Wireless Access

Whenever we build new machine we need to connect it to LAN first before connecting to WAN,

 

Can someone please help me understand  , how this works and whey we cannot directly to Wireless.

 

Thanks for help.

 

Couple of questions.

What type of clients?

Owned or BYOD? Joined to the domain?

What authentication method are you using on your wireless?
Username/password, pre-shared key, certificates, MAC-auth?

Below are answers :-

 

Windows 7 or windows 8 client.

 

Joined to domain.

 

Authentication we use is certificates and user-auth.

 

 

 

Thanks.

MK_1707,

 

You need to ensure that machine authentication is working correctly.  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/802-1x-Machine-Authentication-Using-Aruba-3600-Controllers-and/m-p/28250/highlight/true#M1349

 

Machine authentication ensures that the machine itself can authenticate successfully at the ctrl-alt-delete screen and get an ip address.  That gives it the domain "dial tone" needed to successfully run login scripts and for new users to authenticate and build a new profile.  If machine authentication does not succeed, only users with cached credentials can login, because the machine does not have a connection to domain controllers to login new users.

Are the machines already joined to the domain and have the certificate installed, or are you trying to connect  via wireless to do that?

 

Probably best to search Windows Single Sign On Wireless and read some of the things on that.

 

I've had limited success using what I've found, but honestly it's just easier (for us) to hard wire.   We push out our certificate and wireless settings via AD and GPOs. 

 

The time it takes to manually create the wireless profile and bypass the certificate check, it's just as easy to hard wire the machine and join the domain.  If only tech people are doing the work it's okay, but if end users are doing it, consider that by showing them how to bypass the certificate check, you've basically showed your users how to get on your network without following whatever protocols you have in place.   We've had plenty of users that have figured out how to just copy settings from other users and get on the network without the proper patching, anti-virus, etc.

 

 

Yes system is joined to domain already using admin credentials but , as new user logs in to box which does not have his profile set over there he cannot contact domain controller for authentication.

MK_1707,

 

All your wireless client (Windows 7 shown) needs is User or Computer authentication enabled like in the picture below.

 

 

If you are using Microsoft NPS server all you need to do is ensure that Domain Computers is one of your AD groups that you are allowing to authenticate:

 

 

That is pretty much the lion's share of it.

Yes exactly i have checked those two settings and they are setup correctly for me.

 

still if any new user tries to login they get error no logon servers are available.

Okay.  Log out of Windows on the wireless laptop and wait a few seconds.  Then go into the event viewer on NPS and see if the machine is trying to authenticate (username host/xxxxxxx).

My doubt is :-

 

When will this computer authentication wil come in picture .

 

I press alt+ctrl+del and it says no logon server available, i mean if it is not able to contact domain controller , how will NPS authentication work here ?

 

 

The machine authenticates to the wireless network when (1) the computer boots (2) a user logs off of the computer.  That provides the connection necessary to make this work.

 

After checking logs on controller I see authentication is getting failed though i know my user name and pwd is correct.

 

 

below is error is get from logs on controller :-

-----------------------------------------------------------

Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

 

any help with this issue is appreciated.

What user is failing?  Does the event viewer say the OU or container that the user is in?  Please open a TAC case to get the details of your setup checked.

Might also want to check the Power Management of the wireless card and uncheck the "Allow the computer to turn off this device to save power."

 

Also check out this post for some other helpful ideas:   http://community.spiceworks.com/topic/403820-windows-7-temporary-profile-looking-for-a-preventative-measure

 

 

I had a similar issue a few months back - that was the last thing I sent my tech and I never heard back, so unfortunately I can't tell you what was the actual fix.