Windows computers are not authenticating to network

Unanswered Question
Sep 14th, 2007

We are using 802.1x/PEAP with IAS 2003 server. We are having problems with computers not being authenticated to network. If a user already has a profile on the computer they are authenticated, however if they log off and the next user does not have a profile they cannot get logged in. They receive a message "Domain is not available".

After doing some debugs off our 4404 controller I've come to see that there is an issue between the computer and the IAS server. Attached is the debug output. Any help would be great.

dcmueller Sat, 09/15/2007 - 16:44

See if this tracks.

If the computer has "cached credentials" then the user can login with no problems. However if it is a new user then you receive a "Domain is Not Available" message.

I am having the very same issue, and believe it to be because we need to be using hardware (or Computer) authentication into Active Directory.

Without using Computer Authentication, the PC doesn't enable the wireless card or connect to the SSID until after the user successfully logs into the PC.

I'm searching for documents on how to properly configure this with ACS v3.3, WCS, WLC 4404, and Active Directory Domain Controller.

I hope this helps, and I'll check back here to see if you found the directions. If I find them, I'll post them here.

DCM

fynskisb16 Mon, 09/17/2007 - 06:21

That is exactly what I'm seeing. If a user has a profile on the machine they are able to login fine. New user, not able to login.

dcmueller Tue, 09/18/2007 - 08:12

Got it!

- Login to the computer as Local Administrator

- Get into the Wireless Connection Configuration through Start, Settings, Network…

- Under Preferred Networks, Click ADD

- Type in your SSID Name - Ours is XX-Secure

- Under Network Authentication, select WPA

- Under Data Encryption, select TKIP

Click on the Authentication Tab and go to the next step

Under the Authentication tab, select "Protected EAP (PEAP)" as the EAP type.

Make sure that the Authenticate as computer when computer information is available has a check-mark next to it.

You will receive an error message when you try to login that the Domain is not available if this is not checked.

This is what allows the computer to authenticate against the Domain BEFORE the user logs in. If this is not checked, then un-cached user accounts will not be able to login on the PC.

Click on the Properties button to change the EAP/PEAP Properties.

When you click on the Properties button The Protected EAP (PEAP) properties page opens up.

I did not check the "Validate server certificates" box here.

Check mark in Enable Fast Reconnect.

Select Secured Password (EAP-MSCHAPv2).

Click on the Configure button next to Secured Password (EAP-MSCHAPv2).

Here, make sure there is a check-mark in the box for "Automatically use my Windows logon name and password (and domain if any)".

This allows for the user to automatically authenticate to the Wireless LAN and your Domain by passing the username and password that they logged into the computer with.

On the ACS Server, do this:

Click on External User Databases

Click on Database Configuration

Click Windows Database

Click Configure

MSCHAP Settings

Checkbox in Enable Password Changes using MS-CHAP-version 2

Windows EAP Settings

Checkbox for Enable Password changes inside PEAP or EAP-FAST

Machine Authentication

Checkbox for Enable PEAP Machine Authentication

Checkbox for Enable EAP-TLS and Authentication

EAP-TLS and PEAP Machine Authentication name prefix = host/

Leave the rest as default

That did it for me. When the computers are configured as above, and they boot up, you'll see that they register in the Passed Authentications log under Reports and Activities. The steps should be that the Computer authenticates, then the user. For logouts, the user logs out, then the computer de-authenticates. This shows that the computer is pulling AD Computer Policies, then the user based policies for startup/login and logout/shutdown.

Let me know if you're successful.

DCM
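The order the post describes (computer authenticates first, then the user) can be verified from an authentication log rather than by eye. The script below is an added example, not code from the post or from Cisco ACS: it walks a chronological list of passed/failed authentications, treats any User-Name carrying the configured "host/" prefix as a machine authentication, and flags stations where a user authenticated without a passed machine authentication first, which is the symptom of the "Authenticate as computer" box being unchecked. The event tuples are constructed sample data and do not reproduce the real ACS report format.

```python
"""Audit wireless logon order: a passed user authentication on a station
should be preceded by a passed machine (host/...) authentication."""
from collections import defaultdict

MACHINE_PREFIX = "host/"  # machine authentication name prefix configured on ACS

# Constructed sample events: (time, station MAC, User-Name, result),
# already in chronological order. Not a real ACS log.
SAMPLE_EVENTS = [
    ("09:00:01", "00-11-22-33-44-55", "host/PC01.example.local", "Passed"),
    ("09:00:12", "00-11-22-33-44-55", "EXAMPLE\\alice", "Passed"),
    ("09:05:00", "00-11-22-33-44-66", "EXAMPLE\\bob", "Passed"),      # no machine auth
    ("09:06:00", "00-11-22-33-44-77", "host/PC03.example.local", "Failed"),
    ("09:06:30", "00-11-22-33-44-77", "EXAMPLE\\carol", "Passed"),    # machine auth failed
]


def is_machine_auth(user_name):
    """True when the User-Name is a machine account (host/ prefix)."""
    return user_name.lower().startswith(MACHINE_PREFIX)


def audit_logon_order(events):
    """Return {station: [finding, ...]} for stations where a user passed
    authentication without a prior passed machine authentication."""
    machine_ok = defaultdict(bool)   # station -> last machine auth passed?
    findings = {}
    for ts, station, user, result in events:
        if is_machine_auth(user):
            # Record the outcome of the most recent machine authentication.
            machine_ok[station] = (result == "Passed")
            continue
        if result == "Passed" and not machine_ok[station]:
            findings.setdefault(station, []).append(
                f"{ts}: {user} authenticated on {station} "
                "without a prior passed machine authentication")
    return findings


def stations_missing_machine_auth(events):
    """Sorted list of station MACs that need the client-side machine auth fix."""
    return sorted(audit_logon_order(events))


if __name__ == "__main__":
    for station, notes in audit_logon_order(SAMPLE_EVENTS).items():
        for note in notes:
            print(note)
```

Stations listed by `stations_missing_machine_auth` are the ones to check for the "Authenticate as computer when computer information is available" setting.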

mhurley131 Tue, 10/16/2007 - 18:59

Is it possible to have the machine authenticate, but then not check the user authentication? In our setup we want to base wireless access on computers, not users.

dcmueller Wed, 10/17/2007 - 08:47

Using certificates on the wireless clients, I'm sure this would work. You would be authenticating the computer against active directory computer objects, the same as I am doing, however you would not need to perform user authentication. Go through the steps in the links I posted above and see if that doesn't help you.

neilhall Mon, 11/12/2007 - 09:34

I too am having this same problem, however it appears that the suggestion above is written for someone using XP to manage their wireless and not the Cisco client software. With the Cisco client, I can find nearly all of the options listed above, however I do not see an equivalent to the "Authenticate as computer when computer information is available" option in the Cisco client for the AIR-CB21AG card. I have followed the instructions otherwise, but obviously this one setting is key.
