Windows Domain Not Available

Unanswered Question
Nov 11th, 2008


I'm running WLC 4402, 1242 APs, ACS 4.x using Windows DB and WinXP SP2 clients.

Clients are authenticating using PEAP MS-CHAPv2. I have it set to automatically use the Windows login name and password.

This works great if the user is a cached user on the laptop, but if they have not logged onto the laptop before (e.g. through a wired connection) they are told the domain is not available.

If they go to a wired connection (thus pulling down group policies) and then go to wireless, it works fine.

On Windows I checked "Authenticate as computer when computer information is available" ... as seen here ... ... but it still failed.

Any ideas?

krishanmistry Wed, 11/12/2008 - 09:59

You will need to authenticate the clients using their machine credentials rather than the user credentials. To do this you will need to edit the registry of every client to force it to use its machine details.

For all laptop and tablet clients to authenticate using the machine credential, you need to input the below registry keys on the Client/Supplicant:


• SupplicantMode =dword:00000003

• AuthMode =dword:00000002

Hope this helps

eoinwhite Wed, 11/12/2008 - 10:02

Thanks ... but is that not why Microsoft included the option "Authenticate as computer when computer information is available" in the Windows supplicant GUI? I think they released this in XP SP2?

krishanmistry Wed, 11/12/2008 - 12:25

You would like to think so, but it is not the case; neither is it available with XP SP3.

The only way I have achieved this is using the registry edit. If you find another way I would be interested to know.

eoinwhite Wed, 11/12/2008 - 12:28

Thanks for that.

I think I understand the process of authentication with MS-CHAPv2 but what is happening with Machine authentication?

eoinwhite Mon, 11/17/2008 - 05:04

Ok I have been reading up on MS-CHAP v2 machine authentication (as opposed to EAP-TLS machine authentication)... it basically uses machine credentials instead of user name credentials.

Do I need to make changes on ACS (and maybe AD) on top of what I've already done for MS-CHAPv2 user authentication to support this?

Similar to this possibly ...

Thanks Guys.

