802.1x authentication PEAP mschap v2
Hello, what is the real benefit of this type of network access? I know that clients need to trust the CA that issued the certificate on the DC server and also provide login and password authentication. My question is: does the computer which will use 802.1x wireless authentication need to have another wired connection (another NIC card) to the DC server so that account authentication to the DC can occur, or can a laptop switched on for the first time using only the wireless adapter connect and authenticate all at once? Also, what is the difference between user and computer authentication, because sometimes I have the option to choose one? I know that user authentication just asks for a valid username and password which are present in the Active Directory domain users and computers.
April 23rd, 2009 11:59pm

Hi there, let us take a simple example where you have the client configured with a single wireless NIC and no physical NIC present. Your client will initially be in the workgroup, and when you have the appropriate IP address configured for your wireless connectivity, you can contact the CA server and obtain the certificate (either machine cert or CA cert). So in this process two things are important: an appropriate IP address and the domain credentials to access the CA. Once your client has the CA installed, you should not have any problem accessing the network. The second option would be when your client joins the domain (with the appropriate DNS IP address); your client receives the root CA certificate, which you can observe using certmgr.msc from the client end, so for the next consecutive authentications your client uses the certificate for authentication. And it depends what type of authentication you are using, such as WPA, WPA2, WPA2-PSK, with either AES or TKIP.

Your second question depends on the authentication: EAP / EAP-TLS EAP conversation and user and client computer authentication. A complete EAP conversation between the client and the server is encapsulated within the TLS encryption channel. With PEAP, you can use any one of several EAP authentication methods, such as passwords, smart cards, and certificates, to authenticate the user and client computer: EAP-TLS, which uses certificates for server authentication and either certificates or smart cards for user and client computer authentication; EAP-MS-CHAP v2, which uses certificates for server authentication and credentials for user authentication.

sainath Windows Driver Development
April 24th, 2009 11:16am

Thank you. So once I have obtained the computer certificate intended for client authentication / server authentication, I will be able to join the domain if I set up the one and only wireless NIC card within the same subnet range as the DC subnet and with the DC DNS address. You quoted "and it depends what type of authentication you are using such as WPA, WPA2, WPA2-PSK, with either AES or TKIP". In this example, what configuration do I need to set up on the wireless properties of the client so that it uses the certificate to authenticate, and what else on the server side? 10q
April 24th, 2009 10:22pm

Just another option, but it may not be suitable for your environment... We are using PEAP WPA2 for our wireless clients, but instead of certificate-based we are using a Network Policy Server to provide RADIUS authentication. Instead of the client having a certificate installed, the NPS has a RAS/IAS certificate. In this setup, the computer must be able to authenticate to RADIUS, which I have based on a global group membership policy. In other words, my computers need to be joined to the domain prior, which is handled by our help desk.

We use computer authentication, which I believe is more secure because it only allows an authenticated computer account to gain access to the wireless network. With user authentication, a user can bring in a rogue wireless computer/device and enter in credentials to join the wireless network. I don't believe Windows by itself provides a way to enter credentials, but many third-party applications do. With computer authentication, when the computer powers up and connects to the wireless network, it sends its computer credentials. RADIUS verifies the credentials with the domain controller. If the global group membership is valid, the RADIUS server responds to the access point and the computer is allowed to use the wireless network. It all happens very quickly, even before the user attempts to authenticate to the domain.

I should mention that you need to configure the access points to use RADIUS with the configuration.
April 26th, 2009 1:32pm

Hi, Computer and user certificates are not required when you deploy the Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) certificate-based authentication method. Only servers running Network Policy Server (NPS) or PEAP-MS-CHAP v2 are required to have a certificate. For more information, please refer to the following article:

PEAP-MS-CHAP v2-based Authenticated Wireless Access Design
http://technet.microsoft.com/en-us/library/dd348500.aspx

The authenticated wireless access design based on Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) utilizes the user account credentials (user name and password) stored in Active Directory Domain Services (AD DS) to authenticate wireless access clients instead of using smart cards or user and computer certificates for client authentication.
April 28th, 2009 3:28am

Hi Brandon.M, I have set up the NPS server as a RADIUS server. The RADIUS server has a valid certificate. I have added the computer accounts into a global group and we still cannot authenticate, though the computer accounts seem as per the event logs. The only way to allow the access is by adding the user accounts either in the network policy or adding them in the same group as the computer accounts. In this way, the computer accounts are ignored and any rogue machine can connect to the network with a domain user account. How did you make this work on your end? We obviously would like to have only domain-registered computers allowed on the network. Thanks
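The symptom above (computer accounts in the group, but only user accounts get through) is easiest to diagnose from the NPS event log on the RADIUS server, because NPS records the identity the client actually presented. The following script is an added example, not code from anyone in this thread. It assumes you run it elevated on the NPS server, that NPS auditing is on (the default), that grants and denials appear in the Security log as events 6272 and 6273, and that the EventData field names used below (SubjectUserName, CallingStationID, NetworkPolicyName, ReasonCode) match your server; treat those names as assumptions to check against one exported event.

```powershell
# Added example: summarise recent NPS authentication results so you can see
# whether a wireless client presented its computer account or a user account.
# Assumptions (not from the thread): elevated on the NPS server, Security-log
# events 6272 (granted) / 6273 (denied), and the EventData field names below.
param([int]$Hours = 24)

$Events = Get-WinEvent -FilterHashtable @{
    LogName   = "Security"
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

# Pull one named EventData field out of an event rendered as XML.
function Get-Field([xml]$E, [string]$Name) {
    ($E.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$Rows = foreach ($Ev in $Events) {
    [xml]$X = $Ev.ToXml()
    $Account = Get-Field $X "SubjectUserName"
    [pscustomobject]@{
        Time     = $Ev.TimeCreated
        Result   = if ($Ev.Id -eq 6272) { "GRANTED" } else { "DENIED" }
        Account  = $Account
        # A computer account authenticates as host/<name>.<domain>;
        # anything else is a user logon sent by the client.
        Identity = if ($Account -like "host/*") { "computer" } else { "user" }
        Client   = Get-Field $X "CallingStationID"    # normally the client MAC
        Policy   = Get-Field $X "NetworkPolicyName"   # which policy matched
        Reason   = Get-Field $X "ReasonCode"          # non-zero on 6273
    }
}

# For a "domain computers only" policy, every GRANTED row should show
# Identity=computer. GRANTED rows with Identity=user mean the client profile
# is still sending user credentials, which is the rogue-machine case above.
$Rows | Sort-Object Time -Descending | Format-Table -AutoSize
$Rows | Group-Object Result, Identity | Select-Object Name, Count
```

Look first at the DENIED rows with Identity=computer: their Policy and Reason values tell you whether the machine request reached the intended policy at all, or fell through to a default deny, which is what happens when the policy conditions only ever match a user identity.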
February 18th, 2010 1:10pm

RXEBK, there are two pieces to configure: the NPS policy and the Windows client wireless network configuration.

In NPS, I have a Network Policy configured to authenticate connections to our switches and wireless controllers based on the conditions of "Client Friendly Name" and "Machine Groups". The client friendly name is simply the name of the switch or wireless controller in NPS. The machine group I have configured is a Windows domain global group that only contains computer accounts. The Authentication Method I am using is PEAP MS-CHAPv2.

On the Windows client, the wireless network properties for your wireless network must be configured for Computer authentication so that the computer uses its credentials rather than the user's credentials. By default, Windows sends user credentials. I only have a Windows 7 computer in front of me right now to look at and I assume Vista is the same. Windows XP is probably similar.

Windows 7/Vista: Either go to the properties of your existing wireless network that has been set up, or create a new connection and select "Change connection settings" on the last step of the wizard. In the Security tab, click Advanced settings. Under 802.1x settings, select Computer authentication in the drop-down menu.

I use Group Policy to push out this configuration to ensure that the settings are configured correctly. It also saves us from having to visit each computer individually.

This configuration works great for us. Currently, we only enforce this authentication on all of our wireless network controllers. We have done some testing with our switches and everything works great as well. We may eventually enforce authentication on those devices as well.
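The client-side step described above ("Under 802.1x settings, select Computer authentication") corresponds to the authMode element in the OneX section of the exported WLAN profile XML, and it can be applied from a script instead of the GUI. The following is an added example, not code from the poster or from Microsoft: it exports the existing profile with netsh, switches the 802.1X authentication mode from the default machineOrUser (what the GUI shows as "User or computer authentication") to machine, and re-imports the profile for all users. The SSID "CorpWiFi" and the temp folder are placeholders; it assumes the profile already carries a PEAP-MS-CHAP v2 configuration and that you run it elevated on a Windows 7/Vista client.

```powershell
# Added example: set an existing WLAN profile to Computer authentication.
# Assumptions (not from the thread): SSID "CorpWiFi" is a placeholder, the
# profile already has a PEAP-MS-CHAP v2 OneX section, and the shell is elevated.
$ProfileName = "CorpWiFi"
$Work = Join-Path $env:TEMP "wlanprofile"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# Export the current profile as XML; this is the same data the GUI edits.
netsh wlan export profile name="$ProfileName" folder="$Work" | Out-Null
$File = Get-ChildItem -Path $Work -Filter "*$ProfileName.xml" | Select-Object -First 1
if (-not $File) { throw "No exported profile for '$ProfileName' found in $Work" }
[xml]$Xml = Get-Content -Path $File.FullName

# The 802.1X settings live in the OneX element, in its own XML namespace.
$OneXNs = "http://www.microsoft.com/networking/OneX/v1"
$ns = New-Object System.Xml.XmlNamespaceManager($Xml.NameTable)
$ns.AddNamespace("w",  "http://www.microsoft.com/networking/WLAN/profile/v1")
$ns.AddNamespace("ox", $OneXNs)
$OneX = $Xml.SelectSingleNode("//ox:OneX", $ns)
if (-not $OneX) { throw "Profile '$ProfileName' has no 802.1X (OneX) configuration." }

# Weak setting: authMode = machineOrUser (the default when the element is
# absent). A logged-on user's credentials then satisfy the policy, so any
# domain user on any device gets on. Corrected setting: machine, so only the
# computer account is ever sent, which is what the "Machine Groups" policy
# condition in NPS is meant to check.
$AuthMode = $OneX.SelectSingleNode("ox:authMode", $ns)
if (-not $AuthMode) {
    $AuthMode = $Xml.CreateElement("authMode", $OneXNs)
    # The OneX schema is order-sensitive: authMode precedes EAPConfig.
    $Eap = $OneX.SelectSingleNode("ox:EAPConfig", $ns)
    if ($Eap) { $OneX.InsertBefore($AuthMode, $Eap) | Out-Null }
    else      { $OneX.AppendChild($AuthMode)        | Out-Null }
    "Before: authMode absent (defaults to machineOrUser)"
} else {
    "Before: authMode = $($AuthMode.InnerText)"
}
$AuthMode.InnerText = "machine"
$Xml.Save($File.FullName)

# Re-import for all users of the machine; netsh replaces the existing profile.
netsh wlan add profile filename="$($File.FullName)" user=all
"After: authMode = $($Xml.SelectSingleNode('//ox:authMode', $ns).InnerText)"
```

For a fleet, the same XML is what the Group Policy wireless network (IEEE 802.11) policy pushes out, as the poster describes; the script is useful for checking or fixing a single machine whose profile was edited by hand.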
February 22nd, 2010 2:20pm

Thanks for the feedback. we got it setup the same way in the end. I had forgotten that I had posted something here... but thanks anyway!! I have a question though regarding logon time: Do you notice a difference at all? For us, it seems to be a lot slower to boot up, while loading the startup scripts, before even entering credentials...
February 22nd, 2010 6:12pm

I have not noticed any difference in logon time, but I suppose that sort of thing could vary depending on the environment.
February 22nd, 2010 7:28pm

Hi, I am not new to RADIUS configuration, and my goal is to set up NPS RADIUS for wireless clients. I would like to be able to set up one condition in which only members of a security group (users) have access to the connection, and a condition to use domain computers too, so as to avoid other computers being able to connect using only domain credentials, since I plan to use a secondary security group which will allow only a few users to connect using only user credentials. The domain computers condition won't work for me when active; when domain computers is not a condition it works well. Nothing that I tried worked for me. Can somebody please explain how you managed to set up the policy to use a security group and domain computers together? Does someone have a working manual? Thanks in advance for any answer.
October 27th, 2010 7:11am

Hi, I found your questions on this forum and I found them very similar to the project I am working on. Please could you help me? I need your experience :D I would like to ask you about authentication to a WiFi access point via Active Directory credentials. Scenario: we have Active Directory and a RADIUS server (Windows 2008 R2) installed on the same PC, and a TP-Link access point configured as a RADIUS client. I want to connect a PC outside the domain controller to WiFi (the access point) via Active Directory user credentials. Do you have any idea?? I appreciate any help, thank you :D
July 21st, 2012 7:42pm
