Windows Client Authentification bevore Domain logon

[Steven Atkinson]

At 16:26 22/08/05, you wrote:
>Hi, i sucessfully installed a Radius authentificated Network with EAP-TLS
>Authentifikation. But I cant get logon to my Domain Controller when
>themachines boot up.. Ok, I know this Problem is not new, but is there any
>chance to solve this problem without additional software like AEGIS?? Or is
>there an other Software for Windows XP and or 2000 which is free from
>license? And is itpossible to set a default vlan group where the Domain
>Controller exists and all Clients firstly get in and later change the
>VLANID??? Would this be possible and how would it work?
>
>Greetings Armin

I have managed to do this by three different routes.

1. Use the Microsoft built in wireless client. To do this you need to use 
mmc and the certificate plug in to install a CA certificate & personal 
certificate for the local machine. Create a wireless profile in XP which 
connects to your network using the CA certificate you installed. Then add a 
DWORD registry entry AuthType with a value of 2 to 
HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global. This causes XP to 
use the machine account to authenticate to the network. This only uses the 
machine account to authenticate against the network, at no time does it use 
the users account. Other values to use are 0 - Use the default XP 
authentication, 1 - Always perform user authentication when a user logs on, 
2 - Perform computer authentication only.

2. As above, but don't add the registry entry. This time the machine will 
authenticate itself to the network before logon which allows the computer 
to see the network and the domain. Once the user logs on to the domain the 
connection is lost and the user account is then used to authenticate 
against the network. The problem here is that unless the user also has a 
valid personal certificate the authentication fails. This means going round 
to each user and installing a certificate, unless you can do it via Active 
Directory, we are using a Samba PDC here so that is not possible. I decided 
against this option with having 1500 potential users.

3. If you are using Intel wireless cards download the full version of the 
ProSet drivers, mine were 2200BG. This allows for different profiles which 
work as the machine before logon, or during logon to validate the user 
against the network. It also adds TTLS as well as TLS. There is a problem 
with this software if you are using roaming profiles. During logoff the 
network connection is dropped and it is impossible to upload the profile to 
the servers. According to Intel this is a know problem and at this time 
they have not replied to say if there is going to be a fix for it. This 
method worked very well upto the point of saving the profile, it is also 
much easier to distribute the settings to other machine using the profile 
import feature the ProSet drivers provide.

Steve Atkinson
Deputy Network Manager

Fallibroome High School
Priory Lane
Macclesfield
Cheshire
SK10 4AF