New Contributor
Posts: 2
Registered: ‎05-18-2009

Radius authentication configuration without being hard wired

Hello, We've had an issue for a while and we just can't figure out a solution.

Scenario:

We have 100 netbooks for students running Windows XP SP3. We currently use RADIUS for authentication to MS Active Directory. We can push the RADIUS configuration/certificate via group policy. But we have no way for the client to get the policy without plugging in. This can be very annoying for hundreds of clients, especially students.

Basically we want this to be as seamless as possible. If a user brings a netbook unconfigured off the streets, we want them to easily get the configuration without hard wiring in advance to get the policy.

Has anyone had this problem?
New Contributor
Posts: 1
Registered: ‎04-27-2010

Re: Radius authentication configuration without being hard wired

I've had this problem too but don't know what to do either.
Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Please Try

The suggestion in the post here: http://airheads.arubanetworks.com/vBulletin/showpost.php?p=726&postcount=4


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Re: Radius authentication configuration without being hard wired


We created a captive portal on the failed auth role and put a simple exe on that page that imports the wired config using netsh and the appropriate XML file. It isn't perfect since it assumes the user has their NIC named the default, but I plan on working around that at some point in the future; it is a low-priority item.

You can't import the wireless config using netsh for XP SP3, but you can probably do it via a similar process or just link to instructions?
Guru Elite
Posts: 21,037
Registered: ‎03-29-2007

Captive Portal on Failed Auth Role

The following was assumed, based on the initial question:

- Laptops were configured to use WPA/WPA2 802.1x authentication with PEAP.
- The same configuration has the "authenticate as computer when computer information is available" option checked so that new users to a laptop can log in wirelessly even if they never logged in before.
- There is a backend RADIUS server authenticating users from the "domain users" group as well as the "domain computers" group, so that computers can also get an IP address at the Ctrl-Alt-Delete screen, authenticate new users and run login scripts. Attached is the chapter on setting up Windows XP 802.1x clients from the user guide.

When an 802.1x computer fails authentication, it does NOT get an IP address, so you cannot bring up a captive portal with a "failed" role. The device may be in that initial or failed role, but does not have an IP address, which is necessary to bring up a web page. Is there another SSID that the computer falls back to that allows it to get the captive portal?


Colin Joseph
Aruba Customer Engineering
