Windows WPA

Stefan Adams stefan at borgia.com
Thu Dec 22 16:38:38 CET 2005


Phil, thanks for the information!

"Finally you need an AD domain (not NT4) to do that."

Are you saying I actually need a Microsoft Server?  A Samba domain
controller won't suffice?  Being that I have no (ZERO) Microsoft servers,
are my chances of doing machine authentication nil?

Stefan

> Date: Thu, 22 Dec 2005 12:44:04 +0000
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Subject: Re: Windows WPA
> To: FreeRadius users mailing list
>         <freeradius-users at lists.freeradius.org>
> Message-ID: <43AA9F94.5070108 at imperial.ac.uk>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Stefan Adams wrote:
> > Does anyone know how it's possible to log into a windows domain (no
> > local account) from a Windows XP computer using WPA when the user has
> > never logged in before (making cached credentials impossible)?
> >
> > I work at a high school.  We have several mobile carts with laptop
> > computers that do NOT have local accounts for each student.
> > Therefore, each student is required to log on to the Windows domain
> > using wireless.  This works fine using WEP.
> >
> > However, using WPA, with the "automatically supply Windows
> > username/password/domain" checkbox selected, a user that has never
> > logged into that machine before is not able to log on.  The Windows
> > computer complains that the domain controller is not available.  This,
> > of course, is true because there are no 'up' network interfaces.
> >
> > But wouldn't it be logical for Windows to first supply the entered
> > credentials to the access point for authorization to the WPA WLAN and
> > then supply those same credentials to the domain controller?
>
> It would be logical. It does not do that.
>
> See the archives for "machine AND PEAP" - basically, you need to make
> the machines authenticate themselves with their machine account first,
> then those creds are used for the network login during profile download,
> at which point Windows will switch to the user creds.
>
> One point to note: apparently the inbuilt windows supplicant has to use
> the *same method* for both the machine and user creds (e.g. both TLS or
> both PEAP+MS-CHAP).
>
> Also note that in order to authenticate a machine (as opposed to user)
> account, FreeRadius needs to be talking to an "ntlm_auth" which in turn
> talks to a patched samba (the messages you find with the above search
> should reference the location of the patch and/or the version from which
> it's integrated). Finally you need an AD domain (not NT4) to do that.
>
> >
> > Is that the way it works, is there some other way, or are people that
> > have never logged on to these laptops before condemned to never log on
> > at all given our new WPA infrastructure?
>
> No, you just have to work hard to fix Microsoft's broken behaviour. As
> always.
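For anyone setting up what Phil describes, here is an added FreeRADIUS configuration sketch (not from the thread and not the project's own files): PEAP with MS-CHAPv2 inside for both the machine and the user phase, with the MS-CHAPv2 exchange handed to Samba's ntlm_auth. The FreeRADIUS 2.x file layout, certificate paths and the ntlm_auth path are assumptions.

```conf
# eap.conf (assumed FreeRADIUS 2.x layout): a single method, PEAP carrying
# MS-CHAPv2, because the Windows supplicant uses the same method for the
# machine login and the later user login.
eap {
    default_eap_type = peap
    tls {
        # assumed certificate paths; the server certificate must be trusted
        # by the client profile or the supplicant silently fails the machine phase
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.key
        CA_file = ${cacertdir}/ca.pem
    }
    peap {
        default_eap_type = mschapv2
    }
    mschapv2 {
    }
}

# modules/mschap: pass challenge and response to ntlm_auth, which checks
# them against the domain. Machine accounts need the patched Samba the
# thread refers to; an unpatched build only verifies user accounts.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/default, authorize section: the supplicant sends the machine
# phase as host/<computer>.<domain>. Tagging it makes the log show which
# phase rejects a student who has never logged on to that laptop.
authorize {
    preprocess
    if (User-Name =~ /^host\//) {
        update request {
            Tmp-String-0 := "machine-auth"
        }
    }
    eap
}
```

Watch radiusd -X for the host/ request first and the student's user name second; if only the second appears, the machine phase never ran and the laptop's profile (not the RADIUS side) is the place to look.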
