Phil, thanks for the information! "Finally you need an AD domain (not NT4) to do that."

Are you saying I actually need a Microsoft Server? A Samba domain controller won't suffice? Being that I have no (ZERO) Microsoft servers, are my chances of doing machine authentication nil?

Stefan

> Date: Thu, 22 Dec 2005 12:44:04 +0000
> From: Phil Mayers <[EMAIL PROTECTED]>
> Subject: Re: Windows WPA
> To: FreeRadius users mailing list <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Stefan Adams wrote:
> > Does anyone know how it's possible to log into a windows domain (no
> > local account) from a Windows XP computer using WPA when the user has
> > never logged in before (making cached credentials impossible)?
> >
> > I work at a high school. We have several mobile carts with laptop
> > computers that do NOT have local accounts for each student.
> > Therefore, each student is required to logon to the windows domain
> > using wireless. This works fine using WEP.
> >
> > However, using WPA, with the automatically supply windows
> > username/password/domain checkbox selected, a user that has never
> > logged into that machine before is not able to log on. The Windows
> > computer complains that the domain controller is not available. This,
> > of course, is true because there are no 'up' network interfaces.
> >
> > But wouldn't it be logical for Windows to first supply the entered
> > credentials to the access point for authorization to the WPA WLAN and
> > then supply those same credentials to the domain controller?
>
> It would be logical. It does not do that.
>
> See the archives for "machine AND PEAP" - basically, you need to make
> the machines authenticate themselves with their machine account first,
> then those creds are used for the network login during profile download,
> at which point windows will switch to the user creds.
>
> One point to note: apparently the inbuilt windows supplicant has to use
> the *same method* for both the machine and user creds (e.g. both TLS or
> both PEAP+MS-CHAP).
>
> Also note that in order to authenticate a machine (as opposed to user)
> account, FreeRadius needs to be talking to an "ntlm_auth" which in turn
> talks to a patched samba (the messages you find with the above search
> should reference the location of the patch and/or the version from which
> it's integrated). Finally you need an AD domain (not NT4) to do that.
>
> > Is that the way it works, is there some other way, or are people that
> > have never logged on to these laptops before condemned to never logon
> > at all given our new WPA infrastructure?
>
> No, you just have to work hard to fix Microsoft's broken behaviour. As
> always.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
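A FreeRADIUS configuration fragment, added here as an illustration and not taken from the thread or from the FreeRADIUS project files, showing the shape of the setup Phil describes: one EAP method (PEAP with MS-CHAPv2) serving both the machine-account phase and the user phase, with the mschap module handing the MS-CHAPv2 exchange to Samba's `ntlm_auth` on a host joined to the AD domain. It assumes a FreeRADIUS 3.x layout (`mods-available/eap`, `mods-available/mschap`), a Samba recent enough to support `--request-nt-key`, and placeholder certificate paths and domain name.

```conf
# mods-available/eap  (assumed FreeRADIUS 3.x layout)
# The Windows supplicant uses the same method for the machine and the user
# credentials, so a single PEAP/MS-CHAPv2 configuration covers both phases.
eap {
    default_eap_type = peap
    tls-config tls-common {
        # Placeholder paths: the RADIUS server's own certificate and the CA
        # the clients are configured to trust.
        private_key_file = ${certdir}/server.key
        certificate_file = ${certdir}/server.pem
        ca_file          = ${cadir}/ca.pem
    }
    peap {
        tls = tls-common
        default_eap_type = mschapv2
        # Inner MS-CHAPv2 request is processed by the inner-tunnel server,
        # which calls the mschap module below.
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}

# mods-available/mschap  (assumed FreeRADIUS 3.x layout)
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    # Delegate the challenge/response check to Samba's ntlm_auth, which talks
    # to the domain controller through winbind. The %{mschap:...} expansions
    # are module-provided: User-Name rewrites a machine identity of the form
    # "host/lab01.school.example" into the computer-account form "LAB01$", and
    # NT-Domain carries the domain part when the client sends DOMAIN\user.
    # "SCHOOL" is a placeholder NetBIOS domain name.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-SCHOOL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
```

The host running FreeRADIUS must be joined to the domain (`net ads join`) and the radiusd user must be able to reach winbind's privileged pipe, or every `ntlm_auth` call fails regardless of the configuration above.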

