Wireless Auth to AD thru ACS- in a Novell infrastructure

Unanswered Question
Sep 15th, 2008

Hi,

We are a Novell shop; we have AD running on the network in a limited environment.

We have Lightweight APs connected to 4400s.

I want to authenticate our wireless laptops to AD, then map drives via Novell's eDirectory.

We authenticate to AD through ACS. The problem is that the Novell Client uses the machine name (laptop) as the domain name and appends it to the user login, so ACS sends it to AD. We don't have machines in AD, so it fails AD authentication, because the machine name is not a domain.

Is there a way to strip the MACHINE name in ACS and add the domain name, and send that and the user id to AD?

Pete

rduke Wed, 09/17/2008 - 13:10

Pete,

FYI, we use Novell client version 4.91.4.20070720 on our PCs and Windows to manage the wireless cards (PEAP for authentication). It works OK for us. Also have Cisco LWAPP APs. Not sure what the problem would be. If you look in the connection attempts in ACS, we would normally see a machine account when the PC boots, but when the user logs in it will re-authenticate to the user name in the format Domain\username. It might help to know what wireless client and authentication you are using.


Randy

ppellettiere Thu, 09/18/2008 - 04:48

Our configurations/infrastructure appear to be similar to yours. The problem is our Server guys will not allow us to add the machines to AD for no good reasons.

They will only allow User logins.


So I am trying to figure how I might be able to run it without the machine credentials.


Pete

ppellettiere Thu, 09/18/2008 - 04:51

PS: we use the Windows Client or the Intel Client with PEAP authentication.

rduke Thu, 09/18/2008 - 09:55

Not sure about using it like that. The machine account authentication is very helpful because all of the login scripts run properly. I have not tried this with the Intel client; however, it may be able to get around that problem using the pre-login connect. I don't know how familiar you are with that client, but in order to load that feature you need to install the administrator tool and generate an install package. Still, you should be able to log in using PEAP without machine authentication. We can log in with MACs and they don't have machine accounts. Make sure you have PEAP enabled in ACS. Also, the certificate has to be loaded and you have to trust it on the PC if you "check the server certificate". When troubleshooting I uncheck the box for checking server certificates to see if that is a problem. Another thing that can goof you up is that the date on the PC must be within the valid dates of the cert. That's about all I can think of. Good luck.


Randy
