Machine account authentication progress?

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Thu May 17 15:37:45 CEST 2007


Hi,

> I have done all these steps except number 5.  Are you saying that we can
> now get machine names to authenticate prior to the user actually logging
> in?  I can get it working fine after the user has logged in.  It's just
> getting the machine to join the wireless network before log in so that they
> join the domain ok.

oh for sure! and what's more, the login doesn't hang - because the wireless is on
and working. it means you aren't relying on cached login credentials. as a side
effect, the network is 'real' when the Windows box starts - so all the other parts
of Windows work on the wireless - e.g. stuff you must be in the domain for.
drive mappings, GPOs, SMS bits all 'just work(tm)'

BUT BEWARE

one thing doesn't work.  Microsoft, in their wisdom, decided that the machine<->AD
renegotiation of the AD password key CANNOT WORK OVER AN ENCRYPTED LINK.

yes. that AD password will expire. on a wired network the machine will talk
to the AD to get its new key. if you are USING the key the machine knows
for the login process then that key is invalid in the AD and cannot be updated
over the PEAP encrypted wifi link.  - it also can't be updated on a PPTP link
from what I've read.  the default time for this to occur is 30 days IIRC.
change it on the AD to longer if you want less pain.

alan
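The machine-account password rotation Alan describes can be checked before it bites. The following is an added example, not part of Alan's message or of the FreeRADIUS project: it reads the Netlogon rotation policy on a domain-joined Windows client (the same settings the "Domain member: Maximum machine account password age" and "Domain member: Disable machine account password changes" GPO options write), reports how old the current machine password is, and tests the secure channel. It assumes it is run elevated on the domain member with the ActiveDirectory RSAT module installed; the threshold and the 30-day default are taken from the message.

```powershell
# Added example (not from the mailing-list post): inspect the Netlogon machine-account
# password policy on a domain member and report the current machine password age.
# Assumes an elevated session on a domain-joined client with the ActiveDirectory module.

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$props    = Get-ItemProperty -Path $netlogon

# MaximumPasswordAge is a REG_DWORD in days; when the value is absent Windows uses 30.
$maxAge   = if ($null -ne $props.MaximumPasswordAge) { [int]$props.MaximumPasswordAge } else { 30 }
# DisablePasswordChange = 1 stops the client from ever rotating its machine password.
$disabled = ($props.DisablePasswordChange -eq 1)

"Machine password rotation disabled : $disabled"
"Maximum machine password age (days): $maxAge"

# PasswordLastSet on the computer object records the last successful rotation in AD.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
$ageDays  = [int]((Get-Date) - $computer.PasswordLastSet).TotalDays
"Machine password age (days)        : $ageDays"

if (-not $disabled -and $ageDays -ge $maxAge) {
    Write-Warning "Machine password is past its rotation interval; check the secure channel."
}

# Test-ComputerSecureChannel verifies the trust with the domain; -Repair resets the
# machine password against a DC and is best done on a wired connection.
if (-not (Test-ComputerSecureChannel)) {
    Write-Warning "Secure channel test failed. Run 'Test-ComputerSecureChannel -Repair' on a wired link."
}

# To lengthen the interval as the message suggests (value in days), uncomment and
# choose your own number; pushing the same setting via GPO keeps members consistent.
# Set-ItemProperty -Path $netlogon -Name MaximumPasswordAge -Value 90 -Type DWord
```

The script only reads and reports by default; the final `Set-ItemProperty` line is left commented so the rotation interval is changed deliberately, and via GPO where a whole OU of wireless-only machines is affected.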



More information about the Freeradius-Users mailing list