This is more a general question than an actual problem. If we have a Windows client with Windows XP and would like to "user authenticate" with PEAP and we get the pre-logon problem (the logon scripts start before the client is authenticated, etc.), what solution is best to solve this problem?
One way is machine authentication based on the AD information (and no certificates), but I'm not sure whether this information can be spoofed?
Thanks in advance for your help.
When using PEAP, you don't need a cert on the user's machine to do machine authentication (with machines running Windows; I can't speak to the other OSes out there).
Google "active directory computer account password" for lots of interesting hits.
When using PEAP with Windows (assuming your RADIUS server supports this), the user's computer/machine will authenticate through RADIUS using its AD credentials during startup. Once the actual user logs on, the user is authenticated against AD (not cached credentials, because the computer account auth already created a wireless network connection). Logon scripts are supposed to run in this scenario.
I think what happens after the user logs off, but leaves the wireless card on, is up to the wireless client (supplicant). Does the connection stay active? If so, is the wireless connection maintained via the user's auth, or does the machine re-auth with the computer account credentials?