PEAP and Windows Logon

eerten
Level 1

Hi,

I am using WPA/PEAP-MsCHAPv2 on our network with single-sign-on and machine authentication. I use WinXP/SP1 and ACS v3.3.

I noticed that when Windows Ctrl-Alt-Del screen appears on laptop, cached users can login to laptop without any problems.

However, when a first time user (on laptop) enters Windows username/password, Windows replies with "Unknown user or domain not available" error.

I guess the reason is that network authentication (PEAP) has to be done before Windows logon but Windows will not wait for this ?!

Does anyone know how to delay Windows logon, so that PEAP completes successfully, laptop gets IP address and can talk with the Active Directory before Windows logon occurs.

thanks,

Eniz

11 Replies

stuart.webber
Level 1

I have found that using XP SP2 can make a big difference with PEAP authentication.

I don't know that it will necessarily help in your case but I have seen sites using OTP through PEAP where there are long delays on logon waiting to contact the AD (which times out because of the network connection isn't fully up yet). This was resolved in SP2 to make Windows smart enough to know that if the network adapter isn't 802.1x authenticated the adapter isn't up and there is no point looking for a DC. It lets people log on with no delay if the credentials are cached and then supply the OTP for network access.

Given that they put this functionality into SP2 I guess there is a chance that they also put functionality to use the user credentials supplied for 802.1x before trying to contact the DC.

It might also be helpful asking Microsoft this question.

kwooten
Level 1

The only way to get authenticated at logon is to setup machine authentication. This allows your machine to validate with radius to complete the network connection, then when you log on your windows credentials will be passed and the user will be validated by radius. It works very well for us, but an issue I am having right now is if a user is docked using a copper connection and then undocks, the windows credentials are not passing to the radius server correctly and the account gets locked out. If the user shuts down and restarts it all works fine. This appears to be a Microsoft hardware profile issue, but I just can’t put my finger on the cause.

Hi, I think this problem is not related to the wireless authentication. With XP a new user can only access the device if the device is connected to the network; you will have the same problem if you try to log on to a desktop for the first time without the network cable connected.

Hope this helps

ciao

cristiano

8gdonald
Level 1

Hi Eniz

We have exactly the same problem as this. Have you found a way to bypass this issue?

We don't want to use machine authentication but rather on a per user basis

Thanks

Grant

You can try using the Cisco ACU and configure LEAP options. It works seamlessly. You can set LEAP to authenticate using the domain credentials and it will do all the authentication at the Windows logon, performing the so-called SINGLE SIGN-ON (SSO). But I've had no success with PEAP or EAP-TLS. I just want to ask how machine authentication works. If anyone can run the step-by-step configuration by me, I'd appreciate it very much. Also, does SSO work with just Windows' PEAP or EAP alone, or does it require client WLAN card utility software to be able to do SSO?

We are using WPA, PEAP, Win XP SP1, Windows builtin supplicant (zero config), IOS 12.3(4), first machine authentication, then user authentication.

We have seen sometimes delays at logon (~60 sec). With a sniffer we saw that Win XP is trying to check the root certificates on the Internet, which did not work because of our proxy. Disabling "update root certificates" in Settings - Software - Windows Components did help.

Has anybody seen the same behaviour?

mages_mark
Level 1

Did you ever find a workable solution to this?

We are having a very similar problem. Looking at the debug and authentication logs, Windows is sending "host/computername.domain" for authentication instead of a username. The RADIUS error is that machine authentication is not allowed. When a cached profile is used, or another account has authenticated during that boot period, it works fine.

Our machines are in a lab / classroom setting, so caching profiles for all users (100-200) is not practical. I have had a TAC call open for a week with little success.
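As an added illustration (not code from the thread or from Cisco), a small Python log triage script: it classifies the User-Name values the Windows supplicant sends as machine identities (host/computername.domain) or user identities, so that rejected machine authentications like the ones Mark sees, and the repeated user failures behind kwooten's lockouts, stand out. The log format and every sample entry are constructed for this example.

```python
from collections import Counter
# Constructed sample log lines (not from the thread); the CSV-like format is
# hypothetical, loosely modelled on a RADIUS passed/failed-attempts export.
SAMPLE_LOG = """\
2005-03-01 08:01:02,Passed,host/LAB-PC07.corp.example.com,00-11-22-33-44-01
2005-03-01 08:01:40,Failed,host/LAB-PC08.corp.example.com,00-11-22-33-44-02,Machine authentication not allowed
2005-03-01 08:02:10,Failed,CORP\\jsmith,00-11-22-33-44-03,Wrong password
2005-03-01 08:02:15,Failed,CORP\\jsmith,00-11-22-33-44-03,Wrong password
2005-03-01 08:02:20,Failed,CORP\\jsmith,00-11-22-33-44-03,Wrong password
2005-03-01 08:03:00,Passed,agomez@corp.example.com,00-11-22-33-44-04
"""

def classify_identity(identity):
    """Split a User-Name as the XP supplicant sends it: 'host/name.domain' is
    machine authentication, 'DOMAIN\\user' or 'user@domain' is user authentication."""
    if identity.lower().startswith("host/"):
        host, _, domain = identity[5:].partition(".")
        return ("machine", host, domain)
    if "\\" in identity:
        domain, _, user = identity.partition("\\")
        return ("user", user, domain)
    if "@" in identity:
        user, _, domain = identity.partition("@")
        return ("user", user, domain)
    return ("user", identity, "")

def parse_log(text):
    records = []
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        kind, account, domain = classify_identity(fields[2])
        records.append({"ts": fields[0], "result": fields[1], "kind": kind,
                        "account": account, "domain": domain, "mac": fields[3],
                        "reason": fields[4] if len(fields) > 4 else ""})
    return records

def rejected_machine_auths(records):
    """Machine identities the RADIUS server refused: that client has no network
    before logon, so a user without a cached profile cannot reach a DC on it."""
    return [r["account"] for r in records
            if r["kind"] == "machine" and r["result"] == "Failed"]

def lockout_risk(records, threshold=3):
    """User accounts with at least `threshold` failures (the undock-then-lockout pattern)."""
    fails = Counter(r["account"] for r in records
                    if r["kind"] == "user" and r["result"] == "Failed")
    return sorted(a for a, n in fails.items() if n >= threshold)
```

Run against a real export, the two report functions give the list of machines whose machine authentication policy needs fixing and the user accounts a supplicant is repeatedly failing for, before the lockout threshold is reached.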

eerten
Level 1

Hello all,

After 2 months of working on this, my conclusion is as follows:

There is no way to do this with Cisco Secure ACS. However, I was able to solve the problem using Microsoft IAS. As soon as machine authentication is performed, IAS allows the client to get an IP address and talk with the Domain Controller. Now, domain login can be done without problem (even if the user is not in cache) and afterwards the same username/password is again used for wireless login.

regards,

Eniz

ACS v3.3

Thanks for your feedback.

This document is a good starting point for beginners with PEAP, but doesn't cover much on the details that are discussed here.

It's reassuring that you actually got IAS to work. We're upgrading ACS to 3.3.3 later this week, and if that doesn't help we may give IAS a shot for wireless-only authentication. I don't think we're ready to move Dialup and VPN off of ACS just yet.

The only answer I ever got out of TAC was that "A lot of other people are having this problem". We've put the case through to some private contractors we deal with, and if anything comes of that I will update here.

Thanks for the info!

Mark
