Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

EAP TLS SSO

  • 1.  EAP TLS SSO

    Posted Apr 07, 2014 05:51 PM

    Has anyone done any workaround for this?

    I have a client which needs to do SSO, like with EAP-PEAP, where it is possible.

    He runs a script, but the device needs to authenticate before the user logs in to Windows... it needs to run the script, and if it does not have single sign-on, the script cannot run because it is not in the network yet.

    When he had SSO with EAP-PEAP, with single sign-on configured on the Windows supplicant, everything worked pretty well, but now that he has moved to EAP-TLS for more security, EAP-TLS lacks single sign-on on the Windows supplicant, like it says in the Microsoft document http://support.microsoft.com/kb/2717916

    Has anyone encountered this issue? Any workaround for it?

    Cheers

    Carlos



  • 2.  RE: EAP TLS SSO

    EMPLOYEE
    Posted Apr 07, 2014 09:56 PM

    You can use EAP-TLS with machine authentication.



  • 3.  RE: EAP TLS SSO

    Posted Apr 23, 2014 01:28 PM

    Hello Collin

    If I do EAP-TLS with machine authentication, does that mean I would need to enable machine authentication on the controller?

     

    Cheers

    Carlos



  • 4.  RE: EAP TLS SSO

    Posted Apr 24, 2014 05:27 PM

    Anyone???

     

    Cheers

    Carlos



  • 5.  RE: EAP TLS SSO

    EMPLOYEE
    Posted Apr 24, 2014 05:34 PM

    No.

     

    You do not need to configure anything on the controller, except define a RADIUS server. The RADIUS server is where you decide which users or machines are allowed to authenticate, based on AD groups.

     



  • 6.  RE: EAP TLS SSO

    Posted Apr 24, 2014 05:35 PM

    Thank you

    I'll do some testing then.

     

    Cheers

    Carlos



  • 7.  RE: EAP TLS SSO

    Posted May 05, 2014 04:40 PM

    Hello Collin

    I tested and it seems to work!

    2 more questions:

    1- Is there no way to show a name other than the computer name in the client list when authenticating with the computer?

    host/pcname.domain.local

    2- Is the only way to authenticate the computer AND the user name by using the controller's machine authentication feature?

     

    Cheers

    Carlos



  • 8.  RE: EAP TLS SSO

    EMPLOYEE
    Posted May 05, 2014 04:51 PM

    @NightShade1 wrote:

    Hello Collin

    I tested and it seems to work!

    2 more questions:

    1- Is there no way to show a name other than the computer name in the client list when authenticating with the computer?

    host/pcname.domain.local - You would have to distribute a client certificate to each computer and allow user and computer authentication. Unfortunately, each user would have to have logged into the computer once on the wired network to obtain an EAP-TLS certificate before getting onto the wireless for the first time.

    2- Is the only way to authenticate the computer AND the user name by using the controller's machine authentication feature? - You can, using Group Policy, set up the computer to authenticate the user and the computer without configuring anything on the controller. The user would have to already have had an EAP-TLS certificate distributed to the machine, as I mentioned in question #1.

     

    Cheers

    Carlos


     



  • 9.  RE: EAP TLS SSO

    Posted May 05, 2014 05:12 PM

    Hello Collin

    On the computer I do have a user certificate:

    in mmc --> Add snap-in --> Certificates --> My user account --> Personal folder, I already have a certificate for the user which uses a client authentication template.

    I also already have a computer certificate:

    in mmc --> Add snap-in --> Certificates --> Computer account --> Personal folder, I already have a certificate for the computer which uses a machine authentication template.

    In the configuration on my computer I have "user or computer authentication".

    Where do I tell it to authenticate machine AND user?

    On the RADIUS server?

    In the network policy, do I build one single rule which contains one condition with the domain users

    and another condition with the domain computers?

    If I test it individually, I mean just computer authentication, it works fine... or just user authentication....

     

    Cheers

    Carlos

     



  • 10.  RE: EAP TLS SSO

    EMPLOYEE
    Posted May 05, 2014 05:15 PM

    @NightShade1 wrote:

    Hello Collin

    On the computer I do have a user certificate:

    in mmc --> Add snap-in --> Certificates --> My user account --> Personal folder, I already have a certificate for the user which uses a client authentication template.

    I also already have a computer certificate:

    in mmc --> Add snap-in --> Certificates --> Computer account --> Personal folder, I already have a certificate for the computer which uses a machine authentication template.

    In the configuration on my computer I have "user or computer authentication".

    Where do I tell it to authenticate machine AND user? - You only need to allow it on the RADIUS server.

    On the RADIUS server? - The RADIUS server only uses the username from the certificate, so as long as you are allowing logins from the AD group of the user, it should allow you to authenticate.

    In the network policy, do I build one single rule which contains one condition with the domain users - Correct.

    and another condition with the domain computers? - Correct x2

    If I test it individually, I mean just computer authentication, it works fine... or just user authentication....

     

    Cheers

    Carlos

     


     



  • 11.  RE: EAP TLS SSO

    Posted May 05, 2014 05:36 PM

    Hello Collin

    Machine authentication doesn't seem to work if I don't set "Computer authentication" under "Specify authentication mode" on the client.

    If, for example, on my computer I set "User or computer authentication",

    and on the RADIUS server I put just a condition for machine authentication, it doesn't work.

    I have to set my computer to machine authentication only.

    If I put both conditions separately like this:

    (screenshot: machuserauth.JPG)

    and I set my computer to "User or computer authentication", it does not work....

    If I put a single rule on the RADIUS server which refers to the Domain Users group,

    and on my computer I set "User or computer authentication", then it works....

    I fail to make both authenticate.... but I can do it individually.... :(
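As an added example (not from the thread, and not HPE Aruba or Microsoft code), here is a small Python model of the two parts the last few posts are juggling: which identity the Windows supplicant presents for each OneX authMode (the computer certificate before logon, the user certificate after logon, depending on the mode), and how NPS evaluates a set of network policies (every condition in a policy must match; a single Windows Groups condition matches if the account is in any of its listed groups; policies are tried in order and the first match decides). The machine identity host/pcname.domain.local is the one shown in the thread; the user UPN, the "Domain Users" / "Domain Computers" memberships and the policy names are constructed assumptions. What it makes visible is that one policy carrying a Domain Users condition and a separate Domain Computers condition can never match, because a computer account is not in Domain Users and a user account is not in Domain Computers, so each authentication attempt satisfies only one of the two ANDed conditions.

```python
"""Model of EAP-TLS machine + user authentication: the identity a Windows
802.1X supplicant presents for each OneX authMode, and how an NPS network
policy set decides. Directory contents and policy names are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed directory: AD group membership per authenticating identity.
# The computer authenticates as host/<fqdn> (from its machine certificate) and
# is only in Domain Computers; the user (assumed UPN) is only in Domain Users.
MACHINE_IDENTITY = "host/pcname.domain.local"
USER_IDENTITY = "carlos@domain.local"          # assumed user principal name
DIRECTORY: Dict[str, Set[str]] = {
    MACHINE_IDENTITY: {"Domain Computers"},
    USER_IDENTITY: {"Domain Users"},
}


@dataclass
class Policy:
    """One NPS network policy. Each entry in `conditions` is a Windows Groups
    style condition and matches if the account is in ANY of its groups.
    ALL conditions in a policy must match for the policy to apply."""
    name: str
    conditions: List[FrozenSet[str]]
    grant: bool = True


def nps_evaluate(identity: str, policies: List[Policy]) -> Tuple[Optional[str], bool]:
    """First policy whose conditions all match decides; no match means reject."""
    groups = DIRECTORY.get(identity, set())
    for policy in policies:
        if all(groups & cond for cond in policy.conditions):
            return policy.name, policy.grant
    return None, False


def supplicant_identity(auth_mode: str, user_logged_on: bool) -> Optional[str]:
    """Identity the Windows supplicant offers for a given OneX authMode.
    'machine' always uses the computer certificate; 'user' authenticates only
    once a user is logged on (no network before logon); 'machineOrUser' uses
    the computer certificate before logon and the user certificate after."""
    if auth_mode == "machine":
        return MACHINE_IDENTITY
    if auth_mode == "user":
        return USER_IDENTITY if user_logged_on else None
    if auth_mode == "machineOrUser":
        return USER_IDENTITY if user_logged_on else MACHINE_IDENTITY
    raise ValueError(f"unknown authMode {auth_mode!r}")


def simulate(auth_mode: str, policies: List[Policy]) -> Dict[str, bool]:
    """Is the client admitted before logon (needed for a pre-logon script)
    and after logon (as the user), for this authMode and policy set?"""
    result: Dict[str, bool] = {}
    for phase, logged_on in (("pre_logon", False), ("post_logon", True)):
        identity = supplicant_identity(auth_mode, logged_on)
        result[phase] = identity is not None and nps_evaluate(identity, policies)[1]
    return result


# Policy sets mirroring the attempts described in the thread (names assumed).
# One policy with two separate group conditions: both must match one account.
ONE_POLICY_TWO_CONDITIONS = [
    Policy("Users AND Computers",
           [frozenset({"Domain Users"}), frozenset({"Domain Computers"})]),
]
USERS_ONLY = [Policy("Domain Users", [frozenset({"Domain Users"})])]
COMPUTERS_ONLY = [Policy("Domain Computers", [frozenset({"Domain Computers"})])]
# One policy whose single Windows Groups condition lists both groups (OR).
USERS_OR_COMPUTERS = [
    Policy("Users or Computers",
           [frozenset({"Domain Users", "Domain Computers"})]),
]
# Two policies, one per account type, evaluated in order.
TWO_POLICIES = [
    Policy("Computers", [frozenset({"Domain Computers"})]),
    Policy("Users", [frozenset({"Domain Users"})]),
]

if __name__ == "__main__":
    sets = [("one policy, two conditions", ONE_POLICY_TWO_CONDITIONS),
            ("Domain Users only", USERS_ONLY),
            ("Domain Computers only", COMPUTERS_ONLY),
            ("one condition, both groups", USERS_OR_COMPUTERS),
            ("two policies", TWO_POLICIES)]
    for label, policies in sets:
        for mode in ("machine", "user", "machineOrUser"):
            print(f"{label:28} authMode={mode:14} {simulate(mode, policies)}")
```

Running it prints the grid of authMode against policy set. On a real NPS the equivalent check is the Security event log: event 6272 (access granted) or 6273 (access denied) names the account that was evaluated, so a pre-logon failure shows the host/ identity and a post-logon failure shows the user, which tells you which half of the policy set is rejecting.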