PEAP Authentication before Login

Nov 27th, 2003

Hello,

I am trying to use PEAP in our wireless environment.

Authentication works fine, but only when I'm logged in on the machine (logged in locally).

What I want is for PEAP authentication to run before the network login so that all our login scripts run.

Environment:

XP Client SP1 with GTC Login and Cisco PCMCIA

XP Client SP1 with MS-CHAP v2 and INTEL MINI PCI

Cisco ACS 3.2

AP 350

AP 1200


Could anyone help me?


c.fritz Fri, 11/28/2003 - 05:50

Hello,


I tried to do the same thing and the only way I found is to use Odyssey client from Funk Software.

Using its own GINA, Odyssey is able to authenticate using PEAP after the username and password are entered, but just before the winlogon process.


Hope that helps,

Christian.

c.fritz Tue, 12/02/2003 - 03:38

Thanks, I tried host based authentication and it works fine. But the problem is that we use W2K and it doesn't support WPA.


Is there a way to use W2K host based authentication (via PEAP) with WPA?

mhs Tue, 12/30/2003 - 09:02

Did you get host based authentication using IAS server to work 100% of the time? I have it working but it is totally unreliable. Sometimes it would authenticate and other times it would not. Did you have this problem?

b.tay Fri, 12/26/2003 - 09:14

Yes, we have implemented the following with success:


Windows Client <==> Access Point <==> FW <==> Radius <==> Windows DC/AD


Windows OS : XP Client SP 1

Supplicant : Built-in Wireless Supplicant

Authentication : 802.1x PEAP(MS-Chapv2)

Access Point : Aironet 1200

Radius : ACS 3.2

Adaptors : 350 /340

CA : Microsoft


Once configured correctly, five phases of authentication will take place :

1st Authentication ==> Wireless Open/Shared Authentication

(transparent to user - activated by the wireless supplicant automatically)

2nd Authentication ==> 802.1x PEAP "computer account" authentication

(transparent to user - activated by wireless supplicant and enabling "authenticated when computer information")

3rd Authentication ==> "computer logon process" authentication to domain controller/active directory

(transparent to user - activated by Windows 2000 or Windows XP)

4th Authentication ==> "user logon process" authentication to domain controller/active directory

(transparent to user - activated by Windows 2000 or Windows XP)

5th Authentication ==> 802.1x PEAP "domain account" authentication

(transparent to user - activated by wireless supplicant and enabling wireless supplicant for PEAP-use my windows username and password)


- 2nd authentication will enable the computer to have TCP/IP connectivity after 802.1x authenticates.

- 3rd authentication will allow the computer startup/group policies to load from DC/AD.

- 4th authentication will activate the user logon to load from DC/AD.

- Make sure "Authenticate as Computer when computer information is available on the wireless supplicant"

- Search for Microsoft patches using the following keywords: wireless OR PEAP OR 802.1x OR WPA, especially those relating to DHCP.

- Use the latest IOS from Cisco.

