Koozali.org: home of the SME Server

Windows XP PDC Authentication over wireless network

iltasu
« on: February 17, 2008, 07:14:06 PM »
Hello, I've set up the RADIUS server on the SME Server 7.3 configured as PDC, I've set up the Access Point as a client for this RADIUS server (WPA Enterprise) and the clients (both Linux and Windows XP) can authenticate and use the wireless connection. This is good so far, but what I want to achieve is the next step: I mean, pull all the Ethernet cables off the clients and manage to authenticate Windows clients on the domain using the wifi connection. The problem is that it seems that Win XP enables wireless only after the login.
The wifi dongles are Wireless USB Adapters (A02-UP-W54) made by Atlantis.
Googlin' 'round I managed to understand that, maybe, if I could give a signed certificate to the Win XP client, it will enable wifi before the login screen, thus allowing me to authenticate against the PDC.
From this point on I'm a bit confused and lost: how can I generate and use those certs (are they really needed)? Anyway, the true question is: how could I authenticate the Win XP clients through the wireless network?

Thank you for the answers, if more info is needed, please ask.

Gabriele
« Last Edit: February 17, 2008, 11:42:34 PM by iltasu »

ked
Re: Windows XP PDC Authentication over wireless network
« Reply #1 on: February 18, 2008, 11:34:10 PM »
Hello iltasu.

While I have no experience with WPA-Enterprise, a friend's small business is successfully using domain user authentication over wireless (WPA-PSK) on a SME Server I set up for them.

The domain/uid/password info is cached on the laptop itself, allowing each user to log in to the machine irrespective of the status of the network connection. (This has the added benefit of enabling them to log into their domain profile on their laptop when away from the office).

When they log in to their PCs in the office, the wifi connection is brought up post-login, and authentication to the SME Server PDC is seamlessly completed. They then have access to all the network shared resources. It works very well as long as:

- Each user logs in to the laptop the first time while it is connected to the network (ethernet) to cache their credentials locally;
- You are prepared to allow login details to be locally cached (note: XP does this by default, so unless you have taken steps to disable it, it should work fine. Whether it's a good thing or not is a matter of opinion - for me the benefits outweigh the risks, given that there are plenty of other security risks with XP).

Cheers.

iltasu
Re: Windows XP PDC Authentication over wireless network
« Reply #2 on: February 19, 2008, 12:15:34 AM »
Hi ked,
many thanks for your answer, really! ^_^
Indeed I realized the credential caching, but since I use roaming profiles (for backup reasons, but mainly for computer independence of the users), this leads always to not have the local profile in sync with the server one (possibly leading to erases of some files... indeed M$ networking is a bit crap, but it's still so widespread! O_O).
Another problem comes when mounting remote disks (uhm! I can't always recall how they call it... and since I'm Italian, I'm not even used to the English term... maybe... "Connect network drive"?), since the wifi is almost the last thing that's enabled after the login (in which it complains that it can't find the remote profile, it will use the local one, but all the modifications will be lost... or something like this...), all the connected drives fire up an error like "Unable to re-connect to the remote disk"... all this is quite... uhm... annoying... I mean, I can tell all the users that they have to double click on the network drive when the connection comes up, but I completely lose the roaming profiles feature (that, in this case, is mandatory, since all the users are supposed to use different workstations at different moments... by now, I'm missing the home NFS mount... but those clients are mainly Windows... thus I can't even think about it... sigh! -_-)

Cheers

ked
Re: Windows XP PDC Authentication over wireless network
« Reply #3 on: February 19, 2008, 01:28:31 AM »
No problems - I'm at home sick so am bored enough to answer posts I only know a little bit about! :lol:

> Indeed I realized the credential caching, but since I use roaming profiles (for backup reasons, but mainly for computer independence of the users), this leads always to not have the local profile in sync with the server one

Yeah, I considered roaming profiles for the same reason - but then decided it was too hard. Instead, we implemented it through policy. The business owner was quite happy to make a call that personal data is to be stored on each person's home directory on the server and that all email access is to be by webmail. In addition, all work is held in a central repository on the server. So any person can jump on any given machine, log in as themselves and effectively get the same user experience on each machine.

Once everyone got used to the strong password requirements they have all adhered to this approach surprisingly well. I have done occasional random scans of each machine and found very little local data stored in "My Documents" etc.

> Another problem comes when mounting remote disks

Actually, I reckon remote disk mounting is considerably easier using authenticated logins. The netlogon.bat technique works perfectly at restoring network drives as they can only be attempted after the PC has successfully logged onto the domain. We don't use locally mapped drives at all. One big benefit is that a standard set of network drives are mounted for all users - e.g. P: for project work, I: for images etc. Using the IFMEMBER.EXE MS addon, http://www.microsoft.com/downloads/details.aspx?FamilyID=07C2F6D7-815E-4FA0-9043-4E4635CCD417&displaylang=en we have two levels of network shares mapping for the "business administration" and "general" groups.

It's true that users can't add their own maps to the netlogon.bat - but again, in our fairly locked-down environment it works to our advantage.

> sigh! -_-

I'm with you mate. It's all too hard.

Cheers
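
The group-based drive mapping described in the post above could look like the following netlogon.bat. This is an added example, not ked's script: the domain MYDOMAIN, the group busadmin and the share names projects, images and accounts are hypothetical, and ifmember.exe is assumed to have been copied into the netlogon share.

```batch
@echo off
rem netlogon.bat - added example, not the script from the thread.
rem Assumptions (hypothetical names): domain MYDOMAIN, group busadmin,
rem shares projects, images and accounts on the logon server, and
rem ifmember.exe placed in the netlogon share next to this script.

rem Drop stale mappings so a leftover "could not reconnect" entry from
rem an earlier session does not block the fresh mapping.
for %%D in (P: I: S:) do net use %%D /delete /y >nul 2>&1

rem Standard drives for every domain user.
rem %LOGONSERVER% already contains the leading \\ of the server name.
net use P: %LOGONSERVER%\projects /persistent:no
net use I: %LOGONSERVER%\images /persistent:no

rem ifmember.exe sets ERRORLEVEL to the number of listed groups the
rem current user belongs to, so "if errorlevel 1" reads as
rem "member of at least one of them".
%LOGONSERVER%\netlogon\ifmember.exe "MYDOMAIN\busadmin"
if errorlevel 1 net use S: %LOGONSERVER%\accounts /persistent:no
```

The script only decides which drive letters appear for a user; access to each share is still enforced by the share's group permissions on the server.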


iltasu
Re: Windows XP PDC Authentication over wireless network
« Reply #4 on: February 19, 2008, 10:02:49 AM »
> No problems - I'm at home sick so am bored enough to answer posts I only know a little bit about! :lol:

O_O I'm sorry, hope you'll get well soon!

> Yeah, I considered roaming profiles for the same reason - but then decided it was too hard. Instead, we implemented it through policy. The business owner was quite happy to make a call that personal data is to be stored on each person's home directory

Indeed, even I've tried to make my clients aware of the greatness of web apps... apart from the centralization benefit, there would be a great optimization of resources client side... no more heavyweight software around your RAM, but they are so used to the right click -> Send to... feature (not just that, the accounting software has some hooks in the groupware client for some functionalities and this is a showstopper, they're too used to working that way...), that they've not even considered webmail/calendar an option... I think I'm not a good seller... O_O =_= -_-

> We don't use locally mapped drives at all. One big benefit is that a standard set of network drives are mounted for all users - e.g. P: for project work, I: for images etc. Using the IFMEMBER.EXE MS addon

I'll have a look at that.. didn't know it existed... thanks for the tip! ^_^

> I'm with you mate. It's all too hard.

What a sad monopolistic world! =_= ehehehehe! ^_^

Cheers!

fpausp
Re: Windows XP PDC Authentication over wireless network
« Reply #5 on: February 19, 2008, 03:24:55 PM »
Hi iltasu,

I am very interested in setting up what you said:

> I've set up the RADIUS server on the SME Server 7.3 configured as PDC, I've set up the Access Point as a client for this RADIUS server (WPA Enterprise) and the clients (both Linux and Windows XP) can authenticate and use the wireless connection...

Can you give me more details please, maybe step by step?


regards
fpausp
Viribus unitis

iltasu
Re: Windows XP PDC Authentication over wireless network
« Reply #6 on: February 19, 2008, 03:43:55 PM »
Well... dear fpausp... this is indeed the problem... From what I can understand from your post, you are in the same situation as myself: a complete WPA Enterprise solution working, from the structure point of view, all the computers can use the wireless network, but just after they have logged into the computer. From here on, it's a total mess. To have a complete success, we just need to work out authentication on the domain via wireless, but the wifi interface won't be initialized by Windows unless you're already logged in... From Google I understood that, maybe, if you can authenticate the computer against the same RADIUS server you use to authenticate users of the wireless network, before the login screen comes out, using a certificate authority that can be a self-signed cert from the PDC server, you can even log in on the domain, but the obscure part is just this: how to establish a trust between the Windows client and the SME Server/FreeRADIUS server before the user logs in...
I'm keeping track of all the steps I took on my blog, but sorry, it's just in Italian... and it wouldn't be useful... we are at the same point... thus, please, if you can understand how to achieve domain logon over wifi, let me know through this thread, I'll surely do so myself if I manage to understand it...

By the way... Thanks for the post... and welcome aboard this bandwagon... we are a bit lost by now, but I'm sure we'll manage to achieve the target!!! ^_^
« Last Edit: February 19, 2008, 03:45:48 PM by iltasu »

Stefano
Re: Windows XP PDC Authentication over wireless network
« Reply #7 on: February 19, 2008, 03:50:58 PM »
Hi Gabriele

I've read your how-to on your blog... nice work indeed...

Please, if you find 5 minutes, translate it into English and publish it on the wiki...

BTW, I'm Italian and I'm writing in English because this forum is in English :-)

Come to the Italian language forum too... and welcome to the community.

Ciao

Stefano

iltasu
Re: Windows XP PDC Authentication over wireless network
« Reply #8 on: February 20, 2008, 01:23:09 AM »
Thank you for the welcome, I'll surely check the Italian forum ^_^ ... and I'm really glad to get involved in this great community! And... yes, you are right, I'll translate the little howto I made and put it on the wiki, it's something I feel is due to this great piece of software! ^_^ Even if it's not complete (as you have read, I'm still struggling to find a way to enable the wifi adapter before Windows logon...), it will be a good reference... I guess... ^_^

See you in the Italian forum (ci vediamo nel forum italiano! ^_^)

Ciao

iltasu
Re: Windows XP PDC Authentication over wireless network
« Reply #9 on: February 20, 2008, 12:52:14 PM »
O_O A bit OT, but how could I create an account to edit the wiki and add a howto about this subject?

ked
Re: Windows XP PDC Authentication over wireless network
« Reply #10 on: February 20, 2008, 11:31:49 PM »
Hello iltasu,

I was cruising around the MS networking blog on an unrelated issue and came across this page (http://technet.microsoft.com/en-us/library/bb878016.aspx?) which I thought might help you. It gives the impression that the "Authentication" tab on the wireless network properties dialog can be used to authenticate a PC without the user logging in. It does mention the certificates as per your OP, but to my reading this article implies that they are locally cached on the client machine and that to configure it all you have to do is nominate the name of the RADIUS server.

Cheers.

Ken

iltasu
Re: Windows XP PDC Authentication over wireless network
« Reply #11 on: February 20, 2008, 11:55:44 PM »
Many thanks! Really helpful! ^_^ I'm reading the page just now... I hope to manage to try it tomorrow on the network, it looks like it's all in our hands... I've just to try it! ^_^ Can't see the time to make a good, complete, howto and post it here! ^_^

iltasu
Re: Windows XP PDC Authentication over wireless network
« Reply #12 on: February 21, 2008, 12:34:08 AM »
Indeed it's so strange I didn't find this resource until ked pointed out that link in his last post (again, many thanks)... however, probably it led to using different keywords for the Google search that made this magic happen... anyway, I'm even still wondering why I didn't manage to find that page since I even visited the FreeRADIUS wiki.... now I just have to integrate this in the SME Server way of doing things... figuring out...