Machine account authentication progress?

Peter Savage petesavage at ubuntu.com
Thu May 17 15:56:45 CEST 2007


On 17/05/07, A.L.M.Buxey at lboro.ac.uk <A.L.M.Buxey at lboro.ac.uk> wrote:
>
> Hi,
>
> > >I have done all these steps except number 5.  Are you saying that we can
> > now get machine names to authenticate prior to the user actually logging
> > in?  I can get it working fine after the user has logged in.  It's just
> > getting the machine to join the wireless network before log in so that
> > they join the domain ok.
>
> oh for sure! and what's more, the login doesn't hang - because the wireless
> is on and working. it means you aren't relying on cached login credentials.
> as a side effect, the network is 'real' when the windows box starts - so all
> the other parts of windows work on the wireless - eg stuff you must be in
> the domain for. drive mappings, GPOs, SMS bits all 'just work(tm)'


Wow, that's awesome, I read a post which said it wasn't working so I guess
it's been fixed....hoo diddly rah!!!
So now I just need to see why we're getting 0 length requests and mung about
with the User-Name as was stated earlier.  eeek!  So if I have EAP-TLS
working with PEAP, i.e. the AD users/passwords work....am I almost there?
;)


> BUT BEWARE
>
> one thing doesn't work.  Microsoft, in their wisdom, decided that the
> machine<->AD renegotiation of AD password key CANNOT WORK OVER AN ENCRYPTED
> LINK.
>
> yes. that AD password will expire. on a wired network the machine will talk
> to the AD to get its new key. if you are USING the key the machine knows
> for the login process then that key is invalid in the AD and cannot be
> upgraded over the PEAP encrypted wifi link.  - it also can't be updated on
> a PPTP link from what I've read.  the default time for this to occur is
> 30 days IIRC. change it on the AD to longer if you want less pain.

-- 
Pete Savage - cbx33::silentk
wiki.ubuntu.com/PeteSavage
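
An added example, not part of the original message or of FreeRADIUS: a PowerShell audit that lists machine accounts whose password age is at or near the 30-day interval mentioned in the quoted text, so wireless-only machines can be identified before the change falls due. It assumes the ActiveDirectory module (RSAT) is installed and that the machine running it receives the same Netlogon policy as the clients; `$WarnDays` is a name chosen for this example.

```powershell
# Added example: compare machine account password age with the rotation interval.
param(
    [int]$WarnDays = 5   # hypothetical parameter: flag accounts this close to the interval
)

Import-Module ActiveDirectory

# Interval configured on this domain member ("Domain member: Maximum machine
# account password age"). Netlogon uses 30 days when the value is absent.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params   = Get-ItemProperty -Path $netlogon -ErrorAction SilentlyContinue

$maxAgeDays = 30
if ($params -and $null -ne $params.MaximumPasswordAge) {
    $maxAgeDays = [int]$params.MaximumPasswordAge
}
if ($params -and $params.DisablePasswordChange -eq 1) {
    Write-Warning 'Machine password changes are disabled on this host.'
}

$now = Get-Date
$report = Get-ADComputer -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
    ForEach-Object {
        if (-not $_.PasswordLastSet) {
            $age = $null
            $status = 'never set'
        } else {
            $age = [int][math]::Floor(($now - $_.PasswordLastSet).TotalDays)
            if ($age -gt $maxAgeDays) {
                $status = 'overdue'
            } elseif ($age -ge ($maxAgeDays - $WarnDays)) {
                $status = 'due soon'
            } else {
                $status = 'ok'
            }
        }
        [pscustomobject]@{
            Computer        = $_.Name
            PasswordLastSet = $_.PasswordLastSet
            AgeDays         = $age
            Status          = $status
        }
    }

# Oldest first: these are the machines to check on a wired port.
$report | Where-Object { $_.Status -ne 'ok' } |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```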