Windows WPA

Phil Mayers p.mayers at imperial.ac.uk
Thu Dec 22 13:44:04 CET 2005


Stefan Adams wrote:
> Does anyone know how it's possible to log into a Windows domain (no
> local account) from a Windows XP computer using WPA when the user has
> never logged in before (making cached credentials impossible)?
> 
> I work at a high school.  We have several mobile carts with laptop
> computers that do NOT have local accounts for each student.
> Therefore, each student is required to log on to the Windows domain
> using wireless.  This works fine using WEP.
> 
> However, using WPA, with the "automatically supply Windows
> username/password/domain" checkbox selected, a user that has never
> logged into that machine before is not able to log on.  The Windows
> computer complains that the domain controller is not available.  This,
> of course, is true because there are no 'up' network interfaces.
> 
> But wouldn't it be logical for Windows to first supply the entered
> credentials to the access point for authorization to the WPA WLAN and
> then supply those same credentials to the domain controller?

It would be logical. It does not do that.

See the archives for "machine AND PEAP" - basically, you need to make 
the machines authenticate themselves with their machine account first, 
then those creds are used for the network login during profile download, 
at which point Windows will switch to the user creds.

One point to note: apparently the inbuilt Windows supplicant has to use 
the *same method* for both the machine and user creds (e.g. both TLS or 
both PEAP+MS-CHAP).

Also note that in order to authenticate a machine (as opposed to user) 
account, FreeRADIUS needs to be talking to an "ntlm_auth" which in turn 
talks to a patched Samba (the messages you find with the above search 
should reference the location of the patch and/or the version from which 
it's integrated). Finally, you need an AD domain (not NT4) to do that.

> 
> Is that the way it works, is there some other way, or are people that
> have never logged on to these laptops before condemned to never logon
> at all given our new WPA infrastructure?

No, you just have to work hard to fix Microsoft's broken behaviour. As 
always.
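A sketch of the FreeRADIUS side of the setup Phil describes (one EAP method for both the machine and the user phase, MS-CHAPv2 verified against AD through Samba's ntlm_auth). This is an added example, not text from the thread and not the project's shipped configuration. It assumes a FreeRADIUS 2.x or later mschap module, whose `%{mschap:User-Name}` expansion turns a machine identity of the form host/laptop01.school.example into laptop01$ before handing it to ntlm_auth; in the 2005-era 1.x setup under discussion that rewrite is, as far as I know, what the Samba patch Phil mentions provided. The domain name SCHOOL, the hostname, and the certificate and binary paths are placeholders.

```conf
# eap.conf: one method for both phases.  The Windows supplicant does
# machine auth and user auth with the same method, so both go through
# PEAP with MS-CHAPv2 inside the TLS tunnel.
eap {
    default_eap_type = peap

    tls {
        # Server certificate the laptops validate before sending any
        # credential; the CA must be trusted on the laptops' machine store
        # or PEAP will fail before the inner auth even starts.
        private_key_file = ${raddbdir}/certs/server.pem
        certificate_file = ${raddbdir}/certs/server.pem
        CA_file          = ${raddbdir}/certs/ca.pem
        dh_file          = ${raddbdir}/certs/dh
        random_file      = /dev/urandom
    }

    peap {
        default_eap_type = mschapv2
        # Run the inner identity through the normal authorize/authenticate
        # sections so the mschap module below sees it.
        copy_request_to_tunnel = yes
        use_tunneled_reply     = yes
    }

    mschapv2 {
    }
}

# mschap module (inside modules { } in radiusd.conf on 1.x/2.x, or
# mods-available/mschap on 3.x): verify MS-CHAPv2 against the AD domain
# controller via ntlm_auth.  The RADIUS host must be joined to the domain
# ("net ads join") and winbindd must be running.
mschap {
    # Windows computes the MS-CHAPv2 response over the bare user name,
    # so strip a leading DOMAIN\ before hashing.
    with_ntdomain_hack = yes

    # %{mschap:User-Name} gives ntlm_auth "laptop01$" when the inner
    # identity is "host/laptop01.school.example" (machine account) and the
    # user name without any DOMAIN\ prefix otherwise, so one line serves
    # both the machine phase and the user phase.  No --domain is passed:
    # ntlm_auth then uses the domain winbindd is joined to (SCHOOL here).
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}"
}
```

Two checks before touching any laptop: run `ntlm_auth --request-nt-key --domain=SCHOOL --username=student --password=...` as the user radiusd runs as and confirm it prints `NT_STATUS_OK: Success (0x0)`; if that works from the shell but the module fails with an access error, the radiusd user is usually not permitted to read winbindd's privileged pipe directory (on most builds /var/lib/samba/winbindd_privileged), which the challenge/response path needs. Then watch `radiusd -X` while a freshly imaged laptop boots: the first inner identity you should see is the host/... name, and only after the desktop comes up should the student's name appear.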



More information about the Freeradius-Users mailing list