Last week a client of mine asked me to put together an interesting wireless configuration. The requirement was 802.1x wireless authentication, but when we first set it up they found that if a technician stepped over to someone else’s (wirelessly connected) desktop, they would be unable to log in because their credentials were not cached on the system. Only by connecting the computer to a wired port to allow the OS to talk to the AD server were they able to finally log into a user’s laptop.
They asked me if we could set up the laptops to maintain a wireless network connection using machine authentication when at the login screen, and revert to user authentication when somebody logs into the laptop — allowing them to control who has access to the wireless network. I have to admit, I was initially skeptical that this would work, but despite the complexity of the configuration I managed to do it.
Before I go into the details, here are the caveats as I see them.
- Because laptops will connect to wireless even when nobody is logged in, they will be actively using their radio all the time and this could potentially drain the battery of a laptop much more quickly than might be expected otherwise.
- There is always a security risk of an always-connected computer, and this is made more significant if that network is wireless. We are currently pretty safe with WPA2, but this situation could change.
- Lastly, there are some fairly in-depth Windows configurations going on here. I’m not an expert in Windows systems; these solutions I’m going to describe below are done by hand — and I expect that you will want to script these changes into Group Policy instead of visiting every laptop in your domain one by one.
First you should get 802.1x user level authentication working. See the following links for some guidance:
The configuration on the wireless controller is pretty trivial: just configure a RADIUS server and set the WLAN to WPA/WPA2 with 802.1x authentication.
The first policy I created in MS IAS (RADIUS) restricted authentication to the groups Domain Computers and Wireless Users. Next I created a second RADIUS policy on IAS to restrict authentication to the Domain Computers group only.
You need to configure a CA on your domain. My client used their Domain Controller, but there might be a better way to do this. From the CA, we exported a certificate that was loaded onto a laptop with a USB key — you could probably do this via GPO. Importing the certificate posed some problems, as the default behaviour is to store the certificate in a user profile. This meant that the systems were able to connect to wireless when a user was logged in, but after a reboot it wouldn’t work — so when installing the certificate we placed it manually.
- Install the CA server certificate on the laptop
  - Do NOT choose automatic installation.
  - Place all certificates in the following store: (click the checkbox to show physical stores)
  - Select Trusted Root Certification Authorities\Local Computer
Next we had to configure the laptops to connect to wireless even when nobody was logged into the computer. To do this, I used this MS Support article: http://support.microsoft.com/kb/309448
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode DWORD=1
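The two machine-side steps above (certificate into the Local Computer store, AuthMode registry value) are the ones you will want to script rather than click through on every laptop. Here is an added PowerShell example of doing that, not code from the original post; it assumes the exported CA certificate sits at a placeholder path (C:\deploy\corp-root-ca.cer), that it runs elevated (or as SYSTEM from a GPO startup script), and that the client is Windows XP, where the KB309448 AuthMode value applies. The check function at the end reports the exact failure mode described above: the CA present only in the user's store, so wireless works after logon but not at the login screen.

```powershell
# Added example (not from the original post). Assumed placeholder path.
$CaCertPath = 'C:\deploy\corp-root-ca.cer'
# Registry key from KB309448
$EapolKey   = 'HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global'

function Install-MachineRootCa {
    param([string]$Path)
    # certutil -addstore Root, run elevated, writes to the LOCAL MACHINE
    # Trusted Root store, which is what the no-user-logged-in case needs.
    certutil.exe -addstore -f Root $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
}

function Set-EapolAuthMode {
    param([int]$Mode)
    if (-not (Test-Path $EapolKey)) { New-Item -Path $EapolKey -Force | Out-Null }
    # AuthMode 1: computer authentication before logon, user authentication
    # after logon, back to computer authentication at logoff (KB309448).
    Set-ItemProperty -Path $EapolKey -Name AuthMode -Value $Mode -Type DWord
}

function Test-MachineWirelessPrereqs {
    param([string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    $inUserRoot = Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    $mode = (Get-ItemProperty -Path $EapolKey -Name AuthMode -ErrorAction SilentlyContinue).AuthMode
    # New-Object PSObject rather than [pscustomobject] so this runs on PowerShell 2.0 (XP)
    New-Object PSObject -Property @{
        CaThumbprint   = $ca.Thumbprint
        InMachineRoot  = [bool]$inMachineRoot
        # True means the symptom described above: works only while a user is logged in
        OnlyInUserRoot = ([bool]$inUserRoot) -and (-not [bool]$inMachineRoot)
        AuthMode       = $mode
    }
}

Install-MachineRootCa -Path $CaCertPath
Set-EapolAuthMode -Mode 1
Test-MachineWirelessPrereqs -Path $CaCertPath | Format-List
```

The verification output is worth keeping in the deployment script: a laptop reporting OnlyInUserRoot = True or AuthMode empty is one that will still need a wired port for first logon.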
Finally I configured the WLAN on the client to handle this configuration.
- Association Tab
  - network authentication — WPA2
  - data encryption — AES
- Authentication Tab
  - EAP type — PEAP
  - CHECK authenticate as computer
  - CHECK authenticate as guest
  - PEAP Properties
    - CHECK validate server certificate
    - CHECK YOUR-CA-HERE in the list of Trusted Root Certification Authorities
    - Select Auth Method — Secured password (EAP-MSCHAP v2)
    - CHECK Enable Fast Reconnect
    - EAP-MSCHAPv2 Properties
      - CHECK automatically use my Windows logon name and password
- Set to automatically connect
After all these steps, we had the laptops connecting properly. We passed the laptop around the room, having people who had never touched it before log in with their AD credentials. If one of these users were not in the Wireless Users AD group they would not be permitted wireless access when logged in.