
So I have my Windows laptops using 802.1X for authentication to connect to my WPA2-Enterprise WiFi network. This works well except for one edge case.

These laptops are Windows 7 Pro and Windows 8 Pro.

As a background, I have only been able to get users to successfully log in to such a laptop if their profile already exists in some way on the laptop -- i.e. cached credentials are used for the login, which are then passed on to the 802.1X process for authorization to connect to the WiFi.

I am now being shipped laptops without physical ethernet connectors, meaning that I can't have users log in for the first time when connected by a wire. And therefore I have a chicken-and-egg problem:

  • there are no cached credentials;
  • the laptop doesn't try to connect to the WiFi because there are no credentials to pass through
  • the laptop can't authenticate the credentials because there is no network over which to perform the authentication

What I want is a way to set the laptop to pass the authentication information to the WiFi network before it tries to authenticate the user as a user. In other words, set up the network with the passed credentials so we have a network with which to perform the authentication.

I have tried:

  • the Enable single sign on for this network
  • the Perform immediately before user logon
  • the HKLM\Software\Microsoft\Windows\CurrentVersion\Run regedit update
  • the Computer Configuration\Policies\Administrative templates\System\Logon\Always wait for the network at computer startup and logon local policy change

The last two seem to depend on the network being a PSK network, not an Enterprise network, since the network connect fails prior to logon because there are no credentials to use for the connection.

Is there a way to make this work, or am I stuck buying a USB ethernet dongle and having users do their first logins using that?

David Mackintosh
  • What you are describing is RADIUS authentication. We have a very similar situation (except we already have RADIUS set up). I'm following as we've had issues with RADIUS authentication being "flaky" in a very similar environment. – Get-HomeByFiveOClock Jan 30 '15 at 20:31
  • We are actually using Radius between the WiFi controller and the AD server. Problem is chicken-and-egg as described above. – David Mackintosh Jan 30 '15 at 21:55
  • O.K., so you are able to authenticate just fine *when* and only when you have already established a connection? Then it's probably an issue at the wifi controller. Have you attempted MAC based authentication? – Get-HomeByFiveOClock Jan 31 '15 at 04:33

2 Answers


You say your users have their creds, so the computer must be a domain member. So initially you must join this computer to the domain or configure the computer to connect to WiFi. In both situations you need helpdesk to do this, so, I think, you have to choose between a USB dongle and Wi-Fi with PSK (which is told to helpdesk) as the two easiest ways of solving this problem.

filimonic
  • Marking this answer as correct because there does not seem to be a way to short-circuit the chicken-and-egg problem. The solution we are working with is: A) the WiFi network specification is pushed to domain members as a GPO; B) the first time users log into a computer, it has to be attached through a wire -- we have purchased a couple of USB dongles for this express purpose. – David Mackintosh Feb 10 '15 at 16:38
  • Wait... If your unboxed PC is already joined to the domain, and the wireless GPO is applied, there is no problem - because the wireless GPO is a computer setting, so the computer must know how to authenticate on wifi. It works in my enterprise - when the PC boots up, it authenticates as computer and prompts logon. When the user logs on, it loads the user profile and after that it reconnects to wifi as user (authenticates as user, not as computer). NB: reconnection is optional and not necessary – filimonic Feb 11 '15 at 17:00
  • Well in practice it doesn't work like that. If your wifi-enabled PC only joins the WiFi with domain validated credentials, there's no network link with which to do validation prior to connection. And if the computer doesn't have the credentials cached, the only response the computer has is "That account doesn't exist". – David Mackintosh Feb 12 '15 at 14:47
  • I'll check this tomorrow. I think it works in my enterprise, but we do not have such use cases – filimonic Feb 12 '15 at 19:25
  • Checked. It works... I add the computer to the domain via cable, I add my computer to the WiFi-Emp-Computers group, I reboot my computer (with cable connected), I run GPUpdate /Force, I receive certificates and the wi-fi profile (via GPO), I take off the Ethernet cable, I reboot the computer, and it connects to Wi-Fi. Then I add the user to the Wifi-Emp-Users group and log on to this computer. The problem is we have cert-based wi-fi auth and VLAN switching in the Wi-Fi profile, so the user does not receive the certificate immediately, so the Wi-Fi for him does not work, but if I change auth to password-based, everything works! – filimonic Feb 17 '15 at 18:53
  • So you are adding the domain user to a local group before that user logs into the local computer for the first time? – David Mackintosh Feb 17 '15 at 21:34
  • No, not local but domain group. This is because we have VLAN switching in our wireless policy. If you do not use VLAN switching, then you grant access per-computer, so if the PC is already joined to domain, it will authenticate on Wi-Fi before user logon and never disconnect after. – filimonic Feb 17 '15 at 22:26
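The disagreement in the comments above comes down to one setting in the deployed WLAN profile: whether 802.1X runs with the computer's own credentials at boot (`authMode` of `machine` or `machineOrUser`) or only with user credentials (`authMode` of `user`), in which case nothing can connect before the first logon. The check below is added example code, not part of this thread or of any Microsoft tool: it parses the XML that `netsh wlan export profile name="<profile>" folder=<dir>` writes on the laptop and reports whether the profile can connect before logon. The two embedded profiles and the name `CorpWiFi` are constructed for the example; the EAP configuration block is omitted because the verdict does not depend on it.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Windows WLAN profile XML and its embedded 802.1X (OneX) block.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# Modes in which the supplicant has credentials (computer account / computer
# certificate) available before any user logs on.
MACHINE_CAPABLE = ("machine", "machineOrUser")


def inspect_profile(xml_text):
    """Return the settings that decide whether a WLAN profile can connect
    before the first interactive logon on a domain-joined machine."""
    root = ET.fromstring(xml_text)
    name = root.findtext("wlan:name", default="?", namespaces=NS)
    use_onex = root.findtext(
        "wlan:MSM/wlan:security/wlan:authEncryption/wlan:useOneX",
        default="false", namespaces=NS)
    onex = root.find("wlan:MSM/wlan:security/onex:OneX", NS)

    # Not an 802.1X profile (e.g. PSK): the key is in the profile itself,
    # so the pre-logon connection works regardless of user credentials.
    if use_onex.lower() != "true" or onex is None:
        return {"name": name, "onex": False, "auth_mode": None,
                "sso_type": None, "connects_before_logon": True}

    # authMode is optional in the schema; its documented default is machineOrUser.
    auth_mode = onex.findtext("onex:authMode", default="machineOrUser", namespaces=NS)
    # singleSignOn/type is "preLogon" when the "Perform immediately before
    # user logon" option from the question is enabled; absent otherwise.
    sso_type = onex.findtext("onex:singleSignOn/onex:type", default=None, namespaces=NS)
    return {
        "name": name,
        "onex": True,
        "auth_mode": auth_mode,
        "sso_type": sso_type,
        # User-only authentication is the chicken-and-egg case from the question.
        "connects_before_logon": auth_mode in MACHINE_CAPABLE,
    }


def _constructed_profile(onex_body):
    """Build a minimal WPA2-Enterprise profile around the given OneX body (constructed sample)."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['wlan']}">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="{NS['onex']}">
        {onex_body}
      </OneX>
    </security>
  </MSM>
</WLANProfile>"""


# Profile as filimonic describes it: computer authenticates at boot, user afterwards.
MACHINE_OR_USER_PROFILE = _constructed_profile(
    "<authMode>machineOrUser</authMode>"
    "<singleSignOn><type>preLogon</type><maxDelay>10</maxDelay></singleSignOn>")

# Profile that reproduces the question's problem: only user credentials are ever used.
USER_ONLY_PROFILE = _constructed_profile("<authMode>user</authMode>")


if __name__ == "__main__":
    for label, xml_text in (("machineOrUser", MACHINE_OR_USER_PROFILE),
                            ("user", USER_ONLY_PROFILE)):
        r = inspect_profile(xml_text)
        verdict = "connects before logon" if r["connects_before_logon"] \
            else "needs a user logon first (cached creds or wired first logon)"
        print(f"{label:14s} profile {r['name']}: authMode={r['auth_mode']} "
              f"sso={r['sso_type']} -> {verdict}")
```

On a real laptop, export the deployed profile to a folder, open the resulting XML and pass its text to `inspect_profile`; if it reports `auth_mode` of `user`, the GPO is pushing a user-only profile and the computer account is never used, which matches the behaviour described in the question.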

You can try opening credential manager and Add Windows credential on each PC and saving user credentials before they connect to the WPA2-Ent wifi network.

For "Internet or network address" add the FQDN of your domain controller. For "Username" - domain\username.

Andrysha
  • Not sure how that is supposed to work -- the Credential manager appears to manage per-user credentials. So in order to create the credentials for a new user, they'd have to log in in order to bind their credentials to their account. But if they log in, they have cached credentials anyway. Unless I'm not understanding something. – David Mackintosh Jan 30 '15 at 21:56
  • Have you tried storing them under the local account? – Andrysha Jan 30 '15 at 22:12
  • Honestly no, because I wouldn't think sharing account credentials between login accounts would be in any way secure. – David Mackintosh Jan 31 '15 at 03:29