Wirless and Logon Scripts

Unanswered Question
May 16th, 2008
User Badges:


New to enterprise wireless. Just installed 20 WAPs 1240s and 1 WLC 4402.

The users are using a radius server to authenticate against the AD.

How can I get the logon scripts to run?



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
SHANNON WYATT Fri, 05/16/2008 - 16:23
User Badges:

The easiest way to do this is on the client side use the Microsoft client (suplicant) and use either PEAP or EAP-TLS. If you are using IAS, configure the wireless policy for a wireless users group and add the users as well as the computers to the group. When the users log in, they will be authenticated as that user. When they log off it reauthenticates as the PC. This allows group policy, remote desktop etc. The only problem you can have is with remote desktop and EAP-TLS. If you do a remote desktop connection to a PC that is authenticated with EAP-TLS it will drop your connection as the RDP client does not pass your cert info in the remote desktop session.

You can potentially do this with a third party supplicant, but they are usually pretty cludgy.

svillardi Mon, 05/19/2008 - 06:24
User Badges:

OK, the Microsoft Client, meaning the Windows Zero Configuration?

Then, you're saying, put the laptops and users in the same OU?

We are using PEAP (that's what our corporate setup requires).

Thanks for the further explanation.

SHANNON WYATT Mon, 05/19/2008 - 06:36
User Badges:

The OU doesn't matter, only the Windows Group. Yup, you can add computers to groups as well as PCs!

Once you add the computers to the WiFi users group they will authenticate to the network. You do have to click the button "Authenticate as a computer..." on the config, but that is the default.

svillardi Mon, 05/19/2008 - 06:47
User Badges:

I'm sorry for being so uninformed but I am geting confused as to where are these changes being made.

For starters, I have access to the WLC, the AD, the APs, and the Wireless PCs, but not the radius server.

OK, so you are saying create a WiFi Users group in AD. Put the users and the laptops in it. Yes??

Now what about the Authenticate as a computer setting? Where's that?

I need this spelled out because this is the first wireless implementation I have done. I simply followed the instructions given to me via corp IT, so some of this is new to me.



SHANNON WYATT Mon, 05/19/2008 - 06:55
User Badges:

Ok, I was thinking that you where using IAS, Microsoft's RADIUS Server. When using IAS you specify a group that has WiFi access. I now assume that you are using ACS, or some other group. You may have to do a group matching (Check with the person who manages the RADIUS server) to get it to allow the computer accounts to authenticate. This does work with Cisco ACS, and should work with any RADIUS.

If you are doing group matching for WiFi authentication you want to put the computers and the users in the same Windows Group for WiFi authentication as the PC and the user.

The authenticate as a computer is on the Wireless Zero config on the client. This is the default setting, so this should be enabled already.


This Discussion



Trending Topics - Security & Network