PEAP authentication for domain & non-domain computers

Hello Everyone,
Some of our users have laptops that are not in the domain and are unable to connect to the wireless network. Although their computers aren't in the domain, the users do have an AD account and are currently a part of the security group attached to the Wireless NPS policy. The only remedy I have for this problem is to manually add the SSID to their computer which defeats the purpose of this wireless network. The ultimate goal is to allow the user to connect to the wireless network by entering their domain credentials and moving on.
We have a WLC 2504 running 7.4.110.0 with 15 1602i APs. The SSID is configured to pass 802.1X EAP authentication to NPS running on Windows 2008 R2. With mobile phones and tablets, the authentication is successful without a hitch, so I don't understand why a non-domain computer is unable to connect without manually entering the SSID. In the WLC log, I will see entries such as:
"AAA Authentication Failure for UserName:host/LastNameFirstInitial-LT.mydomain.Local User Type: WLAN USER".
By examining this log entry, to me it says the domain profile on the computer is being sent to NPS for authentication instead of the username and password. We have a 3rd-party SSL certificate installed on the NPS server.
Taking it one step further: we have a second SSID for guest users that is configured with the same setup, except that NPS is configured to accept authentication attempts from a single AD user called "mydomain\guest". We decided on this approach for the guest wireless network so that we can rotate the password automatically every week with a VBScript that manipulates the password via LDAP. Users with laptops in different domains are unable to connect to the guest wireless network, and I'm starting to think the machine authentication is a problem.
Any suggestions would be greatly appreciated.
Thanks,
Ali.

Hi Ali,
That’s all part of the wonderful world of wireless on Windows.
When a connection to a WLAN is made on a Windows machine by selecting it from the available Wireless Networks list (passive RF scan), and Windows has parsed the 802.11 AP beacon to contain the WPA2 802.1X element, by default it will attempt to connect with known or active session credentials.
Typically it will be the machine account (they all have them, whether on a domain or not) and then/or the user. This order and preference may change depending on the version of Windows (Vista to Windows 8) and service pack level.
Regardless, the only thing you can count on for sure is that the first authentication attempt from a Windows client will not involve the user entering information. Once the first attempt fails, the Windows supplicant will prompt the user for login information via a notification in the system tray, which may or may not be noticed by the user, and may or may not stay for more than 5 seconds.
Windows XP and Vista were the worst for this. In Windows 7 and Windows 8 this process, and the recovery and user-prompt mechanism, is greatly improved but not infallible.
The only way to avoid this would be to manually configure the WLAN profile on the Windows machine, as you are currently doing.
Mobile phones and tablets don't have this issue because of how their supplicants are coded. Besides, the only "system" credentials on an iOS or Android phone are typically your Play Store and App Store accounts, and both vendors know those won't be accepted for network access by default anywhere.
There isn't an easy way to support non-domain Windows systems on a domain-integrated one.
You might want to try adding another SSID.
You could have a corporate SSID, a Guest Portal, and a third that is PSK + Guest Portal. On NPS you could filter on the RADIUS attribute Called-Station-Id (which includes the SSID) to allow all domain IDs access instead of just that WLAN.
Or you could look at swapping out NPS for a Cisco ISE VM/appliance; with the new Plus licenses, onboarding devices is lower cost, and Windows XP and up are supported for supplicant configuration via ISE.
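As an added triage check, not part of Ali's post or the reply above: the WLC entry Ali quoted tells you which identity the supplicant presented, and a "host/<FQDN>" identity is the Windows computer account. The PowerShell below was written for this page; it parses a few constructed WLC log lines (only the first mirrors the entry in the post) and splits them into machine-account and user attempts, so you can confirm from the log alone that the non-domain laptops are failing on machine authentication before the user is ever prompted. The domain names and user names in the sample lines are made up.

```powershell
# Added example, not from the thread. Classify WLC "AAA Authentication Failure"
# lines by the presented identity. host/<fqdn> = Windows machine account, which
# NPS can only validate for a domain-joined computer; anything else is a user.
# Sample lines are constructed; the first one mirrors the entry quoted in the post.
$SampleLog = @(
    'AAA Authentication Failure for UserName:host/LastNameFirstInitial-LT.mydomain.Local User Type: WLAN USER',
    'AAA Authentication Failure for UserName:host/PC-0412.mydomain.Local User Type: WLAN USER',
    'AAA Authentication Failure for UserName:MYDOMAIN\jsmith User Type: WLAN USER',
    'AAA Authentication Failure for UserName:guest@mydomain.local User Type: WLAN USER'
)

function ConvertFrom-WlcAaaFailure {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        if ($Line -notmatch 'AAA Authentication Failure for UserName:(?<id>\S+)\s+User Type:\s*(?<type>.+)$') {
            return    # not an AAA failure line; ignore
        }
        $id   = $Matches['id']
        $type = $Matches['type'].Trim()   # read before the next -match overwrites $Matches
        if ($id -match '^host/(?<fqdn>[^/\s]+)$') {
            # Machine authentication. AD stores the computer account as "<shortname>$".
            $short = ($Matches['fqdn'] -split '\.')[0]
            [pscustomobject]@{ Kind = 'Machine'; Identity = $id; AdAccount = "$short`$"; UserType = $type }
        } else {
            [pscustomobject]@{ Kind = 'User'; Identity = $id; AdAccount = $id; UserType = $type }
        }
    }
}

$parsed = $SampleLog | ConvertFrom-WlcAaaFailure
$parsed | Format-Table -AutoSize
# Machine attempts vs. user attempts: a laptop that is not in the domain only ever
# shows up in the Machine bucket until the user notices and answers the tray prompt.
$parsed | Group-Object -Property Kind | Select-Object Name, Count
```

Feed real lines in with Get-Content on a WLC syslog export instead of $SampleLog; the AdAccount column is what you would look up in AD to confirm whether the computer object exists at all.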

Similar Messages

  • AD authentication for domain in another forest- XI R2

    Situation:
    - Windows 2003
    - BOXI R2 (tomcat)
    - 2 domains (in different forest)
    - trust between the two domains
    We have successfully installed the AD authentication plugin for domain1.
    To work around this for domain2, we've added users from domain2 to a group in domain1, but these users are not shown inside the CMC when we import the AD group.
    Can we use the LDAP plugin for domain2? What should be the procedure?
    I found a similar question on this forum from one month ago, where they were talking about BO3 SP1, which will support multiple forests, but that is not really a solution that could help me out now.
    Please advise
    Thanks in advance!
    Quinten

    In XIR2 we cannot map in groups that contain users from 2 different forests. To work around this we could use LDAP to AD, but there are a few limitations.
    If you want to upgrade, the version that should contain this (XI 3.1, or XI 3.0 with integrated SP1) will hopefully be out by the end of this month.
    There should be some notes on using LDAP to AD in the SMP as well as it's documented in the [XI 3.0 Admin Guide|http://help.sap.com/businessobject/product_guides/boexir3/en/xi3_bip_admin_en.pdf]
    Regards,
    Tim

  • Run Batch File for Domain Computers on Startup

    Hello,
    I am trying to run a batch file I created to grab computer specs off of every computer on our domain. I have created a new GPO under my domain, and under there I have the file sitting under Computer Configuration > Policy > Windows Settings > Scripts > Startup
    and also Computer Configuration > Policy > Administrative Templates > System > Run these programs at startup. Neither one seems to be working... I know the batch file works because I have tested it on multiple computers. Here is what the file
    looks like:
    @echo off
    rem Startup script: everything the :test block prints is appended to one log per computer on the share.
    rem A GPO startup script runs as LocalSystem, so the share is accessed as the computer account, not as a user.
    call :test >> \\10.0.2.3\users\rricks\computerinfo\%ComputerName%.log
    goto :eof
    :test
    rem Hardware identity (serial number, model, vendor) and OS details via WMI
    wmic csproduct get identifyingnumber,name,vendor
    wmic os get osarchitecture
    wmic os get name
    wmic os get installdate
    rem Computer name, logged-on user (usually empty at startup, before anyone logs on) and RAM
    wmic computersystem get name
    wmic computersystem get username
    wmic computersystem get totalphysicalmemory
    rem Motherboard serial and CPU model
    wmic baseboard get serialnumber
    wmic cpu get name
    I have also tried putting this file in the NETLOGON share folder on our DC with no luck. Let me know what I'm doing wrong. Any help would be greatly appreciated.
    Thanks,
    Ryan

    > call :test >> \\10.0.2.3\users\rricks\computerinfo\%ComputerName%.log
    Who has access to this shared folder you are piping to? Did you try
    piping to a local file? %public%\blah.log :)
    Martin
    Ever read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
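    The point behind Martin's question, as an added example that is not part of his or Ryan's post: a GPO startup script runs as LocalSystem, so the write to the share is authenticated with the computer account (DOMAIN\COMPUTERNAME$), not with any user's rights, and the usual quick fix of giving Everyone Full Control turns the inventory folder into a readable and deletable dump for any machine on the network. The PowerShell below grants the "Domain Computers" group only what cmd's ">>" needs on the folder and checks the resulting ACE. The share name "users", the local path, and the domain name MYDOMAIN are assumptions for this example; run it on the file server with admin rights (Grant-SmbShareAccess needs Server 2012 or later).

```powershell
# Added example, not from the thread. Least-privilege write access for startup scripts
# that run as the computer account. Share name, path and domain are placeholders.

function Grant-InventoryDropAccess {
    param(
        [Parameter(Mandatory)][string]$Path,                 # local NTFS path of the collection folder
        [string]$Identity = 'MYDOMAIN\Domain Computers',     # assumption: your NetBIOS domain name
        [string]$ShareName                                   # optional: SMB share that exposes $Path
    )
    # "Write" (create file, write/append data, write attributes) plus ReadAttributes and
    # ReadPermissions is what cmd's >> redirection opens the file with. No ReadData, no
    # ListDirectory, no Delete: one compromised workstation cannot read or wipe the others' logs.
    $rights  = [System.Security.AccessControl.FileSystemRights]'Write, ReadAttributes, ReadPermissions'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
                   $Identity, $rights, $inherit, $prop,
                   [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Share level: "Change" is the lowest share permission that allows writes; the NTFS
    # ACE above is what actually restricts the computers to create/append.
    if ($ShareName) {
        Grant-SmbShareAccess -Name $ShareName -AccountName $Identity -AccessRight Change -Force | Out-Null
    }
}

function Test-InventoryDropAccess {
    param([Parameter(Mandatory)][string]$Path,
          [string]$Identity = 'MYDOMAIN\Domain Computers')
    # Lists the explicit ACEs for the computers group so the grant can be audited afterwards.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Usage (paths are assumptions for this example):
Grant-InventoryDropAccess -Path 'D:\users\rricks\computerinfo' -ShareName 'users'
Test-InventoryDropAccess  -Path 'D:\users\rricks\computerinfo'
```

    If the script still produces no log after this, Martin's other suggestion applies: redirect to a local file first to separate "script never ran" from "share write was denied".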

  • PEAP authentication for laptops

    Hi All,
    We have created an SSID with 802.1X authentication and WPA2 AES encryption (broadcast). When I try to access the SSID on my Android or Apple mobile, it directly asks for username and password, and it gets authenticated.
    Whereas on a Windows 7 laptop, I need to create the SSID profile (and need to choose the security type and all) to associate to it. Is there any way that the client will be able to connect without any SSID profile configuration on the laptop?
    Thanks ,
    Regards,
    Vijay.

    Hello Vijay,
    As per your query, I can suggest the following solution:
    PEAP authenticates wireless LAN clients using only server-side digital certificates by creating an encrypted SSL/TLS tunnel between the client and the authentication server. The tunnel then protects the subsequent user authentication exchange.
    Follow these steps:
    1. Open Wi-Fi settings: from the Home screen, press the Menu button and then select 'Settings'.
    2. Open Wireless & Networks: select 'Wireless & networks'.
    3. Enable Wi-Fi: if 'Wi-Fi' is off, select 'Wi-Fi'.
    4. Enter Wi-Fi settings: select 'Wi-Fi settings'.
    5. Add the SSID manually: scroll to the bottom of the screen and select 'Add Wi-Fi network'. Enter HC_Secure in the Name field.
    6. Set security: select the 'Security' drop-down menu and select '802.1x Enterprise'.
    7. Authentication (Phase 2): select the 'Phase 2 authentication' drop-down menu and select 'MSCHAPV2'. Note: you may need to scroll down on the page to access the 'Phase 2 authentication' drop-down menu.
    8. Enter your account: enter your HC Network ID in the 'Identity' field and the password in the 'Wireless password' field. Note: you must scroll down on the page to access these fields.
    9. Save: select the 'Save' button.
    Hope this will help you.

  • Exchange 2010 Autodiscocer for non-domain computers.

    Hello. I have problems with Autodiscover for non-domain computers. Can somebody explain step by step what I must do to configure it?

    Hi,
    For your Non-domain joined clients, the Outlook would connect to Exchange mailbox from the Internet. We need to enable Outlook Anywhere for your external users:
    Enable-OutlookAnywhere -Server:Exch10 -ExternalHostname:mail.contoso.com -ClientAuthenticationMethod:Ntlm -SSLOffloading:$true
    For autodiscover service, when Outlook is started on a client that is not domain-connected, it first tries to locate the Autodiscover service by looking up the SCP object in Active Directory. Because the client is unable to contact Active
    Directory, it tries to locate the Autodiscover service by using Domain Name System (DNS). In this scenario, the client will determine the right side of the user’s email address, that is, contoso.com, and check DNS by using two predefined URLs. For example,
    if your email address is [email protected], Outlook will try the following two URLs to try to connect to the Autodiscover service:
    https://contoso.com/autodiscover/autodiscover.xml
    https://autodiscover.contoso.com/autodiscover/autodiscover.xml
    For more information about autodiscover service in Exchange 2010, please refer to:
    http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
    Therefore, you don't need to change any configuration for Autodiscover. Just make sure the Exchange certificate assigned to the IIS service includes the autodiscover.contoso.com name, and that the certificate is valid and trusted for external
    users. If not, please create a new SRV record for your Autodiscover service pointing to
    mail.contoso.com. For more information about the SRV record for Autodiscover, please click:
    http://support.microsoft.com/kb/940881
    Regards,
    Winnie Liang
    TechNet Community Support
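    A check for the situation Winnie describes, added here and not part of her reply: a non-domain Outlook has no SCP, so it goes straight to the two DNS-derived URLs and then the SRV record, and the usual failure is that the host it lands on presents a certificate that does not carry that host name. The PowerShell below derives the candidate hosts from a mailbox address, reads the DNS names off the certificate each host presents, and reports whether the name is covered (including proper one-label wildcard matching), then shows the SRV fallback if one exists. It is written for this page; contoso.com is the post's placeholder domain, the example must be run from a machine with Internet access, and Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the thread. Which Autodiscover host names will a non-domain
# Outlook try, and does the certificate at each actually cover that name?

function Get-AutodiscoverCandidates {
    param([Parameter(Mandatory)][string]$EmailAddress)
    $domain = ($EmailAddress -split '@')[-1]
    [pscustomobject]@{
        Domain  = $domain
        Urls    = @("https://$domain/autodiscover/autodiscover.xml",
                    "https://autodiscover.$domain/autodiscover/autodiscover.xml")
        SrvName = "_autodiscover._tcp.$domain"
    }
}

function Test-CertificateCoversName {
    # Pure name matching: exact match, or a "*.example.com" wildcard covering exactly one
    # leftmost label (so "*.contoso.com" covers "autodiscover.contoso.com" but not "a.b.contoso.com").
    param([string[]]$CertNames, [string]$RequiredName)
    foreach ($n in $CertNames) {
        if ($n -ieq $RequiredName) { return $true }
        if ($n.StartsWith('*.')) {
            $parts = $RequiredName -split '\.', 2
            if ($parts.Count -eq 2 -and $parts[1] -ieq $n.Substring(2)) { return $true }
        }
    }
    return $false
}

function Get-TlsCertificateDnsNames {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain here because we only want to read names off the leaf;
        # trust is a separate question (the CA must be in the non-domain client's root store).
        $ssl = New-Object System.Net.Security.SslStream(
                   $client.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        if ($san) {
            # Format() yields "DNS Name=mail.contoso.com, DNS Name=autodiscover.contoso.com"
            $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
        }
        $names | Where-Object { $_ } | Select-Object -Unique
    } finally {
        $client.Close()
    }
}

function Test-AutodiscoverTls {
    param([Parameter(Mandatory)][string]$EmailAddress)
    $c = Get-AutodiscoverCandidates -EmailAddress $EmailAddress
    foreach ($url in $c.Urls) {
        $h = ([uri]$url).Host
        try {
            $names = @(Get-TlsCertificateDnsNames -HostName $h)
            [pscustomobject]@{ Host = $h; CertNames = ($names -join ', ')
                               CoversHost = (Test-CertificateCoversName -CertNames $names -RequiredName $h) }
        } catch {
            [pscustomobject]@{ Host = $h; CertNames = "connect failed: $($_.Exception.Message)"; CoversHost = $false }
        }
    }
    # The fallback from KB 940881: an SRV record pointing at a host whose name the certificate does cover.
    $srv = Resolve-DnsName -Name $c.SrvName -Type SRV -ErrorAction SilentlyContinue
    if ($srv) {
        [pscustomobject]@{ Host = $c.SrvName; CertNames = "SRV -> $($srv.NameTarget):$($srv.Port)"; CoversHost = $null }
    }
}

Test-AutodiscoverTls -EmailAddress 'user@contoso.com' | Format-Table -AutoSize
```

    A row with CoversHost = False on autodiscover.contoso.com is exactly the case where the SRV record (or adding the name to the certificate) is needed; a row for the bare domain that fails to connect is normal when nothing serves HTTPS there.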

  • Scom monitoring non domain computers

    Hello experts,
    I have SCOM 2012 and want to monitor non-domain computers (servers in the DMZ).
    I have created a new template on the CA server, then created new certificates for the DMZ server and the SCOM RMS server.
    Now I have a connection between the two servers, but there is an authentication error.
    Here are the logs.
    Please help.
    log from dmz computer
    Log Name:      Operations Manager
    Source:        OpsMgr Connector
    Date:          29/09/2014 10:54:51
    Event ID:      20071
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SRV-AB-WWW1.somebank.am
    Description:
    The OpsMgr Connector connected to scom.somebank.am
    , but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server .  Check the event log on the server and on the agent for events which
    indicate a failure to authenticate.
    Event Xml:
    <Event xmlns="">
      <System>
        <Provider Name="OpsMgr Connector" />
        <EventID Qualifiers="49152">20071</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-29T06:54:51.000000000Z" />
        <EventRecordID>2163</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>SRV-AB-WWW1.somebank.am</Computer>
        <Security />
      </System>
      <EventData>
        <Data>scom.somebank.am</Data>
      </EventData>
    </Event>
    scom rms computer
    Log Name:      Operations Manager
    Source:        OpsMgr Connector
    Date:          29/09/2014 11:18:57
    Event ID:      21010
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      SRV-SCOM1.somebank.local
    Description:
    The OpsMgr Connector negotiated the use of mutual authentication with 192.168.169.40:53552, but Active Directory is not available and no certificate is installed. A connection cannot be established.
    Event Xml:
    <Event xmlns="">
      <System>
        <Provider Name="OpsMgr Connector" />
        <EventID Qualifiers="49152">21010</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2014-09-29T07:18:57.000000000Z" />
        <EventRecordID>1269145</EventRecordID>
        <Channel>Operations Manager</Channel>
        <Computer>SRV-SCOM1.somebank.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>192.168.169.40:53552</Data>
      </EventData>
    </Event>
    telnet to 5723 port from dmz server to scom rms server is ok

    PS C:\Users\administrator.AMERIABANK>  C:\Users\administrator.AMERIABANK\Desktop\1.ps1
    This script will inspect Local Machine certificate
    store and registry settings. This will take several seconds...
    Script will check certificates to match the following requirements:
            Subject equals computer FQDN
            Certificate is time valid
            Certificate has private key and it supposed for computer certificate
            KeySpec is set to 1
            Certificate Application Policies (in former EKU) contains both Server and Client Authentication
    WARNING: OpsMgr Agent is already configured to work with certificate, but this certificate don't exist in
    WARNING: LocalComputer store or not match all certificate requirements.
    To resolve this issue, obtain new certificate from trusted Certification Authority
    using the following instructions: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=5
    and install it by running the following command: MOMCertImport /Subject SRV-SCOM1.ameriabank.local
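    An added check, written for this page and not taken from the thread or from the 1.ps1 script whose output is quoted above: it applies the five requirements that script lists to every certificate in the LocalMachine\My store, so you can see which certificate (if any) MOMCertImport should be pointed at and which requirement each candidate fails. Run it elevated on the management server and again on the DMZ agent; the FQDN defaults to the local host's name but can be passed in.

```powershell
# Added example, not from the thread. Evaluate LocalMachine\My certificates against the
# OpsMgr 2012 agent/server certificate requirements listed in the post.

function Test-OpsMgrCertificate {
    param([string]$Fqdn = [System.Net.Dns]::GetHostEntry('').HostName)
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        # KeySpec 1 (AT_KEYEXCHANGE) shows up as KeyNumber "Exchange" on a CSP key. A CNG key
        # exposes no CspKeyContainerInfo at all and therefore fails this test.
        $keyNumber = $null
        try {
            if ($cert.HasPrivateKey -and $cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
                $keyNumber = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber
            }
        } catch { $keyNumber = $null }   # private key present but not readable by this account
        $r = [ordered]@{
            Thumbprint          = $cert.Thumbprint
            Subject             = $cert.Subject
            SubjectIsFqdn       = ($cert.Subject -ieq "CN=$Fqdn")
            TimeValid           = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            HasPrivateKey       = [bool]$cert.HasPrivateKey
            KeySpecIs1          = ("$keyNumber" -eq 'Exchange')
            ServerAndClientAuth = (($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth))
        }
        $r.Pass = $r.SubjectIsFqdn -and $r.TimeValid -and $r.HasPrivateKey -and $r.KeySpecIs1 -and $r.ServerAndClientAuth
        [pscustomobject]$r
    }
}

Test-OpsMgrCertificate | Format-Table -AutoSize
```

    In the output quoted above the management server's event says "no certificate is installed" while the import script looks for a subject of SRV-SCOM1.ameriabank.local; the SubjectIsFqdn column makes that kind of name mismatch visible immediately, and a certificate with Pass = True is the one to pass to MOMCertImport.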

  • Restrict non-domain computers

    Does anyone know if it is possible to restrict access based on domain membership or an AD Group?
    The purpose is to restrict non-domain computers even if the client has a legitimate domain credential to use for authentication.

    That is correct. The only way to restrict these computers would be to make a rule (above your auth group policies), that states the specific IPs / subnets are granted certain / no access.
    As long as the rule is above all your auth rules, it will trigger first and take precedence. Be sure to disable WBRS for this rule as well, since there is a potential for +6 sites to be allowed.

  • SCSM 2012 Portal change from http to https to get silverlight to work on non domain computers?

    Hi
    Wanting to change our Self Service Portal from http to https and make it accessible from non-domain computers.
    Non-domain computers: the SharePoint parts load (the Silverlight does not load). Domain computers can access the portal with no problem.
    Does this mean I need to reinstall the portal or can it be changed while in operation now?
    Would something like the below link be enough to get https going?
    http://blogs.technet.com/b/babulalghule/archive/2013/01/10/how-to-create-alternate-url-for-service-manager-self-service-portal.aspx
    Thanks!

    The Silverlight part is not loading due to the SSL certificate. Importing the certificate into the non-domain computer will fix this issue.

  • Configure DHCP to add non domain computers to DNS

    Hi
    We would like to add non-domain computers automatically to DNS through our DHCP server.
    The reason is that we actually use Linux, and our Linux admins would like the machines added automatically to DNS when receiving an IP.
    I assumed that it was just a matter of selecting "Always dynamically update DNS A and PTR records" in the IPv4 scope options, but it doesn't seem to work?
    Lasse
    /Lasse

    I started out changing that setting to "Dynamically update DNS records for DHCP clients that do not request updates" but it didn't seem to work.
    I then changed "Always dynamically update DNS A and PTR records" and it didn't work. Then I tried having both settings set and then it worked. I then removed "Always dynamically update DNS A and PTR records" since it shouldn't be necessary
    and then it still worked..... :-)
    Lasse
    /Lasse

  • MBAM on Workgroup (non-domain) Computers

    Hi,
    Is it possible to manage non-domain computers with MBAM to deploy BitLocker,
    assuming policy is set by local policy or registry settings?
    thanks ahead,

    I was thinking the same as was pointed out in this thread: you will not be able to store keys in the SQL database, because it relies on AD:
    http://social.technet.microsoft.com/Forums/en-US/8eea1337-9cc7-47d4-87ca-83428abdce83/mbam-for-work-group-computers?forum=mdopmbam

  • Non Domain computers accessing Report Manager.

    I'm using SQL 2012 and am having a hard time finding documentation on how to turn off authentication for the Report Manager. All I want to do is have some computers that are not on our domain be able to pull up a report without getting prompted with
    login info.
    SSRS is not installed with sharepoint mode.
    I found this: http://msdn.microsoft.com/en-us/library/cc281383.aspx but had little luck getting it to work.

    Hello,
    By default SSRS uses Windows authentication, but you can change it to anonymous access:
    Configure Basic Authentication on the Report Server
    Olaf Helper
    [ Blog] [ Xing] [ MVP]

  • Non Domain Computers Becoming Master Browser

    Hello,
    I am troubleshooting an issue with the master browser service when an external user connects his workgroup laptop to our domain network and wins the election.
    The network consists of a domain controller which has the following registry settings
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster = True
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList = Yes
    All the client computers that are connected to the domain have IsDomainMaster = False and MaintainServerList = No.
    When an external user connects to the network with a laptop that isn't part of the domain it causes a master browser election and wins. All the servers and client computers list only media devices instead of all the computers and servers on the network.
    Is there a way to prevent non domain computers from becoming the master browser without changing registry settings on that computer?
    Thanks
    Jon

    Hello,
    The TechNet Wiki Forum is a place for the TechNet Wiki Community to engage, question, organize, debate, help, influence and foster the TechNet Wiki content, platform and Community.
    Please note that this forum exists to discuss TechNet Wiki as a technology/application.
    As it's off-topic here, I am moving the question to the
    Where is the forum for... forum.
    Karl
    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book:
    Windows PowerShell 2.0 Bible
    My E-mail: -join ('6F6C646B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

  • Non-Domain computers via VPN

    I am not sure if this is the right forum for this. I have some non-domain devices that are coming into my network via VPN (VPN client). Can someone tell me how to deny these non-domain devices coming into my network? Is there a configuration in the VPN concentrator to deny non-domain computers? Please advise.

    Did you deploy IPsec in your VPN network? If not, just deploy IPsec on all the peers and the VPN server.
    IPsec is a 2-phase VPN security provider. IPsec along with IKE provides two levels of security.
    With IPsec, we configure some security parameters like hostname or remote IP address, pre-shared key etc. on both ends (server and peer). When a non-domain client tries to access your VPN, the VPN server may authenticate the incoming client using either IP address or host name, and it will contact a AAA server or its own database for validating the user.
    If you are using an external server for validating the incoming users, you must go for an external AAA server.
    For complete details of deploying a VPN with IPsec:
    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1045493

  • How to avoid non-domain computers logging in to the wireless

    Hi, please help, it's killing me! It's not pure Cisco, but I'm sure you guys might have some solution in mind.
    I want only domain computers plus one OU (Staff) to be able to connect to our network. I am trying to restrict mobile phones (iPhone and Android) and personal laptops from connecting to our wireless network.
    We use a Windows-based NPS. It is currently set to allow anyone to connect with their domain computer OR domain username.
    So to the Network Policy I added "Domain Computers" (using "Windows Groups", I also tried "Machine Groups") within the Conditions tab.
    I tested to see if a laptop could still connect and it could not.
    I have tried many many different combinations within the conditions tab to try and get this working but to no avail.
    1. just having "domain computers" (either windows or machine groups)
    2. having domain users and domain computers (with all combinations of windows/machine/users groups)
    3. I even tried Operating system conditions
    These are all set in "And" values, if set to OR (in combination with Domain Users) then the laptop connects, but then so does the phone.
    Regards?

    I have got somewhere!!! The problem is I'm not so confident about it!
    Firstly, thanks everyone, especially Scott.
    Now:
    I set the NPS policy to be "Computer Domain" & "Staff OU", then on the Wireless group policy I set it only for "Computer domain". All authenticated users can log on to our domain laptops. No one can connect to our network with phones or other devices because they are not joined to the domain. Those special people's phones and devices can still connect to the network if their user is in the "Staff OU".
    I gave up on Cisco! I created a ghost VLAN and tried to use "Local Profiling" to put whatever Android or iPhone devices are available on that ghost VLAN, resulting in disconnecting them, but the device is so stupid that it couldn't recognize Android and iPhones! It worked only for iPads, but the rest wasn't recognizable by the Cisco WLC.

  • "Sharepoint 2013" is giving error that prevents local domain users authentication for "Team Foundation Server"

    I am getting 2 errors through the event viewer that prevent TFS 2013 authentication for local domain users; this error started appearing after having TFS upgraded to [ 12.0.30723.0 (Tfs2013.Update3) ].
    1st Error (from administrative events):
    The Execute method of job definition Microsoft.SharePoint.Administration.SPUsageImportJobDefinition (ID a51a0244-765d-433b-8502-0bb0540ad1fd) threw an exception. More information is included below.
    Access to the path 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\LOGS' is denied.
    Tried so far:-
    - changed the path to another folder from "Diagnostic Logging" in another drive, but still getting the same error.
    2nd Error (from application server):
    DistributedCOM error
    The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
    {000C101C-0000-0000-C000-000000000046}
     and APPID 
    {000C101C-0000-0000-C000-000000000046}
     to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Which I already got fixed using the following steps on a thread I opened before (but still getting the same error).
    https://social.technet.microsoft.com/Forums/windows/en-US/3896e35c-b99a-4d30-b662-f92d337c8d6f/windows-servers-components-services-and-regedit-permissions-are-grayed-out-for-my-admin-account?forum=winservergen
    Other fixes I tried:
    - Found on another topic that it is not SharePoint that is causing the problem, but the generated ASP.NET web pages used for testing are causing the memory to fill up due to caching in RAM; the fix suggested was to change IIS caching from RAM to HD to prevent
    loading up using w3wp.exe from processes.
    Concern:
    - By checking other topics for people having the same problem, it was mentioned that this error appeared after the latest TFS update. Is there a fix for it?

    Hi Kpdn, 
    Thanks for your post.
    All your participation and support are very important to build such harmonious/ pleasant / learning environment for MSDN community.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate in the survey.
