Windows PreLogon problem

Hi there

This is more a general question than an actual problem. If we have a Windows client with Windows XP and would like to "user authenticate" with PEAP and we get the prelogon problem - the logon scripts start before the client is authenticated, etc. - what solution is best to solve this problem?

One way is the machine authentication based on the AD information (and no certificates), but I'm not sure if this information can be spoofed?

Thanks in advance for your help.

Regards

Dominic

4 Replies

This doesn't answer your question, but you already have a huge hole by *not* requiring machine auth. Currently, anyone with logon credentials and a high-level knowledge of how your wireless security is configured can create a wireless profile on any device that supports PEAP and connect it to your network.

I believe (but do not know for sure) that machine auth via XP uses the computer's AD "password" and domain credentials when authenticating. That "password" would be hard to spoof as it is not something that users can generally see/modify.

Hi Robert,

Thanks for your answer. Sometimes it is not possible (no PKI, etc.) to authenticate the machine, but I agree with you that additional machine authentication would be much better.

I didn't know that an "AD password" exists; I thought that only the domain name and the hostname are sent to authenticate the machine.

Is it possible to authenticate the client when it starts up and, when the user logs in, she/he gets authenticated in a second step?

Any other experiences with this problem?

When using PEAP, you don't need a cert on the user's machine to do machine authentication (with machines running Windows; I can't speak to the other OSes out there).

Google "active directory computer account password" for lots of interesting hits.

When using PEAP with Windows (assuming your RADIUS server supports this), the user's computer/machine will authenticate through RADIUS using its AD credentials during startup. Once the actual user logs on, then the user is authenticated against AD (not cached credentials, because the computer account auth created a wireless network connection). Logon scripts are supposed to run in this scenario.

I think what happens after the user logs off, but leaves the wireless card on, is up to the wireless client (supplicant). Does the connection stay active? If so, is the wireless connection maintained via the user's auth, or does the machine re-auth with the computer account credentials?

It was clear to me that PEAP has no need for certificates in any OS.

Thanks a lot for the keyword "active directory computer account password"; I already googled it and got the information I need.

What I meant with a two-step authentication is, is it possible to:

1. authenticate the machine via an ACS against an AD to be sure, that a connection already exists, when the user logs in -> you already answered this question

2. authenticate the user also via an ACS and an AD, so you can check if you have to break down the connection for some reason (say, for example, the machine is granted access to the wireless network, but a certain user is not granted)

I hope you understand my question, if not do not hesitate to ask once more ;-)
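The two-step scheme discussed in this thread (computer-account authentication at boot, then user authentication at logon, with the session dropped if the user is not authorized), as an added example that is not part of the original thread or of any Cisco product. It models the RADIUS policy decision in plain Python; the directory entries, secrets and group names are constructed for the example, and only the `host/<FQDN>` identity format is taken from how Windows supplicants present the computer account.

```python
# Added example: a toy RADIUS authorization policy for PEAP machine + user auth.
# The directory below is a constructed stand-in for Active Directory; real
# deployments check the inner MS-CHAPv2 exchange against the domain instead of
# comparing plain secrets.
DIRECTORY = {
    "host/ws01.example.local": {"secret": "machine-pw-ws01",
                                "groups": {"Domain Computers", "Wireless-Machines"}},
    "EXAMPLE\\alice": {"secret": "alice-pw",
                       "groups": {"Domain Users", "Wireless-Users"}},
    "EXAMPLE\\bob": {"secret": "bob-pw",
                     "groups": {"Domain Users"}},  # domain user, but not allowed on wireless
}

MACHINE_GROUP = "Wireless-Machines"   # constructed group name for authorized computers
USER_GROUP = "Wireless-Users"         # constructed group name for authorized users


def is_machine_identity(identity: str) -> bool:
    """Windows machine authentication presents the computer account as host/<FQDN>."""
    return identity.startswith("host/")


def authorize(identity: str, secret: str) -> str:
    """Return 'Access-Accept' or 'Access-Reject' for one PEAP inner authentication."""
    account = DIRECTORY.get(identity)
    if account is None or account["secret"] != secret:
        return "Access-Reject"        # unknown identity or bad credential
    required = MACHINE_GROUP if is_machine_identity(identity) else USER_GROUP
    return "Access-Accept" if required in account["groups"] else "Access-Reject"


def session_timeline(machine: str, machine_secret: str, user: str, user_secret: str) -> list:
    """Simulate boot-time machine auth followed by user auth at logon.

    The machine auth establishes the connection (so logon scripts can run);
    a rejected user auth tears that connection down again.
    """
    events = []
    machine_result = authorize(machine, machine_secret)
    events.append(("machine-auth", machine_result))
    connected = machine_result == "Access-Accept"
    if connected:
        user_result = authorize(user, user_secret)
        events.append(("user-auth", user_result))
        if user_result == "Access-Reject":
            connected = False
            events.append(("session", "dropped"))
    events.append(("connected", connected))
    return events
```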
