PEAP authentication during windows startup.

usskenet · ‎04-11-2003

Hi,

I have succesfully configured PEAP Authentication on Win 2000 Professional (Aironet PCMCIA 350, ACU 6.0). But PEAP Authentification promt for PEAP username and password is launched after login to the Win 2k system via workstation login only. So there is no way to login to Win 2k with network resources during Win 2k startup. How to tell to Win 2000 Pro to launch PEAP Authentication prompt for PEAP username and password before system prompt?

P.S. If I switch to LEAP, then all is running O.K. The first is launched LEAP Authentication dialog, and the second is Win 2k Authentication dialog.

Thanks.

tcggg0 · ‎04-11-2003

Is this a configurable option on the ACU? Within the network security tab, click configure and choose "use windows username and password"? I know it is for LEAP but not sure about PEAP.

usskenet · ‎04-11-2003

No, this isn't configurable option on the ACU. For LEAP it is, for PEAP it isn't.

usskenet · ‎04-30-2003

I find out that Win 2k Pro PEAP Client - native Microsoft client - tries to authenticate via PEAP as a computer account in MS Domain during windows startup. If I use ACU 6.0 and I have checked option "Authenticate as computer when computer information is available", Win 2k Pro client doesn't try to authenticate as a computer.

bjoslin · ‎04-17-2003

Usskenet,

I can't get PEAP to work on W2K Server with IAS. Would you be willing to chat with me about your windows setup on your wireless? I am using a 1220 Cisco AP and W2K radius server, ACU 6.0 w/ CB20A adapter...

I can't seem to get a valid certificate. R U using a Cert Authority?

usskenet · ‎04-22-2003

Hi,

my config is:

Win2kPro client (with ACU 6.0) -> 350 Sisco AP -> ACS 3.1 -> Novell LDAP Server. I'm using my own certification server based on Novell Netware 6.0. I issued more certificates: 1. ACS Certificate based on CISCO ACS request to CA; 2. CA Certificate for Trusted CA (my own CA), 3. Personal Certificate for ACS like SSL LDAP client; 4. LDAP Server Certificate for Novell LDAP Server.

My problem is to force PEAP Authentication on Win2k Pro client before W2k system auth prompt.

ambrosio.park · ‎04-21-2003

I am trying to use PEAP also. Do you know any links to "how to" documents or whitepaper on PEAP implementation? I know a few, but I cannot find all that I need. I am using ACS 3.1, AP1220, MS CA server, various clients.

The few I have found,

http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg/win_ch7.htm#38329

http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safwl_wp.htm

http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wswpf_wp.htm

rsumpter · ‎04-24-2003

I'm having trouble finding the PEAP settings within W2k pro, SP3. I can't find the authentication information under network properties within the control panel. I have reinstalled SP3 and installed "Q313664_W2K_SP4_X86_EN.exe" but I still don't have the EAP information. From what I can tell there is supposed to be an authentication screen under the advanced settings within Network Properties.

Any help would be greatly appreciated.

Thanks.

usskenet · ‎04-24-2003

Find service "Wireless Configuration" in Computer Management Services section and setup Automatic Startup and START this servis. You'll finnaly find Authentication section under the advanced setting within Network Properties.

kerrow · ‎04-24-2003

Go to services and start the service for wireless configuration, this will enable you to have the Authetication Tab on you LAN properties.

rsumpter · ‎05-02-2003

Just curious....Did you ever get the PEAP authentication to occur before the Network login?

usskenet · ‎05-04-2003

I find in CISCO ACS 3.1 authentication log that Win 2k Pro client tried to authenticate during windows startup by cached credentials - but only native Microsoft PEAP client. It used name of computer as PEAP username. So there wasn't any PEAP authentication dialog for typing username and password. If I installed ACU 6.0 Win 2k Pro client stops this authentication - I didn't find more records in ACS Auth log after.

usskenet · ‎05-13-2003

Please nobody from CISCO staff have any idea? Thanks for ANY answer.

bloconnor · ‎05-15-2003

usskenet,

I found a paper on the net that has a good description of the MS PEAP login process. It discusses the machine login that you described, as well as the user logon process. My reading of his document is that after the windows login, the windows credentials are presented to the radius server, so you wouldn't need another prompt for credentials. This is all theroretical as I don't have any of this set up yet (I'm waiting for WPA). The web reference:

http://216.239.33.104/search?q=cache:Ik_cLkgDuIYC:www.blackhat.com/presentations/win-usa-03/bh-win-03-riley-wireless/bh-win-03-riley.pdf+steve+%2Briley+%2Btrustworthy+%2Bcomputing+%2Bservices&hl=en&ie=UTF-8

or do a google search for steve +riley +trustworthy +computing +services

to find the pdf file PEAP description. Hope that helps some.