Occasional Contributor II
Posts: 27
Registered: ‎09-06-2013

New Machine requires to connect to LAN first before connecting to LAN

Whenever we build a new machine, we need to connect it to the LAN first before connecting to WAN.

Can someone please help me understand how this works and why we cannot connect directly to wireless?

Thanks for the help.


Guru Elite
Posts: 8,634
Registered: ‎09-08-2010

Re: New Machine requires to connect to LAN first before connecting to LAN

Couple of questions.

What type of clients?

Owned or BYOD? Joined to the domain?

What authentication method are you using on your wireless?
Username/password, pre-shared key, certificates, MAC-auth?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 27
Registered: ‎09-06-2013

Re: New Machine requires to connect to LAN first before connecting to LAN

Below are the answers:

Windows 7 or Windows 8 client.

Joined to domain.

Authentication we use is certificates and user-auth.

Thanks.

Guru Elite
Posts: 21,262
Registered: ‎03-29-2007

Re: New Machine requires to connect to LAN first before connecting to LAN

MK_1707,

 

You need to ensure that machine authentication is working correctly.  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/802-1x-Machine-Authentication-Using-Aruba-3600-Controllers-and/m-p/28250/highlight/true#M1349

 

Machine authentication ensures that the machine itself can authenticate successfully at the ctrl-alt-delete screen and get an ip address.  That gives it the domain "dial tone" needed to successfully run login scripts and for new users to authenticate and build a new profile.  If machine authentication does not succeed, only users with cached credentials can login, because the machine does not have a connection to domain controllers to login new users.



Colin Joseph
Aruba Customer Engineering

Regular Contributor II
Posts: 205
Registered: ‎09-28-2010

Re: New Machine requires to connect to LAN first before connecting to LAN

Are the machines already joined to the domain and have the certificate installed, or are you trying to connect via wireless to do that?

Probably best to search Windows Single Sign On Wireless and read some of the things on that.

I've had limited success using what I've found, but honestly it's just easier (for us) to hard wire. We push out our certificate and wireless settings via AD and GPOs.

The time it takes to manually create the wireless profile and bypass the certificate check, it's just as easy to hard wire the machine and join the domain. If only tech people are doing the work it's okay, but if end users are doing it, consider that by showing them how to bypass the certificate check, you've basically shown your users how to get on your network without following whatever protocols you have in place. We've had plenty of users that have figured out how to just copy settings from other users and get on the network without the proper patching, anti-virus, etc.


Occasional Contributor II
Posts: 27
Registered: ‎09-06-2013

Re: New Machine requires to connect to LAN first before connecting to LAN

Yes, the system is already joined to the domain using admin credentials, but when a new user logs in to a box that does not have his profile set there, he cannot contact the domain controller for authentication.

Guru Elite
Posts: 21,262
Registered: ‎03-29-2007

Re: New Machine requires to connect to LAN first before connecting to LAN

MK_1707,

 

All your wireless client (Windows 7 shown) needs is User or Computer authentication enabled like in the picture below.

 

[Image: machine.PNG]

 

If you are using Microsoft NPS server all you need to do is ensure that Domain Computers is one of your AD groups that you are allowing to authenticate:

 

[Image: nps.PNG]

 

That is pretty much the lion's share of it.



Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 27
Registered: ‎09-06-2013

Re: New Machine requires to connect to LAN first before connecting to LAN

Yes, exactly. I have checked those two settings and they are set up correctly for me.

Still, if any new user tries to log in, they get the error "no logon servers are available".

Guru Elite
Posts: 21,262
Registered: ‎03-29-2007

Re: New Machine requires to connect to LAN first before connecting to LAN

Okay.  Log out of Windows on the wireless laptop and wait a few seconds.  Then go into the event viewer on NPS and see if the machine is trying to authenticate (username host/xxxxxxx).

[Image: nps2.png]



Colin Joseph
Aruba Customer Engineering
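
The Event Viewer check described in the post above can also be run from PowerShell on the NPS server. This is an added example, not part of the original thread; it assumes NPS auditing is enabled so that events 6272 (access granted) and 6273 (access denied) reach the Security log, and the 15-minute window is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on the NPS server.
# Assumption: NPS auditing is on, so 6272 (granted) and 6273 (denied)
# are written to the Security log with named EventData fields.
$since = (Get-Date).AddMinutes(-15)   # look-back window, adjust as needed

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the named EventData fields of this event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $user = $data['SubjectUserName']

    [pscustomobject]@{
        Time     = $e.TimeCreated
        Result   = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        Identity = $user
        # Machine authentication shows up with a host/<computername> identity.
        Kind     = if ($user -like 'host/*') { 'Machine' } else { 'User' }
        Client   = $data['CallingStationID']
        Reason   = $data['Reason']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# If the laptop was logged out during the window and nothing is listed as
# Machine, the client never attempted computer authentication.
if (-not ($rows | Where-Object Kind -eq 'Machine')) {
    Write-Warning 'No host/ (machine) authentication attempts in the window.'
}
```

A `Denied` row with `Kind` of `Machine` means the computer did try to authenticate and the `Reason` column shows why NPS rejected it; no `Machine` rows at all points back at the client-side setting.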

Occasional Contributor II
Posts: 27
Registered: ‎09-06-2013

Re: New Machine requires to connect to LAN first before connecting to LAN

My doubt is:

When will this computer authentication come into the picture?

I press Alt+Ctrl+Del and it says no logon server available. I mean, if it is not able to contact the domain controller, how will NPS authentication work here?
