Cisco Support Community

New Member

Windows Domain Not Available

Hi,

I'm running WLC 4402, 1242 APs, ACS 4.x using Windows DB and WinXP SP2 clients.

Clients are authenticating using PEAP MS CHAPv2. I have it set to automatically use Windows login name and password.

This works great if the user is a cached user on the laptop, but if they have not logged onto the laptop before (e.g. through a wired connection) they are told the domain is not available.

If they go to a wired connection (thus pulling down group policies) and then go to wireless it works fine.

On Windows I checked "Authenticate as computer when computer information is available" ... as seen here ... http://articles.techrepublic.com.com/5100-10878_11-6148574.html ... but it still failed.

Any ideas?

5 REPLIES
New Member

Re: Windows Domain Not Available

You will need to authenticate the clients using their machine credentials rather than the user credentials. To do this you will need to edit the registry of every client to force it to use its machine details.

For all laptop and tablet clients to authenticate using the machine credential, you need to input the below registration keys on the Client/Supplicant:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

• SupplicantMode=dword:00000003

• AuthMode=dword:00000002

Hope this helps
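
A way to check whether a client already carries the two values given in the reply above, as an added example that is not part of the original thread: it reads the text of a registry export (.reg format) and lists every setting that differs from the post. The function names and sample exports are constructed for illustration; real regedit exports are usually UTF-16 and must be decoded before being passed in.

```python
import re

# Key and values as given in the reply above (their meaning is not stated on the page).
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
EXPECTED = {"SupplicantMode": 3, "AuthMode": 2}

SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_dwords(reg_text, key=KEY):
    """Return {lowercased value name: int} for DWORD values found under `key`."""
    values, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            current = section.group(1)
            continue
        value = DWORD.match(line)
        # Registry key and value names are case-insensitive, so compare lowercased.
        if value and current is not None and current.lower() == key.lower():
            values[value.group(1).lower()] = int(value.group(2), 16)
    return values

def audit(reg_text):
    """Return [(name, expected, found)] for each mismatch; found is None when absent."""
    found = parse_dwords(reg_text)
    return [(name, want, found.get(name.lower()))
            for name, want in EXPECTED.items()
            if found.get(name.lower()) != want]

# Constructed sample: a client that already has both values from the post.
SAMPLE_OK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"SupplicantMode"=dword:00000003
"AuthMode"=dword:00000002
"""

# Constructed sample: AuthMode differs, SupplicantMode is missing, and an
# unrelated (hypothetical) key holds a same-named value that must be ignored.
SAMPLE_BAD = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"AuthMode"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000001
"""
```
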

New Member

Re: Windows Domain Not Available

Thanks ... but is that not why Microsoft included the option "Authenticate as computer when computer information is available" in the Windows supplicant GUI? I think they released this in XP SP2?

New Member

Re: Windows Domain Not Available

You would like to think so, but it is not the case, and neither is it available with XP SP3.

The only way I have achieved this is using the registry edit. If you find another way I would be interested to know.

New Member

Re: Windows Domain Not Available

Thanks for that.

I think I understand the process of authentication with MS-CHAPv2 but what is happening with Machine authentication?

New Member

Re: Windows Domain Not Available

OK, I have been reading up on MS-CHAP v2 machine authentication (as opposed to EAP-TLS machine authentication)... it basically uses machine credentials instead of user name credentials.

Do I need to make changes on ACS (and maybe AD) on top of what I've already done for MSCHAPv2 user authentication to support this?

Similar to this possibly ... http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#auto

Thanks Guys.
