FreeRADIUS and Active Directory
Mike Loosbrock
m-loosbrock at bethel.edu
Thu Feb 19 17:23:34 CET 2009
On Feb 19, 2009, at 8:28 AM, Tomas wrote:
> My problem is that my windows box has no way of communicating with AD
> server to verify user credentials for initial login screen (reason for
> that is because switch port state is uncontrolled and no traffic other
> than EAPOL can pass through).
> Is there any way of setting my windows box so that user gets
> authenticated against radius and then AD using single sign on without
> doing any hacks to MS GINA or stuff like that?
Tomas, it sounds like you want the following behavior:
1.) machine boots up
2.) machine 802.1x authenticates, opening switch port for AD communication
3.) user enters credentials into OS login screen
4.) machine authenticates user against AD
5.) machine does an 802.1x re-auth with the user's credentials
Windows does support this and (surprise) it actually works well.
Assuming you're using the native Windows 802.1x supplicant and have
the non-domain case working, you can get the above behavior by
enabling the following options in the supplicant: (how you do this
varies a bit across Windows versions)
'Authenticate as computer when computer information is available'
'Automatically use my Windows logon name and password (and domain if any)'
Mike Loosbrock
Bethel University Network Services
651-638-6723
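The sequence Mike describes shows up on the RADIUS side as two successful authentications on the same switch port: first a machine identity (the native supplicant sends it as `host/<computer name>`), then the user identity after logon. The following is an added example, not code from the thread or from the FreeRADIUS project: it parses log lines written in the style of FreeRADIUS 2.x `radius.log` "Auth:" entries (the lines themselves are constructed samples) and flags user logins that were not preceded by a machine authentication from the same client, port and MAC, which is what an administrator would check to confirm that the computer-then-user flow is actually happening rather than users authenticating from non-domain machines. Keying on (client, port, MAC) is an assumption about how the switch reports the session.

```python
import re

# Constructed sample lines in the style of FreeRADIUS 2.x radius.log
# "Auth:" entries. They are made-up examples, not data from the thread.
SAMPLE_LOG = """\
Thu Feb 19 08:00:01 2009 : Auth: Login OK: [host/pc1.example.local] (from client sw1 port 5 cli 00-11-22-33-44-55)
Thu Feb 19 08:00:40 2009 : Auth: Login OK: [EXAMPLE\\tomas] (from client sw1 port 5 cli 00-11-22-33-44-55)
Thu Feb 19 08:03:12 2009 : Auth: Login OK: [EXAMPLE\\alice] (from client sw1 port 7 cli 00-11-22-33-44-66)
Thu Feb 19 08:05:00 2009 : Auth: Login incorrect: [host/pc3.example.local] (from client sw1 port 9 cli 00-11-22-33-44-77)
"""

# One "Auth:" line: timestamp, result, identity, NAS client, port and
# Calling-Station-Id (the supplicant's MAC, logged after "cli").
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<identity>[^\]]+)\] \(from client (?P<client>\S+) "
    r"port (?P<port>\d+) cli (?P<mac>[0-9A-Fa-f-]+)\)$"
)


def parse_auth_lines(text):
    """Return a list of dicts, one per parseable 'Auth:' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other log chatter is ignored
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        ev["mac"] = ev["mac"].lower()
        # The native Windows supplicant sends the computer account as
        # host/<fqdn>; anything else is treated as a user identity.
        ev["is_machine"] = ev["identity"].lower().startswith("host/")
        events.append(ev)
    return events


def user_auths_without_machine_auth(events):
    """Identities of successful user logins on a (client, port, MAC)
    that never showed a successful machine authentication first."""
    machine_seen = set()
    findings = []
    for ev in events:
        if ev["result"] != "OK":
            continue  # failed attempts do not open the port
        key = (ev["client"], ev["port"], ev["mac"])
        if ev["is_machine"]:
            machine_seen.add(key)
        elif key not in machine_seen:
            findings.append(ev["identity"])
    return findings


if __name__ == "__main__":
    evs = parse_auth_lines(SAMPLE_LOG)
    for ident in user_auths_without_machine_auth(evs):
        print("user login with no prior machine auth on this port:", ident)
```

In the sample, `tomas` on port 5 follows the `host/pc1.example.local` machine authentication from the same MAC and is not reported, while `alice` on port 7 is, since nothing authenticated as a computer there first. A machine that had its port opened on an earlier day may not re-authenticate as a computer at every boot the log covers, so in practice the window of log scanned should span at least one full boot of each machine.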