms-net-ieee-80211-GP-PolicyData
adminDescription: This attribute contains all of the settings and data which comprise a group policy configuration for 802.11 wireless networks.
attributeId: 1.2.840.113556.1.4.1952
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: pZUUnHZNjkaZHhQzsKZ4VQ==
showInAdvancedViewOnly: TRUE
systemFlags: 16

dn: CN=ms-net-ieee-80211-GP-PolicyReserved,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDisplayName: ms-net-ieee-80211-GP-PolicyReserved
adminDescription: Reserved for future use
attributeId: 1.2.840.113556.1.4.1953
attributeSyntax: 2.5.5.10
omSyntax: 4
isSingleValued: TRUE
systemOnly: FALSE
searchFlags: 0
rangeUpper: 4194304
schemaIdGuid:: LsZpD44I9U+lOukjzsB8Cg==
showInAdvancedViewOnly: TRUE
systemFlags: 16


# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# -----------------------------------------------------------------------
# define schemas for the parent class:
#ms-net-ieee-80211-GroupPolicy
# -----------------------------------------------------------------------

dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
adminDisplayName: ms-net-ieee-80211-GroupPolicy
adminDescription: This class represents an 802.11 wireless network group policy object. This class contains identifiers and configuration data relevant to an 802.11 wireless network.
governsId: 1.2.840.113556.1.5.251
objectClassCategory: 1
rdnAttId: 2.5.4.3
subClassOf: 2.5.6.0
systemMayContain: 1.2.840.113556.1.4.1953
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
systemPossSuperiors: 1.2.840.113556.1.3.30
systemPossSuperiors: 1.2.840.113556.1.3.23
systemPossSuperiors: 2.5.6.6
schemaIdGuid:: Yxi4HCK4eUOeol/3vcY4bQ==
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)
showInAdvancedViewOnly: TRUE
defaultHidingValue: TRUE
systemOnly: FALSE
defaultObjectCategory: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
systemFlags: 16


# -----------------------------------------------------------------------
# Reload the schema cache to pick up altered classes and attributes
# -----------------------------------------------------------------------
dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-
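The `-c DC=X <domain DN>` option described above is a plain textual substitution, and the LDF itself is ordered deliberately: the three attributes are added, the schema cache is reloaded with `schemaUpdateNow`, and only then is the class that references them added. Below is an added pre-flight check, not from the post or from Microsoft's tooling, that performs the same DC=X substitution in Python and then parses the resulting LDIF to catch the mistakes that are cheap to find offline and painful once a schema has been extended: a dn that is not under your domain, a `systemMayContain` OID the file never defines, a class added before the cache reload, and a `defaultObjectCategory` that is not the class's own dn. The embedded LDF is a constructed, abbreviated excerpt in the shape of 802.11Schema.ldf; the PolicyReserved attribute is deliberately left out so the check has something to report. The parser and check are my own and only know about the record types this file uses.

```python
# Added example: offline pre-flight check for a schema-extension LDF.
# Not part of the forum post or of ldifde; SAMPLE_LDF is a constructed
# excerpt of 802.11Schema.ldf with the PolicyReserved attribute omitted.
import re

SAMPLE_LDF = """\
dn: CN=ms-net-ieee-80211-GP-PolicyGUID,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyGUID
attributeId: 1.2.840.113556.1.4.1951
schemaIdGuid:: YnBpNa8ei0SsHjiOC+T97g==

dn: CN=ms-net-ieee-80211-GP-PolicyData,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: ms-net-ieee-80211-GP-PolicyData
attributeId: 1.2.840.113556.1.4.1952
schemaIdGuid:: pZUUnHZNjkaZHhQzsKZ4VQ==

dn:
changetype: ntdsSchemaModify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: classSchema
ldapDisplayName: ms-net-ieee-80211-GroupPolicy
governsId: 1.2.840.113556.1.5.251
systemMayContain: 1.2.840.113556.1.4.1953
systemMayContain: 1.2.840.113556.1.4.1952
systemMayContain: 1.2.840.113556.1.4.1951
defaultObjectCategory: CN=ms-net-ieee-80211-GroupPolicy,CN=Schema,CN=Configuration,DC=X
"""


def substitute_domain(ldf_text, domain_dn):
    """What ldifde's `-c DC=X <domain_dn>` does: replace every DC=X with the real DN."""
    return ldf_text.replace("DC=X", domain_dn)


def parse_ldif(text):
    """Split LDIF into records, each a {attribute: [values]} dict.

    Comments, the '-' change separator and blank lines are skipped; a '::'
    (base64) value is kept as raw text because only names and OIDs are compared.
    """
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#") or line.strip() == "-":
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed LDIF line: {line!r}")
            entry.setdefault(name.strip(), []).append(value.lstrip(":").strip())
        if entry:
            records.append(entry)
    return records


def check_schema_ldf(ldf_text, domain_dn):
    """Return a list of problem strings; an empty list means the file passes."""
    problems = []
    defined = {}            # attributeId OID -> ldapDisplayName, in file order
    cache_reloaded = True   # has schemaUpdateNow run since the last new attribute?
    for rec in parse_ldif(substitute_domain(ldf_text, domain_dn)):
        dn = rec.get("dn", [""])[0]
        name = rec.get("ldapDisplayName", [dn])[0]
        if dn and not dn.endswith(domain_dn):
            problems.append(f"{name}: dn is not under {domain_dn}")
        if "schemaUpdateNow" in rec:
            cache_reloaded = True
            continue
        kind = rec.get("objectClass", [""])[0]
        if kind == "attributeSchema":
            oid = rec.get("attributeId", [None])[0]
            if oid is None:
                problems.append(f"{name}: attributeSchema without attributeId")
            else:
                defined[oid] = name
            cache_reloaded = False
        elif kind == "classSchema":
            if not cache_reloaded:
                problems.append(f"{name}: class added before schemaUpdateNow reloaded the new attributes")
            # Only OIDs this file never defines are flagged; a file that reuses
            # base-schema attributes would need a lookup against the live schema.
            for oid in rec.get("systemMayContain", []):
                if oid not in defined:
                    problems.append(f"{name}: systemMayContain references undefined OID {oid}")
            if rec.get("defaultObjectCategory", [dn])[0] != dn:
                problems.append(f"{name}: defaultObjectCategory is not the class's own dn")
    return problems


if __name__ == "__main__":
    for problem in check_schema_ldf(SAMPLE_LDF, "DC=example,DC=com") or ["no problems found"]:
        print(problem)
```

Run against the full 802.11Schema.ldf from the post (read from disk instead of `SAMPLE_LDF`) the check comes back empty; against the excerpt it reports the dangling reference to OID 1.2.840.113556.1.4.1953. Since schema changes are effectively permanent (attributes can be defunct but not deleted), this kind of dry run belongs before `ldifde -i`, alongside the usual practice of testing in a lab forest first.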
Occasional Contributor II
Posts: 27
Registered: ‎03-16-2010

Re: AD WPA2 login issues

Just a quick note to confirm that the schema extension worked for us (I followed the MS technet guide before seeing the post here), allowing me to apply WPA2/AES SSIDs to XP SP3 clients via a Win2003 group policy.

We have no Vista/Win7 clients yet, but I used a Vista VM to test the GP editing, and it appears to work as advertised. Actually getting the GP editor installed on Vista SP1 was a major pain however, so I recommend using win7. (Vista SP1 removes the GPMC, and re-installing it requires dotnet 1.1... )

So far I have seen no ill effects to our other GPs, all managed with Win2003 (no Win2008 servers yet).
Occasional Contributor I
Posts: 6
Registered: ‎07-01-2009

How to display reboot web page?

What a great idea. I would be REALLY interested in knowing how to implement this type of web page!

Occasional Contributor I
Posts: 6
Registered: ‎10-19-2009

Re: AD WPA2 login issues

Me too. : )