PEAP Authentication order, before Win Login

oguarisco
Level 3

Hello,

I've noticed a problem and I've not found any suitable information...maybe someone has already experienced this scenario.

I'm using PEAP Auth on both Wired and Wireless Networks for authenticating clients (XP SP1) to Win AD/SAM via Radius (appliance ACS 3.2).

If I use Win XP 802.1x Native support I see the following problem...

Authentication works fine ONLY when I'm logged locally in on the client.

When I boot the PC, it seems that XP first tries to authenticate the user on AD/SAM and ONLY then tries to authenticate it via PEAP (only once the desktop has been loaded)...Because the network is not available when it tries to authenticate the user, the client registers the classic error messages stating that "PDC/BDC is not available" and to use local profiles...

What I want is for PEAP authentication to happen before user authentication, so that I can run our Logonscript correctly and access the correct Profile...

If I use the AEGIS client the same thing happens...but there is a fundamental difference; AEGIS can be configured to choose when PEAP Authentication happens: at boot, at logon (pre-Desktop) or at Desktop....Windows seems to use ONLY at Desktop.

Do I have to setup something special in Windows ???

Thanks

Omar

3 Replies

dsidley
Level 1

That is why not many enterprises will even consider using Windows XP's wireless supplicant. It doesn't have the capability to set up the network prior to the logon process...

We use Funk's Odyssey client which has that capability.

Dave S.

rsumpter
Level 1

Do you have "computer" authentication on? The computer should authenticate to AD with the machine authentication 1st (before the Windows logon). This is the way it happens on a wired connection. Once the computer authentication occurs, the login script, etc. will run when the user logs in.
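A defender-side check for the ordering described in this reply, added here as an example (it is not code from the thread, from Cisco ACS or from Windows): given RADIUS authentication records in a constructed, simplified layout, it reports per endpoint whether a successful host/ machine authentication preceded the first user authentication, which is the symptom the original poster is chasing.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log in a simplified "timestamp,identity,calling-station-id,result"
# layout (an assumption for this example; ACS 3.2's real CSV export differs).
SAMPLE_LOG = """\
2004-03-01 08:00:02,host/pc-omar.corp.example,00-11-22-33-44-55,Authen OK
2004-03-01 08:00:41,CORP\\omar,00-11-22-33-44-55,Authen OK
2004-03-01 08:05:10,CORP\\dave,00-11-22-33-44-66,Authen OK
2004-03-01 08:10:00,host/pc-lab.corp.example,00-11-22-33-44-77,Authen failed
2004-03-01 08:10:30,CORP\\lab,00-11-22-33-44-77,Authen OK
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str, bool]]:
    """Split each line into (time, identity, endpoint MAC, success)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, identity, mac, result = line.split(",", 3)
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        identity, mac.lower(), result == "Authen OK"))
    return records


def is_machine_identity(identity: str) -> bool:
    # Windows machine authentication presents host/<computer name> as the EAP identity.
    return identity.lower().startswith("host/")


def check_machine_first(text: str, window_seconds: int = 300) -> Dict[str, str]:
    """Per endpoint MAC: did a successful machine auth precede the first user auth?"""
    last_machine: Dict[str, Tuple[datetime, bool]] = {}
    verdict: Dict[str, str] = {}
    for ts, identity, mac, ok in sorted(parse_log(text)):
        if is_machine_identity(identity):
            last_machine[mac] = (ts, ok)          # remember the latest machine attempt
        elif mac not in verdict:                  # judge only the first user auth
            prior = last_machine.get(mac)
            if prior is None:
                verdict[mac] = "no-machine-auth"  # user logon hit the port unauthenticated
            elif not prior[1]:
                verdict[mac] = "machine-auth-failed"
            elif (ts - prior[0]).total_seconds() > window_seconds:
                verdict[mac] = "machine-auth-stale"
            else:
                verdict[mac] = "ok"
    return verdict
```

Endpoints reported as "no-machine-auth" are the ones where the supplicant only authenticated after the desktop loaded, exactly the case where the logon script and roaming profile will fail.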

Hi,

Thanks a lot for the info...so basically you should configure Machine authentication on both the ACS and client side...and then you should be able to do 1x authentication before contacting the PDC/BDC, downloading the user profile and running the loginscript.

Machine authentication happens, if I remember correctly, with the value host/namepc to the AD/SAM...isn't it?

By the way...why did you emphasize that this happens on WIRED connections? Is it different in a Wireless topology?

Saluti

Omar
