Vista Machine Authentication with 2008 NPS and 802.1x
We are currently deploying a 802.1X solution through a multi-vendor wireless environment.
We are using PEAPv1 or PEAP with EAP-TLS with smart card logon.
Equipment used:
Cisco Aironet 1200 APs, a WiSM in a 6500-series switch, access/distribution/core layers all Nortel equipment, Server 2008 Enterprise R2 and Vista workstations.
So far we have accomplished successful connections with user smart card authentication through the wireless network.
Here is the problem: User A successfully logs on to a workstation with a smart card on the wired network. User A unplugs from the wired network and connects to the wireless network through PEAPv1, and is successful.
User B comes over to use the workstation while it is disconnected from the wired network. User B does not have cached credentials, so he is unable to log in to the computer, because the workstation cannot contact the domain until the wireless connection is established, and the wireless connection is not established until a user logs in. Catch-22...
Solution: Enable machine authentication, to give a "wired-like" connection through wireless. The machine authenticates, so user credentials can be requested and the user can log in, then connect to wireless with his own credentials and have full access to the network.
Our problem with this: Machine authentication fails. I have debug commands running on the WiSM and it is passing information from the workstation to the WiSM; Wireshark on the server shows the WiSM forwarding information to the server and back. But authentication still fails and says "EAP method not supported" in the event logs. We have tried every facet of EAP flavors in the NPS policy options; nothing will authenticate this machine.
Any help on machine authentication using PEAPv1 (EAP-PEAP EAP-TLS) with Vista and Server 2008 would be very, very, very much appreciated. Thank you.
Bryce "I wish I knew"
November 15th, 2010 3:18pm
We found the solution.
Certificate error between the authentication server (NPS RADIUS) and the supplicant (WZC) on the workstation. The server certificate was the same one we used for user authentication, so that cert should have been fine for machine authentication. For whatever reason it was not; we revoked the original DC authentication cert, re-submitted a new one, exported it to the workstation and voila... it worked.
So now users who do not have cached credentials can log on to a wireless workstation, then connect to the wireless network with their own account.
"I wish I knew"
November 16th, 2010 5:27pm
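The fix above came down to the server certificate that NPS presents to the PEAP/EAP-TLS supplicant. As an added example, not part of the original thread or of any Microsoft tooling, here is a PowerShell check an admin can run on the NPS server before revoking and re-issuing anything: it confirms the certificate has a private key, is within its validity period, carries the Server Authentication EKU, and builds a chain with online revocation checking, then prints the root CA that every supplicant must trust. The NPS FQDN (`nps01.corp.example`) and the assumption that the certificate lives in the machine Personal store are placeholders to replace.

```powershell
# Added example (not from the original thread). Run on the NPS server in an
# elevated PowerShell 2.0+ session. Assumptions: the NPS server certificate is in
# Cert:\LocalMachine\My and its subject CN is the server FQDN given below.
$NpsFqdn         = 'nps01.corp.example'   # assumed placeholder; replace with the real NPS FQDN
$ServerAuthOid   = '1.3.6.1.5.5.7.3.1'    # id-kp-serverAuth, required for PEAP/EAP-TLS server certs
$EkuExtensionOid = '2.5.29.37'            # extKeyUsage extension

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$NpsFqdn*" }

if (-not $certs) {
    Write-Warning "No certificate with CN=$NpsFqdn found in Cert:\LocalMachine\My"
    return
}

foreach ($cert in $certs) {
    Write-Host "Checking $($cert.Thumbprint) ($($cert.Subject))"
    $problems = @()

    # NPS can only present a certificate whose private key it holds
    if (-not $cert.HasPrivateKey) { $problems += 'no private key; NPS cannot use this certificate' }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # The supplicant rejects a server certificate without Server Authentication EKU
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtensionOid }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    }
    if (-not $hasServerAuth) { $problems += 'missing Server Authentication EKU' }

    # Build the chain the way a supplicant with revocation checking would
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) {
            $problems += "chain: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    } else {
        # Last element of a built chain is the root; supplicants must have it in Trusted Root CAs
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host "  Chain OK; root CA: $($root.Subject) [$($root.Thumbprint)]"
        Write-Host "  This root must be present in Cert:\LocalMachine\Root on every supplicant."
    }

    if ($problems.Count -eq 0) {
        Write-Host '  Result: usable as a PEAP/EAP-TLS server certificate'
    } else {
        $problems | ForEach-Object { Write-Warning "  $_" }
    }
}
```

If the chain builds here but machine authentication still fails on the workstation, the remaining check is on the supplicant side: the root printed above must be in the workstation's machine Trusted Root store (not just the user's), since machine authentication runs before any user logs on. That is what exporting the re-issued certificate to the workstation in the fix above accomplished.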