Wireless Access

Hi all,

 

My office wi-fi is running 802.1x and EAP termination in windows nps. All the staffs domain laptop works fine until recently my boss has decide to allocate 2 unit of domain workstation in our pantry as public PC for staff access during break time.

 

The domain workstation is running wireless, no wired. The challeging part is everyday i'm annoyed by all these users complaining they can't logon the workstation with their AD credentials.

This is due to all these users is first time logon into the workstation. Without the connection, the PC couldn't validate the users and logon.

 

My current workaround is create a preshared key SSID for these 2 workstation and stay connected. Thus those first time logon users able to login with their domain credentials.

But this workaround is imperfect so I'm here to seeking every suggestion to improve this.

 

Do we able to achieve by removing the preshared-key SSID and all the first time login domain user still able to login in?

 

Thanks.

Machine authentication is not successful with termination and NPS. You would need a valid certificate on your NPS server and remove termination from the controller.

If machine authentication does not work, new users cannot login. It is that simple.

Hi cjoseph,

 

no termination in the controller and all are passed to the NPS server.

The issue is new logon domain user failed to login the pantry public domain pc as i believe it is unable to verify the user account credentials with my domain controller.

I'm seeking on the possible soluton for this.

 

Thanks.

Sorry, I read that wrong.

Do you have your laptop's configured for machine authentication?

so far is not configured in the pc.

Will the machine auth solved my issue?

The main challenge is every first logon domain user do not have the dot1x SSID profile configured when logging in thus it cause failure.

Yes.  The machine needs to be configured for user or machine authentication for users that have never logged on before to be able to login.  NPS also needs to be able to allow users in the Domain Computers AD group to login.

tested with machine auth and still doesnt work.

the pc did not have any connection during user logon, is the machine auth  still works and able to authenticate?

 

error "there are currently no logon servers available to service the logon request"

 

Thanks.

Look in the eventviewer of the NPS server to see if the computer passed authentication with a username of host/hostname.  If the computer passed authentication, it should have an ip address at the ctrl-alt-delete screen.

yep, managed to resolve it by using machine auth now after long day today.

i missed out to configure the machine GPO for the wireless settings.

now is working. thanks!

Yes, you should configure a machine authentication system profile via group
policy.