802.1x XP Radius Wireless Authentication Pre-logon


    ntoupin (Member), post #161071

    Hello,
    Currently have a Radius server set up with our 802.1x wireless system; the radius authenticates users via their domain credentials. All has been working great until now, when I need to have XP laptops use the network.

    The laptops are on the domain and log on using domain credentials, but obviously users can’t log on until the network is connected to authenticate their credentials, and can’t get the network connected until they are logged on, a fun circle!

    It was a very easy process setting up with Windows 7, the wireless configuration on the device allows you to set the SSID to connect pre-logon as a SSO configuration. Unfortunately this is not the case with XP.

    Basically what is happening now is the network connection is set up on a laptop, a user tries to connect and gets rejected by the Radius server. This to me shows that the wireless connection is active before logon by setting “Always wait for the network at computer startup and logon” via GPO. However what seems to be happening is that because the user does not have a local profile, it does not log on to the machine with the domain credentials authenticating to the Radius Server.

    The user receives “The Domain is not available”.
    The Radius server denies authentication with the message:

    [CODE]Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 3/6/2013 9:50:33 AM
    Event ID: 6273
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: Server
    Description:
    Network Policy Server denied access to a user.

    Contact the Network Policy Server administrator for more information.

    User:
    Security ID: NULL SID
    Account Name: host/MACHINE.DOMAIN
    Account Domain: DOMAIN
    Fully Qualified Account Name: DOMAIN\MACHINE$

    Client Machine:
    Security ID: NULL SID
    Account Name: –
    Fully Qualified Account Name: –
    OS-Version: –
    Called Station Identifier: 000B866111DC
    Calling Station Identifier: 0017F247AB7C

    NAS:
    NAS IPv4 Address: IP
    NAS IPv6 Address: –
    NAS Identifier: –
    NAS Port-Type: Wireless – IEEE 802.11
    NAS Port: 0

    RADIUS Client:
    Client Friendly Name: WLAN
    Client IP Address: IP

    Authentication Details:
    Connection Request Policy Name: Secure Wireless Connections
    Network Policy Name: –
    Authentication Provider: Windows
    Authentication Server: SERVER
    Authentication Type: MS-CHAPv2
    EAP Type: –
    Account Session Identifier: –
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Event Xml (XML tags stripped by the forum; values only):
    6273
    1
    0
    12552
    0
    0x8010000000000000
    358634403
    Security
    SERVER
    S-1-0-0
    host/MACHINE.DOMAIN
    HPS
    HPS\HPS-MBI$
    S-1-0-0
    000B866111DC
    0017F247AB7C
    Wireless – IEEE 802.11
    0
    WLAN
    IP
    Secure Wireless Connections
    Windows
    SERVER
    MS-CHAPv2
    16
    Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    Accounting information was written to the local log file.
    [/CODE]

    In that message it is showing the Account Name and Fully Qualified Account Name as the machine name instead of a user; when a successful authentication through the Radius is made it shows domain\user, not the machine.

    Now IF the user HAS a local account already, such as a test user I made to try all of this that logged on via a wired connection, that user can log on (due to having a local profile and saved/cached credentials that allow it to log on regardless of the network connection) and then the wireless authenticates via their Windows account.

    So has anyone gotten XP SSO/Pre-logon working in this situation?

    I have tried several changes of settings to the wireless configuration on the machine itself as well as making new network policies on the radius to try to “Grant Access” based on the machine security group instead of the user at first with no luck.
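The 6273 event quoted above is the kind of thing that is easy to misread in a busy NPS log: the denied identity is the computer account (host/MACHINE.DOMAIN, mapped to DOMAIN\MACHINE$), not a user, and the interesting question is what the same wireless client did before and after it. The following Python script is an added example, not code from the original post or from Microsoft: it parses the rendered text of NPS audit events (6273 denied, 6272 granted), decides whether each attempt was a machine or a user identity, and groups the attempts by client MAC (Calling Station Identifier) so the pre-logon sequence becomes visible. The two sample events are constructed; the domain CORP, host LAPTOP01, user jdoe and the SID are placeholders, the client MAC is the one from the post, and the 6272 block is modelled on the rendered "granted access" event, which carries no Reason Code.

```python
"""NPS 802.1X audit triage: machine vs user authentication per wireless client.

Added example, not code from the original post. Parses rendered NPS audit
events (6273 = denied, 6272 = granted), tells a computer-account attempt
(User-Name host/<fqdn> or DOMAIN\\NAME$) from a user attempt, and groups
attempts by client MAC so the pre-logon sequence can be read off.
"""
import re
from collections import defaultdict

# Constructed sample (placeholder domain/host/user/SID). Field names follow
# the 6273 event in the post; the 6272 block is modelled on NPS's rendered
# "granted access" event (no Reason Code). The MAC is the post's client.
SAMPLE_EVENTS = """\
Event ID: 6273
Network Policy Server denied access to a user.
User:
Security ID: NULL SID
Account Name: host/LAPTOP01.corp.example
Account Domain: CORP
Fully Qualified Account Name: CORP\\LAPTOP01$
Client Machine:
Security ID: NULL SID
Account Name: -
Calling Station Identifier: 0017F247AB7C
NAS Port-Type: Wireless - IEEE 802.11
Authentication Type: MS-CHAPv2
EAP Type: -
Network Policy Name: -
Reason Code: 16
Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Event ID: 6272
Network Policy Server granted access to a user.
User:
Security ID: S-1-5-21-1111-2222-3333-1105
Account Name: jdoe
Account Domain: CORP
Fully Qualified Account Name: CORP\\jdoe
Calling Station Identifier: 0017F247AB7C
NAS Port-Type: Wireless - IEEE 802.11
Authentication Type: PEAP
EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
Network Policy Name: Secure Wireless Connections
"""

# "Key: value" lines; the key runs to the first colon, so a value such as
# "Microsoft: Secured password (...)" keeps its own colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s*(.*)$")

# Computer accounts are host/<fqdn> on the wire and DOMAIN\NAME$ once NPS
# has mapped them to an AD account; both forms are recognised.
MACHINE_NAME_RE = re.compile(r"^host/|\$$", re.IGNORECASE)


def parse_events(text):
    """One dict per 'Event ID:' block. The User and Client Machine sections
    repeat keys (Security ID, Account Name); the first, the User one, wins."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event ID":
            current = {"Event ID": int(value)}
            events.append(current)
        elif current is not None:
            current.setdefault(key, value)
    return events


def identity_kind(event):
    """'machine' if the authenticated identity is a computer account, else 'user'."""
    for key in ("Account Name", "Fully Qualified Account Name"):
        if MACHINE_NAME_RE.search(event.get(key, "")):
            return "machine"
    return "user"


def triage(event):
    """Return (verdict, detail) for one event."""
    kind = identity_kind(event)
    name = event.get("Fully Qualified Account Name") or event.get("Account Name", "?")
    policy = event.get("Network Policy Name", "-")
    if event["Event ID"] == 6272:
        return (f"{kind}-auth-granted", f"{name} accepted by network policy '{policy}'")
    reason = event.get("Reason Code", "?")
    if kind == "machine" and reason == "16":
        # The supplicant sent the computer account (pre-logon); NPS could not
        # validate it and recorded no matching network policy.
        return ("machine-auth-denied",
                f"{name} sent as computer account, reason 16, network policy "
                f"'{policy}': check that computer authentication is allowed for "
                f"this SSID and that a policy grants the machine group")
    return (f"{kind}-auth-denied", f"{name} denied, reason {reason}: {event.get('Reason', '')}")


def per_client_timeline(events):
    """(event id, identity kind, verdict) per client MAC, in log order."""
    timeline = defaultdict(list)
    for ev in events:
        mac = ev.get("Calling Station Identifier", "?")
        timeline[mac].append((ev["Event ID"], identity_kind(ev), triage(ev)[0]))
    return dict(timeline)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for mac, seq in per_client_timeline(parsed).items():
        print(mac, "->", seq)
```

Run stand-alone it prints one line per client MAC showing the sequence machine-auth-denied followed by user-auth-granted, which is exactly the pattern to look for when a laptop only gets on the wireless after a cached logon. To use it on a real server, feed it the Message text of events 6272/6273 exported from the Security log (for example via Get-WinEvent in PowerShell) instead of SAMPLE_EVENTS.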
