Posted: 3/30/2017 3:09:46 PM EDT
Adding a new wireless network with WPA2 Enterprise authentication.  It mostly works, but RADIUS authentication fails if the client selects "automatically use my Windows login and password".

With the Auto box checked, the client tries to use DOMAIN\Username and fails.

Clients can manually enter Username and that works.  Clients can also enter [email protected] and that works as well.

Anyone know how to fix this?
Link Posted: 3/30/2017 3:37:18 PM EDT
What vendor is the wireless and radius server?
Link Posted: 3/30/2017 5:49:41 PM EDT
Is the RADIUS server actually authenticating against the DC?  Are the machines domain joined/enrolled?
Link Posted: 3/30/2017 5:58:21 PM EDT
Aruba IAP-325 authenticating against a Windows Server 2008 R2 domain controller/RADIUS server via Network Policy Server.  Client PCs are joined to the domain.
Link Posted: 4/3/2017 12:51:18 AM EDT
Quoted:
Adding a new wireless network with WPA2 Enterprise authentication.  It mostly works, but RADIUS authentication fails if the client selects "automatically use my Windows login and password".

With the Auto box checked, the client tries to use DOMAIN\Username and fails.

Clients can manually enter Username and that works.  Clients can also enter [email protected] and that works as well.

Anyone know how to fix this?

I have no real experience with Windows' implementation of RADIUS in conjunction with AD (we use FreeRADIUS backed by OpenLDAP).

But I'm betting your users are logging into their Windows workstations by putting in just the bare username (or even putting in domain\username) for the username. Logging into the domain authenticated workstation prompt with just the username (no domain defined) in the username field results in the OS passing the deprecated "Down-Level" style logon name (domain\username).

If you have the client log in to the workstation using the UPN formatted username (e.g. [email protected]), then the "automatically use my Windows login and password" option should work for RADIUS.
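
The logon-name formats discussed in this thread (down-level `DOMAIN\Username`, UPN, and bare username), as an added example that is not part of any post: a small Python triage helper that classifies the RADIUS User-Name values seen by the server and counts rejections per format, so a failure tied to one name style stands out. The domain names, the NetBIOS-to-DNS map and the sample records are constructed assumptions.

```python
from collections import Counter

# Assumed NetBIOS-to-DNS domain map (constructed; replace with your own domain).
NETBIOS_TO_DNS = {"CORP": "corp.example.com"}

def classify(user_name):
    """Return (style, account, domain) for a RADIUS User-Name value."""
    name = user_name.strip()
    # Windows computer authentication presents host/<fqdn> as the identity.
    if name.lower().startswith("host/"):
        host, _, dom = name[5:].partition(".")
        return ("machine", host, dom.lower())
    if "\\" in name:  # down-level logon name: DOMAIN\user
        dom, _, acct = name.partition("\\")
        return ("down-level", acct, dom.upper())
    if "@" in name:   # UPN: user@dns.domain
        acct, _, dom = name.rpartition("@")
        return ("upn", acct, dom.lower())
    return ("bare", name, "")

def to_upn(user_name, default_dns=None):
    """Rewrite a user identity to UPN form, or None if it cannot be mapped."""
    style, acct, dom = classify(user_name)
    if style == "upn":
        return f"{acct}@{dom}"
    if style == "down-level":
        dns = NETBIOS_TO_DNS.get(dom)  # unknown NetBIOS names are not guessed
        return f"{acct}@{dns}" if dns else None
    if style == "bare" and default_dns:
        return f"{acct}@{default_dns}"
    return None  # machine identities and unmapped names are left alone

def failures_by_style(records):
    """Count rejected requests per name style from (user_name, accepted) pairs."""
    counts = Counter()
    for user_name, accepted in records:
        if not accepted:
            counts[classify(user_name)[0]] += 1
    return dict(counts)

# Constructed sample mirroring the symptom reported in the first post.
SAMPLE = [("CORP\\alice", False), ("alice", True),
          ("alice@corp.example.com", True), ("CORP\\bob", False)]

if __name__ == "__main__":
    print(failures_by_style(SAMPLE))
    print(to_upn("CORP\\alice"))
```
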
Link Posted: 4/3/2017 1:43:16 PM EDT
I am testing a very similar setup with AD, a Server 2012 RADIUS server that is joined to the domain and Aruba IAP 315s.

This is the guide I used to get me up and running.

https://glazenbakje.wordpress.com/2013/08/31/microsoft-windows-server-2012-radius-setup/

Make sure you pay attention to the NPS, the policies and that you add a Windows group to have access.

My test computer is domain joined and I don't even have to type in a username or password when I connect to the test SSID. I have not tried on a non domain joined laptop yet. 
Link Posted: 4/21/2017 10:46:17 PM EDT
Install MS CA and use certificates to authenticate the machine.   That way you can admin the machine when users aren't logged in.

You can use GPO to lock down the clients to specific SSIDs, which makes for a pretty secure WLAN.