> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of M.Cerqui - PUBLISHERIA
> Sent: Friday, October 08, 2004 8:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Freeradius, Cisco Catalyst 2950, Windows Domain
>
> My goal is, that the windows supplicant does the authentication BEFORE the windows login, because without that I don't have any connection to the domain controller.
When a Windows machine belongs to a domain, it needs to contact the DC on boot (way before a successful login or any user interaction). At that time the PC acquires policies from GPOs. This means that you must have 802.1X credentials stored somewhere on the PC so the box can authenticate without any user interaction.

The only way I know of making it work is by using EAP-TLS. I got this to work by setting up the PC to use EAP-TLS, getting a client certificate, and storing it in the COMPUTER ACCOUNT certificate store of the PC. When an XP box (post SP1) boots, it will check the computer account certificate store for a valid cert, do an EAP-TLS auth session and change the authenticator mode (doesn't matter if it's a switch port or an AP) to authorized, and get the PC on the network to continue with domain association. When a user logs into this box, the default behavior (post SP1) will be to re-authenticate with the user credentials (this can be changed in the registry).

Read all about it at:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/techref/en-us/w2k3tr_wir_tools.asp

--
Matanya

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
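The reply above describes the two-phase flow the RADIUS server ends up seeing: a machine authentication at boot (Windows sends the identity as `host/<computer FQDN>` for the computer account) followed by a user re-authentication on the same switch port once someone logs in. A quick way for a FreeRADIUS admin to confirm that this is actually happening is to audit `radius.log` for ports where a user login shows up without a preceding successful machine login, or where the machine cert was rejected. The script below is an added example and not part of the original thread; the log lines it parses are constructed to mimic the classic FreeRADIUS `Auth: Login OK:` / `Login incorrect:` format, and the client name `cat2950`, port numbers, MAC addresses and identities are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the classic FreeRADIUS radius.log "Auth:" format.
# Client name, ports, MACs and identities are invented for this example.
SAMPLE_LOG = """\
Fri Oct  8 08:00:01 2004 : Auth: Login OK: [host/pc01.example.local] (from client cat2950 port 12 cli 00-11-22-33-44-55)
Fri Oct  8 08:00:45 2004 : Auth: Login OK: [EXAMPLE\\alice] (from client cat2950 port 12 cli 00-11-22-33-44-55)
Fri Oct  8 08:02:10 2004 : Auth: Login OK: [EXAMPLE\\bob] (from client cat2950 port 13 cli 00-11-22-33-44-66)
Fri Oct  8 08:03:00 2004 : Auth: Login incorrect: [host/pc03.example.local] (from client cat2950 port 14 cli 00-11-22-33-44-77)
"""

# One regex for the "Auth:" line shape; anything that does not match is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<identity>[^\]]+)\] \(from client (?P<client>\S+) "
    r"port (?P<port>\d+) cli (?P<mac>\S+)\)$"
)


def classify_identity(identity):
    """Windows uses 'host/<fqdn>' as the EAP identity for computer-account
    authentication; anything else is treated as a user identity."""
    return "machine" if identity.lower().startswith("host/") else "user"


def parse_radius_log(text):
    """Return a list of event dicts, in log order, for lines that match LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "ok": m["result"] == "OK",
            "identity": m["identity"],
            "kind": classify_identity(m["identity"]),
            "client": m["client"],
            "port": int(m["port"]),
            "mac": m["mac"],
        })
    return events


def audit_ports(events):
    """Walk events in order and flag two conditions per (client, port):
    - a successful user login with no earlier successful machine login
      (the PC probably never authenticated as a computer at boot), and
    - a failed machine login (bad or missing cert in the computer store)."""
    machine_ok = defaultdict(bool)
    user_without_machine = []
    machine_failures = []
    for ev in events:
        key = (ev["client"], ev["port"])
        if ev["kind"] == "machine":
            if ev["ok"]:
                machine_ok[key] = True
            else:
                machine_failures.append((ev["client"], ev["port"], ev["identity"]))
        elif ev["ok"] and not machine_ok[key]:
            user_without_machine.append((ev["client"], ev["port"], ev["identity"]))
    return {
        "user_without_machine": user_without_machine,
        "machine_failures": machine_failures,
    }


if __name__ == "__main__":
    report = audit_ports(parse_radius_log(SAMPLE_LOG))
    for client, port, ident in report["user_without_machine"]:
        print(f"{client} port {port}: user {ident} logged in with no machine auth on this port")
    for client, port, ident in report["machine_failures"]:
        print(f"{client} port {port}: machine auth failed for {ident}")
```

Point it at a real `radius.log` instead of `SAMPLE_LOG` to run it for real; a port that repeatedly shows up under `user_without_machine` is one where the computer-store certificate is missing or expired and the box is only getting on the wire after a user logs in, which is exactly the situation the original poster wanted to avoid.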

