Radius-based windows authentication
Phil Mayers
p.mayers at imperial.ac.uk
Fri Apr 25 17:51:28 CEST 2008
Mike Perdide wrote:
> Phil Mayers wrote:
>> Is the windows machine a domain member?
> No it's not. Only the users are.
?
When you sit at the login screen, and press ctrl+alt+del, are you
logging in with a username and password which is checked against the
domain controllers?
If so, then the machine *is* joined into the domain.
>
>> I think you are asking "is it possible for the client to do 802.1x with
>> the username/password typed into the login box" and the answer is "yes".
> That's exactly my question, thanks ;).
>
>> 1. Using the windows native supplicant and machine account
>> authentication. Basically the process is this:
>> * machine powers on - no-one logged in
>> * machine uses its own domain account to login "host/$machinename"
>> * user presses ctrl+alt+del
> When you say user presses ctrl+alt+del, you mean that he closes the session
> and uses his own login?
No. The machine is sitting at the login prompt, and the user presses
ctrl+alt+del to bring up the login box.
>
>> * machine validates credentials to the domain controller, over the
>> current network connection
> How did the machine obtain network connection?
>
>> * machine downloads the user's profile
>> * once the profile is downloaded, the machine does an EAP-Logoff and
>> then re-authenticates using the user credentials
>> * when the user logs out, the machine does an EAP-Logoff and then
>> logs back in using the machine account
>
>> 3. Using a different supplicant which has a GINA plugin; I believe the
>> Odyssey supplicant (which you have to pay for) can do this. SecureW2
>> (which is open source) may. Obviously you have to install software.
> I am currently using SecureW2 TTLS, and I did not see such a thing as a GINA
> plugin. I am gonna look for documentation about that.