1

I am using a 2008 r2 dc that also performs Radius (NPS), I also have a 2008 r2 certificate authority which is giving out certificates. The computers are getting the certificate and when a user logs into the device (that has previously logged in) gets put on the correct VLAN (according to there user access). However I cant get the computers to join the wireless network prior to logging in, so that they can log in with their domain accounts and authenticate through the wireless. The basic setup is Computer gets group policy which tells it to get a certificate the computer then has a seperate vlan to join just as a computer account however the wireless computer wont connect through that vlan. (this vlan allows login information only then once the users credentials are verified it puts them onto another VLAN).

So I am trying to work out why the notebook wont auto connect to the wireless network as a computer.

Thanks

forgot to mention Win 7 ent client.

EDIT: I got this to work however I am having the issue that if someone who doesnt have the certificate eg an iphone get prompted whether they want to accept the certificate once you select accept it lets you join the network. I have tried to make it that your device has to be part of a certain group however when this happens, even a valid computer that is in the correct group cannot join. Has anybody else experienced this?

Zoredache
  • 128,755
  • 40
  • 271
  • 413
JohnyV
  • 938
  • 4
  • 26
  • 45

2 Answers2

1

If the laptops have intel proset wifi cards, than you can utilize "intel proset wireless pre-logon connect" via the administrative tool. It lets you create an executable about 100KB that applies one or many wireless profiles that can authenticate to WAPs prior to windows logon. I did this and pushed it out via group policy so I could VNC to Windows 7 workstations prior to any user logging on. I was using pre shared keys but I recall seeing radius instructions in the manual too.

Derek
  • 11
  • 1
0

Are you confusing WLAN and VLAN? Wireless clients generally get to decide which WLAN they join (based on SSID), but VLAN tagging usually isn't exposed to wireless clients. It's usually up to the APs, in conjunction with the WLAN Controller (if any) and the RADIUS (or other AAA) server to decide which VLAN ID that that client's traffic should be tagged with when the AP bridges it onto the wire.

So if the clients are failing to try to join the right WLAN (SSID), that's a sign of probably a configuration error on the client. But if their traffic is being tagged with the wrong VLAN ID, that's probably a problem with the network infrastructure.

Of course, if you have a 1:1 mapping between SSIDs and VLANs, then my point is moot.

Edit: One more thought: Do you have EAP-TLS (a.k.a. "smart card or other certificate") authentication enabled and working on your RADIUS server? Because if you've been authenticating your users via another EAP type (e.g. PEAP), it may be that you just haven't got EAP-TLS up and working yet. You might try using a user cert to authenticate as a user, just as a check that you've got EAP-TLS working.

Spiff
  • 2,496
  • 16
  • 17
  • No, I am not mixing them up. The notebook connects to an AP using a certain vlan and a computer certificate to authenticate to the radius server. Once the user logs in they then meet a new condition on the radius server and change their vlan according to the AD group that they are in. I am using EAP-PEAP. After your comments about the EAP tls I have changed my auth method to use the certificate however I now users are not getting the correct vlan once they log in (but the can log in which is a start) Thanks any other ideas? – JohnyV Mar 30 '10 at 03:44