Re: "any user" logon?



"jb" <jb@xxxxxxxxxxxxxx> wrote in
news:OgIPOWaOHHA.5000@xxxxxxxxxxxxxxxxxxxx:

Here's the deal, we have been told that as long as the user has a
certificate in AD and the machine has its certificate installed
locally - all of which is being done by GP - then any user should be
able to logon to any machine wirelessly.

However, when we try that - with users that can get in on other
machines and on machines that can login with a domain acct. that has
local admin rights - the wireless will not connect. The error relates
to not finding the cert. The ONLY users who can do this are those
whose domain account is a local admin on the laptop. CONFUSION!

We are a school with many lab/library laptops and we must be able to
have any user logon to any one of them and get authenticated to the
network as if they are on wire.

Do I make any sense????? LOL


Hi JB --

I don't know what the server or client OS's are here or what authentication
method you are trying to use -- is it PEAP-TLS or EAP-TLS?

I assume that you have deployed your own CA and that you have auto-enrolled
server certificates to your IAS server, is that the case?

I am not 100% sure based on the information you have provided, but I think
the problem is that you have deployed an authentication method with user
certs that are installed when GP is updated in the Current User certificate
store, but then users are switching computers.

To get the cert for every user into the Current Users cert store on every
computer, I believe it is necessary for the user to log onto the computer
while it is plugged into the wire. I haven't tested this personally so I am
not certain, but I believe this is necessary.

If you are having users move around from one PC to another all the time,
you might want to change the authentication method to PEAP-MS-CHAP v2,
where users type password-based credentials. I think that would be a
simpler deployment and that auth method is very secure.

To deploy this, assuming that your IAS server has a properly configured
certificate, all you need to do is change the authentication method on the
remote access policy to PEAP-MS-CHAP v2.

If you don't want to change the auth method, you should ensure that client
computers have the setting enabled "Authenticate as computer when computer
information is available." (This setting can be found in the properties for
the wireless network, on the Authentication tab.) See if enabling that
setting allows GP to update and download the user cert through wireless. If
not, try having the user log onto the machine when it is plugged into the
wire, look in the cert store for the Current User to see if the user cert
was enrolled, and if it was, try another wireless logon.

Also ensure that the user cert is properly configured (See the Help topic
"Network access authentication and certificates" in Windows Server 2003 IAS
or VPN Help, or on the web at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx).


--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
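
Added example, not part of either post: one way to do the "look in the cert store for the Current User" check suggested in the reply, run as the affected user on the laptop, with the computer store checked alongside it. Assumptions: PowerShell 3.0 or later, an English-language Windows (the SAN text match), the function name is hypothetical, and the criteria tested (private key present, Client Authentication EKU, UPN in the Subject Alternative Name for user certs) are the usual Microsoft requirements for EAP-TLS client certificates rather than anything stated in the thread.

```powershell
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Test-WirelessClientCert {     # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $StorePath,
        [switch] $RequireUpn           # user certs need a UPN in the SAN
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Does the certificate carry the Client Authentication purpose?
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasClientAuth = $false
        if ($ekuExt) {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            $hasClientAuth = $oids -contains $ClientAuthOid
        }

        # Decode the SAN; on English Windows a UPN shows as "Principal Name=".
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $hasUpn  = $sanText -match 'Principal Name='

        $inDate = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        $usable = $cert.HasPrivateKey -and $hasClientAuth -and $inDate -and
                  ((-not $RequireUpn) -or $hasUpn)

        [PSCustomObject]@{
            Store         = $StorePath
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = $hasClientAuth
            UpnInSan      = $hasUpn
            Usable        = $usable
        }
    }
}

# User certificate: exists only in the profile of a user who has enrolled here.
$user    = @(Test-WirelessClientCert -StorePath 'Cert:\CurrentUser\My' -RequireUpn)
# Computer certificate: what "Authenticate as computer" relies on before logon.
$machine = @(Test-WirelessClientCert -StorePath 'Cert:\LocalMachine\My')

$user + $machine | Format-Table -AutoSize
if (-not ($user | Where-Object { $_.Usable })) {
    Write-Warning 'No usable user certificate in Cert:\CurrentUser\My for this logon.'
}
```

An empty CurrentUser result for a user who authenticates fine on another laptop points to the certificate never having been enrolled into that user's profile on this machine, which is the situation the reply describes.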