Wireless Access

We are working on whole disk encryption for our laptops used to connect to our internal wireless network. The program is called WinMagic Securedocs and it boots to a login screen that is attempting a connection to the WinMagic server BEFORE it allows the laptop to load windows and actually Authenticate to our AD through Radius.

In the login structure there are minor settings available that allow you to scan for wireless networks, select the type of encryption, and even Authenticate with WPA2-Enterprise.
The boot system gets its major wireless settings from server before the drive is encrypted, so a lot of the features are not available to the end user. So we still have to muttle through those settings to get the AAA to work.

My question, is this a textbook use of the Initial-Role feature in the aaa-profile settings? In other words, the laptop boots to the Linux loader, connects to the ESSID (that requires aaa) but it is "allowed" to get to ONLY the Winmagic Server verifying the Securedoc credentials, thus allowing Windows to boot up and eventually authenticate to our AD, giving users the access to our internal wlan.

Does this sound right? Or am I gone down a rabbit hole?

---

@Lizrad wrote:

We are working on whole disk encryption for our laptops used to connect to our internal wireless network. The program is called WinMagic Securedocs and it boots to a login screen that is attempting a connection to the WinMagic server BEFORE it allows the laptop to load windows and actually Authenticate to our AD through Radius.

In the login structure there are minor settings available that allow you to scan for wireless networks, select the type of encryption, and even Authenticate with WPA2-Enterprise.
The boot system gets its major wireless settings from server before the drive is encrypted, so a lot of the features are not available to the end user. So we still have to muttle through those settings to get the AAA to work.

My question, is this a textbook use of the Initial-Role feature in the aaa-profile settings? In other words, the laptop boots to the Linux loader, connects to the ESSID (that requires aaa) but it is "allowed" to get to ONLY the Winmagic Server verifying the Securedoc credentials, thus allowing Windows to boot up and eventually authenticate to our AD, giving users the access to our internal wlan.

 

Does this sound right? Or am I gone down a rabbit hole?

---

I'm not familiar with this disk encryption software specifically, but I suspect a more simple approach is possible.

Since the laptop is first booting a linux loader to check the disk before it restarts with Windows, the wireless adapter will likely be started using a linux driver first for that host check, before it is disconnected and reloaded with the appropriate Windows driver. In this case, the wireless association is not retained across the two OS loads, so two different sets of credentials could potentially be used.

The credentials used for the WinMagic connection can be placed into a role that only allows access to the WinMagic server for settings validation. This would be a successful authentication, so the initial role is not utilized. After the linux loader completes and the machine then goes into Windows, your standard machine/user authentication process would start new, and would continue as it is currently deployed.

If you are doing 802.1x, the initial role is not really applied in the AAA profile.  The 802.1x default role would be applied if successfull authentication has occured. You could also consider Machine/User Default Roles. Machine Default role would allow ACL's to be applied prior the the User Authentication occurring.

https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-machine-authentication-work-on-the-Aruba-controller/ta-p/183440