Re: Domain not available on PEAP clients at first logon

From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 01/10/05

• Next message: Sam Salhi [MSFT]: "Re: Extending IAS"
• Previous message: James McIllece [MS]: "Re: IAS Server, Cisco AP1200 and PEAP"
• In reply to: Mimmus: "Re: Domain not available on PEAP clients at first logon"
• Next in thread: Mimmus: "Re: Domain not available on PEAP clients at first logon"
• Reply: Mimmus: "Re: Domain not available on PEAP clients at first logon"
• Messages sorted by: [ date ] [ thread ]

---

Date: Mon, 10 Jan 2005 15:15:12 -0800

You may go down that path too. But if the computer is not in the domain or
doesn't have wired access at the time, you're back to square 1

-- 
      =============================================
  This posting is provided "AS IS" with no warranties, and confers no rights
      =============================================
"Mimmus" <viggiani@hotmail.com> wrote in message 
news:32rEd.23134$_E5.590955@twister2.libero.it...
> Thank you very much.
> At this point, I think that user auth is almost useless: I saw a thread 
> below ('802.1x Computer validation') describing a couple of registry key 
> to enable computer authentication only.
>
> Thanks
>
>
> "Sam Salhi [MSFT]" <samers@online.microsoft.com> ha scritto nel messaggio 
> news:ewKeXhf9EHA.2572@tk2msftngp13.phx.gbl...
>> Your solution is innovative. I commend you on it. That's an awesome way 
>> to do it
>>>
>>>> What I would suggest to you here is to go to the PEAP configuration and 
>>>> allow the user to specify the credentials (don't use windows 
>>>> credentials)
>>> No, I'd like a transparent access to the network. It is a switched (not 
>>> wireless), enterprise network and I'd like to implement access control 
>>> without forcong clientrs to re-enter credentials.
>>>
>>>> The other option you have is to provision the machines on the regular 
>>>> network first, THEN get them on your secured 802.1x
>>> I solved enabling PEAP with 'computer' logon in addition to 'user' 
>>> logon; in such a way, if a PC belongs to domain, it enters in the 
>>> network (like host/machine-name) already before prompt and a user can 
>>> login even if this is his first logon (non cached credentials) or his 
>>> password expired. During next 802.1x re-authentications (or because 
>>> network cable is unplugged or because I enable reauth timeout on the 
>>> switches), I will see a user login (i.e. domain/user) in IAS log and 
>>> this is OK for me.
>>> Non-domain clients and 'no more valid' users will be put in a guest, 
>>> isolated VLAN.
>>>
>>> I hope that this is correct!
>
> 

---

• Next message: Sam Salhi [MSFT]: "Re: Extending IAS"
• Previous message: James McIllece [MS]: "Re: IAS Server, Cisco AP1200 and PEAP"
• In reply to: Mimmus: "Re: Domain not available on PEAP clients at first logon"
• Next in thread: Mimmus: "Re: Domain not available on PEAP clients at first logon"
• Reply: Mimmus: "Re: Domain not available on PEAP clients at first logon"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: XP Pro - Logging on to Domain issues ... > The only thing I could find that closely resembles that is under Logon not ... > Group Policy and it is "Always wait for the network at computer startup ... >>> XP Pro machines that are joined on the domain and rebooted cannot ... >>> dialog box pops up asking you to log on with DIFFERENT credentials ... (microsoft.public.windowsxp.network_web) Re: Cant use WM6 to access network shares ... unfortunately nothing in any of the event logs. ... the logon prompt. ... So for whatever reason it's just not passing my credentials ... Can get to about any other share on the network. ... (microsoft.public.pocketpc.wireless) Re: IIS Auth Error - Kerberos/NTLM not accepting credentials ... > Services that users are having problems authenticating against. ... > someone tries to connect they are prompted for credentials. ... > Logon Failure: ... > network but the name of the machine. ... (microsoft.public.inetserver.iis.security) Re: Domain not available on PEAP clients at first logon ... >>> What I would suggest to you here is to go to the PEAP configuration and>> allow the user to specify the credentials > No, I'd like a transparent access to the network. ... It is a switched, enterprise network and I'd like to implement access control ... >>> The other option you have is to provision the machines on the regular>> network first, THEN get them on your secured 802.1x> I solved enabling PEAP with 'computer' logon in addition to 'user' logon;> in such a way, if a PC belongs to domain, it enters in the network already before prompt and a user can login even if this> is his first logon or his password expired. ... > During next 802.1x re-authentications, I will see> a user login in IAS log and this is OK for me. ... (microsoft.public.internet.radius) Re: Domain not available on PEAP clients at first logon ... > allow the user to specify the credentials ... I'd like a transparent access to the network. ... I solved enabling PEAP with 'computer' logon in addition to 'user' logon; ... because I enable reauth timeout on the switches), I will see a user login ... (microsoft.public.internet.radius)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(12)