Archived from groups: microsoft.public.windows.networking.wireless
I have reinstalled the notebook and the problem with requesting certificates went away... Now it seems I'm back at the machine authentication. I actually set some EAPOL registry key called Authmode to 2, thereby forcing machine authentication only.

Remember I had user authentication working ok, machine authentication not. When I change this registry key to 2, the wireless notebook shows "validating identity" and this goes on forever. No reject/accept messages in the IAS log, nothing in the IAS system event log. The AP is Linksys WAP54G and has almost no logging feature. The IAS is a service of the SBS 2003 does-it-all server. I have requested user and machine certificates.

Are you still there?

Thanks,
Ivo
"Mark Gamache" wrote:
> I reread the thread and am not sure, so I'll ask. Were you able to provision a machine certificate on the laptop?
>
> Does your AP have any logging features that may give EAP related info and association info? Before the AP sends your laptop's EAP-TLS to the IAS server, the wireless client must associate. Then the AP sends an EAP-Request-Identity, which I'm sure is working if you are getting on with user certs. Your laptop should send an EAP-Response-Identity. The response is based on the setup of your wireless auth tab. It would help to know if your PC is associating and if it is seeing and responding to the EAP messages. Only when this works does your IAS server get to see traffic.
>
> Cheers,
>
> --
> Mark Gamache
> Certified Security Solutions
> http://www.css-security.com
>
> "Ivo" <Ivo@discussions.microsoft.com> wrote in message
> news:41CC592A-0893-4E57-8F5D-F0B91F006232@microsoft.com...
> > In the meanwhile I have it working nicely at another site. That's SBS2003, with EAP-TLS and machine connects and then the logon dialogue and after logon the user connects. Same equipment: Linksys WAP54G and Intel 2100 chip on the client notebook.
> >
> > At the site with the problem described in the thread, it's SBS2000, I think I made everybody believe it was SBS2003 so far... Anyway, on this installation we still have to hope for the better, at the moment user connect is OK but no preceding machine connect, nothing is entering the IAS. O how I would love to solve this issue...
> >
> > Regards, Ivo
> >
> > "Ivo" wrote:
> >
> >> I understand your remarks. I'm using software certificates, this PC has both user and computer certificates all right. I'll double check it when I get to that PC. The machine certificates were provisioned through manual certificates, which was successful. I followed the procedures as in the Windows SBS 2003 Administrator's Companion (MS Press book).
> >>
> >> Thanks again, Ivo
> >>
> >> "Mark Gamache" wrote:
> >>
> >> > Are you using smartcards or software certificates? How are the machine certificates provisioned? I skimmed back through your posts and didn't see any reference to the machine certs. You have to have them.
> >> >
> >> > --
> >> > Mark Gamache
> >> > Certified Security Solutions
> >> > http://www.css-security.com
> >> >
> >> > "Ivo" <Ivo@discussions.microsoft.com> wrote in message
> >> > news:DBA82155-384D-47A7-B6B8-AEE865C0EACB@microsoft.com...
> >> > > You were right about not passing 802.1X authentication based on host verification. I looked into the IAS log and the computer account is not trying to connect. In the properties of the wireless connection, there's the Verification (I have it here in Dutch language so the English wording may be not exactly as my translation) tab and there's IEEE 802.1X verification is enabled, EAP type is smartcard or other certificate and the check box "verify as computer when computer information is available" is selected all right. But there's nothing in the IAS log about the computer trying to connect...
> >> > >
> >> > > So I'm afraid this is the unlikely option in your diagnosis...
> >> > > Thanks for your assistance, where do we go from here?
> >> > >
> >> > > Ivo
> >> > >
> >> > > P.S. I've tried to run tests with another notebook at home against a SBS2003 installation but ran into a certification problem, so I'll start a new thread for that one.
> >> > >
> >> > > "Mark Gamache" wrote:
> >> > >
> >> > >> Based on your description, I am sure you are not passing 802.1X authentication until after the user is logged in. If these laptops are going to always be wireless, you will have to resolve the issue. If it's not resolved, your machine group policy won't work and various things such as mapped drives and password expiration warnings will not be generated.
> >> > >>
> >> > >> The first place to start is your IAS logs. Boot the laptop but don't login. Check your IAS logs to see if the computer account is trying to connect. I use this app to look at the logs. It's free to try. http://www.deepsoftware.ru/iasviewer/ It makes them much easier to read.
> >> > >>
> >> > >> If the laptop doesn't even try to connect (there are no logs of it attempting to auth. to the IAS server) then it's likely that your Intel NIC or the app running it is not allowing it to associate to the AP until someone is logged in. This is unlikely as the Intel 2100 should work correctly. If the logs show an attempted connect that fails, then you simply verify why it is failing. The logs are likely to answer that question for you.
> >> > >>
> >> > >> I suspect the logs will tell you exactly what is going on. It's likely that no remote access policies apply to the computer's security context. Remember, the computer has an account in the domain that it uses to automatically log itself in to the domain with. This account needs to have the appropriate group membership etc. to pass your remote access policy.
> >> > >>
> >> > >> Cheers,
> >> > >>
> >> > >> --
> >> > >> Mark Gamache
> >> > >> Certified Security Solutions
> >> > >> http://www.css-security.com
> >> > >>
> >> > >> "Ivo" <Ivo@discussions.microsoft.com> wrote in message
> >> > >> news:EF15A10B-365D-4469-97EA-E9EDFF35BB93@microsoft.com...
> >> > >> > Hello Mark,
> >> > >> >
> >> > >> > I've upgraded to the latest available Intel 2100b driver found on the Acer TM803LMi support site. Afterwards I could choose WPA/TKIP in my WXPSP2 notebook and I changed the settings on the Linksys WAP54G accordingly. When the notebook is restarted (disconnected from the wired network), I'm presented with the logon dialogue and then (after OK) it takes some time, but unfortunately the message about not being able to reach the roaming profile reappears. And once logged on, the drive letters to network shares are not available (I do NET USE to get the list, it's empty). When I then logoff/logon, the situation is different. This time it takes the roaming profile and NET USE shows the drive letters my user likes. But the letters still do not appear in his Windows Explorer / My Computer, this takes extra time, but eventually they become available with no extra actions.
> >> > >> >
> >> > >> > Still some questions about this:
> >> > >> > - is this the best result I can obtain or can we do better?
> >> > >> > - would it work with the roaming profile also after a notebook restart (i.e. on the first logon)
> >> > >> > - would there be a sign indicating that the computer connected OK to the domain, or how does the user know how long to wait before clicking OK on the logon dialog.
> >> > >> >
> >> > >> > Suggestions on how to proceed are very much appreciated, thanks in advance,
> >> > >> > Ivo
> >> > >> >
> >> > >> > "Mark Gamache" wrote:
> >> > >> >
> >> > >> >> Ivo,
> >> > >> >>
> >> > >> >> This is partly reliant on your hardware and partly on your remote access policy and group membership. Not all wireless hardware will associate to the AP and authenticate without a user logged in. Most will retain the settings of the last user. Assuming that your hardware supports it, you need the computer to be able to log in using its machine account. This means that the computer accounts need to be a member of the wireless group that you are adding your users to. If you are using certificates for TLS, then you will need to make sure the computers have machine certificates.
> >> > >> >>
> >> > >> >> Once you do this, the computer will authenticate to the AP when it boots. This will allow for your users to log into the domain instead of using their cached creds.
> >> > >> >>
> >> > >> >> Cheers,
> >> > >> >>
> >> > >> >> --
> >> > >> >> Mark Gamache
> >> > >> >> Certified Security Solutions
> >> > >> >> http://www.css-security.com
> >> > >> >>
> >> > >> >> "Ivo" <Ivo@discussions.microsoft.com> wrote in message
> >> > >> >> news:EDB2DF53-DFFF-4BEB-85B4-17B1AA4A9158@microsoft.com...
> >> > >> >> > I've set up a secure wireless infrastructure on SBS2000, it's small and I test it on one ACER TM803LMi (with the Intel 2100 built-in). It works with certificates etc. When I disconnect the cable and restart the PC, then the user apparently gets logged on with its cached credentials and then the wifi comes up. There was a warning (cannot find your roaming profile) also. So the end result is connectivity but no use of the roaming profile and also the user's netlogon script (net use etc) was not executed.
> >> > >> >> > Can wireless connection be combined with roaming profiles?
> >> > >> >> >
> >> > >> >> > Thanks, Ivo
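The sequence Mark describes (associate, EAP-Request-Identity from the AP, EAP-Response-Identity from the supplicant, and only then RADIUS traffic for IAS to log) can be checked directly on the wire. The following Python decoder is an added example and not code from anyone in this thread: it parses EAPOL/EAP Identity frames, tells a machine identity (Windows machine authentication sends its identity as host/<computer name>, assumed here) from a user identity, and reports how far the exchange got. The sample frames and host name are constructed.

```python
import struct
from typing import NamedTuple, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}

class EapSummary(NamedTuple):
    code: str
    eap_type: Optional[str]
    identity: Optional[str]
    role: Optional[str]  # "machine" (host/...) or "user" for a Response/Identity

def parse_eapol(frame: bytes) -> EapSummary:
    """Decode one 802.1X EAPOL frame of type 0 (EAP-Packet) down to the EAP identity."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, plen = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + plen]
    if ptype != 0 or plen < 4 or len(body) != plen:
        raise ValueError("not a well-formed EAPOL EAP-Packet frame")
    code, _ident, elen = struct.unpack("!BBH", body[:4])
    if elen != plen:
        raise ValueError("EAP length disagrees with EAPOL length")
    code_name = EAP_CODES.get(code, f"code-{code}")
    if code in (3, 4):  # Success/Failure carry no Type byte
        return EapSummary(code_name, None, None, None)
    if plen < 5:
        raise ValueError("Request/Response without a Type byte")
    type_name = EAP_TYPES.get(body[4], f"type-{body[4]}")
    identity = role = None
    if body[4] == 1 and code == 2:  # Response/Identity: the supplicant names itself
        identity = body[5:].decode("utf-8", errors="replace")
        role = "machine" if identity.lower().startswith("host/") else "user"
    return EapSummary(code_name, type_name, identity, role)

def exchange_status(frames) -> str:
    """Triage in the thread's order: association, identity exchange, then IAS/RADIUS."""
    summaries = [parse_eapol(f) for f in frames]
    seen = {s.code for s in summaries if s.eap_type == "Identity"}
    if "Request" not in seen:
        return "no EAP-Request-Identity seen: client is not associating"
    if "Response" not in seen:
        return "no EAP-Response-Identity from supplicant: IAS will see no traffic"
    return "identity exchange done: look at the RADIUS/IAS log next"

def build_identity_frame(code: int, ident: int, identity: str = "") -> bytes:
    """Build a constructed EAPOL/EAP Identity frame (sample data, not a capture)."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(identity), 1) + identity.encode()
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

SAMPLE_FRAMES = [build_identity_frame(1, 1), build_identity_frame(2, 1, "host/nb01.example.local")]
```

Run the decoder over the frames a capture tool shows for the boot-time (no user logged in) attempt; a Response whose role is "user" at that point means the supplicant is still using the last user's settings rather than the machine account.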