The other alternative is to use a third party 802.1x supplicant with a decent GINA module. This behaves *exactly* as you want. It accepts the users' credentials at the windows login, stops the windows login process, logs the user into the network, then returns control to windows to login the user to the AD. I've been doing this with EAP-TTLS/PAP to an AD backend with LDAP (no NTLM :-) for a while.
<br><br>Rgds,<br><br>Guy<br><br><div><span class="gmail_quote">On 22/12/05, <b class="gmail_sendername">Stefan Adams</b> <<a href="mailto:stefan@borgia.com">stefan@borgia.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Phil, thanks for the information!<br><br>"Finally you need an AD domain (not NT4) to do that."<br><br>Are you saying I actually need a Microsoft Server? A Samba domain<br>control won't suffice? Being that I have no (ZERO) Microsoft servers,
<br>are my chances of doing machine authentication nil?<br><br>Stefan<br><br>> Date: Thu, 22 Dec 2005 12:44:04 +0000<br>> From: Phil Mayers <<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk</a>>
<br>> Subject: Re: Windows WPA<br>> To: FreeRadius users mailing list<br>> <<a href="mailto:freeradius-users@lists.freeradius.org">freeradius-users@lists.freeradius.org</a>><br>> Message-ID: <
<a href="mailto:43AA9F94.5070108@imperial.ac.uk">43AA9F94.5070108@imperial.ac.uk</a>><br>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed<br>><br>> Stefan Adams wrote:<br>> > Does anyone know how it's possible to log into a windows domain (no
<br>> > local account) from a Windows XP computer using WPA when the user has<br>> > never logged in before (making cached credentials impossible)?<br>> ><br>> > I work at a high school. We have several mobile carts with laptop
<br>> > computers that do NOT have local accounts for each student.<br>> > Therefore, each student is required to logon to the windows domain<br>> > using wireless. This works fine using WEP.<br>> >
<br>> > However, using WPA, with the automatically supply windows<br>> > username/password/domain checkbox selected, a user that has never<br>> > logged into that machine before is not able to log on. The Windows
<br>> > computer complains that the domain controller is not available. This,<br>> > of course, is true because there are no 'up' network interfaces.<br>> ><br>> > But wouldn't it be logical for Windows to first supply the entered
<br>> > credentials to the access point for authorization to the WPA WLAN and<br>> > then supply those same credentials to the domain controller?<br>><br>> It would be logical. It does not do that.<br>>
<br>> See the archives for "machine AND PEAP" - basically, you need to make<br>> the machines authenticate themselves with their machine account first,<br>> then those creds are used for the network login during profile download,
<br>> at which point windows will switch to the user creds.<br>><br>> One point to note: apparently the inbuilt windows supplicant has to use<br>> the *same method* for both the machine and user creds (e.g. both TLS or
<br>> both PEAP+MS-CHAP).<br>><br>> Also note that in order to authenticate a machine (as opposed to user)<br>> account, FreeRadius needs to be talking to an "ntlm_auth" which in turn<br>> talks to a patched samba (the messages you find with the above search
<br>> should reference the location of the patch and/or the version from which<br>> it's integrated). Finally you need an AD domain (not NT4) to do that.<br>><br>> ><br>> > Is that the way it works, is there some other way, or are people that
<br>> > have never logged on to these laptops before condemned to never logon<br>> > at all given our new WPA infrastructure?<br>><br>> No, you just have to work hard to fix microsoft's broken behaviour. As
<br>> always.<br><br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br></blockquote></div><br>