Windows PreLogon problem

Answered Question
Apr 7th, 2009

Hi there


This is more a general question than an actual problem. If we have a Windows client with Windows XP and would like to "user authenticate" with PEAP and we get the prelogon problem - the logon scripts start before the client is authenticated, etc. - what solution is best to solve this problem?


One way is machine authentication based on the AD information (and no certificates), but I'm not sure whether this information can be spoofed.


Thanks in advance for your help.


Regards

Dominic

Correct Answer by Robert.N.Barrett_2 about 7 years 10 months ago

When using PEAP, you don't need a cert on the user's machine to do machine authentication (with machines running Windows, I can't speak to the other OS's out there).


Google "active directory computer account password" for lots of interesting hits.


When using PEAP with Windows (assuming your RADIUS server supports this), the user's computer/machine will authenticate through RADIUS using its AD credentials during startup. Once the actual user logs on, then the user is authenticated against AD (not cached credentials, because the computer account auth created a wireless network connection). Logon scripts are supposed to run in this scenario.


I think what happens after the user logs off, but leaves the wireless card on, is up to the wireless client (supplicant). Does the connection stay active? If so, is the wireless connection maintained via the user's auth, or does the machine re-auth with the computer account credentials?


Robert.N.Barrett_2 Wed, 04/08/2009 - 05:09

This doesn't answer your question, but you already have a huge hole by *not* requiring machine auth. Currently, anyone with logon credentials and a high-level knowledge of how your wireless security is configured can create a wireless profile on any device that supports PEAP and connect it to your network.


I believe (but do not know for sure) that machine auth via XP uses the computer's AD "password" and domain credentials when authenticating. That "password" would be hard to spoof, as it is not something that users can generally see/modify.

Dominic Stalder Wed, 04/08/2009 - 05:41

Hi Robert


Thanks for your answer. Sometimes it is not possible (no PKI, etc.) to authenticate the machine, but I agree with you that additional machine authentication would be much better.


I didn't know that an "AD password" exists; I thought that only the domain name and the hostname are sent to authenticate the machine.


Is it possible to authenticate the client when it starts up and, when the user logs in, she/he gets authenticated in a second step?


Any other experiences with this problem?


Dominic Stalder Wed, 04/08/2009 - 10:49

It was clear to me that PEAP has no need for certificates in any OS.


Thanks a lot for the keyword "active directory computer account password"; I already googled it and got the information I need.


What I meant with a two-step authentication is, is it possible to:


1. authenticate the machine via an ACS against an AD, to be sure that a connection already exists when the user logs in -> you already answered this question


2. authenticate the user also via an ACS and an AD, so you can check whether you have to break down the connection for some reason (say, for example, the machine is granted access to the wireless network, but a certain user is not)


I hope you understand my question; if not, do not hesitate to ask once more ;-)
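The two-step flow asked about here, as an added illustration that is not from this thread or from any Cisco ACS code: a toy RADIUS authorization policy that accepts a Windows machine authentication (Windows sends the computer account as User-Name `host/<fqdn>`), then re-evaluates the same client (keyed by its Calling-Station-Id MAC) when the user authenticates after logon, drops the session if the user is not permitted, and flags user authentications that arrive with no prior machine authentication. The AD group names, account names and MAC addresses are constructed for the example.

```python
"""Toy model of machine-then-user PEAP authorization (constructed example, not ACS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed AD data: computer and user objects with their group memberships.
COMPUTERS = {"host/ws01.example.local": {"Wireless-Computers"}}
USERS = {"EXAMPLE\\alice": {"Wireless-Users"}, "EXAMPLE\\bob": {"Contractors"}}


@dataclass
class Session:
    calling_station: str            # client MAC from the RADIUS Calling-Station-Id attribute
    machine_ok: bool = False        # True once the computer account has authenticated
    user: Optional[str] = None      # set after a successful user authentication


class Policy:
    def __init__(self, require_machine_auth: bool = True) -> None:
        self.require_machine_auth = require_machine_auth
        self.sessions: Dict[str, Session] = {}
        self.alerts: List[str] = []   # defender-side log of policy violations

    def access_request(self, user_name: str, mac: str) -> str:
        sess = self.sessions.setdefault(mac, Session(mac))
        if user_name.startswith("host/"):
            # Step 1: machine authentication at startup with the computer account.
            if "Wireless-Computers" in COMPUTERS.get(user_name, set()):
                sess.machine_ok = True
                return "Access-Accept"
            self.sessions.pop(mac, None)
            return "Access-Reject"
        # Step 2: user authentication after interactive logon on the same client.
        if self.require_machine_auth and not sess.machine_ok:
            # The "hole" from the thread: any device with user credentials, no machine auth.
            self.alerts.append(f"user {user_name} on {mac} without prior machine auth")
            self.sessions.pop(mac, None)
            return "Access-Reject"
        if "Wireless-Users" in USERS.get(user_name, set()):
            sess.user = user_name
            return "Access-Accept"
        # Machine was allowed but this user is not: tear down the existing session.
        self.sessions.pop(mac, None)
        return "Access-Reject"
```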
