802.1x EAP-TLS wireless networking - connect before logon

Hi there.
I've set up a test lab using a windows XP SP2 laptop with built in W-LAN
card using EAP-TLS authentication and WPA encryption to connect to a Cisco
access point.
The authentication is done using a Windows 2000 server using IAS and running
as a certificate authority.

It's working happily with users requesting a certificate from the CA via the
web interface and they can then connect after they have logged onto the
laptop (using cached credentials as there is no connection to the network
yet).

Can anyone point me in the direction of a guide to getting it authenticating
the client PC (again via certificate) rather than the user and establishing
the wireless connection before the user has logged on so that logon scripts
etc will run reliably

Thanks

--
Alex

Hermes: "We can't afford that! Especially not Zoidberg!"
Zoidberg: "They took away my credit cards!"

www.drzoidberg.co.uk www.ebayfaq.co.uk

Dr Zoidberg schrieb:
> Hi there.
> I've set up a test lab using a windows XP SP2 laptop with built in W-LAN
> card using EAP-TLS authentication and WPA encryption to connect to a Cisco
> access point.
> The authentication is done using a Windows 2000 server using IAS and running
> as a certificate authority.
>
> It's working happily with users requesting a certificate from the CA via the
> web interface and they can then connect after they have logged onto the
> laptop (using cached credentials as there is no connection to the network
> yet).

To logon to the IAS before user logon the laptop must have a certificate
validating the computer account as well as the user account.

Look into the IAS logs to see any messages relating to failed computer
authentication.

Also, you should use the zero configuration service of XP to manage the
wlan card...

At our office, we do this successfully (almost the same setup as yours:
XPSP2 laptops (centrino) logging on to a network of cisco ap's using an
IAS server for 802.1x authentication...).


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Martin Bodenstedt wrote:
> Dr Zoidberg schrieb:
>> Hi there.
>> I've set up a test lab using a windows XP SP2 laptop with built in
>> W-LAN card using EAP-TLS authentication and WPA encryption to
>> connect to a Cisco access point.
>> The authentication is done using a Windows 2000 server using IAS and
>> running as a certificate authority.
>>
>> It's working happily with users requesting a certificate from the CA
>> via the web interface and they can then connect after they have
>> logged onto the laptop (using cached credentials as there is no
>> connection to the network yet).
>
> To logon to the IAS before user logon the laptop must have a
> certificate validating the computer account as well as the user
> account.
> Look into the IAS logs to see any messages relating to failed computer
> authentication.
>
> Also, you should use the zero configuration service of XP to manage
> the wlan card...
>
> At our office, we do this successfully (almost the same setup as
> yours: XPSP2 laptops (centrino) logging on to a network of cisco ap's
> using an IAS server for 802.1x authentication...).

Yep , got it working last thing yesterday using group policy to
automatically generate certificates.

Thanks

--
Alex

Hermes: "We can't afford that! Especially not Zoidberg!"
Zoidberg: "They took away my credit cards!"

www.drzoidberg.co.uk www.ebayfaq.co.uk