Stefan Adams wrote:
> Does anyone know how it's possible to log into a Windows domain (no
> local account) from a Windows XP computer using WPA when the user has
> never logged in before (making cached credentials impossible)?
> I work at a high school. We have several mobile carts with laptop
> computers that do NOT have local accounts for each student.
> Therefore, each student is required to log on to the Windows domain
> using wireless. This works fine using WEP.
> However, using WPA, with the "automatically supply Windows
> username/password/domain" checkbox selected, a user that has never
> logged into that machine before is not able to log on. The Windows
> computer complains that the domain controller is not available. This,
> of course, is true because there are no 'up' network interfaces.
> But wouldn't it be logical for Windows to first supply the entered
> credentials to the access point for authorization to the WPA WLAN and
> then supply those same credentials to the domain controller?
It would be logical. It does not do that.
See the archives for "machine AND PEAP" - basically, you need to make
the machines authenticate themselves with their machine account first,
then those creds are used for the network login during profile download,
at which point Windows will switch to the user creds.
One point to note: apparently the inbuilt windows supplicant has to use
the *same method* for both the machine and user creds (e.g. both TLS or
both PEAP+MS-CHAP).
Also note that in order to authenticate a machine (as opposed to user)
account, FreeRADIUS needs to be talking to an "ntlm_auth" which in turn
talks to a patched Samba (the messages you find with the above search
should reference the location of the patch and/or the version from which
it's integrated). Finally, you need an AD domain (not NT4) to do that.
> Is that the way it works, is there some other way, or are people that
> have never logged on to these laptops before condemned to never log on
> at all given our new WPA infrastructure?
No, you just have to work hard to fix Microsoft's broken behaviour. As
always.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
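The reply above says the RADIUS server has to hand both the machine account and, later, the user account to ntlm_auth over the same PEAP+MS-CHAPv2 path. The identities arrive in different shapes: a machine authenticates as "host/name.dns.suffix", a user as "DOMAIN\user", "user@realm" or a bare name. The following is an added example written for this thread, not code from the post or from FreeRADIUS or Samba; it shows the identity-to-ntlm_auth mapping such a setup needs, in the same spirit as the expansion string the mschap module's ntlm_auth setting carries. Assumptions that the thread does not state: the AD computer account is looked up as NAME$ (the sAMAccountName convention for computer objects), the NetBIOS domain is the first label of the DNS suffix unless an explicit realm map is given, the ntlm_auth path is /usr/bin/ntlm_auth, and the sample identities and hex values are constructed, not captured.

```python
"""Derive ntlm_auth arguments from the EAP identity the RADIUS server sees.

Added example for the machine-then-user PEAP discussion above; not code from
the list post, FreeRADIUS or Samba.  Assumptions (not stated in the thread):
AD computer accounts are looked up as NAME$, and the NetBIOS domain is the
first label of the DNS suffix unless realm_map overrides it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NtlmIdentity:
    username: str      # value passed as --username
    domain: str        # value passed as --domain
    is_machine: bool   # True for host/... identities (machine account)


# "host/laptop01.school.local" -> name="laptop01", suffix="school.local"
_HOST_RE = re.compile(r"^host/([^./\\@]+)(?:\.([^/\\@]+))?$", re.IGNORECASE)


def _realm_to_domain(realm: str, realm_map: Dict[str, str]) -> str:
    """Map a DNS realm to a NetBIOS domain (assumption: first label, uppercased)."""
    key = realm.lower()
    if key in realm_map:
        return realm_map[key]
    return realm.split(".")[0].upper()


def parse_identity(identity: str, default_domain: str,
                   realm_map: Optional[Dict[str, str]] = None) -> NtlmIdentity:
    """Turn an EAP identity into the username/domain pair ntlm_auth expects."""
    realm_map = realm_map or {}
    m = _HOST_RE.match(identity)
    if m:
        name, suffix = m.group(1), m.group(2)
        domain = _realm_to_domain(suffix, realm_map) if suffix else default_domain
        # Machine accounts are "NAME$" in AD (assumption stated in the docstring).
        return NtlmIdentity(name.upper() + "$", domain, True)
    if "\\" in identity:                       # DOMAIN\user
        domain, user = identity.split("\\", 1)
        return NtlmIdentity(user, domain.upper(), False)
    if "@" in identity:                        # user@realm
        user, realm = identity.rsplit("@", 1)
        return NtlmIdentity(user, _realm_to_domain(realm, realm_map), False)
    return NtlmIdentity(identity, default_domain, False)   # bare user name


def ntlm_auth_args(ident: NtlmIdentity, challenge_hex: str, nt_response_hex: str,
                   ntlm_auth: str = "/usr/bin/ntlm_auth") -> List[str]:
    """argv for ntlm_auth, the shape the mschap module's ntlm_auth line expands to.

    MS-CHAPv2 hands ntlm_auth an 8-byte challenge and a 24-byte NT-Response;
    reject anything else before it reaches the domain controller.
    """
    if not re.fullmatch(r"[0-9a-fA-F]{16}", challenge_hex):
        raise ValueError("MS-CHAPv2 challenge must be 8 bytes (16 hex digits)")
    if not re.fullmatch(r"[0-9a-fA-F]{48}", nt_response_hex):
        raise ValueError("NT-Response must be 24 bytes (48 hex digits)")
    return [ntlm_auth, "--request-nt-key",
            f"--username={ident.username}", f"--domain={ident.domain}",
            f"--challenge={challenge_hex}", f"--nt-response={nt_response_hex}"]


if __name__ == "__main__":
    # Constructed sample identities and placeholder hex, not captured traffic.
    for ident in ("host/laptop01.school.local", "SCHOOL\\jsmith", "jsmith@school.local"):
        parsed = parse_identity(ident, "SCHOOL")
        print(ident, "->", " ".join(ntlm_auth_args(parsed, "00" * 8, "00" * 24)))
```

The machine case is the one the thread is about: a computer that has never seen this user still presents "host/..." and gets on the network as LAPTOP01$, so the later user logon can reach the domain controller. Keep the validation of challenge and response lengths; ntlm_auth is a privileged helper and should only ever see well-formed MS-CHAPv2 material.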