802.1x XP Radius Wireless Authentication Pre-logon
  • 802.1x XP Radius Wireless Authentication Pre-logon

    Hello,
    We currently have a Radius server set up with our 802.1x wireless system; the Radius server authenticates users via their domain credentials. All has been working great until now, where I need to have XP laptops use the network.

    The laptops are on the domain and log on using domain credentials, but obviously users can't log on until the network is connected to authenticate their credentials, and can't get the network connected until they are logged on: a fun circle!

    It was a very easy process setting this up with Windows 7; the wireless configuration on the device allows you to set the SSID to connect pre-logon as an SSO configuration. Unfortunately this is not the case with XP.

    Basically, what is happening now is this: the network connection is set up on a laptop, a user tries to connect, and gets rejected by the Radius server. This shows me that the wireless connection is active before logon, by setting "Always wait for the network at computer startup and logon" via GPO. However, what seems to be happening is that, because the user does not have a local profile, it does not log on to the machine with the domain credentials, and it is the machine authenticating to the Radius server.

    The user receives "The Domain is not available".
    The Radius server denies authentication with the message:

    Code:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          3/6/2013 9:50:33 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      Server
    Description:
    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
    	Security ID:			NULL SID
    	Account Name:			host/MACHINE.DOMAIN
    	Account Domain:			DOMAIN
    	Fully Qualified Account Name:	DOMAIN\MACHINE$
    
    Client Machine:
    	Security ID:			NULL SID
    	Account Name:			-
    	Fully Qualified Account Name:	-
    	OS-Version:			-
    	Called Station Identifier:		000B866111DC
    	Calling Station Identifier:		0017F247AB7C
    
    NAS:
    	NAS IPv4 Address:		IP
    	NAS IPv6 Address:		-
    	NAS Identifier:			-
    	NAS Port-Type:			Wireless - IEEE 802.11
    	NAS Port:			0
    
    RADIUS Client:
    	Client Friendly Name:		WLAN
    	Client IP Address:			IP
    
    Authentication Details:
    	Connection Request Policy Name:	Secure Wireless Connections
    	Network Policy Name:		-
    	Authentication Provider:		Windows
    	Authentication Server:		SERVER
    	Authentication Type:		MS-CHAPv2
    	EAP Type:			-
    	Account Session Identifier:		-
    	Logging Results:			Accounting information was written to the local log file.
    	Reason Code:			16
    	Reason:				Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>6273</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2013-03-06T14:50:33.593542800Z" />
        <EventRecordID>358634403</EventRecordID>
        <Correlation />
        <Execution ProcessID="496" ThreadID="544" />
        <Channel>Security</Channel>
        <Computer>SERVER</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">host/MACHINE.DOMAIN</Data>
        <Data Name="SubjectDomainName">HPS</Data>
        <Data Name="FullyQualifiedSubjectUserName">HPS\HPS-MBI$</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">000B866111DC</Data>
        <Data Name="CallingStationID">0017F247AB7C</Data>
        <Data Name="NASIPv4Address">--------</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">-</Data>
        <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
        <Data Name="NASPort">0</Data>
        <Data Name="ClientName">WLAN</Data>
        <Data Name="ClientIPAddress">IP</Data>
        <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">Windows</Data>
        <Data Name="AuthenticationServer">SERVER</Data>
        <Data Name="AuthenticationType">MS-CHAPv2</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="ReasonCode">16</Data>
        <Data Name="Reason">Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.</Data>
        <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
      </EventData>
    </Event>

    In that message, it shows the Account Name and Fully Qualified Account Name as the machine name instead of a user; when a successful authentication through the Radius is made, it shows domain\user, not the machine.

    Now, IF the user HAS a local account already, such as a test user I made to try all of this that logged on via a wired connection, that user can log on (due to having a local profile and saved/cached credentials that allow it to log on regardless of the network connection), and then the wireless authenticates via their Windows account.

    So, has anyone gotten XP SSO/pre-logon working in this situation?

    I have tried several changes to the settings of the wireless configuration on the machine itself, as well as making new network policies on the Radius to try to "Grant Access" based on the machine security group instead of the user, so far with no luck.
    Last edited by ntoupin; 6th March 2013, 16:30.
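The diagnostic point in the post above is that the denied attempt carries a machine identity (host/MACHINE.DOMAIN, resolved to DOMAIN\MACHINE$) rather than a user, no network policy name is recorded, and the reason code is 16. The following is an added example, not code from the original post or from Microsoft: a small Python triage script that parses an NPS event 6273 Event XML document and reports exactly those facts, so the same check can be run over an exported log instead of reading each event by hand. The two sample events are constructed to mirror the fields the post shows; the host name, domain, user name and MAC addresses are placeholders, and the second sample is derived from the first with a user identity substituted in.

```python
"""
Triage a Windows NPS event 6273 (Network Policy Server denied access):
parse its Event XML and report whether the supplicant presented a machine
identity (host/<fqdn>, mapped to DOMAIN\\NAME$) or a user identity, which
network policy (if any) was recorded, and the reason code.

Added example, not code from the original post. The samples below are
constructed; host, domain, user and MAC values are placeholders.
"""
import xml.etree.ElementTree as ET

# Namespace used by all Windows Event XML documents.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a machine-account attempt denied with reason code 16,
# shaped like the event in the post (placeholder host/domain/MACs).
SAMPLE_DENIED = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Channel>Security</Channel>
    <Computer>SERVER</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">host/MACHINE.DOMAIN</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="FullyQualifiedSubjectUserName">DOMAIN\\MACHINE$</Data>
    <Data Name="CallingStationID">0017F247AB7C</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="ProxyPolicyName">Secure Wireless Connections</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationType">MS-CHAPv2</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">16</Data>
  </EventData>
</Event>
"""

# Second constructed sample: same event shape, but a user identity
# (placeholder user "jsmith").
SAMPLE_USER_DENIED = (
    SAMPLE_DENIED.replace("host/MACHINE.DOMAIN", "jsmith")
                 .replace("DOMAIN\\MACHINE$", "DOMAIN\\jsmith")
)


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Event XML document."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    data = {}
    for d in root.findall("e:EventData/e:Data", NS):
        data[d.get("Name")] = (d.text or "").strip()
    return event_id, data


def identity_kind(subject_name, fq_name):
    """'machine' if the supplicant authenticated as a computer account, else 'user'.

    802.1X computer authentication sends host/<fqdn> as the identity and NPS
    resolves it to the DOMAIN\\NAME$ computer account; a user logon sends the
    user name and resolves to DOMAIN\\user.
    """
    if subject_name.lower().startswith("host/") or fq_name.endswith("$"):
        return "machine"
    return "user"


def format_mac(station_id):
    """Render NPS's bare 12-hex-digit station IDs as aa:bb:cc:dd:ee:ff."""
    s = station_id.replace("-", "").replace(":", "").lower()
    if len(s) != 12:
        return station_id
    return ":".join(s[i:i + 2] for i in range(0, 12, 2))


def triage_6273(xml_text):
    """Summarise a 6273 event; raises ValueError for any other event ID."""
    event_id, d = parse_event(xml_text)
    if event_id != "6273":
        raise ValueError(f"expected event 6273, got {event_id}")
    return {
        "identity_kind": identity_kind(d.get("SubjectUserName", ""),
                                       d.get("FullyQualifiedSubjectUserName", "")),
        "account": d.get("FullyQualifiedSubjectUserName", "-"),
        "client_mac": format_mac(d.get("CallingStationID", "")),
        "connection_request_policy": d.get("ProxyPolicyName", "-"),
        # NPS writes "-" when no network policy was recorded for the attempt.
        "network_policy": (None if d.get("NetworkPolicyName", "-") == "-"
                           else d["NetworkPolicyName"]),
        "auth_type": d.get("AuthenticationType", "-"),
        "eap_type": None if d.get("EAPType", "-") == "-" else d["EAPType"],
        "reason_code": int(d.get("ReasonCode", "0")),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_DENIED, SAMPLE_USER_DENIED):
        print(triage_6273(sample))
```

For a real log, feed each `<Event>` element exported from the Security channel to `triage_6273` and group the results by `identity_kind` and `network_policy`: a run of machine-identity denials with no network policy recorded is the pattern the post describes, and it is distinct from a user whose password simply failed.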

  • #2
    Re: 802.1x XP Radius Wireless Authentication Pre-logon

    Have you created a security group for the domain computers on the Radius server? Just write another policy like your domain users policy, except make it the domain computers, and you should be good to go.

    The setup is much easier with Win 7 and SSO, just like you said, but with XP you have to get byzantine to make it work.

    Hope that helps, and I hope I understood correctly.

    best of luck,

    J
    It's easier to beg forgiveness than to ask permission.
    Give karma where karma is due...



    • #3
      Re: 802.1x XP Radius Wireless Authentication Pre-logon

      Originally posted by James Haynes
      Have you created a security group for the domain computers on the Radius server? Just write another policy like your domain users policy, except make it the domain computers, and you should be good to go.

      The setup is much easier with Win 7 and SSO, just like you said, but with XP you have to get byzantine to make it work.

      Hope that helps, and I hope I understood correctly.

      best of luck,

      J
      Hi,
      I did make another request policy and set it to domain\domain computers as well as trying to make a specific security group that the laptops were a member of, both with no success.
