Help with machine based wifi login (Windows 7) (WLC)

philip.r.hayes
Level 1

I've been looking all over for some information and hope someone here might point me in the right direction.

We have 40 laptops in two training carts. I need to set them up so that when they are booted up, they automatically connect to an access point (1142's, 3500's, & 3600's). The goal is to have a user that has never used the laptop before be able to boot it up, and log in with domain credentials and get the GPO, drive mappings, etc, just as if they were at a desktop.

I know it can be done but somehow I haven't found any configuration, explanation, or tutorial that fits my situation.

I have a 5508 WLC with 7.1.91.0 running, a Windows 2003 RADIUS server, AD, cert server, etc. If I have to pre-load machine based certs on the laptops, that's OK. Right now, I have SSIDs for a guest WLAN (straight to the internet), an internal SSID, and an internal-io SSID using RADIUS/AD for employees that have a personal device (iPhone, etc.) and only need access to the internet. The internal-io uses the same authentication method as the internal SSID but once connected gets sent to the same VLAN as the guest WLAN. Sounds confusing as I type this but hopefully not.

To reiterate what I need, I need a user to be able to boot up a laptop, have the laptop automatically be authenticated, get connected to the internal SSID, and thus, when the user logs into the laptop, get an Active Directory login with policies applied and drive mappings.

Thanks,

Flip

5 Replies

Stephen Rodriguez
Cisco Employee

Can you share screenshots of the supplicant configuration?  Generally you should only need to select the box that says Use machine credentials if available. 

I know that in the Intel supplicant there is a module that needs to be installed that allows the pre-logon 802.1x to happen.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


I think I have the laptop set up correctly; or at least I'm pretty sure it is capable. It has settings for pre-logon 802.1x. What I'm missing is what is required on the WLC.

Currently, if a user has his/her domain credentials cached on a laptop, they can boot up and login locally using those credentials. Those credentials are passed along to the AP and connect them to the SSID. I'm missing the WLC piece.

There is nothing special you have to do on the WLC. So far as the WLC is concerned, it's the same WLAN that the user would login to.

So long as the machine authentication happens, it should work. Sometimes getting machine auth to work is the biggest pain in the arse part of this.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


I had to let this discussion sit for a bit. Been busy with other fires.

I found this link on microsoft.com: http://technet.microsoft.com/en-us/library/dd759176.aspx

I haven't had a chance to try it yet.

Also this one: http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx

The 2nd listing seemed to make more sense and was better organized.

Thoughts?

It's been a long time from when I first posted but I thought I should update this. We have installed ISE and that basically solved most of the issues I was facing. I'm looking for an answer on another question so I'll do that in a new post.

The ISE implementation uses the machine certificate from active directory and that occurs before any user tries to login. Therefore, a user that does not have a local profile on a laptop can sit down and get a domain login on any AP.
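
A check for the client-side condition this thread turns on (the laptop authenticating with machine credentials before anyone logs in), as an added example that is not from any of the posters. It audits a WLAN profile in the XML format written by `netsh wlan export profile`; the sample profile, its name and the function name `audit_profile` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
      "onex": "http://www.microsoft.com/networking/OneX/v1"}

# Constructed sample in the shape of `netsh wlan export profile` output.
# The profile name is made up and the EAPConfig block is left out.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>internal</name>
  <SSIDConfig><SSID><name>internal</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def audit_profile(xml_text):
    """Return reasons this profile will not do machine 802.1X before logon."""
    root = ET.fromstring(xml_text)  # assumes a trusted, locally exported file
    findings = []
    # The laptop must join the SSID on its own at boot, with no user present.
    if root.findtext("wlan:connectionMode", "", NS) != "auto":
        findings.append("connectionMode is not 'auto'")
    sec = root.find("wlan:MSM/wlan:security", NS)
    if sec is None or sec.findtext("wlan:authEncryption/wlan:useOneX", "", NS) != "true":
        findings.append("802.1X (useOneX) is not enabled")
        return findings
    # authMode 'user' or 'guest' means the computer account is never offered.
    # A missing authMode is left to the OS default and not flagged here.
    mode = sec.findtext("onex:OneX/onex:authMode", "", NS)
    if mode in ("user", "guest"):
        findings.append("authMode %r never presents machine credentials" % mode)
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FAIL:", finding)
```

A profile that passes this check still needs a valid machine certificate or computer account on the RADIUS side, which the script does not inspect.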

 

 
