
802.1x authentication for computers

 
 
Kjetil Pettersson

 
      11-10-2004, 08:56 PM
I have PEAP (MSChap v2) working as authentication for WLan connected
computers.

I have a domain consisting of w2k SP4 DCs. The IAS Radius server is w2k3.
Running Mixed Mode.

I would also like to authenticate client computers (Windows XP SP2) so I can
log on to the domain with scripts, GPOs etc. So I select "Authenticate as
computer when possible" (translation) and add the computer account to the
same group as my other WLan users. In the IAS eventviewer log I can see
that my computer tries to authenticate but I'm being told that:

"User host/COMPUTERNAME.fq.dn was denied access."
....
"Reason = The connection attempt failed because remote access permission for
the user account was denied. To allow remote access, enable remote access
permission for the user account......"

I am a little confused here - is there supposed to be a "Dial-Up"-tag on my
computer objects in "Active Directory Users and Computers" on which I can
allow remote access?? I can not find it.

Could it be that I need a pure Windows 2003 domain to get this working?

The computer I try is a member of the same domain as my IAS and DC servers. I
have also tried to import the CA certificate (which is also the IAS server).


 
 
 
 
 
Scott Lowe

 
      11-11-2004, 02:33 AM
On 2004-11-10 16:56:27 -0500, "Kjetil Pettersson"
<(E-Mail Removed)> said:

> I am a little confused here - is there supposed to be a "Dial-Up"-tag
> on my computer objects in "Active Directory Users and Computers" on
> which I can allow remote access?? I can not find it.
>


I had to get a patch from Microsoft in order to add the "Dial-Up" tab
to my Computer objects, and needed that tab before it would work. I
believe the article number that referenced the patch was 306260; try
the following URL:

<http://support.microsoft.com/default.aspx?scid=kb;en-us;306260:>

Basically, you call Microsoft, they send you an LDIF file that you
import into Active Directory, and the tab appears.

HTH.

--
Scott Lowe

 
 
Kjetil Pettersson

 
      11-11-2004, 11:35 AM
> I had to get a patch from Microsoft in order to add the "Dial-Up" tab to
> my Computer objects, and needed that tab before it would work. I believe
> the article number that referenced the patch was 306260; try the following
> URL:
>
> <http://support.microsoft.com/default.aspx?scid=kb;en-us;306260:>
>
> Basically, you call Microsoft, they send you an LDIF file that you import
> into Active Directory, and the tab appears.
>
> HTH.
>
> --
> Scott Lowe



 
 
Kjetil Pettersson

 
      11-11-2004, 11:36 AM
I have a Remote Access Policy in IAS that checks a Windows group (WLAN
Users). I tried to add the computer to this group without success. Then
later on I upgraded from Mixed mode to Native mode for my w2k domain and
waited about 15 minutes. It worked!

No need to patch anything though. I'm still not sure if it was the
mixed->native mode trick that did it or if it was just the good old "if it
doesn't work - try waiting a couple of hours for AD to catch up"-trick
though.

KP


 
 
 
 