09-14-2007 08:42 AM - edited 07-03-2021 02:37 PM
We are using 802.1x/PEAP with IAS 2003 server. We are having problems with computers not being authenticated to the network. If a user already has a profile on the computer they are authenticated; however, if they log off and the next user does not have a profile, they cannot get logged in. They receive the message "Domain is not available".
After doing some debugs off our 4404 controller I've come to see that there is an issue between the computer and the IAS server. Attached is the debug output. Any help would be great.
09-15-2007 04:44 PM
See if this tracks.
If the computer has "cached credentials" then the user can log in with no problems. However, if it is a new user then you receive a "Domain is Not Available" message.
I am having the very same issue, and believe it to be because we need to be using hardware (or Computer) authentication into Active Directory.
Without using Computer Authentication, the PC doesn't enable the wireless card or connect to the SSID until after the user successfully logs into the PC.
I'm searching for documents on how to properly configure this with ACS v3.3, WCS, WLC 4404, and Active Directory Domain Controller.
I hope this helps, and I'll check back here to see if you found the directions. If I find them, I'll post them here.
DCM
09-17-2007 06:21 AM
That is exactly what I'm seeing. If a user has a profile on the machine they are able to log in fine. New user, not able to log in.
09-18-2007 08:12 AM
Got it!
• Log in to the computer as Local Administrator
• Get into the Wireless Connection Configuration through Start, Settings, Network…
• Under Preferred Networks, click ADD
• Type in your SSID Name - ours is XX-Secure
• Under Network Authentication, select WPA
• Under Data Encryption, select TKIP
Click on the Authentication tab and go to the next step.
Under the Authentication tab, select "Protected EAP (PEAP)" as the EAP type.
Make sure that the Authenticate as computer when computer information is available has a check-mark next to it.
You will receive an error message when you try to log in that the Domain is not available if this is not checked.
This is what allows the computer to authenticate against the Domain BEFORE the user logs in. If this is not checked, then un-cached user accounts will not be able to log in on the PC.
Click on the Properties button to change the EAP/PEAP Properties
When you click on the Properties button The Protected EAP (PEAP) properties page opens up.
I did not check the "Validate server certificates" box here
Check mark in enable fast reconnect
select secured Password (EAP-MSCHAPv2)
click on the Configure button next to Secured password (EAP-MSCHAPv2)
Here, make sure there is a check-mark in the box for "Automatically use my Windows logon name and password (and domain if any)".
This allows the user to automatically authenticate to the Wireless LAN and your Domain by passing the username and password that they logged into the computer with.
On the ACS Server, do this
Click on External User Databases
Click on Database Configuration
Click Windows Database
Click Configure
MSCHAP Settings
Checkbox in Enable Password Changes using MS-CHAP-version 2
Windows EAP Settings
Checkbox for Enable Password changes inside PEAP or EAP-FAST
Machine Authentication
Checkbox for Enable PEAP Machine Authentication
Checkbox for Enable EAP-TLS and Authentication
EAP-TLS and PEAP Machine Authentication name prefix = host/
Leave the rest as default
That did it for me. When the computers are configured as above and they boot up, you'll see that they register in the Passed Authentications log under Reports and Activities. The steps should be that the computer authenticates, then the user. For logouts, the user logs out, then the computer de-authenticates. This shows that the computer is pulling AD Computer Policies, then the user-based policies for startup/login and logout/shutdown.
let me know if you're successful
DCM
10-16-2007 06:59 PM
Is it possible to have the machine authenticate, but then not check the user authentication? In our setup we want to base wireless access on computers, not users.
10-17-2007 08:47 AM
Using certificates on the wireless clients, I'm sure this would work. You would be authenticating the computer against active directory computer objects, the same as I am doing, however you would not need to perform user authentication. Go through the steps in the links I posted above and see if that doesn't help you.
11-12-2007 09:34 AM
I too am having this same problem, however it appears that the suggestion above is written for someone using XP to manage their wireless and not the Cisco client software. With the Cisco client, I can find nearly all of the options listed above, however I do not see an equivalent to the "Authenticate as computer when computer information is available" option in the Cisco client for the AIR-CB21AG card. I have followed the instructions otherwise, but obviously this one setting is key.