802.1x XP Radius Wireless Authentication Pre-logon

#1  ntoupin, 6th March 2013, 18:03

Hello,
I currently have a Radius server set up with our 802.1x wireless system. The Radius authenticates users via their domain credentials. All has been working great until now, when I need to have XP laptops use the network.

The laptops are on the domain and log on using domain credentials, but obviously users can't log on until the network is connected to authenticate their credentials, and can't get the network connected until they are logged on. A fun circle!

It was a very easy process setting up with Windows 7: the wireless configuration on the device allows you to set the SSID to connect pre-logon as an SSO configuration. Unfortunately this is not the case with XP.

Basically what is happening now is the network connection is set up on a laptop, a user tries to connect and gets rejected by the Radius server. This to me shows that the wireless connection is active before logon by setting "Always wait for the network at computer startup and logon" via GPO. However what seems to be happening is that because the user does not have a local profile, it does not log on to the machine with the domain credentials authenticating to the Radius Server.


The user receives "The Domain is not available"
The Radius server denies authentication with the message:

Code:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/6/2013 9:50:33 AM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      Server
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			host/MACHINE.DOMAIN
	Account Domain:			DOMAIN
	Fully Qualified Account Name:	DOMAIN\MACHINE$

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		000B866111DC
	Calling Station Identifier:		0017F247AB7C

NAS:
	NAS IPv4 Address:		IP
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		WLAN
	Client IP Address:			IP

Authentication Details:
	Connection Request Policy Name:	Secure Wireless Connections
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		SERVER
	Authentication Type:		MS-CHAPv2
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			16
	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-03-06T14:50:33.593542800Z" />
    <EventRecordID>358634403</EventRecordID>
    <Correlation />
    <Execution ProcessID="496" ThreadID="544" />
    <Channel>Security</Channel>
    <Computer>SERVER</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">host/MACHINE.DOMAIN</Data>
    <Data Name="SubjectDomainName">HPS</Data>
    <Data Name="FullyQualifiedSubjectUserName">HPS\HPS-MBI$</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">000B866111DC</Data>
    <Data Name="CallingStationID">0017F247AB7C</Data>
    <Data Name="NASIPv4Address">--------</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">-</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">WLAN</Data>
    <Data Name="ClientIPAddress">IP</Data>
    <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">SERVER</Data>
    <Data Name="AuthenticationType">MS-CHAPv2</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">16</Data>
    <Data Name="Reason">Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>

In that message it is showing the Account Name and Fully Qualified Account Name as the machine name instead of a user. When a successful authentication through the Radius is made, it shows the domain\user, not the machine.

Now IF the user HAS a local account already, such as a test user I made to try all of this that logged on via a wired connection, that user can log on (due to having a local profile and saved/cached credentials that allow it to log on regardless of the network connection) and then the wireless authenticates via their Windows account.



So has anyone gotten XP SSO/Pre-logon working in this situation?

I have tried several changes of settings to the wireless configuration on the machine itself as well as making new network policies on the radius to try to "Grant Access" based on the machine security group instead of the user at first with no luck.

Last edited by ntoupin; 6th March 2013 at 18:30..
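
An added example, not part of the original post: a small Python triage helper that reads an exported NPS event 6273 like the one above and reports whether the denied identity is a computer or a user account and which policies and authentication type were recorded. The sample events are constructed from the sanitized values in the post; `exampleuser`, `Example User Policy` and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

def make_event(event_id, fields):
    """Build a minimal event XML string; used only for the constructed samples."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed samples. The first reuses the sanitized values from the post;
# the second is a hypothetical user-identity denial added for contrast.
SAMPLES = [
    make_event(6273, {"SubjectUserName": "host/MACHINE.DOMAIN",
                      "FullyQualifiedSubjectUserName": "DOMAIN\\MACHINE$",
                      "ProxyPolicyName": "Secure Wireless Connections",
                      "NetworkPolicyName": "-", "AuthenticationType": "MS-CHAPv2",
                      "EAPType": "-", "ReasonCode": "16"}),
    make_event(6273, {"SubjectUserName": "DOMAIN\\exampleuser",
                      "FullyQualifiedSubjectUserName": "DOMAIN\\exampleuser",
                      "ProxyPolicyName": "Secure Wireless Connections",
                      "NetworkPolicyName": "Example User Policy",
                      "AuthenticationType": "MS-CHAPv2",
                      "EAPType": "-", "ReasonCode": "16"}),
]

def blank_to_none(value):
    """In the event above, unpopulated fields appear as '-'; map them to None."""
    return None if value in (None, "", "-") else value

def summarize_denial(event_xml):
    """Return the fields that matter for triage, or None if not event 6273."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "6273":
        return None
    d = {n.get("Name"): n.text for n in root.iterfind("e:EventData/e:Data", NS)}
    name = d.get("SubjectUserName") or ""
    fq = d.get("FullyQualifiedSubjectUserName") or ""
    # Computer accounts show up as host/<fqdn> and as a SAM name ending in '$'.
    is_computer = name.lower().startswith("host/") or fq.endswith("$")
    return {
        "identity": fq or name,
        "kind": "computer" if is_computer else "user",
        "connection_request_policy": blank_to_none(d.get("ProxyPolicyName")),
        "network_policy": blank_to_none(d.get("NetworkPolicyName")),
        "auth_type": blank_to_none(d.get("AuthenticationType")),
        "eap_type": blank_to_none(d.get("EAPType")),
        "reason_code": int(d.get("ReasonCode") or 0),
    }

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(summarize_denial(xml_text))
```
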
#2  James Haynes (Jacksonville, Florida), 6th March 2013, 19:29

Have you created a security group for the domain computers on the radius server? Just write another policy like your domain users policy, except make it the domain computers, and you should be good to go.

The setup is much easier with Win 7 and SSO, just like you said, but with XP you have to get byzantine to make it work.

Hope that helps, and I hope I understood correctly.

best of luck,

J
__________________
its easier to beg forgiveness than ask permission.
Give karma where karma is due...
#3  ntoupin, 6th March 2013, 19:37

Quote, originally posted by James Haynes:
Have you created a security group for the domain computers on the radius server? Just write another policy like your domain users policy, except make it the domain computers, and you should be good to go.

The setup is much easier with Win 7 and SSO, just like you said, but with XP you have to get byzantine to make it work.

Hope that helps, and I hope I understood correctly.

best of luck,

J
Hi,
I did make another request policy and set it to domain\domain computers as well as trying to make a specific security group that the laptops were a member of, both with no success.